Re: [Smart] SMART Problems

Kirsty P <Kirsty.p@ncsc.gov.uk> Thu, 11 October 2018 08:58 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/smart/fSSyPW0TMuYvphNzhGsi6g0F7hM>
List-Id: Stopping Malware And Researching Threats <smart.irtf.org>

Hi everyone,


We've heard from a few people on these initial ideas, but more discussion is welcome - are there any problems we're missing and should be focusing on?


Kirsty


________________________________
From: Kirsty P
Sent: 01 October 2018 14:22
To: smart@irtf.org
Subject: SMART Problems


Hi SMART folks,


I promised an initial problems list that the group could be working on, so here it is! Please comment and/or add your own research ideas/existing projects to those we've sketched out below...


Kirsty

  *   Assessment methodology: Systematic analysis of attack defence impacts requires an evidence-based methodology. Research will start with a survey of existing attacks and existing detection methods. The information used by each detection method from Internet protocols and other sources (such as endpoints) shall be identified. Further research will determine the relative effectiveness of each detection method against each attack. In doing so, this research will define methodologies for detection, as known attacks change and detection methods develop. These methodologies can be used to provide the basis of evidence for assessment of protocol impact.
  *   Certificate Transparency: Certificate transparency can be used to spot mis-issued certificates for domains. But do certificate transparency logs highlight malicious domains? More research is needed to determine the effectiveness of this technology in finding malicious sites.
  *   DMARC: Implementation of DMARC across government correlates with the numbers of phishing emails claiming to be from these domains dropping dramatically. Research is needed to ascertain the exact effects of implementing this protocol and to discover what impact, if any, this has had on the behaviour of the actors behind such phishing emails.
  *   DNS: As protocols to encrypt DNS traffic are implemented and newly-proposed designs surface, existing techniques for restricting DNS lookups to blacklisted domains may be impacted and could increase the risk from malware to a network. The IRTF can bring together network operators and protocol experts to research and discover new ways to provide this security as DNS traffic becomes encrypted.
  *   IPv6: Adoption of IPv6 is now widespread, with statistics from 2017 indicating that 23% of networks advertise IPv6 connectivity. Evidence-based research is needed to establish what benefits or risks come from IPv6 adoption in terms of attack defence, and to find recommendations to optimise defence protections.
  *   TLS: With a new version of TLS recently standardised, existing attack defence methods need to adapt as implementations begin to adopt it. This area of research needs to grow quickly, with key questions such as: “Can malware be detected when it uses TLS 1.3? If so, how?” The IRTF is the ideal place to stimulate this thread of work, to bring together members with protocol expertise and members with defence experience.
  *   UDP: Some firewalls and middleboxes simply block UDP, in their efforts to protect networks from malicious traffic – so much so that this issue was considered in the design of QUIC. When QUIC is standardised, UDP traffic will only grow in volume, and it will be more important than ever to research techniques for detecting malicious activity in encrypted UDP streams, enabling a better malware defence than simply blocking UDP traffic in future.
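An added example for the TLS item above (it is not part of Kirsty's list or any NCSC code): it constructs a minimal TLS 1.3 ClientHello and parses back the fields that still travel in cleartext (SNI, ALPN, offered versions, cipher suites). Those fields are the metadata a passive detection method has to work from once the rest of the handshake is encrypted; the hostname and protocol names are constructed sample values.

```python
import struct

# Constructed sample input: a minimal TLS 1.3 ClientHello with SNI, ALPN and supported_versions.
def build_client_hello(sni, alpn):
    name = sni.encode()
    entry = struct.pack("!BH", 0, len(name)) + name              # host_name entry
    sni_ext = struct.pack("!HHH", 0x0000, len(entry) + 2, len(entry)) + entry
    protos = b"".join(bytes([len(p)]) + p.encode() for p in alpn)
    alpn_ext = struct.pack("!HHH", 0x0010, len(protos) + 2, len(protos)) + protos
    ver_ext = struct.pack("!HHBH", 0x002b, 3, 2, 0x0304)         # offers TLS 1.3 only
    exts = sni_ext + alpn_ext + ver_ext
    body = (b"\x03\x03" + bytes(32) + b"\x00"                    # legacy ver, random, no session id
            + struct.pack("!H", 2) + b"\x13\x01"                 # TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                                        # null compression
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body           # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs     # record layer: handshake

# Parse the cleartext ClientHello fields a passive sensor can still read under TLS 1.3.
def parse_client_hello(rec):
    if rec[0] != 0x16:
        raise ValueError("not a handshake record")
    hs = rec[5:5 + struct.unpack("!H", rec[3:5])[0]]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 34                                   # legacy_version (2) + random (32)
    pos += 1 + body[pos]                       # legacy_session_id
    n = struct.unpack("!H", body[pos:pos + 2])[0]
    suites = [body[i:i + 2].hex() for i in range(pos + 2, pos + 2 + n, 2)]
    pos += 2 + n
    pos += 1 + body[pos]                       # legacy_compression_methods
    pos, end = pos + 2, pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    info = {"sni": None, "alpn": [], "tls13": False, "cipher_suites": suites}
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype == 0x0000:                    # server_name: list len, type, name len, name
            info["sni"] = data[5:5 + struct.unpack("!H", data[3:5])[0]].decode()
        elif etype == 0x0010:                  # ALPN: list len, then length-prefixed names
            p = 2
            while p < len(data):
                info["alpn"].append(data[p + 1:p + 1 + data[p]].decode())
                p += 1 + data[p]
        elif etype == 0x002b:                  # supported_versions: count byte, 2-byte versions
            info["tls13"] = b"\x03\x04" in [data[i:i + 2] for i in range(1, 1 + data[0], 2)]
    return info
```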



This information is exempt under the Freedom of Information Act 2000 (FOIA) and may be exempt under other UK information legislation. Refer any FOIA queries to ncscinfoleg@ncsc.gov.uk