Minutes IETF104: smart
minutes-104-smart-00

Meeting Minutes Stopping Malware and Researching Threats (smart) RG
Date and time 2019-03-25 15:10
Last updated 2019-03-28

# SMART meeting minutes

## Chair Setup Time – Kathleen and Kirsty
Kathleen and Kirsty introduce the session as not yet a proposed RG, hence an
IAB-sponsored session. Recap of Note Well – would like SMART to be friendly to
newcomers to the IETF and to the group.

The goals of SMART are:
•       To be the advisory research group on attack defence in the IETF/IRTF
•       To research methods to efficiently detect, mitigate, prevent threats
•       To guide protocol development.

This is so when protocols are being designed, engineers are better informed
about attack defence. Research SMART would like to see/do may seem broad
because the threat landscape is broad. Some examples are: threat detection on
encrypted traffic; best practice to prevent phishing; endpoint detection
capabilities and limitations. The draft charter is on Github – feedback is
welcome.

Kathleen presents CARIS2. This was an ISOC-sponsored workshop on Coordinating
Attack Response at Internet Scale run at the start of March to seed research
ideas for SMART. This was two days packed with brainstorming activities to
generate ideas, based on papers brought forward to the workshop. Emphasis on
the importance of coupling people together worrying about privacy and network
management, to avoid a constant arms race.

Lots of creative thinking about what factors are helping/hindering incident
response. Problems in incident response were highlighted, for example that
Incident Responders are isolated into small groups about how they exchange
data. We (the whole community) need to flip how we do incident management; as
we are never going to fill the gap with training information security
professionals. Attack coordination and automated security is always an ongoing
theme. So a question is: how do we bake more security into existing protocols?
Some other research presented/discussed at CARIS2 included:
•       OpenC2 – indicators of compromise and how you respond
•       NICT – automation and visualisation; key learnings were deficiencies in
standards and their adoption, key areas where they were hindered in their
abilities and where further research would shed light
•       Incident response coordination – both official and community-based
CERT-type groups, and working together
•       IPv6 – from MAPRG – this is a good example where researchers are looking
at measurement and considering privacy within that, which is better than an
arms race.
More projects were listed for further research, such as SNARC, which had a lot
of traction from people wanting to work on it after CARIS2.

Question: What kind of group does SMART want to be? It's not clear.
A: If we have a choice, we would be an IRTF research group. We could be a mix
of research with hand-offs to IETF security area/secdispatch for more tactical
work.

## Arnaud Taddei, Symantec, Threat Landscape report
ISTR is Symantec's annual report with breakdown by country, threat etc. This
presentation shares the trends in threats by category:
•       Formjacking – use of malicious forms; difficult to detect by end users;
this has emerged over the course of the year.
•       Cryptojacking – this has declined over the course of the year, probably
because the price of the cryptocurrencies has decreased.
•       Ransomware – overall infections were down as attackers moved to other
lucrative activities.
•       Smartphones – there are opportunities to attack phones that are not on
the latest version. Only 23.7% of Android phones and 78.3% of iPhones are on
the latest versions.
•       IoT – not new attacks; 75% of compromised devices were routers, 15% were
cameras; with more 5G connectivity, the problem will worsen. The main
vulnerability is weak passwords.

Attacks on cloud are increasing and SDN exploits are going to be interesting –
the attack surface is going to increase; the most concerning will be a silent
attack, where something is breached and we don’t know about it. Also seen an
increase in targeted attacks against corporations: intelligence gathering is
the main motive here; mainly not using 0-day vulnerabilities. And more of
"living off the land": use of malicious PowerShell was up by 100%.

Q: DKG, clarifying questions: what is meant by supply chain attacks? Does 1 in
10 URLs really mean that?? A: it does...
Q: Centre for Internet Research: Is fake news an attack? A: Arnaud answers that
it is an attack on the brain/human rather than the protocol.
Q: Why was fake news / misinformation included under smartphones? A: Is this an
attack on the device or on the brain? Wanted to be mindful that this was an
attack and should be included in the report, but it's hard to condense a big
report into a few slides.
Q: On formjacking: was this a cross-site scripting attack? A: Not sure – will
clarify to the list.
Q: Watson Ladd: I know little about incident management, but what do we do
with numbers like these? A: organisations do respond and use this data.
Arnaud: lots of customers, lots of people who want to detect trends. Kathleen:
lots of corporations worrying about attacks and data leakage. Kirsty: need to
understand where the problem is in order to know where to focus the research.
Q: Eliot Lear: Perhaps answered by the last question, but what should a
research group here do with these figures? Kathleen: could be used to look into
what the rising threats are; trying to decide how to manage resources.
Q: Research is often slower than trend-tracking, so be mindful of how useful
this will be to the RG.

## David McGrew, Cisco, Malicious uses of evasive communication and the threats they pose to privacy
What are the motivations of the malware operators? How are they using evasive
communication? Privacy is a human right; encryption is a cornerstone of modern
society. David’s focus is not on the data in motion during a single session;
it's focused on the data that is operated on by the client and server.

