[OPSEC] Review of draft-ietf-opsec-indicators-of-compromise

Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> Fri, 22 July 2022 22:01 UTC

From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
Date: Fri, 22 Jul 2022 18:00:59 -0400
Message-ID: <CAHbuEH4xVWfG9xyWfwwvWih7QtX_NOn6KkLrzm+G55ahPkHgqA@mail.gmail.com>
To: opsec@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsec/ZxEoBnzM2ng8G08BZb4YcyAGyVU>

Greetings!

I have reviewed the OPSEC draft on indicators of compromise and have a few
comments to share, first a general one and then a few specific to sections
of the document.

draft-ietf-opsec-indicators-of-compromise is a well documented account and
description of the use of IoCs to defend against attacks.

3.2.3 accurately describes the general consensus on the value of sharing
IoCs. My personal opinion, informed by being the CTO for the Center for
Internet Security, responsible for the Multi-State ISAC, is that indicators
are most useful when they can be applied to have a broad impact as opposed
to being shared broadly. I have a blog coming out to detail this further
and encourage improvement to models. I did notice some projected uses in
later sections that would be good to see industry more fully adopt.

3.2.4 Deployment - This is good advice that I think should go a step
further. Deployment should not rely on individual organizations, but rather
the software teams or product teams that can make an impact. Having the
ability to support IoCs in protocols would be a big step toward more
effective deployment, enabling software or product owners to integrate IoCs
when a patch to eliminate the need for them is not yet possible (resolve a
vulnerability). Section 4.1.1 mentions the use of patching to resolve the
need for IoCs when possible.

Section 6.1
If you'd like to include additional examples where IoCs are used in DNS
filtering, I am the CTO at the Center for Internet Security. CIS runs the
Multi-State Information Sharing and Analysis Center (MS-ISAC) and we offer
a filtering DNS service to greatly reduce the attacks seen by our members,
the US State, Local, Tribal, and Territorial (SLTT) organizations. The
MS-ISAC vets 200+ sources of IoCs to compile what is used for our members
via DNS and other services. This enables an at-scale solution to impact
organizations who oftentimes lack the resources to secure their own
networks.

Additionally, the US Federal government announced they will be offering a
similar service to the US Federal government agencies.

Thank you for your work on this draft, documenting the active use of IoCs
today and how they may evolve.
-- 

Best regards,
Kathleen
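
A toy version of the DNS-filtering use of IoCs mentioned in the Section 6.1 comment above, added here as an illustration (this is not code from the draft, from CIS, or from the MS-ISAC service): domain indicators from several constructed feeds are normalized and merged, kept only when corroborated by a minimum number of sources, and then resolver queries are blocked on an exact or parent-domain match. The feed contents, the NEVER_BLOCK allow-list, the min_sources threshold and the log-line format are all assumptions made for the example.

```python
"""Toy DNS-filtering IoC matcher (added example, not from the draft or any ISAC).

Aggregates domain indicators from several constructed feeds, keeps those that
enough independent sources agree on, and blocks queries whose name is, or
sits under, a vetted indicator domain.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, Iterator, List, Set, Tuple

# Constructed sample feeds (assumption: not real indicator data).
# Each feed maps an indicator domain to a free-form reason string.  Note the
# mixed case and trailing dot in feed-b, which normalization must absorb.
FEEDS: Dict[str, Dict[str, str]] = {
    "feed-a": {"c2.example.net": "beacon", "dl.example.org": "dropper"},
    "feed-b": {"C2.EXAMPLE.NET.": "beacon", "cdn.example.com": "unverified",
               "example.com": "listed by mistake"},
    "feed-c": {"c2.example.net": "beacon", "dl.example.org": "dropper"},
}

# Names that are never blocked wholesale even if a feed lists them.  A real
# deployment would derive this from a public-suffix list plus local allow-list;
# this one-entry set is an assumption for the example.
NEVER_BLOCK: Set[str] = {"example.com"}


def normalize(name: str) -> str:
    """Canonicalize a DNS name: trim, lower-case, drop the trailing root dot."""
    return name.strip().lower().rstrip(".")


@dataclass
class Indicator:
    domain: str
    sources: Set[str] = field(default_factory=set)
    reasons: Set[str] = field(default_factory=set)


def vet_feeds(feeds: Dict[str, Dict[str, str]], min_sources: int = 2) -> Dict[str, Indicator]:
    """Merge feeds by normalized domain and keep indicators seen in >= min_sources feeds.

    Requiring corroboration is the vetting step: a domain that only one feed
    reports (cdn.example.com above) is not pushed to the blocklist.
    """
    merged: Dict[str, Indicator] = {}
    for src, entries in feeds.items():
        for raw, reason in entries.items():
            domain = normalize(raw)
            if not domain or domain in NEVER_BLOCK:
                continue  # skip empty names and protected zones
            ind = merged.setdefault(domain, Indicator(domain))
            ind.sources.add(src)
            ind.reasons.add(reason)
    return {d: i for d, i in merged.items() if len(i.sources) >= min_sources}


def parents(name: str) -> Iterator[str]:
    """Yield the name and each ancestor: a.b.c -> a.b.c, b.c, c."""
    labels = normalize(name).split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


def decide(qname: str, blocklist: Dict[str, Indicator]) -> Tuple[str, str]:
    """Return ("BLOCK", matched_indicator) if qname or any parent is listed, else ("ALLOW", "")."""
    for candidate in parents(qname):
        if candidate in blocklist:
            return "BLOCK", candidate
    return "ALLOW", ""


def filter_queries(lines: Iterable[str], blocklist: Dict[str, Indicator]) -> List[Tuple[str, str, str, str]]:
    """Apply decide() to resolver log lines of the constructed form 'client qname qtype'."""
    results = []
    for line in lines:
        client, qname, _qtype = line.split()
        verdict, hit = decide(qname, blocklist)
        results.append((client, normalize(qname), verdict, hit))
    return results


# Constructed sample query log (assumption: format is 'client qname qtype').
SAMPLE_QUERIES = [
    "10.0.0.5 www.C2.example.net. A",     # subdomain of a vetted indicator
    "10.0.0.7 dl.example.org A",          # exact indicator match
    "10.0.0.9 cdn.example.com A",         # single-source, not vetted
    "10.0.0.9 example.net A",             # parent of an indicator, not listed itself
]

if __name__ == "__main__":
    bl = vet_feeds(FEEDS)
    for client, qname, verdict, hit in filter_queries(SAMPLE_QUERIES, bl):
        print(f"{client} {qname} -> {verdict} {hit}")
```

Lowering min_sources to 1 admits single-feed indicators such as cdn.example.com, which is the trade-off between coverage and false positives that a vetting process like the one described above has to make; the NEVER_BLOCK check shows why a parent-domain match needs a guard, since a listed "example.com" would otherwise sinkhole every name beneath it.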