Independent Submission                                      D. Lazanski
Internet Draft                                         Last Press Label
Intended status: Informational                            January 6, 2023
Expires: July 6, 2023

                   A User-Focused Internet Threat Model

Status of this Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-

   Internet-Drafts are draft documents valid for a maximum of six
   months and may be updated, replaced, or obsoleted by other documents
   at any time.  It is inappropriate to use Internet-Drafts as
   reference material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at

   The list of Internet-Draft Shadow Directories can be accessed at

   This Internet-Draft will expire on July 6, 2023.

Copyright Notice

   Copyright (c) 2020 IETF Trust and the persons identified as the
   document authors. All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   ( in effect on the date of
   publication of this document. Please review these documents
   carefully, as they describe your rights and restrictions with
   respect to this document. Code Components extracted from this
   document must include Simplified BSD License text as described in
   Section 4.e of the Trust Legal Provisions and are provided without
   warranty as described in the Simplified BSD License.

Lazanski               Expires July 6, 2023                [Page 1]

   Internet-Draft A User-Focused Internet Threat Model      January 2023


RFC 3552 introduces a threat model that does not include endpoint
security. Yet increasingly protocol development is making assumptions
about endpoint security capabilities which have not been defined. RFC
3552 is 17 years old and threat landscape has changed. Security issues
and cyber attacks have increased and there are more devices, users, and
applications on the endpoint than ever. This draft proposes a new
approach to the Internet threat model which will include endpoint
security, focus on users and provide an update to the threat model in
RFC 3552. It brings together Security Considerations for Protocol
Designers draft-lazanski-protocol-sec-design-model-t-05 which is a
comprehensive document that lists threats, attack vectors, examples and
considerations for designing protocols, as well as draft-taddei-smart-
cless-introduction-03 which lays out security concerns, capabilities
and limitations for endpoints in general and draft-mcfadden-smart-
endpoint-taxonomy-for-cless-02 which outlines a clear taxonomy for
endpoint security and identifies changes in technology, economic and
protocol development that has impacted and changed endpoint security.
Taken together these drafts reflect a comprehensive and clear set of
security threats and design considerations for the Internet.

Table of Contents

   1. Introduction...................................................2
   2. A History of Data Breaches.....................................3
   3. Botnets........................................................6
   4. Emerging Threats...............................................7
   5. Impacts........................................................8
   6. Guidelines.....................................................8
   7. A New Internet Threat Model....................................9
   8. Way Forward....................................................9
   9. Security Considerations.......................................10
   10. IANA Considerations..........................................10
   11. Conclusions..................................................11
   12. References...................................................11
      12.1. Informative References..................................11
   13. Acknowledgments..............................................13

1. Introduction

   Data breaches continue to be on the rise: personal data is stolen
   and often leaked or sold on a never-before-seen scale. Malware and
   ransomware attacks impact the most vulnerable in our global
   societies today. Better security results in better privacy through

Lazanski               Expires July 6, 2023                [Page 2]

   Internet-Draft A User-Focused Internet Threat Model      January 2023

   prevention of these breaches. However, even though the IETF is
   privacy-focused, Internet architecture has radically changed without
   much consideration during the protocol development process for cyber
   defence or its outcomes.

   In recent years, this has obsoleted many systems, technologies and
   programmes which use Internet protocols for prevention, detection
   and mitigation of cyber attacks. RFC 7258 established that
   "Pervasive Monitoring" is an attack on privacy that needs to be
   mitigated where possible. Furthermore, RFC 3552 assumes that the
   endpoints involved in a communications exchange have not been
   compromised, but that the attacker has near complete control over
   the network between the endpoints rather than the endpoints
   themselves.  These assumptions have led to a focus on communications
   security and the development of protocols that place this kind of
   security above all else. Ironically - or coincidentally - as the
   development of these protocols have taken place over the last
   several decades, there has been and continues to be a sharp rise in
   cyber attacks. The Internet threat model in RFC 3552 does not even
   mention that the greatest threat to the Internet is the growing
   scale and variety of cyber attacks against all types of endpoints
   that is resulting in significant data breaches. This now needs to

   The rest of this document is as follows. Sections 2 and 3 focus on a
   sample of the most recent data breaches in order to demonstrate how
   cybersecurity issues have changed in over 15 years. Section 4 lays
   out a few of the many emerging threats while section 5 discussions
   impacts. Section 6 proposes updating the threat model and finally
   Section 7 discusses work underway and a way forward.

