[Smart] When we say 'cyber'...

Mark O <Mark.O@ncsc.gov.uk> Thu, 04 October 2018 15:44 UTC

Return-Path: <Mark.O@ncsc.gov.uk>
X-Original-To: smart@ietfa.amsl.com
Delivered-To: smart@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2F633130E65 for <smart@ietfa.amsl.com>; Thu, 4 Oct 2018 08:44:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.446
X-Spam-Level:
X-Spam-Status: No, score=-2.446 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.456, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ncsc.gov.uk
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id I_p1OAes2M1e for <smart@ietfa.amsl.com>; Thu, 4 Oct 2018 08:44:42 -0700 (PDT)
Received: from GBR01-CWL-obe.outbound.protection.outlook.com (mail-eopbgr110094.outbound.protection.outlook.com [40.107.11.94]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A688712008A for <smart@irtf.org>; Thu, 4 Oct 2018 08:44:41 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ncsc.gov.uk; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=q/Ft18nW1KIxIrlCDt/ZsMnXgmuOLx/eDLPuWwGpKe8=; b=Ie7iJn9heLl7BrBqfX2PDD985N3XhOnQSXMfekpbcAGjBDiuPZ7RKkp6RFFln1bVYvceKsgEdhygMawYFaKEEphxdxKmOOlXDV4yOb1KrmiiwlDmj+/7HjHtA5IgTt6YeA+7apIWZIG6h7qtWGUr0rwDkBjB1tgAl2+yxYRZDws=
Received: from LOXP123MB1416.GBRP123.PROD.OUTLOOK.COM (10.166.255.18) by LOXP123MB1366.GBRP123.PROD.OUTLOOK.COM (10.166.254.151) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1207.23; Thu, 4 Oct 2018 15:44:38 +0000
Received: from LOXP123MB1416.GBRP123.PROD.OUTLOOK.COM ([fe80::d433:d1b5:fa5b:e1df]) by LOXP123MB1416.GBRP123.PROD.OUTLOOK.COM ([fe80::d433:d1b5:fa5b:e1df%5]) with mapi id 15.20.1207.022; Thu, 4 Oct 2018 15:44:38 +0000
From: Mark O <Mark.O@ncsc.gov.uk>
To: "smart@irtf.org" <smart@irtf.org>
Thread-Topic: When we say 'cyber'...
Thread-Index: AdRb+MuvGdbud9dwRr+3TL9bSAhVog==
Date: Thu, 4 Oct 2018 15:44:38 +0000
Message-ID: <LOXP123MB14168BB24E88B846C5055842D3EA0@LOXP123MB1416.GBRP123.PROD.OUTLOOK.COM>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Mark.O@ncsc.gov.uk;
x-originating-ip: [51.140.114.144]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; LOXP123MB1366; 6:pq6Cf/gBCsQVxOMHqwy9bT5l7ZYLpcDSyzPwpKFQahvvccQU9bcStUPqWtWfK1m5faYaijlne5EVnDJutiXvaJ+Zhey9NSa1Et5NDJCImcw1ttK9fw9cNirsD2j4Jlq9CLDpfHh6qQp0Bbo2tSS2WarWvamQP6T7N9CakmheyuWTJanJ5Lu7hGadNs9yyQbNeNk0JT/sSrFxJ3MsIrEq5pT7rnlKKnpBZhTgX4GoTO5TyzWEF63GD12VkNgNlUobpqFN0L8zyfsi6wF4LsbcUsg9XlXlzC+NHg4sHwJ/nPqhoKlb02cNzaw3wtUdD0TPnb12VMxeKKDZ3gg0Nw2PDsSIbM/Qauz4xTieXYzccFBf/Vu76Kf+BjYg0V+d4cX24w0tuy3W9SJ/ynnc7VNXbKDWJAzs/GW82m0V23R/bxGe7utzQjzXflmpTaQ62F6yG+B70xmwvQKMqQj7GK6M7A==; 5:Tq0skPzYgPAA9W2a1SOx4ig0xFBCF1hcC06Bm/NCjy6mXEmFH54wqItIcIW4ml7e9C7fzZ3XdSwPBGl/yOS5EpUmlCpIUYa4ndtGPRSwHi6G9vhedX8mRiUAWMt8SOoMIydXTyo2UsfyAjYpYDSxeLq5nPtJ+ktlV1JdnwRukaQ=; 7:GMeklc4dpDFRS665LsrqU6iB85nJw5AGyjtIJM1kZeezNZZyaaeGT8PhnELKFr7a/ZcjanSXJkQ2XMXinJRcfg/ydJzkwcU6m3OO5kTvfl0xDON/Ihv3dxNnqSfJh+9iw2JFcdekR/emJYx5XraEWy3b81xDzkHjsomK4zVZGUxHwymaoDKTykIgx5nK30j8vCpJeIOCNI0zAqZvtJpCUrhwGWo1D6ESEEkequDaLdtHiTWY724VWRqKT+sgLi3S
x-ms-exchange-antispam-srfa-diagnostics: SOS;
x-ms-office365-filtering-correlation-id: ff5fd08b-dcf9-4fbe-b029-08d62a104b13
