IETF Logo Mail Archive

Re: [Smart] Fw: New Version Notification for draft-paine-smart-indicators-of-compromise-00.txt

Eric Rescorla <ekr@rtfm.com> Fri, 27 March 2020 13:07 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: smart@ietfa.amsl.com
Delivered-To: smart@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1EA5E3A0883 for <smart@ietfa.amsl.com>; Fri, 27 Mar 2020 06:07:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pEsGv2ErCQCd for <smart@ietfa.amsl.com>; Fri, 27 Mar 2020 06:07:21 -0700 (PDT)
Received: from mail-lj1-x231.google.com (mail-lj1-x231.google.com [IPv6:2a00:1450:4864:20::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 608DE3A083F for <smart@irtf.org>; Fri, 27 Mar 2020 06:07:21 -0700 (PDT)
Received: by mail-lj1-x231.google.com with SMTP id p10so9890489ljn.1 for <smart@irtf.org>; Fri, 27 Mar 2020 06:07:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=Ah3FSXec4BT70r8LlONezvqRPvSHL1L6biFGr5POt+c=; b=1nP5nBHhh16NopK++q9vUxuqgZNUlFOi4IyaO2oP2HW7qdTAlGSe8CZ3gv40Z2SkEI LWKNgCgqZ4s9yS5qIkzQH+AzxPSG8fDtJGRYL9Az0DH59m8rb2vmqJ7pPdhsDV7xu8Aw zBaHeEqwjPaKOwi+yc0tyavyh4Yb36nI+UOZjfSuY4MgIBdvPmqNRkW4IhCOWZwULjum oHvcboMgk5fN6BPFa1aAKrn2jKuzrxp1+seBPFav2xxOuxpvuwmjNc/BI55/0j+4G1y+ OODVbzh7+tSZkCZ2CuXUEGbOlgKpw5FIzEzlIvL4JtTUNtUOZNXeSMRhqPbhE5UafYH3 tFYQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Ah3FSXec4BT70r8LlONezvqRPvSHL1L6biFGr5POt+c=; b=KD2VSMVbovIFnw8LtWWs/5k6FNfHKJHHf9ffqHx+/xEcZGF42XNASr5CnOwAjnonVQ ObBRQwRRYECUBumxhSGplokl6jGZ1AZP8kALSwcVkMstJowoyNWfr1MM2XgdS9DiFjtW GQNSiYtyo8OI8Ao3N0mm5h+CirrKMBZxte8ONUgPOeXoeExhK5RQL9wqBrg0hcL1gNQ/ e9u4d39AfS0LwdsaMiO4J3f98T95w1Ov6QFXMYneD1otg9aqBhJ4NPLHu2N+5RUZh+/J cSmZporsUKg0nJLGCfB+JEGZ3mrVGIfPkJqdt/5C0dTscvy3hju9epngVWGGLVqR3zyU PUcw==
X-Gm-Message-State: AGi0PuYb9FwHPNWwjEJywga61sJrOpZDWtzx9jAdvf2l3q060VvF/c/d sU3Em6vpaGFlk0lV2Gwy+ig/FCLg+03wApTQiOsJYTQ/Ud2Upg==
X-Google-Smtp-Source: APiQypIsNkgFBtevmQoKf14PyRJUlB/Dl52jaWpx7WC2HqVV1CC8mKy61ca2yf0JUqFq0ePz9RNscuwpAJh2liXJ+wE=
X-Received: by 2002:a2e:b0ee:: with SMTP id h14mr7141132ljl.35.1585314439253; Fri, 27 Mar 2020 06:07:19 -0700 (PDT)
MIME-Version: 1.0
References: <158349344094.2274.4065518603647811950@ietfa.amsl.com> <LNXP123MB23300837148D795BB004451DD7E30@LNXP123MB2330.GBRP123.PROD.OUTLOOK.COM>
In-Reply-To: <LNXP123MB23300837148D795BB004451DD7E30@LNXP123MB2330.GBRP123.PROD.OUTLOOK.COM>
From: Eric Rescorla <ekr@rtfm.com>
Date: Fri, 27 Mar 2020 06:06:42 -0700
Message-ID: <CABcZeBN4e-dW__Si39trLf=epSZn+EYu1yztLBs3TgdWOjceOg@mail.gmail.com>
To: Kirsty P <Kirsty.p=40ncsc.gov.uk@dmarc.ietf.org>
Cc: "smart@irtf.org" <smart@irtf.org>
Content-Type: multipart/alternative; boundary="0000000000000276eb05a1d5c876"
Archived-At: <https://mailarchive.ietf.org/arch/msg/smart/9Of3wMYBXoRD0Ahg5Po3AXfSgeg>
Subject: Re: [Smart] Fw: New Version Notification for draft-paine-smart-indicators-of-compromise-00.txt
X-BeenThere: smart@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Stopping Malware And Researching Threats <smart.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/smart>, <mailto:smart-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/smart/>
List-Post: <mailto:smart@irtf.org>
List-Help: <mailto:smart-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/smart>, <mailto:smart-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 27 Mar 2020 13:07:24 -0000

