Re: [OPSEC] WGLC: draft-ietf-opsec-indicators-of-compromise

Andrew S2 <andrew.s2@ncsc.gov.uk> Thu, 11 August 2022 11:26 UTC

From: Andrew S2 <andrew.s2@ncsc.gov.uk>
To: Jaimandeep Singh <jaimandeep.phdcs21=40nfsu.ac.in@dmarc.ietf.org>, Jen Linkova <furry13@gmail.com>
CC: opsec WG <opsec@ietf.org>, OpSec Chairs <opsec-chairs@ietf.org>, "draft-ietf-opsec-indicators-of-compromise.authors@ietf.org" <draft-ietf-opsec-indicators-of-compromise.authors@ietf.org>
Date: Thu, 11 Aug 2022 11:25:52 +0000

Hi Jaimandeep,

Thanks very much for your feedback on the draft. My replies to each of your points, and some questions, are below.

1. The draft has been adopted by the OPSEC WG as a working group document, and we believe it meets the group's charter as it documents current best practice around how IoCs are used and shared. It's not designed as a taxonomy or problem statement.

2. You're right that use of those more fragile IoCs is well established amongst those defending networks, but is not necessarily generally well known in the IETF community. We don't think there is a previous document that captures that best practice.

3. Exactly how IoCs are extracted will depend on the organisation and the tooling being used (and may rely on manual analysis), so we see that as out of scope for this document. This document focuses more on using and sharing those IoCs. Would a more detailed treatment of what might constitute e.g. attacker TTPs and tooling, and how you might be able to find them, be helpful?

With regard to your final point on specific protocols, do you have a specific area of concern or detail that you think the document should cover? We were aiming this document more to be a reference for the general technique of IoCs and how they are best used in current practice. Hence we had tried to keep the document relatively protocol agnostic, rather than cataloguing all of the different types of IoC in use that are drawn from IETF protocols or providing detailed guides on how to extract them. In particular, we think a more general overview is a more useful reference for those designing protocols when thinking about what metadata, that could be used as IoCs, their design may include.

Thanks,
Andrew

From: OPSEC <opsec-bounces@ietf.org> On Behalf Of Jaimandeep Singh
Sent: 05 August 2022 03:31
To: Jen Linkova <furry13@gmail.com>
Cc: opsec WG <opsec@ietf.org>; OpSec Chairs <opsec-chairs@ietf.org>; draft-ietf-opsec-indicators-of-compromise.authors@ietf.org
Subject: Re: [OPSEC] WGLC: draft-ietf-opsec-indicators-of-compromise

Dear All,
I am not in favour of adopting the draft at this stage because of the following concerns:

1. In my opinion, the draft falls under the category of Taxonomy and Problem Statement Documents, as it is mostly filled with definitions and theory.

2. It does not provide for any protocols, tools and technologies that are used to address the threat except for hashes of emails/IPs/Domain Names, which are already well established and do not add any additional value to the draft document.

3. The examples of Cobalt Strike and APT33 bring out no concrete ways in which the IOCs could be extracted. It is the same old technique of hashes of emails/IPs/Domain Names.

In my opinion, there is a definite requirement of working and brainstorming on the issue before the final call for adoption. We can look at picking up specific protocols such as HTTP/1/2/3, OAuth 2.0 and then work on the IOCs that can be extracted from these specific protocols.

Regards
Jaimandeep Singh

On Thu, Jul 28, 2022 at 5:02 AM Jen Linkova <furry13@gmail.com> wrote:
This email starts a WG Last Call for draft-ietf-opsec-indicators-of-compromise
https://datatracker.ietf.org/doc/draft-ietf-opsec-indicators-of-compromise/

The WGLC finishes on Sunday, Aug 14th, 25:59 UTC.

The chairs are looking for people who would review the document and
respond to the list stating their support (or concerns regarding)
advancing the draft.

Thank you!
--
SY, Jen Linkova aka Furry

_______________________________________________
OPSEC mailing list
OPSEC@ietf.org
https://www.ietf.org/mailman/listinfo/opsec