Greetings! I have reviewed the OPSEC draft on indicators of compromise and have a few comments to share: first a general one, and then a few specific to sections of the document.
draft-ietf-opsec-indicators-of-compromise is a well-documented account and description of the use of IoCs to defend against attacks.

Section 3.2.3 accurately describes the general consensus on the value of sharing IoCs. My personal opinion, informed by being the CTO for the Center for Internet Security, responsible for the Multi-State ISAC, is that indicators are most useful when they can be applied to have a broad impact, as opposed to being shared broadly. I have a blog coming out to detail this further and encourage improvement to models. I did notice some projected uses in later sections that would be good to see industry more fully adopt.

Section 3.2.4 (Deployment) - This is good advice that I think should go a step further. Deployment should not rely on individual organizations, but rather on the software teams or product teams that can make an impact. Having the ability to support IoCs in protocols would be a big step toward more effective deployment, enabling software or product owners to integrate IoCs when a patch to eliminate the need for them (resolving a vulnerability) is not yet possible. Section 4.1.1 mentions the use of patching to resolve the need for IoCs when possible.

Section 6.1 - If you'd like to include additional examples where IoCs are used in DNS filtering, I am the CTO at the Center for Internet Security. CIS runs the Multi-State Information Sharing and Analysis Center (MS-ISAC), and we offer a filtering DNS service to greatly reduce the attacks seen by our members, the US State, Local, Tribal, and Territorial (SLTT) organizations. The MS-ISAC vets 200+ sources of IoCs to compile what is used for our members via DNS and other services. This enables an at-scale solution to impact organizations who oftentimes lack the resources to secure their own networks. Additionally, the US Federal government announced they will be offering a similar service to US Federal government agencies.
Thank you for your work on this draft, documenting the active use of IoCs today and how they may evolve.

--
Best regards,
Kathleen
_______________________________________________
OPSEC mailing list
OPSEC@ietf.org
https://www.ietf.org/mailman/listinfo/opsec