Protocols are often designed with the following goals: data confidentiality,
evading blocking, visiting targeted sites without detection, communication
without detection. These all have benign uses and malicious uses. Malware wants
to use these features to hide from the defender; provide vectors for infection,
C2 and data exfil; minimise indicators of compromise; hide infection.

Client-side attacks on privacy: Remote Administration Tools (Trojans) provide
the ability to remotely survey electronic activity. Syrian activists have been
targeted by malware over the last decade. Critical point: evasive communication
is critical to how RATs operate. NSA TAO quote: other attack vectors are
easier, less risky, more effective than zero-days – just need to understand the
victim’s network better than the victim.

Graphic of personal data breach incident scale – server-side privacy
infringements. Do not think, "there are big dumb vendors that don’t know how to
use security", think, "there are big dumb vendors that want to use security to
protect personal data". Passwords stolen through attacks are a big issue in
privacy. Malware analysis shows that most connections, 2 million (94%), used
plain TLS with nothing remarkable standing out. Most malware authors don’t feel
the need to use evasive techniques in complement to TLS. The plain TLS
connections often visit benign sites, such as dropbox.com (most popular).

Highlighted research questions:
1.      Further characterise malware’s use of evasive technology
2.      Research how to mitigate malware without reducing privacy [David points
out this is the key question]
3.      Assurance of client
4.      How can protocol designers prevent or mitigate malicious uses?

Q: Stephen F.: Thanks for the presentation. Answer to 1 is yes, answer to 2 is
probably no, but it’d take a long time to find this out. So it’ll take a long
time to determine if a research group will be effective or not. A: don’t want
to define a research answer, just highlight and scope the problem.
Q: Richard Barnes: Tor community making statements about mitigating bad
traffic in order to improve reputation of user traffic. [there is precedent]
Q: DKG: Thanks for the presentation and research. How do we as network
designers determine malicious uses from legitimate uses? It’s subjective – one
person’s malicious terrorism is another person’s freedom. I fully agree that
the massive amount of data stored on cloud servers represents real privacy
risks, but I'm not convinced that protocols are the way to mitigate this; want
to flag it as a potentially impossible problem. A: if you’re defending a
datacentre that has a lot of PII, would you allow unrestricted Tor connections
to the Internet? If the answer is no, then how would you help this – that's the
research area. There are unintended consequences of using privacy networks to
evade censorship etc. – e.g. evasive communication to exfil data from the data
centre.

## Simon Edwards, Testing for the Good of the Internet
From SE Labs and the Anti-Malware Testing Standards Organisation. This talk is
to demonstrate the methodology and rigour that goes into testing anti-malware
products. Why do testing? There is too much snake oil. Most important point:
they test by creating and running the full attack chain, based on the threat
landscape. They are not just testing in a VM because that’s not what victims
are doing. They verify claims of security products and provide evidence to
improve the products.

Testing against prevalent threats is important: not the edgy weird threats,
but the ones that are being indicated to be the most popular. There is a
danger of bias if a tester takes a feed of threats from vendors – they might
have threat-sharing agreements – so results will be biased and not
representative of actual threats. Therefore they do something smarter. They
aim to behave like an APT; not every nation state has the same level of
resources; there are incentives not to use zero days (something echoed in the
threat landscape from the first talk) and using disposable technology like
Metasploit is unattributable. Then there is an example of malware running in
the presence of anti-malware software running on the system. There is a
problem testing with rootkits: the whole system is compromised, need to take
it offline and do the testing somewhere else.

Kathleen: What are the opportunities for research in SMART? A: Can use this
methodology to find areas that can be improved, e.g. in protocols; Simon's
expertise is in being naughty and testing out bad things.
Q: Are you bound by contractual agreements? A: No.

## Toma Gavrichenkov, BGP hijacking
Fast-forwarded through example of how BGP hijacking works due to experience in
the room. Examples of attacks: 2018 myetherwallet.com was BGP hijacked, went
unnoticed for 2 hours before anyone reached out to get it fixed. The TLS
ClientHello went to a fake server in Russia. Placing multiple verifying agents
on the Internet is hard, as these could still be compromised.

There are consequences of BGP hijacking for other protocols – could QUIC spin
bit be used together with BGP hijacking to triangulate the location of a user
behind a VPN? [Potential research question]

There is a potential need for additional security analysis whenever a protocol
acts on the Internet. The DISCO experiment was held in January – on how to
change the BGP protocol to reduce the exposure to hijacks. There is work being
done in IDR and SIDROPS – ASPA – to detect and mitigate the hijacking; this may
be an area of research for SMART, to find which is more effective.
Q: Eliot Lear of Cisco: what does a research group do with numbers like BGP
hijacks? A: it can focus the research.
Q: There’s a research area in how to manage resources [for security problems].
A: Thank you – there is research to do in making security more efficient;
there’s a 2 million deficit in professionals.

