Minutes IETF104: smart
minutes-104-smart-00
| Meeting Minutes | Stopping Malware and Researching Threats (smart) RG |
|---|---|
| Date and time | 2019-03-25 15:10 |
| Title | Minutes IETF104: smart |
| State | Active |
| Last updated | 2019-03-28 |
# SMART meeting minutes

## Chair Setup Time (Kathleen and Kirsty)

Kathleen and Kirsty introduce the session: SMART is not yet a proposed RG, hence this is an IAB-sponsored session. Recap of the Note Well. They would like SMART to be friendly to newcomers to the IETF and to the group.

The goals of SMART are:

- To be the advisory research group on attack defence in the IETF/IRTF.
- To research methods to efficiently detect, mitigate and prevent threats.
- To guide protocol development, so that when protocols are being designed, engineers are better informed about attack defence.

The research SMART would like to see or do may seem broad because the threat landscape is broad. Some examples are: threat detection on encrypted traffic; best practice to prevent phishing; endpoint detection capabilities and limitations. The draft charter is on GitHub; feedback is welcome.

Kathleen presents CARIS2. This was an ISOC-sponsored workshop on Coordinating Attack Response at Internet Scale, run at the start of March to seed research ideas for SMART. It was two days packed with brainstorming activities to generate ideas, based on papers brought forward to the workshop. Emphasis on the importance of bringing together the people worrying about privacy and those worrying about network management, to avoid a constant arms race. Lots of creative thinking about what factors are helping or hindering incident response. Problems in incident response were highlighted, for example that incident responders are isolated into small groups in how they exchange data. We (the whole community) need to flip how we do incident management, as we are never going to fill the gap by training information security professionals. Attack coordination and automated security is always an ongoing theme. So a question is: how do we bake more security into existing protocols?
Some other research presented or discussed at CARIS2 included:

- OpenC2: indicators of compromise and how you respond.
- NICT: automation and visualisation. Key learnings were deficiencies in standards and their adoption, key areas where they were hindered in their abilities, and where further research would shed light.
- Incident response coordination: both official and community-based CERT-type groups, and working together.
- IPv6 from MAPRG: a good example where researchers are looking at measurement and considering privacy within that, which is better than an arms race.

More projects were listed for further research, such as SNARC, which had a lot of traction from people wanting to work on it after CARIS2.

Q: What kind of group does SMART want to be? It's not clear.
A: If we have a choice, we would be an IRTF research group. We could be a mix of research with hand-offs to the IETF security area / secdispatch for more tactical work.

## Arnaud Taddei, Symantec, Threat Landscape report

ISTR is Symantec's annual report, with breakdown by country, threat etc. This presentation shares the trends in threats by category:

- Formjacking: use of malicious forms; difficult to detect by end users; this has emerged over the course of the year.
- Cryptojacking: this has declined over the course of the year, probably because the price of cryptocurrencies has decreased.
- Ransomware: overall infections were down as attackers moved to other lucrative activities.
- Smartphones: there are opportunities to attack phones that are not on the latest version. Only 23.7% of Android phones and 78.3% of iPhones are on the latest versions.
- IoT: not new attacks; 75% of compromised devices were routers, 15% were cameras; with more 5G connectivity, the problem will worsen. The main vulnerability is weak passwords.
- Cloud: attacks on cloud are increasing and SDN exploits are going to be interesting; the attack surface is going to increase. The most concerning will be a silent attack, where something is breached and we don't know about it.
Also seen: an increase in targeted attacks against corporations. Intelligence gathering is the main motive here; mainly not using 0-day vulnerabilities. And more "living off the land": use of malicious PowerShell was up by 100%.

Q (DKG), clarifying questions: What is meant by supply chain attacks? Does 1 in 10 URLs really mean that?
A: It does...

Q (Centre for Internet Research): Is fake news an attack?
A: Arnaud answers that it is an attack on the brain/human rather than on the protocol.

Q: Why was fake news / misinformation included under smartphones?
A: Is this an attack on the device or on the brain? Wanted to be mindful that this was an attack and should be included in the report, but it's hard to condense a big report into a few slides.

Q: On formjacking: was this a cross-site scripting attack?
A: Not sure; will clarify to the list.

Q (Watson Ladd): I know little about incident management, but what do we do with numbers like these?
A: Organisations do respond and use this data. Arnaud: lots of customers, lots of people who want to detect trends. Kathleen: lots of corporations worrying about attacks and data leakage. Kirsty: need to understand where the problem space is in order to know where to focus the research.

Q (Eliot Lear): Perhaps answered by the last question, but what should a research group here do with these figures?
A (Kathleen): It could be used to look into what the rising threats are, when trying to decide how to manage resources.

Q: Research is often slower than trend-tracking, so be mindful of how useful this will be to the RG.

## David McGrew, Cisco, Malicious uses of evasive communication and the threats they pose to privacy

What are the motivations of the malware operators? How are they using evasive communication? Privacy is a human right; encryption is a cornerstone of modern society. David's focus is not on the data in motion during a single session; it's on the data that is operated on by the client and server.
Protocols are often designed with the following goals: data confidentiality; evading blocking; visiting targeted sites without detection; communication without detection. These all have benign uses and malicious uses. Malware wants to use these features to hide from the defender; to provide vectors for infection, C2 and data exfiltration; to minimise indicators of compromise; and to hide infection.

Client-side attacks on privacy: Remote Administration Tools (Trojans) provide the ability to remotely survey electronic activity. Syrian activists have been targeted by malware over the last decade. Critical point: evasive communication is critical to how RATs operate. NSA TAO quote: other attack vectors are easier, less risky and more effective than zero-days; you just need to understand the victim's network better than the victim.

Graphic of personal data breach incident scale: server-side privacy infringements. Do not think "there are big dumb vendors that don't know how to use security"; think "there are big dumb vendors that want to use security to protect personal data". Passwords stolen through attacks are a big issue in privacy.

Malware analysis shows that most connections, 2 million (94%), used plain TLS with nothing remarkable standing out. Most malware authors don't feel the need to use evasive techniques in addition to TLS. The plain TLS connections often visit benign sites, such as dropbox.com (the most popular).

Highlighted research questions:

1. Further characterise malware's use of evasive technology.
2. Research how to mitigate malware without reducing privacy. [David points out this is the key question.]
3. Assurance of the client.
4. How can protocol designers prevent or mitigate malicious uses?

Q (Stephen F.): Thanks for the presentation. The answer to 1 is yes; the answer to 2 is probably no, but it'd take a long time to find this out. So it'll take a long time to determine if a research group will be effective or not.
A: Don't want to define a research answer, just highlight and scope the problem.
Q (Richard Barnes): The Tor community is making statements about mitigating bad traffic in order to improve the reputation of user traffic. [There is precedent.]

Q (DKG): Thanks for the presentation and research. How do we as network designers determine malicious uses from legitimate uses? It's subjective: one person's malicious terrorism is another person's freedom. I fully agree that the massive amount of data stored on cloud servers represents real privacy risks, but I'm not convinced that protocols are the way to mitigate this; want to flag it as a potentially impossible problem.
A: If you're defending a datacentre that has a lot of PII, would you allow unrestricted Tor connections to the Internet? If the answer is no, then how would you help with this? That's the research area. There are unintended consequences of using privacy networks to evade censorship etc., e.g. evasive communication to exfiltrate data from the data centre.

## Simon Edwards, Testing for the Good of the Internet

From SE Labs and the Anti-Malware Testing Standards Organisation. This talk is to demonstrate the methodology and rigour that goes into testing anti-malware products. Why do testing? There is too much snake oil. Most important point: they test by creating and running the full attack chain, based on the threat landscape. They are not just testing in a VM, because that's not what victims are doing. They verify claims of security products and provide evidence to improve the products. Testing against prevalent threats is important: not the edgy, weird threats, but the ones that are indicated to be the most popular. There is a danger of bias if a tester takes a feed of threats from vendors: they might have threat-sharing agreements, so results will be biased and not representative of actual threats. Therefore they do something smarter.
They aim to behave like an APT; not every nation state has the same level of resources; there are incentives not to use zero-days (something echoed in the threat landscape from the first talk), and using disposable technology like Metasploit is unattributable. Then there is an example of malware running in the presence of anti-malware software running on the system. There is a problem testing with rootkits: the whole system is compromised, so they need to take it offline and do the testing somewhere else.

Kathleen: What are the opportunities for research in SMART?
A: Could use this methodology to find areas that can be improved, e.g. in protocols; Simon's expertise is in being naughty and testing out bad things.

Q: Are you bound by contractual agreements?
A: No.

## Toma Gavrichenkov, BGP hijacking

Fast-forwarded through the example of how BGP hijacking works, due to the experience in the room. Examples of attacks: in 2018 myetherwallet.com was BGP hijacked; it went unnoticed for 2 hours before anyone reached out to get it fixed. The TLS ClientHello went to a fake server in Russia. Placing multiple verifying agents on the Internet is hard, as these could still be compromised. There are consequences of BGP hijacking for other protocols: could the QUIC spin bit be used together with BGP hijacking to triangulate the location of a user behind a VPN? [Potential research question.] There is a potential need for additional security analysis whenever a protocol acts on the Internet. The DISCO experiment was held in January on how to change the BGP protocol to reduce the exposure to hijacks. There is work being done in IDR and SIDROPS (the ASPA work) to detect and mitigate hijacking; this may be an area of research for SMART, to find which is more effective.

Q (Eliot Lear, Cisco): What does a research group do with numbers like BGP hijacks?
A: It can focus the research.

Q: There's a research area in how to manage resources [for security problems].
A: Thank you; there is research to do in making security more efficient; there's a 2 million deficit in professionals.

## CLESS, Arnaud Taddei, Symantec

Wrote this draft on endpoint security capabilities and limitations, as the question is asked in WGs. Realised there is not a proper codification of endpoint security, so a long-term aim for SMART could be a full review. Started with endpoint models and a threat landscape, the closest being MITRE ATT&CK. Good research problem for SMART: what threat model to use. Internally, they looked at 3 months of customer data and attacks, and categorised where attacks were detected: endpoint only, network only, or a mix. The fundamental question is: are we all talking about the same thing when we say endpoint security? Looking for further collaboration, and highlights the need for trends to prioritise research; that's the value of the numbers. Next steps for the draft are to look at: endpoint modelling, threat landscape methodology, intrinsic capabilities, and other aspects (economics, regulation, human rights, other data sources).

Who has read the draft? It was submitted late, but a reasonable show of hands, about 15.

Looking for a good threat landscape; the best they found was MITRE ATT&CK, but this is not perfect; this would make a good research question for SMART. What does the ideal endpoint security solution look like? What are the constraints from regulation? Seeking feedback; would like input on human rights considerations as well as regulatory ones. They currently can't find an agreed, stable, unified approach to the threat landscape. Key statistic from the draft is that 32/275 threat categories were only found from network detection, not endpoint.

## Ian Levy, NCSC

What NCSC are trying to do in the UK government on attack defence. A new kind of organisation needing an early win; thankfully won the Carbuncle Cup for the architecture of the building.
Security measures and policies can't be driven by the companies who are incentivised to make it sound worse than it is. This is risk management. Reducing the burden on people: people should be able to use password managers, specifically calling out the financial services industry. Getting the UK populace to demand better, more sensible policies. Pranking example: nothing in the UX to indicate that the message might be unsafe; the message needs to be cryptographically bound to the envelope. We have a building in London; feel free to get in touch if you want to visit.

Cybersecurity is the only part of policy driven by fear and hype. NCSC is changing that with evidence and evidence-driven policy. Work on phishing is making up for protocols designed 20 years ago: the fact that the envelope and the message aren't cryptographically bound means the user can't spot anything weird. We're working on the introduction of a labelling scheme for IoT products, like food labels: separate the ones that help from the ones that kill you.

ACD (Active Cyber Defence): BGP sucks. NCSC is building a national-scale BGP platform; have done an alpha experiment, and if it works, they are going to scale it. Protective DNS, DMARC, takedowns: doing them all at scale has an effect. One of the aims of ACD is to put some objective research out there. DMARC: it can't be that hard if Government can do it. Stopping people using brands that look like government domains. The UK tax office has gone from 16th to 146th in global phishing rankings. We do active defence, and we learn the issues with doing it at scale. Malicious domain takedowns by e-mailing hosts; a notification service. We teach the public that the padlock means things are safe... and it doesn't. Don't tell me about domain validation, because the public doesn't know or care. Public sector DNS: blocked 28 million queries related to 15 DGAs, including Conficker from 2007; still getting 450,000 WannaCry queries. They are asking BT to protect their 6M customers in the UK from malware, for free.
Root causes of attacks: admins browsing the web using their admin account; credentials; what's connected to the Internet. SMART: have to find ways of giving high-quality information to UX designers from the protocol layer; security, privacy and resilience are all totally different things. Protocols being built in the IETF are starting to underpin critical infrastructure in a way they never did before. The IETF's help is needed here!

Kathleen: hoping to stimulate additional conversation.

Q (Toma): Huge numbers of attacks in the academic sector; what's the explanation for this?
A: Academic freedom. Security is much bigger than encryption; encryption is very important.

DKG: Thank you; wants to echo that people are an increasingly important part of protocols. We like to pretend that we work at the networking layer alone; we need to be thinking about what our protocols do and what they expose to the UI layer, what signals they can work with. Remember that the bad guys use the shiny too. Bad guys can use takedown services too; they could stop doing business in certain countries; there are real risks in having those kinds of relationships being so easily used.
A: NCSC uses Netcraft to do this, independent from government.

DKG: What's the ghost proposal for lawful access about, in tension with limiting the user interface?
A: The ghost proposal wasn't the purpose; it was to have a conversation on solutions.

Kathleen asks, as a review: who is interested in contributing to or reviewing documents for SMART? About half the room raises their hand.

Alissa Cooper: What are the expectations for the future of the group? Some of this is far out from what is currently being done in the IETF.
A (Kathleen): Need to see what work comes in; different timescales is an issue; open to guidance for scoping.
Kirsty: The tie-back to protocols is the reason that we want this to be in the IRTF.
Q (Eliot Lear): One of the biggest challenges is bringing the researchers to us. NDSS, the workshop on economics and security; how do we bring those people here?
Kirsty: Some of the work going into MAPRG would previously have come to the IETF; we already have academics engaged from various industries despite having only a mailing list.
Ian: NCSC works with research institutes; we can bring researchers to the IETF/IRTF with attack defence research, such as Angela Sasse in London. We need to bring them here, meaningfully. I am happy to say that our research institutes will contribute.
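Editor's added illustration of the point Ian Levy made about phishing (this is example code written for these minutes, not material from the presenter, NCSC or any IETF document): the SMTP envelope sender (RFC5321.MailFrom, which SPF checks) and the From: header the user sees (RFC5322.From) are not bound to each other, so a phishing mail can show a trusted domain while SPF legitimately passes for the attacker's own domain. DMARC identifier alignment ties the SPF- and DKIM-authenticated domains back to the From: domain and lets the receiver apply the domain owner's policy. All domains, the in-memory DNS table and the sample messages below are constructed placeholders, and SPF results are assumed to have been computed already.

```python
"""Added example (not from the SMART minutes): DMARC identifier alignment
as the binding between the SMTP envelope and the From: header.

DNS TXT data, domains and messages are constructed placeholders (assumptions).
"""
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for DNS TXT lookups (assumption; no network access).
DNS_TXT = {
    "_dmarc.example.gov.uk": "v=DMARC1; p=reject; aspf=r; adkim=s; rua=mailto:dmarc@example.gov.uk",
}

# Tiny public-suffix table for deriving the organisational domain (assumption;
# a real implementation uses the full Public Suffix List).
PUBLIC_SUFFIXES = {"gov.uk", "co.uk", "org", "com", "net"}


def organizational_domain(domain: str) -> str:
    """Registrable (organisational) domain, e.g. mail.example.gov.uk -> example.gov.uk."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:]) if i > 0 else domain.lower()
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """DMARC identifier alignment: strict ('s') needs an exact match,
    relaxed ('r') only needs the same organisational domain."""
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else organizational_domain(a) == organizational_domain(f)


def parse_dmarc(record: str) -> Optional[dict]:
    """Parse a DMARC TXT record into a tag dict; None if it is not a usable DMARC1 record."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        return None
    tags.setdefault("aspf", "r")   # relaxed alignment is the default
    tags.setdefault("adkim", "r")
    return tags


@dataclass
class Message:
    mail_from: str              # RFC5321.MailFrom (envelope), the identity SPF checks
    header_from: str            # RFC5322.From, what the mail client shows the user
    spf_result: str             # "pass"/"fail" for the mail_from domain (assumed precomputed)
    dkim_domain: Optional[str]  # d= of a valid DKIM signature, or None if unsigned/invalid


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[1].lower()


def dmarc_evaluate(msg: Message, dns=DNS_TXT) -> dict:
    """Return the DMARC result and the disposition a receiver would apply."""
    from_domain = domain_of(msg.header_from)
    # Policy lookup: the From: domain first, then its organisational domain.
    record = dns.get("_dmarc." + from_domain) or dns.get("_dmarc." + organizational_domain(from_domain))
    policy = parse_dmarc(record) if record else None
    if policy is None:
        # No DMARC policy: nothing binds the envelope to the From: header; mail is delivered.
        return {"result": "none", "disposition": "deliver", "spf_aligned": False, "dkim_aligned": False}
    spf_aligned = msg.spf_result == "pass" and aligned(domain_of(msg.mail_from), from_domain, policy["aspf"])
    dkim_aligned = msg.dkim_domain is not None and aligned(msg.dkim_domain, from_domain, policy["adkim"])
    passed = spf_aligned or dkim_aligned
    return {
        "result": "pass" if passed else "fail",
        "disposition": "deliver" if passed else {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}[policy["p"]],
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
    }


# Constructed sample messages (assumptions).
PHISH = Message(                      # trusted From: domain, attacker-controlled envelope
    mail_from="bounce@attacker.example",
    header_from="refunds@example.gov.uk",
    spf_result="pass",                # SPF passes: the attacker authorises their own domain
    dkim_domain=None,
)
LEGIT = Message(                      # same From: domain, envelope on a subdomain the owner runs
    mail_from="bounce@mail.example.gov.uk",
    header_from="refunds@example.gov.uk",
    spf_result="pass",
    dkim_domain="example.gov.uk",
)
UNPROTECTED = Message(                # a From: domain that publishes no DMARC record
    mail_from="bounce@attacker.example",
    header_from="billing@nodmarc.example",
    spf_result="pass",
    dkim_domain=None,
)

if __name__ == "__main__":
    for name, m in (("phish", PHISH), ("legit", LEGIT), ("unprotected", UNPROTECTED)):
        print(name, dmarc_evaluate(m))
```

The PHISH message is the case the talk describes: SPF alone passes, because the attacker's envelope domain is their own, and only the alignment check against the From: domain exposes the mismatch and triggers the published reject policy. Note the limits: a domain that publishes no record (UNPROTECTED) gets no protection at all, and DMARC says nothing about lookalike domains that merely resemble a government brand, which is why the minutes pair it with takedowns.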