Re: [OPSEC] New Version Notification for draft-paine-smart-indicators-of-compromise-02.txt
Ron Bonica <rbonica@juniper.net> Wed, 03 February 2021 17:04 UTC
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsec/vwDfKJNxodIsyEYIfd8yn2lECis>

Folks,

This appears to be a well-written draft that reflects current practice. Could I ask for two volunteers to read and comment on the draft?

Ron

From: OPSEC <opsec-bounces@ietf.org> On Behalf Of Kirsty P
Sent: Tuesday, January 26, 2021 6:19 AM
To: opsec@ietf.org
Cc: Ollie Whitehouse <ollie.whitehouse@nccgroup.com>
Subject: [OPSEC] Fw: New Version Notification for draft-paine-smart-indicators-of-compromise-02.txt

Hi OPSEC,

Please see below for details of our new draft on Indicators of Compromise (IoCs), updated based on previous comments. We think it might be suitable for OPSEC, but we'd like to hear your comments, discussion or feedback on this draft - please get in touch!

Kirsty & Ollie

________________________________

From: internet-drafts@ietf.org <internet-drafts@ietf.org>
Sent: 13 January 2021 17:44
To: Kirsty P <Kirsty.p@ncsc.gov.uk>; Kirsty P <Kirsty.p@ncsc.gov.uk>; Ollie Whitehouse <ollie.whitehouse@nccgroup.com>
Subject: New Version Notification for draft-paine-smart-indicators-of-compromise-02.txt

A new version of I-D, draft-paine-smart-indicators-of-compromise-02.txt has been successfully submitted by Kirsty Paine and posted to the IETF repository.

Name: draft-paine-smart-indicators-of-compromise
Revision: 02
Title: Indicators of Compromise (IoCs) and Their Role in Attack Defence
Document date: 2021-01-13
Group: Individual Submission
Pages: 18
URL: https://www.ietf.org/archive/id/draft-paine-smart-indicators-of-compromise-02.txt
Status: https://datatracker.ietf.org/doc/draft-paine-smart-indicators-of-compromise/
Htmlized: https://datatracker.ietf.org/doc/html/draft-paine-smart-indicators-of-compromise
Htmlized: https://tools.ietf.org/html/draft-paine-smart-indicators-of-compromise-02
Diff: https://www.ietf.org/rfcdiff?url2=draft-paine-smart-indicators-of-compromise-02

Abstract:

Indicators of Compromise (IoCs) are an important technique in attack defence (often called cyber defence). This document outlines the different types of IoC, their associated benefits and limitations, and discusses their effective use. It also contextualises the role of IoCs in defending against attacks through describing a recent case study.

This draft does not pre-suppose where IoCs can be found or should be detected - as they can be discovered and deployed in networks, endpoints or elsewhere - rather, engineers should be aware that they need to be detectable (either by endpoints, security appliances or network-based defences, or ideally all) to be effective.

The purpose of this draft is to document both the operational issues, but also the best practices associated with use of IoCs today. This draft provides a foundation for proposals for new approaches to operational challenges in network security.

Please note that it may take a couple of minutes from the time of submission until the htmlized version and diff are available at tools.ietf.org.

The IETF Secretariat

This information is exempt under the Freedom of Information Act 2000 (FOIA) and may be exempt under other UK information legislation. Refer any FOIA queries to ncscinfoleg@ncsc.gov.uk. All material is UK Crown Copyright (c)