## CLESS, Arnaud Taddei, Symantec
Wrote this draft on endpoint security capabilities and limitations, as the
question is asked in WGs. Realised there is not a proper codification of
endpoint security. So a long-term aim for SMART could be a full review. Started
with endpoint models, and a threat landscape – the closest being MITRE ATT&CK.
Good research problem for SMART: what threat model to use. Internally, they
looked at 3 months of customer data and attacks, and categorised where detected
– endpoint only, network only, or a mix. The fundamental question is: are we
all talking about the same thing when we say ‘endpoint security’? Looking for
further collaboration, and highlights the need for trends to prioritise
research. That’s the value of the numbers. Next steps for the draft are to look
at: endpoint modelling, threat landscape methodology, intrinsic capabilities,
other aspects of economics/regulation/human-rights/other-data-sources. Who has
read the draft? It was submitted late but a reasonable show of hands, about 15.
Looking for a good threat landscape; the best they found was MITRE ATT&CK but
this is not perfect; would make a good research question for SMART. What does
the ideal endpoint security solution look like? What are the constraints from
regulation? Seeking feedback; would like input on human rights considerations
as well as regulatory.

They currently can’t find an agreed, stable, unified approach to threat
landscape. Key statistic from the draft is that 32/275 threat categories were
only found from network detection, not endpoint.

## Ian Levy, NCSC
What NCSC are trying to do in the UK government on attack defence. A new kind
of organisation – needing an early win – thankfully won the Carbuncle Cup for
the architecture of the building. Security measures and policies can't be
driven by the companies who are incentivised to make it sound worse than it is.
This is risk management. Reducing the burden on people: people should be able
to use password managers – specifically calling out the financial services
industry. Getting the UK populace to demand better, more sensible policies.
Pranking example: nothing in the UX to indicate that the message might be
unsafe – the message needs to be cryptographically bound to the envelope. We
have a building in London – feel free to get in touch if you want to visit.

Cybersecurity is the only part of policy driven by fear and hype. NCSC is
changing that with evidence and evidence-driven policy. Work on phishing –
making up for protocols designed 20 years ago; the fact that the envelope and
mailing isn’t cryptographically bound means the user can’t spot anything weird.
We're working on the introduction of a labelling scheme for IoT products, like
with food labels – separate the ones that help from the ones that kill you.

ACD: BGP sucks. NCSC is building a national scale BGP platform; done an alpha
experiment, and if it works, they are going to scale it. Protective DNS, DMARC,
take-downs – doing them all at scale has an effect.

One of the aims of ACD is to put some objective research out there.
DMARC: it can’t be that hard if Government can do it. Stopping people using the
brands that look like government domains. The UK tax office has gone from 16th
to 146th in global phishing rankings. We do active defence, and we learn the
issues with doing it at scale. Malicious domain takedowns – by e-mailing hosts;
notification service. We teach the public that the padlock means things are
safe... and it doesn't. Don’t tell me about domain validation because the
public doesn't know or care. Public sector DNS: blocked 28 million queries
related to 15 DGAs including Conficker from 2007; still getting 450,000
Wannacry enquiries. They are asking BT to protect their 6M customers in the UK
from malware, for free. Root causes of attacks: admins browsing the web using
their admin account; credentials; what’s connected to the Internet.

SMART: have to find ways of giving high quality information to UX designers
from the protocol layer; security, privacy, resilience are all totally
different things. Protocols being built in the IETF are starting to underpin
critical infrastructure in a way they never did before. IETF’s engineering is
underpinning critical infrastructure in a way it's never done before. The
IETF’s help is needed here!
Kathleen: hoping to stimulate additional conversation.
Q: Toma: Huge numbers of attacks in the academia sector – what’s the
explanation for this? A: Academic freedom. Security is much bigger than
encryption; encryption is very important.
DKG: Thank you; wants to echo that people are an increasingly important part of
protocols. We like to pretend that we work at the networking layer alone; need
to be thinking about what our protocols do and what they expose to the UI
layer, what signals they can work with. Remember that bad guys use the shiny
too. Bad guys can use takedown services too – could stop doing business in
certain countries – there are real risks in having those kinds of relationships
being so easily used. A: NCSC uses Netcraft to do this, independent from
government.
DKG: what’s the ghost proposal for lawful access about, in tension with
limiting the User Interface? A: the ghost proposal wasn’t the purpose; it was
to have a conversation on solutions.

Kathleen asks as a review: Who is interested in contributing or reviewing
documents for SMART? Answer: About half the room raises their hand. Alissa
Cooper: what are the expectations for the future of the group? Some of this is
far out from what is currently being done in the IETF. Answer, Kathleen: need
to see what work comes in; different timescales is an issue; open to guidance
for scoping. Kirsty: the tie-back to protocols is the reason that we want this
to be in the IRTF.

Q, Eliot Lear: One of the biggest challenges is bringing the researchers to us.
NDSS, workshop on economics and security; how to bring those people here?
Kirsty: some of the work going into MAPRG would previously have come to IETF;
already have academics engaged from various industries despite having only a
mailing list. Ian: NCSC works with research institutes – we can bring
researchers to the IETF/IRTF with attack defence research, such as Angela
Sasse in London. We need to bring them here, meaningfully. I am happy to say
that our research institutes will contribute.