Re: [OPSEC] WGLC: draft-ietf-opsec-indicators-of-compromise

Jaimandeep Singh <jaimandeep.phdcs21@nfsu.ac.in> Fri, 05 August 2022 02:31 UTC

References: <CAFU7BATX2bDZkhm3cZJz5nkrOshouASDcy1c+b4QdwJW2EnJYA@mail.gmail.com>
In-Reply-To: <CAFU7BATX2bDZkhm3cZJz5nkrOshouASDcy1c+b4QdwJW2EnJYA@mail.gmail.com>
From: Jaimandeep Singh <jaimandeep.phdcs21@nfsu.ac.in>
Date: Fri, 05 Aug 2022 08:01:25 +0530
Message-ID: <CAODMz5GsaqWGvkwcpGAum_-EWh=nzPYeQ5MFspUhTdsfx9fXnA@mail.gmail.com>
To: Jen Linkova <furry13@gmail.com>
Cc: opsec WG <opsec@ietf.org>, OpSec Chairs <opsec-chairs@ietf.org>, draft-ietf-opsec-indicators-of-compromise.authors@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsec/cRYVx2WJRbreD_jcIHyZ52GAPxQ>

Dear All,
I am not in favour of adopting the draft at this stage because of the
following concerns:

1. In my opinion, the draft falls under the category of *Taxonomy and
Problem Statement Documents*, as it is mostly filled with definitions and
theory.

2. It does not provide for any protocols, tools and technologies that are
used to address the threat except for *hashes of emails/IPs/Domain Names*,
which are already well established and do not add any additional value to
the draft document.

3. The examples of Cobalt Strike and APT33 bring out no concrete ways in
which the IOCs could be extracted. It is the same old technique of *hashes
of emails/IPs/Domain Names*.

In my opinion, there is a definite requirement for working and brainstorming
on the issue before the final call for adoption. We can look at picking up
specific protocols such as HTTP/1/2/3 and OAuth 2.0 and then work on the IOCs
that can be extracted from these specific protocols.

Regards
Jaimandeep Singh

On Thu, Jul 28, 2022 at 5:02 AM Jen Linkova <furry13@gmail.com> wrote:

> This email starts a WG Last Call for
> draft-ietf-opsec-indicators-of-compromise
> https://datatracker.ietf.org/doc/draft-ietf-opsec-indicators-of-compromise/
>
> The WGLC finishes on Sunday, Aug 14th, 25:59 UTC.
>
> The chairs are looking for people who would review the document and
> respond to the list stating their support (or concerns regarding)
> advancing the draft.
>
> Thank you!
> --
> SY, Jen Linkova aka Furry
>
> _______________________________________________
> OPSEC mailing list
> OPSEC@ietf.org
> https://www.ietf.org/mailman/listinfo/opsec
>