Hi Rob,

Thanks very much for your review. With regard to your questions, we think that while it would be feasible for threat actors to use automated threat feeds in this way, the authors haven't seen an example of a threat actor doing this, or of specific mitigations that defenders are putting in place against it. It's certainly something to be mindful of, and a reason to share IoCs responsibly to limit the chance that they are obtained by threat actors. However, exploiting automated IoC feeds is likely to be too complex for all but sophisticated threat actors working against sophisticated targets to attempt, and it would likely be frustrated by good operational security practices for the majority of their targets.
Many thanks,
Andy

-----Original Message-----
From: Robert Wilton via Datatracker <[email protected]>
Sent: 09 January 2023 14:28
To: The IESG <[email protected]>
Cc: [email protected]; [email protected]; [email protected]; [email protected]; [email protected]
Subject: Robert Wilton's Yes on draft-ietf-opsec-indicators-of-compromise-03: (with COMMENT)

Robert Wilton has entered the following ballot position for
draft-ietf-opsec-indicators-of-compromise-03: Yes

----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

Hi,

Thanks for this informative read.

When sharing IoCs, is there ever a concern that the attackers themselves may make use of an IoC feed, particularly one that is generated in a machine-readable format, to automatically modify their attacks to mitigate the defenses? Are steps taken to mitigate this, or is this not really a practical concern at this time?

Regards,
Rob

_______________________________________________
OPSEC mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/opsec
