Re: [OPSEC] WGLC: draft-ietf-opsec-indicators-of-compromise

Chris Box <> Fri, 12 August 2022 17:51 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 01F0AC14CF10; Fri, 12 Aug 2022 10:51:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -7.107
X-Spam-Status: No, score=-7.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id SvEdfiX4DV0C; Fri, 12 Aug 2022 10:51:42 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:4864:20::22e]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by (Postfix) with ESMTPS id 7F432C14F73E; Fri, 12 Aug 2022 10:51:42 -0700 (PDT)
Received: by with SMTP id h125so1914545oif.8; Fri, 12 Aug 2022 10:51:42 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc; bh=IKN5tD4mFjqFpaSexro5dBl9pPkXOuYeC5+m0QxFJ7Y=; b=BapPOYZGVl0FyTmbDd3Qjxvwf56dLbsn6wbsV6T3wi3zcdziCiijRJr/KhyDRKXhlD GcIl5rtHGK1vc1mg6DjVDonYv0BfqaxUX+WfAXG4SoGe0LA2WzLjouc3FZhtQmwyGE36 3xeSfoA61HfAh40gdM46kDsJTncGWflaEERuBit2KJB3WJfn0blZjozpdELCkHqYIaYw AXqOvzgUTF4B1MmLfgLe6DdpQGBzeDNIL+xYSQcEtCnx7OuZh2+0iUVzXcYUCMCRLU/h JQoGzP2R3Y5RGrKf9xhjGbdFFlvL/2B9sxTS3r2989Y2RZ1v54clQkofpHOA8IUKSSON F3hQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc; bh=IKN5tD4mFjqFpaSexro5dBl9pPkXOuYeC5+m0QxFJ7Y=; b=LmeFPmaTj/nRI85EMA/X8KAs+GzXtIH6BIgz4E5PizAHVuly7w6cwF77rXLic9QtY/ Pbiv+uvwoLFF8Ryp00Rpci6/ipAchvMC+zNGI8Oynzlnr2hu2rYw5RGag0l0HfsmKVAE PXvkn9CwCoT9Z1+xmLT76twdUpEbLRpNOmaYh5/5B6P5P66yakKEE7BNi1FD9raoBHNJ C/3yxcLkwy8Ewj5gq9uFRrby4b+swCTFbjtiKGYUnIigwnh/JFwH85ekgoh/bB/P1IfU O0AcwXAfJP4Xf9dSZ56mi/xANvwVmjqh2M3YeC4StN2KpAMkD0Vqa0+7r5rm3XwRwMjS e5xw==
X-Gm-Message-State: ACgBeo02CEidFQPUKbYxKcrp1CJMzWfyzOSAWyBrxMhdKh4T00BFS0PD J3iT0hyfeR+/dr45FxbkEtuh/ExiPSuoB2DHwD7ASpCPvGY=
X-Google-Smtp-Source: AA6agR4NvAD+RU+muB6L0su3b5Q1ox5mFIrpxCiTTalk4tKP1Idk72fBpOgZihHNCzrgLLQM/wEB4lIym0VlepQslCw=
X-Received: by 2002:aca:3309:0:b0:343:58ca:6e20 with SMTP id z9-20020aca3309000000b0034358ca6e20mr2209946oiz.218.1660326700354; Fri, 12 Aug 2022 10:51:40 -0700 (PDT)
MIME-Version: 1.0
References: <>
In-Reply-To: <>
From: Chris Box <>
Date: Fri, 12 Aug 2022 18:51:29 +0100
Message-ID: <>
To: Jen Linkova <>
Cc: opsec WG <>, OpSec Chairs <>,
Content-Type: multipart/alternative; boundary="0000000000002f905905e60eefc0"
Archived-At: <>
Subject: Re: [OPSEC] WGLC: draft-ietf-opsec-indicators-of-compromise
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: opsec wg mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 12 Aug 2022 17:51:43 -0000

Hi security people

On Thu, 28 Jul 2022 at 00:32, Jen Linkova <> wrote:

> The chairs are looking for people who would review the document and
> respond to the list stating their support (or concerns regarding)
> advancing the draft.

I've re-read this latest revision from top to bottom. In general I see the
document as a valuable contribution to the fight against attackers that we
all face. Personally I would say it's almost complete. I have only noted a
couple of points to improve, below.

1. The definition of "Kill chain" can be misread as being about the
defenders' activities. It would benefit from a tweak to make it clear this
is the attacker's chain.

2. Later on it says "Broad coverage of the PoP is important as it allows
the defender to cycle between high precision but high fragility options and
more robust but less precise indicators."    The word "cycle" here gives
the impression that sometimes defenders are at the top of the pyramid, and
other times at the bottom. I don't know if this happens in real life but I
don't think it's useful to point people towards a behaviour that
contradicts the overall recommendation about covering a broad range of
IoCs. We want people to be effective in their defence, and that means
spotting IoCs at as many layers of the pyramid as you can.

If the above can be considered, and addressed or rejected (depending on the
WG's view) then I'll be happy for it to advance to the next stage.