2. A History of Data Breaches

   A data breach is an incident where data is inadvertently exposed in
   a vulnerable system, usually due to insufficient access controls or
   security weaknesses in the software.[1] In the first six months of
   2018 alone, Gemalto reported that there were 945 data breaches
   resulting in 4.5 billion records being compromised.[2] This section
   describes some recent cyber attacks on the Internet that led to data
   breaches. But these are only a handful of breaches that have been
   made public. So many more go unreported in the public. Data breaches
   are one of the top issues in cybersecurity today. IBM's 13th "Cost
   of a Data Breach" study found that the global average cost of a data
   breach in 2018 was $3.86 million.[3] That is the average cost of one
   - not many - data breaches.

Lazanski               Expires July 6, 2023                [Page 3]

   Internet-Draft A User-Focused Internet Threat Model      January 2023

   In October 2013, Adobe announced that hackers had stolen nearly 3
   million encrypted customer credit card details and the IDs and
   encrypted passwords of 35 million customers.[4]

   In December 2013, the retailer Target announced that 40 million
   credit card records and personal details for a further 70 million
   customers had been compromised. A report from Verizon indicated that
   after one week, 86percent of passwords used by Target had been
   cracked and Verizon's security consultants were able to move about
   with complete freedom on Target's internal network.[5]

   In May 2014, eBay notified 145 million users to change their
   passwords following a cyber attack that compromised encrypted
   passwords, customer names, email addresses, mailing addresses, phone
   numbers and dates of birth.[6]

   In July 2015, a commercial website that enabled extramarital affairs
   (called Ashley Madison) was breached; a month later, more than 25GB
   of company data, including user details, was leaked. The ethics and
   impact on human rights of this breach are particularly notable, as
   it resulted in at least one confirmed suicide.[7]

   In 2016, Uber was breached, giving hackers access to the names,
   email addresses and phone numbers of 57 million riders and drivers.
   600,000 US drivers had their names and license plate numbers stolen.
   The current assessment is that other personal data, including trip
   location history, credit card details, social security numbers and
   dates of birth were not downloaded. [8] Also, in August of 2016,
   Dropbox was hacked to release over 68million user email addresses
   and passwords onto the Internet. [9]

   In March 2018, as part of a coding review, Google uncovered a coding
   glitch that potentially exposed the personal data of up to 500,000
   Google Plus users, including their names, email addresses,
   occupations, genders and ages.[10] Google could not confirm which
   users were affected by the security flaw as they keep API log data
   for only two weeks (and, presumably, log data analysis was lacking
   or insufficient to detect the breach as it was happening).

   In May 2018, Twitter advised all 330 million of its users to change
   their passwords after a software exposed them in plaintext. [11]
   Additionally, in September 2018, British Airways announced that
   personal and financial details of up to 380,000 customers who had
   booked flights over a 16-day period had been stolen. This breach was
   traced to a rogue script that had been installed on the third-party
   payment supplier used by British Airways.[12]

Lazanski               Expires July 6, 2023                [Page 4]

   Internet-Draft A User-Focused Internet Threat Model      January 2023

   Also in September 2018, Facebook suffered its worst security breach
   ever; the exploitation of several simultaneous software bugs gave
   login access to as many as 50 million accounts.[13] April 2019, a
   146GB data set containing over 540 million Facebook records were
   found exposed on AWS servers, as two third-party companies had
   collected Facebook data on their own servers.[14] In November 2018,
   500 million Marriott International customers had their details
   stolen in an ongoing breach since 2014. Approximately 327 million
   hotel guests had a combination of name, address, phone number, email
   address, passport number, date of birth, gender and
   arrival/departure information stolen.[15]

   In January 2019, the personal data of more than 3500 people living
   with HIV in Singapore was leaked in Singapore, allegedly by an
   insider with access to sensitive records.[16] Also in February 2019,
   a file containing 2.2 billion compromised usernames and passwords
   was found on the dark web. This 600GB file was a collation of
   previous data breaches, truly demonstrating the scale and severity
   of the data breach and cyber defence problem in totality.[17]

   In the first half of 2020, as the Covid-19 pandemic grew, so did
   cybercrimes some which are were  data breaches. According to
   Interpol, due to the shift of focus to public health, many criminals
   are taking advantage of the vulnerability of society to launch many
   types of attacks. The FBI reported a 300% increase in reported
   cybercrimes since the beginning of the Covid-19 pandemic. Interpol
   published three attack scenarios to watch out for:

