Re: [Smart] SMART Problems

Bret Jordan <> Thu, 11 October 2018 15:00 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 27076130EC4 for <>; Thu, 11 Oct 2018 08:00:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.017
X-Spam-Status: No, score=-1.017 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_FONT_FACE_BAD=0.981, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id akEFBKJX5aoG for <>; Thu, 11 Oct 2018 08:00:51 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:4864:20::b44]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 64BF9130E7C for <>; Thu, 11 Oct 2018 08:00:51 -0700 (PDT)
Received: by with SMTP id p74-v6so3710185ybc.9 for <>; Thu, 11 Oct 2018 08:00:51 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=5FftEKK5St9MZMOg/lSwE9xWF5jb9HJWU9OUdS+Ly4Q=; b=JgHGgr5uJF0fML4SJzWV0xi+QaXM0MpbLZEZfDsKJXDGGvRqIEphi+Uwzf8fMEIuhr Q0glxW0CdbUOZ200l70fazn+rlG6nEzeujzqi9ccX5XNJ4CWPs1R4lQS7+NTOs6psqR0 ljBcRd1PFE+bZOtzHiLCsP96tVVcMSeh/CJCd7vEGycslvPD3HXOXV1Vc3u7MdCw3H2d bJXxDYgf48k1mZzukwEUVECYLw85Pc5EqbKJi0gzV49J1vBiCzi5oAtn18mwx8ZxSNsn C0G0YZBZIpDAhLrimQ1wOb7fkrA1asya4PwvVmikxGfYOITB9xi3uXb85x2HGT1vlFRP 6L2Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=5FftEKK5St9MZMOg/lSwE9xWF5jb9HJWU9OUdS+Ly4Q=; b=iAuFpkiFwEXzIPrcR0iMM3aQvA11JPAYoO21p9wLaNg1bv1QWyWCpVTbSsCsIOQdve XTG3ThY5otRtFF8UtQV9s8fNUqIYcDIxr8mYWquRGyN1Sn/9cvGG/4mH8HMO5/aetkyl ZvdiV8oQZFevHuFOXDa06C2EU13SjlerCFpMe5FDOaZuDt2O+ZsJNZxjYq4Flj1Qm/Mg qTIiBiY0eeOJgEOG+GABZCYIL2NBDT1mPvPzDCwSDvuqs8wsF76SMFCLNiulFPSjGsgR fWAaC7bk4C5NsJTgGF4/g0iNpQqIVyHlitWkk3dVH5l0yhY7Cqt+h7q/HwdW++wKl2MO oZbQ==
X-Gm-Message-State: ABuFfohRUSnju1occNnXEQeWE92mktBtADSkZrIhLTMX/rMY5QzK4caM +j1zf7ZFN8hN0I8ugFnI10g=
X-Google-Smtp-Source: ACcGV62M73MsWfrF8u5gYIX0pjl3zNjRTzQFqA06E/stDmwEz74nPMRADDarv+uAw1DSiJP0/NLSqA==
X-Received: by 2002:a25:4c05:: with SMTP id z5-v6mr1017794yba.196.1539270050582; Thu, 11 Oct 2018 08:00:50 -0700 (PDT)
Received: from ?IPv6:2605:a601:3260:266:7534:8ac9:bb4c:ce9d? ([2605:a601:3260:266:7534:8ac9:bb4c:ce9d]) by with ESMTPSA id n62-v6sm9060234ywf.105.2018. (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 11 Oct 2018 08:00:48 -0700 (PDT)
From: Bret Jordan <>
Message-Id: <>
Content-Type: multipart/alternative; boundary="Apple-Mail=_863FBE37-8132-4BEF-886A-BE705BB7EAC8"
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
Date: Thu, 11 Oct 2018 09:00:10 -0600
In-Reply-To: <MMXP123MB0847F8E35DC83EF7294AD7E3D7E10@MMXP123MB0847.GBRP123.PROD.OUTLOOK.COM>
Cc: "" <>
To: Kirsty P <>
References: <MMXP123MB0847BB4C2D2B7E9FB2441383D7EF0@MMXP123MB0847.GBRP123.PROD.OUTLOOK.COM> <MMXP123MB0847F8E35DC83EF7294AD7E3D7E10@MMXP123MB0847.GBRP123.PROD.OUTLOOK.COM>
X-Mailer: Apple Mail (2.3445.9.1)
Archived-At: <>
Subject: Re: [Smart] SMART Problems
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Stopping Malware And Researching Threats <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 11 Oct 2018 15:00:58 -0000


