Hi Jaimandeep,

Thanks very much for your feedback on the draft. My replies to each of your points, and some questions, are below.

1. The draft has been adopted by the OPSEC WG as a working group document, and we believe it meets the group's charter as it documents current best practice around how IoCs are used and shared. It's not designed as a taxonomy or problem statement.

2. You're right that use of those more fragile IoCs is well established amongst those defending networks, but is not necessarily generally well known in the IETF community. We don't think there is a previous document that captures that best practice.

3. Exactly how IoCs are extracted will depend on the organisation and the tooling being used (and may rely on manual analysis), so we see that as out of scope for this document. This document focuses more on using and sharing those IoCs. Would a more detailed treatment of what might constitute e.g. attacker TTPs and tooling, and how you might be able to find them, be helpful?

With regard to your final point on specific protocols, do you have a specific area of concern or detail that you think the document should cover? We were aiming this document more to be a reference for the general technique of IoCs and how they are best used in current practice. Hence we had tried to keep the document relatively protocol agnostic, rather than cataloguing all of the different types of IoC in use that are drawn from IETF protocols or providing detailed guides on how to extract them. In particular, we think a more general overview is a more useful reference for those designing protocols when thinking about what metadata that could be used as IoCs their design may include.

Thanks,
Andrew

From: OPSEC <[email protected]> On Behalf Of Jaimandeep Singh
Sent: 05 August 2022 03:31
To: Jen Linkova <[email protected]>
Cc: opsec WG <[email protected]>; OpSec Chairs <[email protected]>; [email protected]
Subject: Re: [OPSEC] WGLC: draft-ietf-opsec-indicators-of-compromise

Dear All,

I am not in favour of adopting the draft at this stage because of the following concerns:

1. In my opinion, the draft falls under the category of Taxonomy and Problem Statement Documents, as it is mostly filled with definitions and theory.

2. It does not provide for any protocols, tools and technologies that are used to address the threat except for hashes of emails/IPs/Domain Names, which are already well established and do not add any additional value to the draft document.

3. The examples of Cobalt Strike and APT33 bring out no concrete ways in which the IOCs could be extracted. It is the same old technique of hashes of emails/IPs/Domain Names.

In my opinion, there is a definite requirement of working and brainstorming on the issue before the final call for adoption. We can look at picking up specific protocols such as HTTP/1/2/3, OAuth 2.0 and then work on the IOCs that can be extracted from these specific protocols.

Regards
Jaimandeep Singh

On Thu, Jul 28, 2022 at 5:02 AM Jen Linkova <[email protected]> wrote:

This email starts a WG Last Call for draft-ietf-opsec-indicators-of-compromise
https://datatracker.ietf.org/doc/draft-ietf-opsec-indicators-of-compromise/

The WGLC finishes on Sunday, Aug 14th, 25:59 UTC.

The chairs are looking for people who would review the document and respond to the list stating their support (or concerns regarding) advancing the draft.

Thank you!
--
SY, Jen Linkova aka Furry

_______________________________________________
OPSEC mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/opsec

This information is exempt under the Freedom of Information Act 2000 (FOIA) and may be exempt under other UK information legislation. Refer any FOIA queries to [email protected]. All material is UK Crown Copyright (c)
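The thread above turns on the "fragile" IoC types, hashes of files/emails, IP addresses and domain names, that Jaimandeep calls well established and Andrew says are still worth documenting for the IETF audience. The block below is an added example, not code from the draft or from either correspondent, showing the general technique they are discussing: normalising candidate values out of log records and matching them against an indicator set, then showing why a hash indicator is fragile (a one-byte change to the payload defeats it) while the domain indicator from the same intrusion still fires. The log lines, indicator values and the key=value log format are all constructed for the example; the IP and domain use RFC 5737 / reserved example ranges.

```python
"""Match fragile IoCs (sha256, IPv4, domain) against constructed log records.

Added illustration for the OPSEC thread on draft-ietf-opsec-indicators-of-compromise.
Nothing here is real telemetry: payloads, hashes, addresses and log lines are made up.
"""
import hashlib
import ipaddress
import re
from dataclasses import dataclass

# Two constructed payloads that differ by one byte; the hash indicator is
# derived from the first, so the second evades it.
ORIGINAL_PAYLOAD = b"MZ\x90\x00 constructed-beacon-v1"
MODIFIED_PAYLOAD = b"MZ\x90\x00 constructed-beacon-v2"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed indicator set, as it might arrive from a report or feed.
IOCS = {
    "sha256": {sha256_hex(ORIGINAL_PAYLOAD)},
    "ipv4": {"203.0.113.45"},            # RFC 5737 TEST-NET-3
    "domain": {"update.example.net"},    # reserved example domain
}

# Constructed key=value log records (assumed format, not any real product's).
LOG_LINES = [
    "ts=2022-08-05T03:31:00Z src=proxy dst=UPDATE.EXAMPLE.NET. ip=203.0.113.45 method=GET",
    f"ts=2022-08-05T03:31:02Z src=edr host=ws17 file=beacon.exe sha256={sha256_hex(ORIGINAL_PAYLOAD)}",
    "ts=2022-08-05T03:32:10Z src=dns query=cdn.example.com answer=198.51.100.7",
    f"ts=2022-08-05T03:40:00Z src=edr host=ws17 file=beacon2.exe sha256={sha256_hex(MODIFIED_PAYLOAD)}",
]

KV = re.compile(r"(\w+)=(\S+)")
HASH_KEYS = {"sha256"}
IP_KEYS = {"ip", "answer"}
DOMAIN_KEYS = {"dst", "query"}


@dataclass(frozen=True)
class Hit:
    line_no: int
    ioc_type: str
    value: str


def normalise(key: str, raw: str):
    """Return (ioc_type, canonical value) for an indicator-bearing field, else None.

    Canonicalisation matters: upper-case hostnames, trailing dots and
    differently-cased hex digests must compare equal to the feed's form.
    """
    if key in HASH_KEYS:
        v = raw.lower()
        return ("sha256", v) if re.fullmatch(r"[0-9a-f]{64}", v) else None
    if key in IP_KEYS:
        try:
            return ("ipv4", str(ipaddress.IPv4Address(raw)))
        except ipaddress.AddressValueError:
            return None
    if key in DOMAIN_KEYS:
        return ("domain", raw.rstrip(".").lower())
    return None


def match_lines(lines, iocs) -> list:
    """Return every indicator hit across the given records, in log order."""
    hits = []
    for n, line in enumerate(lines, start=1):
        for key, raw in KV.findall(line):
            norm = normalise(key, raw)
            if norm and norm[1] in iocs.get(norm[0], ()):
                hits.append(Hit(n, *norm))
    return hits


def hash_matches(payload: bytes, iocs) -> bool:
    """True if the payload's digest is in the indicator set."""
    return sha256_hex(payload) in iocs["sha256"]


if __name__ == "__main__":
    for h in match_lines(LOG_LINES, IOCS):
        print(h)
    print("original payload matches hash IoC:", hash_matches(ORIGINAL_PAYLOAD, IOCS))
    print("modified payload matches hash IoC:", hash_matches(MODIFIED_PAYLOAD, IOCS))
```

Run as-is it reports three hits (domain and IP on line 1, hash on line 2) and none on line 4, even though line 4 is the same tooling recompiled: the hash has changed, the contact domain has not. That asymmetry is the practical content behind "fragile" in the discussion above, and it is why a sharing format needs to carry several indicator types for one intrusion rather than a single hash.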