     . Malicious domains - these domains may be found when searching
        for phrases like "covid-19", "covid19", "coronavirus" and
        related. A user clicking on a malicious domain man be subject
        to malware, ransomware, phishing or other socially engineered
        cyber attacks. Many countries have reporting tools to report
        such issues, like for example in Estonia. [18]
     . Malware - malware has been found in coronavirus maps and
        information websites.[19]
     . Ransomware - ransomware is on the rise in hospitals, clinics
        and treatment centres since focus is less on the networks and
        endpoints and more on treating patients. [20]

   On 7 July 2020, through civil court procedure in the US, Microsoft
   seized malicious domain names that have been used in large scale
   phishing attacks with a Covid-19 theme. The attacks tricked users to
   revealing their login details.[21] The Microsoft Digital Crimes Unit

Lazanski               Expires July 6, 2023                [Page 5]

   Internet-Draft A User-Focused Internet Threat Model      January 2023

   note that attacks are changing in order to take into account current
   events that users might be interested in.

   It is unthinkable and unrealistic that any revised Internet threat
   model does not highlight and prioritise the most impactful threats.
   Threat actors are making full use of the Internet technology that
   allows them to hide on endpoints and perform such large data hacks
   that mostly go undetected.

   Internet security researchers and developers must accept the reality
   of all the security issues in the Internet ecosystem. Decisions
   being made in the name of privacy are sometimes leading to larger
   inadvertent security and privacy losses.

3. Botnets

   A botnet is a string of connected computers used, in this case, to
   perform a malicious function against an end user, organisation or
   series of users.[22] Though computers working together to increase
   computing power for functions does not constitute a botnet in itself
   (and is used often in data centres for chat rooms or email services,
   for example) botnets are a specifically used for malicious intent.
   There have been a number of recent, high profile botnet attacks and
   only a few will be described here as examples.

   In 2000, EarthLink Spammer sent 1.25 million phishing emails over a
   year and made $3 million in profits by using fake websites and
   domain names to accomplish this. Subsequently the spammer was
   convicted and Earthlink won $25 million in damages.[23]

   Created in 2007, Cutwail was the biggest botnet on the Internet by
   2009 by number of infected computers or hosts sending email. It was
   sending 51 million emails every minute.[24] By 2010, however, it
   started a DDoS attack to nearly 300 major sites including PayPal and
   US federal agencies. By 2013 it was the botnet to use for sending
   spam, but over time its use declined through targeted attempts to
   take it offline as well as the expiration of email addresses. Though
   not as popular and sending far less than it once did, Cutwail still
   sends spam to this day.[25]

   A more recent botnet was the centre of one of the biggest outages of
   the Internet network. The Mirai botnet was first identified in 2016.
   The Mirai botnet as well as variants infect Internet of things
   devices and those infected devices scan the Internet for IP
   addresses of other Internet of Things devices, thus creating a
   multiplication of IoT devices which are infected. Though the bot
   still exists in various forms, the most serious attack took place on

Lazanski               Expires July 6, 2023                [Page 6]

   Internet-Draft A User-Focused Internet Threat Model      January 2023

   21 October 2016 when the Domain Name System (DNS) provider Dyn was
   attacked by DDoS using a coordinated system of infected IoT devices.
   Much of the Internet was unreachable after three attacks occurred
   during the day. Though eventually resolved on that day, the sheer
   size and scale of the attack is still viewed as one of the biggest
   attacks on the Internet to this day.[26]

   According to Kaspersky Labs, there were just over 15,000 botnet
   attacks in 2018.[27] Worryingly, of those attacks, approximately 40
   percent were new in both type and the target. Again, as IoT devices
   increase and as networks expand coverage and ability to handle even
   more devices and data, it is likely that botnet attacks will
   continue to be seen on such a scale. It takes approximately 5
   minutes after connecting for an IoT device to be attacked and up to
   24 hours for an exploit to be stopped. [28]

4. Emerging Threats

   Older methods of cyber attacks are still happening and causing
   breaches, as endpoint security remains incomplete and not up to
   date. Servers remain unpatched and vulnerable and client devices
   become legacy or unsupported, to name just a few issues. In
   parallel, new categories of attacks are emerging.