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(7020095)(4652040)(8989299)(4534185)(7168020)(4627221)(201703031133081)(201702281549075)(8990200)(5600074)(711020)(2017052603328)(7153060)(7193020); SRVR:LOXP123MB1366;
x-ms-traffictypediagnostic: LOXP123MB1366:
x-microsoft-antispam-prvs: <LOXP123MB13667CC36F7B9F5A833A2B8DD3EA0@LOXP123MB1366.GBRP123.PROD.OUTLOOK.COM>
x-exchange-antispam-report-test: UriScan:(192374486261705)(27231711734898)(21748063052155)(28532068793085)(190501279198761)(227612066756510)(66739203006769);
x-ms-exchange-senderadcheck: 1
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(8211001083)(6040522)(2401047)(8121501046)(5005006)(93006095)(93001095)(10201501046)(3002001)(3231355)(944501410)(52105095)(149066)(150057)(6041310)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(20161123562045)(20161123564045)(20161123560045)(20161123558120)(201708071742011)(7699051); SRVR:LOXP123MB1366; BCL:0; PCL:0; RULEID:; SRVR:LOXP123MB1366;
x-forefront-prvs: 0815F8251E
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(136003)(396003)(366004)(39850400004)(376002)(346002)(189003)(199004)(5660300001)(99286004)(2351001)(86362001)(66066001)(106356001)(476003)(316002)(55236004)(33656002)(7736002)(74482002)(97736004)(5250100002)(6506007)(7696005)(606006)(105586002)(186003)(486006)(2501003)(102836004)(75922002)(26005)(6916009)(5640700003)(55016002)(81166006)(81156014)(6436002)(2906002)(2900100001)(9686003)(66574009)(54896002)(6306002)(478600001)(236005)(8936002)(53936002)(72206003)(14444005)(71190400001)(71200400001)(68736007)(5630700001)(3846002)(790700001)(6116002)(1730700003)(256004)(74316002)(25786009)(14454004)(8676002); DIR:OUT; SFP:1102; SCL:1; SRVR:LOXP123MB1366; H:LOXP123MB1416.GBRP123.PROD.OUTLOOK.COM; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: ncsc.gov.uk does not designate permitted sender hosts)
x-microsoft-antispam-message-info: 0KZxsf4tDGW1cHJzR1N5NW8gl/Yi+etrMuUBB6R9XdLSqo+ekJn/DYhXl1XT9BRXbKiJKMfEvFBoerGJkUQpqn+BetcgSLDvygyD1PnsA8Xsi/O1pStuKijOWxhGUJp5F/71052HTtJuxYKoC9kXFkjEt4t/kE4JwgJqiki5DV8EpCFfNNOQ5/D96OHX+gOhvyKiFR6K+a5FywFxQJAET5/XTgjeQg5yk5dPCG8O/3hedfSAFFbKYMOqKnph035q0yQwW4Q8gKoHUZ8HAIAmEfl83iuznPQKY1Xp0FlBEpF+ZqzKKpX2dSYsN6acojDdf/l1jWrfcZyxENiWhMgc4IGjmlRCd2J3QG7cqJFFgvM=
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_LOXP123MB14168BB24E88B846C5055842D3EA0LOXP123MB1416GBRP_"
MIME-Version: 1.0
X-OriginatorOrg: ncsc.gov.uk
X-MS-Exchange-CrossTenant-Network-Message-Id: ff5fd08b-dcf9-4fbe-b029-08d62a104b13
X-MS-Exchange-CrossTenant-originalarrivaltime: 04 Oct 2018 15:44:38.5967 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 14aa5744-ece1-474e-a2d7-34f46dda64a1
X-MS-Exchange-Transport-CrossTenantHeadersStamped: LOXP123MB1366
Archived-At: <https://mailarchive.ietf.org/arch/msg/smart/2_B0vEp1O1bs8Wm0NEas0Qgf-6c>
Subject: [Smart] When we say 'cyber'...
X-BeenThere: smart@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Stopping Malware And Researching Threats <smart.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/smart>, <mailto:smart-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/smart/>
List-Post: <mailto:smart@irtf.org>
List-Help: <mailto:smart-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/smart>, <mailto:smart-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 04 Oct 2018 15:44:45 -0000