Document: draft-paine-smart-indicators-of-compromise-00.txt

Kirsty,

Thanks for sending this. I have attached some review comments
below.

To the SECDISPATCH questions, it's not clear to me that this fits that
well into any particular present venue. I agree it's useful to have
this information out there, but I guess my question would be: what do
you think the benefit of publishing this as an RFC is? Perhaps the
answer to that question would help us illuminate the best venue.

-Ekr

S 2.
   o  IP addresses

   o  domain names


   o  TLS Server Name Indicator values

"server name indication"

   o  certificate information

   o  signatures such as binary code patterns and strings

   o  hashes of malicious binaries or scripts

   o  attack tools, such as mimikatz [Mimikatz]

   o  attack techniques, such as Kerberos golden tickets [GoldenTicket]


This list seems like it would be clearer if it described where
things are found. Some of them (SNI) would be clear in context
but when you say "domain names" that's less clear. And I guess
"hashes of..." is on the device


S 3.2.

   The correspondence is one-to-many: simply blocking one IoC may
   protect thousands of users within an organisation.  Discovering one
   IoC can be intensive, but sharing IoCs via well-established routes
   such as the Malware Information Sharing Platform (MISP) [MISP] will
   protect thousands of organisations and end users.  The shareability
   and reproducibility of IoCs is a huge advantage; it allows a threat
   defender to look for things consistently and automate the process of
   defending their networks.  It doesn't require intensive training (as
   needed to, for example, manually analyse tipped machine learning
   events), nor does it require time-intensive resource to deploy IoCs.

This text seems kind of confusing, as it seems to conflate two
activities that might be termed "discovery" namely discovering new
IoCs and discovering that they are in play in a given network. For
instance, it's one thing to discover that attacker.com is run by an
attacker and thus that connections to it are probably an IoC and
another to discover that your users are connecting to attacker.com. I
think what might help here would be to have some kind of overview of
an IoC lifecycle. This isn't my area of expertise, but this might look
something like:

- Discovering that a given feature is an IoC
- Sharing that IoC to other entities via MISP or the like
- Deploying detection for that IoC
- Detecting IoCs on user computers
- Investigation, etc.


S 3.7.
   As an example, open source malware can be deployed by many different
   actors, each with their own "Tactics, Techniques and Procedures"
   (TTPs) and infrastructure.  However, if the same executable is used,
   the hash remains the same - and this IoC can be deployed in endpoints

Is there a reason you specify "open source"? Can't closed source malware
also be deployed by many different actors? Maybe you're connecting this
to the idea that you could recompile it with a different hash, but
one can actually quite easily change binaries to have the same function
but with different contents, which obviously changes the hash.


S 4.1.
   IoCs form a "Pyramid of Pain" [PoP] that can be used for prevention,
   detection and mitigation.  This represents how much pain it is: to an
   adversary to change and for the defender to gather.  The layers of
   the PoP range from hashes to TTPs and the pain ranges from
   recompiling code to creating a new attack strategy.