Zero Trust, Borderless Networks, Firewall-less networks (Google’s BeyondCorp), LTE5, Direct-to-net / Direct-to-Telco, Employee owned devices, SDN, TLS1.3, DOH + DNSSEC, QUIC, Cloud Services, MicroServices, etc are going to collectively wreck havoc with traditional network defense. By themselves they are all manageable and great additions to the performance, management, security, and privacy of the network, however, when you start connecting all of these technologies together as a single solution, it is going to pose some serious challenges.

In a past life we had a saying that  “endpoints, operating systems, and software can all be made to lie, but the network never does. At some point the traffic has to flow over the network”.  So making sure we understand the risks associated with assuming that all security can be done on the endpoint, would be good. 

Understanding the risks of overlay protocols. What happens if organizations, ISPs, Telcos, start wrapping some of our secure protocols with less secure protocols to make them work across their networks. 

PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."

> On Oct 11, 2018, at 2:58 AM, Kirsty P <> wrote:
> Hi everyone,
> We've heard from a few people on these initial ideas, but more discussion is welcome - are there any problems we're missing and should be focusing on? 
> Kirsty
> From: Kirsty P
> Sent: 01 October 2018 14:22
> To: <>
> Subject: SMART Problems
> Hi SMART folks,
> I promised an initial problems list that the group could be working on, so here it is! Please comment and/or add your own research ideas/existing projects those we've sketched out below...
> Kirsty
> Assessment methodology: Systematic analysis of attack defence impacts requires an evidence-based methodology. Research will start with a survey of existing attacks and existing detection methods. The information used by each detection method from Internet protocols and other sources (such as endpoints) shall be identified. Further research will determine the relative effectiveness of each detection method against each attack. In doing so, this research will define methodologies for detection, as known attacks change and detection methods develop. These methodologies can be used to provide the basis of evidence for assessment of protocol impact.
> Certificate Transparency: Certificate transparency can be used to spot mis-issued certificates for domains. But do certificate transparency logs highlight malicious domains? More research is needed to determine the effectiveness of this technology in finding malicious sites.
> DMARC: Implementation of DMARC across government correlates with the numbers of phishing emails claiming to be from these domains dropping dramatically. Research is needed to ascertain the exact effects of implementing this protocol and to discover what impact, if any, this has had on the behaviour of the actors behind such phishing emails.
> DNS: As protocols to encrypt DNS traffic are implemented and newly-proposed designs surface, existing techniques for restricting DNS lookups to blacklisted domains may be impacted and could increase the risk from malware to a network. The IRTF can bring together network operators and protocol experts to research and discover new ways to provide this security as DNS traffic becomes encrypted.
> IPv6: Adoption of IPv6 is now widespread, with statistics from 2017 indicating that 23% of networks advertise IPv6 connectivity. Evidence-based research is needed to establish what benefits or risks come from IPv6 adoption in terms of attack defence, and to find recommendations to optimise defence protections.
> TLS: With a new version of TLS recently standardised, existing attack defence methods need to adapt as implementations begin to adopt it. This area of research needs to grow quickly, with key questions such as: “Can malware be detected when it uses TLS 1.3? If so, how?” The IRTF is the ideal place to stimulate this thread of work, to bring together members with protocol expertise and members with defence experience.
> UDP: Some firewalls and middleboxes simply block UDP, in their efforts to protect networks from malicious traffic – so much so that this issue was considered in the design of QUIC. When QUIC is standardised, UDP traffic will only grow in volume, and it will be more important than ever to research techniques for detecting malicious activity in encrypted UDP streams, enabling a better malware defence than simply blocking UDP traffic in future.
> This information is exempt under the Freedom of Information Act 2000 (FOIA) and may be exempt under other UK information legislation. Refer any FOIA queries to <> -- 
> Smart mailing list
> <>
> <>