Operational Security Capabilities for IP Network Infrastructure (OPSEC)

Friday, July 30, 14:30

Note Well, Administrivia, WG Status (10 Minutes)

-- Chairs

Working Group Business, two drafts making significant progress.

• RFC Ed Queue - Operation Security Considerations for IPv6 Networks
• IESG Evaluation - Recommendations on the Filtering of IPv6 Packets Containing IPv6 Extension Headers at Transit Routers

Indicators of Compromise (IoCs) and Their Role in Attack Defence

-- draft-paine-smart-indicators-of-compromise
-- Ollie Whitehouse [OW]

Ollie is co-author of this proposal with Kirsty Paine.

Presentation to show intent and ask some questions at the end.

History - presented at secdispatch in IETF 109. Revised based on feedback. Brought to OPSEC mailing list this year.

Motivation - authors defend networks all the time. Cyber defence is complicated due to a range of factors. Wanted to provide guidance for protocol engineers on cyber defence. At times protocol design goes against principles of cyber defence. Wanted to bring their expertise to the IETF.

Draft introduction - cyber defence relies on Indicators of Compromise (IoCs) to get scaling effect. IoCs have varying degrees of quality, length of time they are effective for. Systems which send the IoCs out to endpoints very quickly to identify threat actors and displace them from networks.

Draft includes design considerations, how to think about IoCs, examples

Draft has been fleshed out to create more standalone piece of work.

What are IoCs? Examples include IP addresses in traffic, DNS domain names, TLS SNI in network traffic (SNI can be used even when traffic is encrypted), TLS cert information, code signing certs in binaries (threat actors buy code signing certificates but these are often used across campaigns), hashes of binaries, attack tools, attack techniques (lots more detail on slide)

Eric Rescorla (EKR) - What is threat model for SNI? If the attacker controls the server/client pair then SNI is unverifiable.

OW - Yes but an attacker will often use a CDN so we will see a connection going to CDN, and the IP address is responsible for many hosts, and through SNI we can tell which of the hosts this is. We don't have a specific SNI threat model. If you have a sufficiently advanced threat actor they can get around these, but that's the 1% most of this is about defeating the 99%

Presentation - Putting this all together gives Pyramid of pain, which is a hierarchy of IoCs.
Have added work to this draft around life cycle of IoCs. Discovery. Assessment. Sharing (remember some IoCs are fragile). Deployment. Detection, Reaction, End of Life.

Questions/Next Steps

• Further feedback and comments welcome
• Is the work is scope for opsec
• Would the group consider WG adoption?

Éric Vyncke (EV) - What you've said looks like a very attractive draft. More on protocol design than operation though?

OW - Yes, that's fair. What we're asking is that as the IETF designs new protocols or amends existing that these are taken into account.

Warren Kumari (WK) - Was that a pointed question suggesting that shouldn't be done here?

EV - Yes, should have been more open.

EKR - Informationally this is all fine, but we've had about three separate documents saying encrypting things makes our lives harder. This is a source of frustration. What are you asking for?

OW - Optionality. Cyber defence can be hard, deploying new protocols e.g. DoH can make it harder. Protecting at endpoint is not always possible e.g. in walled gardens, embedded devices. We're tasked with monitoring everything. DoH might be a bad example, but organisations are having to turn DoH off to do certain monitoring. There are now ways to do privacy preserving introspection. It's building some of that into future design.

EKR - Spent years discussion how DoH should be designed. WG now does mechanism not policy. Don't want this WG to do policy part and lead to difficulties at WGLC.

OW - Multiparty computation and similar are techniques that maintain privacy and to do what is wanted.

EKR - MPC not plausible answer.

OW - Do you think there's no way we can achieve this?

EKR - Would be multiyear research project, not a drop in. We focused on people being able to control the endpoint to disable things. Don't see how it's going to work. If outcome is recommendations on protocol design will be difficult to get consensus.

OW - Want to provide body of knowledge.

Jen Linkova - Would like to see more comments on the list about the draft. I don't mind hosting it, just want to make sure there isn't a better place. If not we'll run the adoption call here. Drafts shouldn't be adopted if no one says anything, please give feedback.