This seems to claim that there is a correspondence between how
easy it is for an adversary to change an IoC and a defender to
gather that IoC. That might be true, but it's not immediately
clear that it is in fact true. To take a concrete example,
gathering domain names seems much easier than gathering
hash values, though I agree with you that it's easier to
change hash values. It does seem like the fragility/precision
axis is more likely to align, but I haven't thought about that
too hard. In any case, if you think this is a deep connection,
I would encourage you to make that argument more explicit
rather than just providing examples.

S 4.4.
   contexts where ensuring endpoint security isn't possible such as
   "Bring Your Own Device" (BYOD), IoT and legacy environments.  Using
   these network level IoCs can also protect against a compromised
   endpoint as, even if the compromise passes unnoticed, the IoCs can
   still be checked against network traffic, allowing detection of the
   attack.  For example, in a BYOD environment, enforcing security
   policies on the device can be difficult, so non-endpoint IoCs and
   solutions are needed to allow detection of compromise even with no
   endpoint coverage.

It might be helpful here to note that a lot of those BYOD endpoints
already have their own mechanisms for processing and blocking IoCs
(this goes back to my point above about the various activities
one might have). For instance, Windows defender ships with
Windows and most browsers have some sort of safe browsing type
technology.

S 5.
   queries) for the organisations signed up to the service [ACD2019]. 28
   million of them were for domain generation algorithms (DGAs),
   including 15 known DGAs.  IoCs such as malicious domains can be put

This seems to be the first time you mention DGAs, which don't appear
in your pyramid of pain. i think it would be helpful to place them
there.









On Fri, Mar 6, 2020 at 4:29 AM Kirsty P <Kirsty.p=
40ncsc.gov.uk@dmarc.ietf.org> wrote:

>
> A new version of I-D, draft-paine-smart-indicators-of-compromise-00.txt
> has been successfully submitted by Kirsty Paine and posted to the
> IETF repository.
>
> Name:           draft-paine-smart-indicators-of-compromise
> Revision:       00
> Title:          Indicators of Compromise (IoCs) and Their Role in Attack
> Defence
> Document date:  2020-03-06
> Group:          Individual Submission
> Pages:          15
> URL:
> https://www.ietf.org/id/draft-paine-smart-indicators-of-compromise-00.txt
> Status:
> https://datatracker.ietf.org/doc/draft-paine-smart-indicators-of-compromise/
> Htmlized:
> https://tools.ietf.org/html/draft-paine-smart-indicators-of-compromise-00
> <https://tools.ietf..org/html/draft-paine-smart-indicators-of-compromise-00>
> Htmlized:
> https://datatracker.ietf.org/doc/html/draft-paine-smart-indicators-of-compromise
>
>
> Abstract:
>    Indicators of Compromise (IoCs) are an important technique in attack
>    defence (often called cyber defence).  This document outlines the
>    different types of IoC, their associated benefits and limitations,
>    and discusses their effective use.  It also contextualises the role
>    of IoCs in defending against attacks through describing a recent case
>    study.  This draft does not pre-suppose where IoCs can be found or
>    should be detected - as they can be discovered and deployed in
>    networks, endpoints or elsewhere - rather, engineers should be aware
>    that they need to be detectable (either by endpoint security
>    appliances or network-based defences, or ideally both) to be
>    effective.
>
>
>
>
> Please note that it may take a couple of minutes from the time of
> submission
> until the htmlized version and diff are available at tools.ietf.org.
>
> The IETF Secretariat
>
> This information is exempt under the Freedom of Information Act 2000
> (FOIA) and may be exempt under other UK information legislation. Refer any
> FOIA queries to ncscinfoleg@ncsc.gov.uk. All material is UK Crown
> Copyright ©
> --
> Smart mailing list
> Smart@irtf.org
> https://www.irtf.org/mailman/listinfo/smart
>

v2.23.0 | Report a Bug | By Email