[OPSEC] draft-ietf-opsec-indicators-of-compromise

Andrew S2 <andrew.s2@ncsc.gov.uk> Fri, 10 June 2022 10:25 UTC

From: Andrew S2 <andrew.s2@ncsc.gov.uk>
To: "opsec@ietf.org" <opsec@ietf.org>
Date: Fri, 10 Jun 2022 10:25:01 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsec/i0c7uM0beP_IHg0x4j2sdxkeQFM>

Hi all,

Our draft, Indicators of Compromise (IoCs) and Their Role in Attack Defence, was adopted by the WG earlier this year. The draft covers what Indicators of Compromise are, how they're used in cyber security (with some real-world examples) and some best practice for using them as part of a network defence strategy.

We'd be really keen to get some more reviews from the group. We plan to present the document in the WG meeting at IETF 114, so we'd look to address any comments and improve it before then. Very happy to receive comments either on list, or by email direct to the authors.

Many thanks,
Andy