Thanks for both writing and presenting this work, Michael. I have some high-level feedback, some of which I teased at in the chat.
Section 6 says protocol designers should consider how a new protocol "may impact attackers' capabilities, such as C2 communications, network traversal or data exfiltration." Obviously, this line of thinking is good, but I worry that threat modeling is not a skill many protocol designers have. Maybe I'm projecting too much of myself here, but I do recognize this area as being specialized. I think it would be useful to offer more guidance as to how a protocol designer is supposed to conduct or document that attacker-capability analysis, or are you thinking SEC DIR will provide this guidance during reviews?

The draft covers enterprise/SOC-centric security operations, but what about operators of the infrastructure itself (e.g., ISPs, IXPs, CDNs) who also perform security operations at scale? The tooling, IoC models, and incident response described seem to correspond to what I recognize as SOC in the enterprise, but I imagine traffic analysis and threat detection at a carrier or IX point look quite different. It might make sense to better distinguish the two if others agree.

Joe
_______________________________________________
OPSAWG mailing list -- [email protected]
To unsubscribe send an email to [email protected]
