[OPSEC] Review of draft-paine-smart-indicators-of-compromise

"Nancy Cam-Winget (ncamwing)" <ncamwing@cisco.com> Wed, 17 February 2021 19:12 UTC

From: "Nancy Cam-Winget (ncamwing)" <ncamwing@cisco.com>
To: "opsec@ietf.org" <opsec@ietf.org>
Date: Wed, 17 Feb 2021 19:12:40 +0000
Message-ID: <2332AAB3-7960-4A7F-ACFE-E682DD391835@cisco.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsec/GLRVtfrp229MvHSe3ADBwfz1jsI>
Subject: [OPSEC] Review of draft-paine-smart-indicators-of-compromise

Hi,
I also volunteered to review the draft-paine-smart-indicators-of-compromise draft and my comments follow:


I think the document is relevant and in scope for opsec as it highlights another swath of the cybersecurity discipline that should be raised in this community.

I would add, though, that the document should provide more details on the common IoC instantiations and communications used today, especially the more common ones (detailing what would be the best practice).



Nits

——

Section 3: Still has a “TODO” that should get resolved. My suggestion is that it would be good to describe what an IoC lifecycle means, and why these stages are needed/required.

How are IoCs expressed and communicated today?  That would also be useful to include.



4.1: As this is the first reference, “C2” should be expanded (Command and Control, I presume)





The document would flow better if Section 5 followed Section 3





5.2 More elaboration or data to substantiate the “ease” of deployment and use of IoCs is needed.

I think you take a “leap” in stating that “….if deployed quickly via a mechanism such as a protective DNS filtering service”, as I think it would depend on the IoC? And relates back to “common practice today” which I think is missing in the document.



5.3 Subjectively, STIX could be viewed as either “easy” or “not” easy to share.  This section would perhaps be better suited as “IoC commonly used formats”, of which STIX is one; but given this is targeted as a best practice, other commonly used ones like OpenIOC should be mentioned, unless you are prescribing that STIX is superior (but then, I’d expect rationale to substantiate that stance too).



5.4 The title of this section suggests the section would be on how IoCs map to specific threat actors, but the prose is more about orgs choosing which IoCs to use based on the info?  Can you provide more description in this section on how IoCs could be categorized to then allow that categorization to be mapped to a threat actor?



Sections 5.2-5.4 don’t read like a use case to me.



5.5 can you describe how they are shared today? And can that be used as a best practice?



Section 8: can be construed as both Security and Privacy considerations.

  * There are security considerations to the IoC “exchange” as well.  How trusted/reliable the IoC information is…especially over time?  IoC source/provenance?



Section 9: I’m not sure I understand and would disagree on IoCs not needing protection?  Depending on the communication channel, how does the recipient know that the IoC information is authentic?  While I may argue that it doesn’t need to be confidential, considerations from tampering are required.



Questions to consider

——————————

* Is there a well understood semantic format(s) for IoCs? What is more commonly used, what is the “best practice” to date?

* Is there one or more “standardized” IoC exchange data and communication format?  Some discussion on this topic would be good.


Best, Nancy
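[Editor's note: the following is an added, self-contained example that is not part of Nancy's review, the draft, or any IETF text. It illustrates three of the points raised above in working code: a STIX 2.1 indicator bundle as one "commonly used format" (5.3), applying its domain-name indicators as a protective DNS filter over resolver log lines (5.2), and the Section 8/9 concern about reliability over time and tamper protection. The bundle, the log lines, and the key are constructed here; the HMAC-SHA256 tag is a stdlib-only stand-in for whatever signature the real exchange channel provides, and only single-equality STIX patterns are parsed.]

```python
import hashlib
import hmac
import json
import re
from datetime import datetime, timezone

# Constructed STIX 2.1 bundle (sample data, not taken from the draft). Names and
# addresses are documentation-reserved (RFC 2606 / RFC 5737); IDs are made up.
BUNDLE = {
    "type": "bundle",
    "id": "bundle--0d1f3c5a-1111-4e7b-9b0a-000000000001",
    "objects": [
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--0d1f3c5a-1111-4e7b-9b0a-000000000002",
         "pattern_type": "stix",
         "pattern": "[domain-name:value = 'c2.example.net']",
         "valid_from": "2021-02-01T00:00:00Z"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--0d1f3c5a-1111-4e7b-9b0a-000000000003",
         "pattern_type": "stix",
         "pattern": "[domain-name:value = 'old.example.org']",
         "valid_from": "2020-01-01T00:00:00Z",
         "valid_until": "2020-06-01T00:00:00Z"},   # expired: must not be enforced
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--0d1f3c5a-1111-4e7b-9b0a-000000000004",
         "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '203.0.113.7']",
         "valid_from": "2021-02-01T00:00:00Z"},
    ],
}

# Only single equality comparisons are handled; real STIX patterns can be far richer.
PATTERN_RE = re.compile(r"^\[(domain-name|ipv4-addr):value\s*=\s*'([^']+)'\]$")
NOW = datetime(2021, 2, 17, 19, 0, tzinfo=timezone.utc)


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def active_indicators(bundle, now):
    """Return (observable_type, value) for indicators whose validity window covers `now`."""
    out = []
    for obj in bundle["objects"]:
        if obj.get("type") != "indicator" or obj.get("pattern_type", "stix") != "stix":
            continue
        m = PATTERN_RE.match(obj["pattern"])
        if not m:
            continue  # unsupported pattern shape: skip rather than guess
        if now < parse_ts(obj["valid_from"]):
            continue
        if "valid_until" in obj and now >= parse_ts(obj["valid_until"]):
            continue
        out.append((m.group(1), m.group(2).lower()))
    return out


def dns_blocklist(bundle, now):
    return {v for t, v in active_indicators(bundle, now) if t == "domain-name"}


# Constructed resolver log lines in the form "<ts> client=<ip> qname=<name>".
DNS_LOG = """2021-02-17T19:00:01Z client=10.0.0.5 qname=www.example.com
2021-02-17T19:00:02Z client=10.0.0.5 qname=C2.example.net.
2021-02-17T19:00:03Z client=10.0.0.9 qname=old.example.org"""
LOG_RE = re.compile(r"^(\S+) client=(\S+) qname=(\S+)$")


def filter_dns_log(log, blocklist):
    """Return (client, qname) for queries that hit the blocklist (case- and dot-normalised)."""
    hits = []
    for line in log.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        qname = m.group(3).lower().rstrip(".")
        if qname in blocklist:
            hits.append((m.group(2), qname))
    return hits


# Integrity: canonical JSON under an HMAC-SHA256 tag. Assumed stand-in for the
# signature or channel authentication a real IoC exchange would use.
def canonical(bundle):
    return json.dumps(bundle, sort_keys=True, separators=(",", ":")).encode()


def sign(bundle, key):
    return hmac.new(key, canonical(bundle), hashlib.sha256).hexdigest()


def verify(bundle, key, tag):
    return hmac.compare_digest(sign(bundle, key), tag)


def ingest(bundle, key, tag, now):
    """Refuse to build enforcement state from a bundle whose tag does not verify."""
    if not verify(bundle, key, tag):
        raise ValueError("IoC bundle failed integrity check; not applied")
    return dns_blocklist(bundle, now)


def tamper_demo(bundle, key):
    """Sign the bundle, then swap one indicator for a benign domain; return both verdicts."""
    tag = sign(bundle, key)
    tampered = json.loads(json.dumps(bundle))
    tampered["objects"][0]["pattern"] = "[domain-name:value = 'www.example.com']"
    return verify(bundle, key, tag), verify(tampered, key, tag)


if __name__ == "__main__":
    key = b"constructed-shared-key"
    tag = sign(BUNDLE, key)
    print("blocklist:", ingest(BUNDLE, key, tag, NOW))
    print("hits:", filter_dns_log(DNS_LOG, dns_blocklist(BUNDLE, NOW)))
    print("original/tampered verify:", tamper_demo(BUNDLE, key))
```

Two things the code makes concrete that the review asks for in prose: an IoC carries its own validity window, so "old.example.org" is parsed but never enforced at the chosen time; and a recipient that applies a bundle without checking its tag would let a tampered feed block a legitimate domain, which is the integrity (not confidentiality) property Section 9 should call out.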