There's been some discussion on the list about what to call the main topic of our research. We settled on the name 'SMART' - Stopping Malware And Researching Threats - for the list because it covered a couple of our major aims and made for a handy acronym. But it's not the whole of our ambition.



When we first mooted the possibility of a research group at the SAAG open meeting in Montreal, we referred to 'Cyber Defence'. That's [part of] what we do at the National Cyber Security Centre - we have an Active Cyber Defence<https://www.ncsc.gov.uk/active-cyber-defence> programme, aimed at improving the resistance of UK infrastructure to cyber attacks. So the word 'cyber' trips easily off our tongues. It's not just us - large parts of industry and academia refer to 'cyber security' and 'cyber attacks', as do the media. But we're also aware that 'cyber' means different things to different people, it's a buzzword, it's generic, and it can raise hackles in some. Earlier versions of the draft charter referred to 'cyber security', 'cyber defence', 'security operations', and the current version refers to the rather plain 'attack defence'. Hopefully without getting side-tracked - what speaks best to most people?



Ultimately, we don't have a strong view on what phrase is used - the important point is that it's clear and obvious what type of threats we're trying to defend against (without being prescriptive). So it's probably more helpful to try and build a list of the kind of threats we're meaning.



As a general theme, the threats we're considering:

  *   have malicious intent - as opposed to accidental threats (e.g. hardware failure causing data loss);
  *   involve active interference with data, users or the network - as opposed to passive wiretapping and offline attacks; and
  *   result in harm.



We probably will need to reference a taxonomy of threats, and we needn't reinvent the wheel here - that work has been done before. ENISA has produced one such threat taxonomy<https://www.enisa.europa.eu/topics/threat-risk-management/threats-and-trends/enisa-threat-landscape/etl2015/enisa-threat-taxonomy-a-tool-for-structuring-threat-information> which I've used to construct the list below. This is just a starting point - there will be some things I've missed off, and I certainly can't promise that we'll be able to address all of them:

  *   Unsolicited e-mail - spam and infected e-mails; links to malicious websites
  *   Identity theft - stealing credentials
  *   Denial of service - DDoS, network and application layer, amplification attacks
  *   Malware, worms, trojans, rootkits, injection attacks, viruses, exploits
  *   Spyware, scareware, ransomware
  *   Social engineering - phishing, spear-phishing
  *   Fake certificates, MITM, signed malware
  *   Manipulation of hardware and software
  *   Manipulation of information - hijacking, routing table manipulation, DNS poisoning
  *   Misuse of audit tools to discover security weaknesses
  *   Unauthorised access, network intrusion
  *   Unauthorised installation of software, web/browser-based attacks, drive-by downloads
  *   Data breach
  *   Remote execution, botnets
  *   Advanced Persistent Threats

Note that 'cyber' doesn't appear in the list once - and that's OK.



Is that what everyone's expecting? This is still up for grabs and we'd like everyone to have the same, clear view of what we're trying to achieve.



-- Mark



This information is exempt under the Freedom of Information Act 2000 (FOIA) and may be exempt under other UK information legislation. Refer any FOIA queries to ncscinfoleg@ncsc.gov.uk