   Software updates are a new attacked vector. In March 2019, Kaspersky
   uncovered the ShadowHammer supply-chain attack which injected
   malicious code into the ASUS Live Update Utility. This attack
   involved signing malicious code using stolen certificates and was
   estimated to have affected half a million users.[29] As a result of
   the ShadowHammer attack, public focus turned to how and what could
   be the point of infection. Suggestions were that the IP addresses
   could have been the point of origin of the attack while others
   suggested that the malware itself was dormant and inactive until a
   certain update triggered the malware.

   In July 2019, Godlua became the first publicly known malware to use
   DNS-over-HTTPS to avoid DNS-based malware protection security
   systems. [30] The malware uses DoH requests to determine where the
   active URL originates and where it will make a connection. The
   malware takes advantage of this information in order to initiate a
   DDoS attack. The malware attacks both windows and linux systems and
   takes advantage of a backdoor exploit. [31]

   Attacks on individual consumers have dropped by nearly 40 percent,
   due to the fact that attacking one person is largely not financially
   viable, but attacks on business organisations have increased year on
   year.[32] Ransomware is on the rise, motivated by economic gain and
   the weaknesses in endpoints. Malware is freely available and the

Lazanski               Expires July 6, 2023                [Page 7]

   Internet-Draft A User-Focused Internet Threat Model      January 2023

   vulnerable attack point of an endpoint can be found. Botnets are
   increasing in size and scale as well as ease of use.

   There are other emerging threats that require more research to
   collate fully and this section is a starting point.

5. Impacts

   As noted in draft-arkko-farrell-arch-model-t-03 there is a difference
   between user interaction endpoints and system endpoints.
   Acknowledging that the end-to-end model supports permissionless
   innovation, it is imperative to ensure that the open and innovative
   nature of the Internet continues. However, a taxonomy of endpoints
   and agreement on those which have had the most security impact in
   the last 15 years in necessary to continue this work.

   This document and draft-lazanski-protocol-security-design-
   considerations-01 show the impacts on individuals, companies and the
   Internet itself. Though the impacts can be personally and
   economically damaging, there are also ways to design protocols to
   mitigate the severity of attacks.

   Another major change to the Internet over the last 20 years is the
   consolidation and the impact on Internet protocols and architecture.
   The expired draft draft-arkko-iab-internet-consolidation-02 shows
   the potential impact consolidation could make on technology choices,
   users, protocols and Internet architecture more generally. It goes
   on to note that permissionless innovation may be at most risk.

   Consolidation could impact security, making it easier to launch an
   attack. Similarly, mitigation and defence could be affected, by
   making it difficult to be agile and losing the reliance offered by
   decentralization. The Dyn attack showed us that decentralisation
   supports a resilient Internet. [26]

   Work is underway in draft-lazanski-protocol-security-design-
   considerations-01 to attempt to catalogue the most well-known
   threats and considerations to be taken for protocol designers in
   light of these threats.

6. Updating the Internet Threat Model

   Many endpoints are vulnerable; CLESS began a much needed research
   programme to demonstrate what capabilities and what limitations can
   be expected at the endpoint and from a variety of types of
   endpoints.[33] Endpoints have changed since RFC 3557 was published
   17 years ago, but assumptions about endpoints in the IETF hasn't
   changed in that time.

Lazanski               Expires July 6, 2023                [Page 8]

   Internet-Draft A User-Focused Internet Threat Model      January 2023

   The problem statement from draft-mcfadden-smart-threat-changes-01
   clearly articulates and lists the changes in the last 17 years. that
   the view of Internet security is too narrow, specifically in BCP72,
   and an update on Internet security threats is long overdue. Namely,
   endpoints, applications, data and devices are all connected to the
   Internet now at a growing pace and this needs to be reflected in
   both Internet security threats and protocol design.

   Security Considerations for Protocol Designers [34]is a
   comprehensive document that lists threats, attack vectors, examples
   and considerations for designing protocols. This document is growing
   as new threats emerge and is a reference for protocol designers.
   Additionally, draft-taddei-smart-cless-introduction-02 laid out
   security concerns, capabilities and limitations for endpoints in
   general while draft-mcfadden-smart-endpoint-taxonomy-for-cless-01
   outlines a clear taxonomy for endpoint security and identifies
   changes in technology, economic and protocol development that has
   impacted and changed endpoint security as well as architectural
   development and protocol design. Taken together these drafts reflect
   a comprehensive and clear set of security threats and design
   considerations for the Internet and the changes to security on or
   connected to it.

