IETF Draft: Indicators of Compromise and Their Role in Attack and Defen[c|s]e


Earlier last month saw the publication of an IETF draft NCC Group co-wrote with the UK’s National Cyber Security Centre, titled ‘Indicators of Compromise (IoCs) and Their Role in Attack Defence’.

The purpose of the draft is fourfold:

  • Outline the different types of Indicators of Compromise.
  • Outline their associated benefits and limitations.
  • Discuss their effective use.
  • Articulate the need for continual consideration around such matters in the design, implementation and operation of network protocols and higher-level applications.

The driver behind all of this is to converge on a formal definition of such Indicators of Compromise, their role and their value, specifically in detecting and mitigating threat actors through a range of approaches, capabilities and scales.

Privacy and Security: an Opportunity

An interesting dimension is how this draft sits with RFC7258, ‘Pervasive Monitoring Is an Attack’. Whilst not overly at odds, it is clear (as DNS over HTTPS (DoH) has shown) that there are trade-offs today between being able to monitor for malicious activity at scale with relatively low cost and complexity, and privacy.

What this highlights to me is that there is still significant scope for further research into privacy-enhancing technologies which allow indicators and other security monitoring to be used whilst providing privacy-preserving properties.

Further Comments Welcome

We welcome further comments as we are currently in the review and edit process based on this initial draft.