Re: [Secdispatch] [Smart] New Version Notification for draft-lazanski-smart-users-internet-00.txt

Bret Jordan <> Mon, 15 July 2019 15:07 UTC

From: Bret Jordan <>
Date: Mon, 15 Jul 2019 09:07:19 -0600
Cc: Melinda Shore <>
To: Eliot Lear <lear@CISCO.COM>


However, many here assume that the endpoint can run security software, that security software is available for all endpoints, or that security software can be updated all at once across an organization/enterprise. Others also assume that if you just patched your software, you would be safe.  These assumptions are horribly wrong and go to show the fundamental lack of understanding.

The reason I called them out the way I did was I was trying to be explicitly clear on where the attack was coming from and what role the endpoint had in that attack. I did not want to assume that everyone understood the attack surface and threat model. 

So a client may initiate the connection to a compromised site or content. This is a very common case for initial infection.  However, once the threat actor is in the network, they often move laterally through the network and compromise machines where the attack is not initiated from the victim endpoint, but rather initiated from a compromised endpoint. So what you can see and do to protect your network changes. 

All of this is pretty basic network/cyber security 101 stuff.  What the IETF needs to know is how SOC analysts need and require sensors on the network, network log data, and DNS data to help identify these attacks and find them. We always had a saying when I was on the other side of the fence, “operating systems and software can always be made to lie, but the network never does.” Network analysis and network forensics are a critical part of the day-to-day analysis in a SOC.  This is often how intrusion sets are detected and threat actors' behavior in the network is tracked.  This is not about selling product as some believe. This is about organizations and enterprises protecting their systems, networks, and data.

PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."

> On Jul 15, 2019, at 2:01 AM, Eliot Lear <lear@CISCO.COM> wrote:
> Hi Bret,
>> 1) Is the content or content provider that the user is going to compromised and trying to attack the endpoint?
>> 2) Is the content provider that the user is going to a stage 2 delivery site?
>> 3) Is the content provider that the user is going to the location for outbound malicious content (data exfiltration, CnC traffic)
>> 4) Is the content provider that the user is going to adversely tracking and monitoring everything the end client does, aka active surveillance versus passive surveillance?
>> 5) Is the remote site that the user did not go to attacking the endpoint?
> While we tend to think of endpoints as being equivalent in class, in which case your use of the term “content provider” would be somewhat redundant, from a scaling perspective I am far more concerned about unwatched unmanaged endpoints than I am about content services.  And again, to me it is a matter of what problems I think might be tractable.
> Eliot
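The two network-side detections Bret's message argues for (lateral movement launched from an already-compromised endpoint, and the DNS telemetry a SOC uses to find command-and-control) as an added, self-contained example. This is not code from the thread or from either author; the record shapes, IP addresses, names, ports and thresholds are all constructed for the demonstration, loosely modelled on Zeek-style conn/dns log fields.

```python
"""Network-telemetry detections for two patterns named in the thread above.

Added example, not code from the thread or either author.  It runs over a
constructed, inline sample of flow records and DNS query records.  The record
shapes (ts, src, dst, dst_port) and (ts, src, name) are an assumption loosely
modelled on Zeek-style conn/dns logs; the IPs, names and thresholds are made up.

  1. lateral_fanout(): one internal host opening admin-port sessions
     (RPC/SMB/RDP/WinRM) to many distinct internal hosts in a short window,
     the footprint of a pivot from an already-compromised endpoint that a
     network sensor sees even when that endpoint runs no security agent.
  2. dns_beacons(): one host resolving one name at a near-constant interval,
     the footprint of an implant's command-and-control timer.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
import statistics

INTERNAL = (ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16"))
ADMIN_PORTS = {135, 445, 3389, 5985, 5986}  # RPC, SMB, RDP, WinRM http/https

# Constructed flow records: (ts_seconds, src_ip, dst_ip, dst_port).
FLOWS = (
    # 10.0.1.20 sweeps twelve hosts in 10.0.2.0/24 over SMB within ~4 minutes.
    [(1000 + 20 * i, "10.0.1.20", f"10.0.2.{i}", 445) for i in range(1, 13)]
    # 10.0.1.30 is an ordinary user: repeated SMB to one file server, plus web.
    + [(1000 + 300 * i, "10.0.1.30", "10.0.2.5", 445) for i in range(6)]
    + [(1010 + 90 * i, "10.0.1.30", "203.0.113.10", 443) for i in range(4)]
    # An outbound web flow from the pivot host, which on its own proves nothing.
    + [(1500, "10.0.1.20", "203.0.113.10", 443)]
)

# Constructed DNS query records: (ts_seconds, src_ip, query_name).
DNS = (
    # 10.0.1.20 resolves one name every ~60 s with one second of jitter.
    [(2000 + 60 * i + (i % 2), "10.0.1.20", "cdn-sync.example.test")
     for i in range(10)]
    # 10.0.1.30 resolves similar names on a human's irregular schedule.
    + [(2000 + t, "10.0.1.30", n) for t, n in (
        (3, "mail.example.test"), (47, "cdn-sync.example.test"),
        (250, "mail.example.test"), (251, "docs.example.test"),
        (900, "mail.example.test"), (905, "mail.example.test"),
        (1700, "mail.example.test"), (1720, "mail.example.test"),
        (2600, "mail.example.test"))]
)


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL)


def lateral_fanout(flows, window=600, min_targets=5):
    """Map src_ip -> sorted distinct internal targets for every internal host
    that reached >= min_targets distinct internal hosts on admin ports within
    some `window`-second span.  Sliding the window over time-sorted events makes
    a burst stand out even on a host that legitimately touches many machines
    spread across a whole day."""
    by_src = defaultdict(list)
    for ts, src, dst, port in flows:
        if port in ADMIN_PORTS and is_internal(src) and is_internal(dst):
            by_src[src].append((ts, dst))
    hits = {}
    for src, events in by_src.items():
        events.sort()
        best, lo = set(), 0
        for hi in range(len(events)):
            while events[hi][0] - events[lo][0] > window:
                lo += 1
            targets = {dst for _, dst in events[lo:hi + 1]}
            if len(targets) > len(best):
                best = targets
        if len(best) >= min_targets:
            hits[src] = sorted(best, key=ip_address)
    return hits


def dns_beacons(queries, min_count=6, max_cv=0.1):
    """Map (src_ip, name) -> mean interval for every host/name pair queried at
    least min_count times whose inter-query gaps have a coefficient of variation
    (stdev / mean) <= max_cv.  Timer-driven implants give a small cv; people and
    resolver caches do not."""
    by_key = defaultdict(list)
    for ts, src, name in queries:
        by_key[(src, name)].append(ts)
    hits = {}
    for key, stamps in by_key.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_cv:
            hits[key] = round(mean, 1)
    return hits


if __name__ == "__main__":
    for src, targets in lateral_fanout(FLOWS).items():
        print(f"lateral fan-out: {src} -> {len(targets)} hosts on admin ports")
    for (src, name), interval in dns_beacons(DNS).items():
        print(f"dns beacon: {src} asks for {name} every ~{interval}s")
```

On the constructed sample only the pivot host trips either check: the ordinary user hits one file server repeatedly and resolves names on an irregular schedule, so neither the fan-out threshold nor the low-jitter test fires for it. In production both checks need an allow-list (vulnerability scanners, jump hosts and software-distribution servers legitimately fan out on admin ports; monitoring agents legitimately resolve a name on a fixed timer), and the thresholds are tuning knobs, not constants.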