7. Way Forward: A New Internet Threat Model

   Many endpoints are vulnerable; Endpoints have changed over the last
   17 years as shown in  draft-mcfadden-smart-threat-changes-01, but
   assumptions about endpoints in the IETF hasn't changed in that time.
   Draft-iab-for-the-users-04                                   discusses that end users are beneficiaries
   of the IETF standards. End users use endpoints which have new and
   emerging threats. Even the user is not often in full control of what
   happens on their endpoint and what security protections apply to
   their own data a model where the Internet is user-centric would give
   more control to the user. The user is both the home Internet citizen
   and the organisation administrator seeking to protect against data
   breaches; both need the power to control where their data goes and
   choose their security protections. So while endpoints are the focus
   now, does the Internet need to be user-centric in the future? Won't
   that give users even more assure privacy?

   ATT&CK versions of methods, when categorised by type, show that
   endpoint methods of compromise are increasing faster than network
   attacks.[34][35] This may be due to more variety in endpoints,
   substandard security in many endpoints or the difficulty of
   attacking a network compared to an endpoint. Whatever the reason,

Lazanski               Expires July 6, 2023                [Page 9]

   Internet-Draft A User-Focused Internet Threat Model      January 2023

   the logical conclusion is that the current Internet design is not
   stopping cyber attacks. Perhaps a fresh approach is required.

   As more power and control has shifted to endpoints - and even to
   only a select few applications on endpoints network defences can
   protect fewer and fewer endpoints; concurrently, attacks have
   increased and attacks have increased.

   The existing Internet Threat Model of RFC3552 makes the general
   assumption that end-systems have not been compromised and that while
   end-systems are difficult to protect against compromise, protocol
   design can help minimise the damage.Revisiting this general
   assumption in the light of the magnitude of an increase in data
   breaches and their subsequent negative results is a good starting
   point for a new Threat Model which can result in protocol design
   that helps mitigate end-system compromise.

   RFC 3552 will need to be revised in light of the development of the
   threat landscape that has changed and grown in the 17 years since
   RFC            3552 was published. This draft highlights a selection of attacks
   and data breaches over the last decade and a half. A revision to RFC
   3552             would need to include all known and potential attack surfaces
   taking               into account mobile network development, new and emerging
   devices                which are connected to the Internet and the proliferation of
   users, devices and applications on and over the Internet, as
   mentioned above.

   Work is well underway in the IETF and the progress has been slow but
   insightful. However, the work needs to continue to develop with
   continued collaboration. There is much to do. This draft continues
   to highlight the importance that any threat model must be based in
   evidence about data breaches. This draft continues the discussion
   which focuses on the user, identifies the current threats and
   proposes mitigation of those threats.

8. Security Considerations

   This document proposes a new way of thinking about developing
   Internet security protocols and does not create, extend or modify
   any protocols. The intent is to continue discussion and bring in a
   cyber defence viewpoint.

9. IANA Considerations

   Upon publication this document has no required actions for IANA.

Lazanski               Expires July 6, 2023               [Page 10]

   Internet-Draft A User-Focused Internet Threat Model      January 2023

10. Conclusions

   The Threat Model indeed needs revisiting and changing, because cyber
   defence threats and attacks are increasing, yet the responsibility
   to help mitigate these threats and attacks is largely unrecognised
   in the IETF community.  These threats and attacks should be given
   the attention they deserve and a way forward is proposed.

   Further, it is imperative that new conclusions and recommendations
   from a revisited threat model are backed up by research, case
   studies and experience, rather than bold assertions. Research and
   evidence is important to achieve effective security, unsubstantiated
   guesswork is not. Work is already underway and should now continue
   as described in this draft. Section 8 shows the way forward.

11. References

11.1. Informative References












Lazanski               Expires July 6, 2023               [Page 11]

   Internet-Draft A User-Focused Internet Threat Model      January 2023

















Lazanski               Expires July 6, 2023               [Page 12]

   Internet-Draft A User-Focused Internet Threat Model      January 2023





   cybercrime-tactics-and-techniques-report-finds-businesses-hit- with-


   [34] draft-lazanski-protocol-security-design-considerations-01

   [35] Pastor, Antonio. "Applying AI to Protect 5G Control Traffic",
   ETSI Security Week, 19 June 2019, ETSI, Sophia Antipolis, France.

12. Acknowledgments

   This document was prepared using

Authors' Addresses

   Dominique Lazanski
   Last Press Label
   London, UK

   Phone: +447783431555

Lazanski               Expires July 6, 2023               [Page 13]