rfcdiff: draft-taddei-smart-cless-introduction-00.txt vs. draft-taddei-smart-cless-introduction-01.txt
IETF A. Taddei IETF A. Taddei
Internet-Draft C. Wueest Internet-Draft C. Wueest
Intended status: Informational K. Roundy Intended status: Informational K. Roundy
Expires: September 26, 2019 Symantec Corporation Expires: January 9, 2020 Symantec Corporation
D. Lazanski D. Lazanski
Last Press Label Last Press Label
March 25, 2019 July 08, 2019
Capabilities and Limitations of an Endpoint-only Security Solution Capabilities and Limitations of an Endpoint-only Security Solution
draft-taddei-smart-cless-introduction-00 draft-taddei-smart-cless-introduction-01
Abstract Abstract
In the context of existing, proposed and newly published protocols, In the context of existing, proposed and newly published protocols,
this draft RFC is to establish the capabilities and limitations of this draft RFC is to establish the capabilities and limitations of
endpoint-only security solutions and explore benefits and endpoint-only security solutions and explore benefits and
alternatives to mitigate those limits with the support of real case alternatives to mitigate those limits with the support of real case
studies. studies.
Status of This Memo Status of This Memo
skipping to change at page 1, line 37 skipping to change at page 1, line 37
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on September 26, 2019. This Internet-Draft will expire on January 9, 2020.
Copyright Notice Copyright Notice
Copyright (c) 2019 IETF Trust and the persons identified as the Copyright (c) 2019 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
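Review bot: The abstract describes the document as "this draft RFC", and the same wording recurs later in the diff ("this is the first draft RFC for the authors"); an Internet-Draft with Informational intended status is not a draft of an RFC, so "this document is to establish the capabilities and limitations ..." is the wording to use in both places. In the same sentence, "with the support of real case studies" reads more naturally as "supported by real case studies".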
skipping to change at page 2, line 17 skipping to change at page 2, line 17
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Abbreviations . . . . . . . . . . . . . . . . . . . . . . . . 4 2. Abbreviations . . . . . . . . . . . . . . . . . . . . . . . . 4
3. Definitions . . . . . . . . . . . . . . . . . . . . . . . . . 5 3. Definitions . . . . . . . . . . . . . . . . . . . . . . . . . 5
4. Disclaimer . . . . . . . . . . . . . . . . . . . . . . . . . 6 4. Disclaimer . . . . . . . . . . . . . . . . . . . . . . . . . 6
5. Endpoints: definitions, models and scope . . . . . . . . . . 6 5. Endpoints: definitions, models and scope . . . . . . . . . . 6
5.1. Internal representation of an endpoint . . . . . . . . . 7 5.1. Internal representation of an endpoint . . . . . . . . . 7
5.2. Endpoints modeled in an end-to-end context . . . . . . . 8 5.2. Endpoints modeled in an end-to-end context . . . . . . . 8
6. Threat Landscape . . . . . . . . . . . . . . . . . . . . . . 8 6. Threat Landscape . . . . . . . . . . . . . . . . . . . . . . 9
7. Endpoint Security Capabilities . . . . . . . . . . . . . . . 10 7. Endpoint Security Capabilities . . . . . . . . . . . . . . . 11
8. What would be a perfect endpoint security solution? . . . . . 13 8. What would be a perfect endpoint security solution? . . . . . 14
9. The defence-in-depth principle . . . . . . . . . . . . . . . 15 9. The defence-in-depth principle . . . . . . . . . . . . . . . 15
10. Endpoint Security Limits . . . . . . . . . . . . . . . . . . 16 10. Endpoint Security Limits . . . . . . . . . . . . . . . . . . 16
10.1. No possibility to put an endpoint security add-on on the 10.1. No possibility to put an endpoint security add-on on the
UE . . . . . . . . . . . . . . . . . . . . . . . . . . . 17 UE . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
10.1.1. Not receiving any updates or functioning patches . . 18 10.1.1. Not receiving any updates or functioning patches . . 18
10.1.2. Mirai IoT bot . . . . . . . . . . . . . . . . . . . 19 10.1.2. Mirai IoT bot . . . . . . . . . . . . . . . . . . . 19
10.2. Endpoints may not see the malware on the endpoint . . . 19 10.2. Endpoints may not see the malware on the endpoint . . . 20
10.2.1. LoJax UEFI rootkit . . . . . . . . . . . . . . . . . 19 10.2.1. LoJax UEFI rootkit . . . . . . . . . . . . . . . . . 20
10.2.2. SGX Malware . . . . . . . . . . . . . . . . . . . . 20 10.2.2. SGX Malware . . . . . . . . . . . . . . . . . . . . 21
10.2.3. AMT Takeover . . . . . . . . . . . . . . . . . . . . 20 10.2.3. AMT Takeover . . . . . . . . . . . . . . . . . . . . 21
10.2.4. AMT case study (anonymised) . . . . . . . . . . . . 21 10.2.4. AMT case study (anonymised) . . . . . . . . . . . . 22
10.2.5. Users bypass the endpoint security . . . . . . . . . 22 10.2.5. Users bypass the endpoint security . . . . . . . . . 23
10.3. Endpoints may miss information leakage attacks . . . . . 22 10.3. Endpoints may miss information leakage attacks . . . . . 23
10.3.1. Meltdown/Specter . . . . . . . . . . . . . . . . . . 22 10.3.1. Meltdown/Specter . . . . . . . . . . . . . . . . . . 23
10.3.2. Network daemon exploits . . . . . . . . . . . . . . 22 10.3.2. Network daemon exploits . . . . . . . . . . . . . . 23
10.3.3. SQL injection attacks . . . . . . . . . . . . . . . 23 10.3.3. SQL injection attacks . . . . . . . . . . . . . . . 24
10.3.4. Low and slow data exfiltration . . . . . . . . . . . 23 10.3.4. Low and slow data exfiltration . . . . . . . . . . . 24
10.4. Suboptimality and gray areas . . . . . . . . . . . . . . 24 10.4. Suboptimality and gray areas . . . . . . . . . . . . . . 25
10.4.1. Stolen credentials . . . . . . . . . . . . . . . . . 24 10.4.1. Stolen credentials . . . . . . . . . . . . . . . . . 25
10.4.2. Zero Day Vulnerability . . . . . . . . . . . . . . . 25 10.4.2. Zero Day Vulnerability . . . . . . . . . . . . . . . 26
10.4.3. Port scan over the network . . . . . . . . . . . . . 25 10.4.3. Port scan over the network . . . . . . . . . . . . . 26
10.4.4. DDoS attacks . . . . . . . . . . . . . . . . . . . . 26 10.4.4. DDoS attacks . . . . . . . . . . . . . . . . . . . . 27
11. Learnings from production data . . . . . . . . . . . . . . . 27 11. Learnings from production data . . . . . . . . . . . . . . . 28
11.1. Endpoint only incidents . . . . . . . . . . . . . . . . 28 11.1. Endpoint only incidents . . . . . . . . . . . . . . . . 29
11.2. Security incidents detected primarily by network 11.2. Security incidents detected primarily by network
security products . . . . . . . . . . . . . . . . . . . 29 security products . . . . . . . . . . . . . . . . . . . 30
11.2.1. Unauthorized external vulnerability scans . . . . . 29 11.2.1. Unauthorized external vulnerability scans . . . . . 30
11.2.2. Unauthorized internal vulnerability scans . . . . . 30 11.2.2. Unauthorized internal vulnerability scans . . . . . 31
11.2.3. Malware downloads resulting in exposed endpoints . . 30 11.2.3. Malware downloads resulting in exposed endpoints . . 31
11.2.4. Exploit kit infections . . . . . . . . . . . . . . . 30 11.2.4. Exploit kit infections . . . . . . . . . . . . . . . 31
11.2.5. Attacks against servers . . . . . . . . . . . . . . 31 11.2.5. Attacks against servers . . . . . . . . . . . . . . 32
12. Regulatory Considerations . . . . . . . . . . . . . . . . . . 32 12. Regulatory Considerations . . . . . . . . . . . . . . . . . . 33
12.1. IoT Security . . . . . . . . . . . . . . . . . . . . . . 32 12.1. IoT Security . . . . . . . . . . . . . . . . . . . . . . 33
12.2. Network infrastructure . . . . . . . . . . . . . . . . . 33 12.2. Network infrastructure . . . . . . . . . . . . . . . . . 34
12.3. Auditing and Assessment . . . . . . . . . . . . . . . . 33 12.3. Auditing and Assessment . . . . . . . . . . . . . . . . 34
12.4. Privacy Considerations . . . . . . . . . . . . . . . . . 34 12.4. Privacy Considerations . . . . . . . . . . . . . . . . . 35
13. Human Rights Considerations . . . . . . . . . . . . . . . . . 34 13. Human Rights Considerations . . . . . . . . . . . . . . . . . 35
14. Security Considerations . . . . . . . . . . . . . . . . . . . 34 14. Security Considerations . . . . . . . . . . . . . . . . . . . 35
15. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 34 15. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 35
16. Informative References . . . . . . . . . . . . . . . . . . . 34 16. Informative References . . . . . . . . . . . . . . . . . . . 35
Appendix A. Contributors . . . . . . . . . . . . . . . . . . . . 39 Appendix A. Contributors . . . . . . . . . . . . . . . . . . . . 40
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 40 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 41
1. Introduction 1. Introduction
This Internet Draft aims to be a reference to the designers of This Internet Draft aims to be a reference to the designers of
protocols on the capabilities and limitations of security solutions protocols on the capabilities and limitations of security solutions
on endpoint devices against malware and other attacks. As security on endpoint devices against malware and other attacks. As security
is entering a new phase in the arms race between attackers and is entering a new phase in the arms race between attackers and
defenders, with many technical, economic and regulatory changes, and defenders, with many technical, economic and regulatory changes, and
with a significant increase in major data breaches, it is a good with a significant increase in major data breaches, it is a good
moment to propose a systematic review and update on what is an old moment to propose a systematic review and update on what is an old
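Review bot: The table of contents entry for 10.3.1 spells the vulnerability "Specter" in both the -00 and -01 columns; the CPU side-channel attack is "Spectre", and the section heading at page 23 presumably carries the same misspelling, so both should be corrected together. The rest of this block only renumbers pages and needs no change.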
skipping to change at page 6, line 45 skipping to change at page 6, line 45
collaboration. This is to be noted too, that this is the first draft collaboration. This is to be noted too, that this is the first draft
RFC for the authors and contributors, so, coaching and help will be RFC for the authors and contributors, so, coaching and help will be
appreciated. Overall, 'a bon entendeur, salut'. appreciated. Overall, 'a bon entendeur, salut'.
Comments are solicited and should be addressed to the authors. Comments are solicited and should be addressed to the authors.
5. Endpoints: definitions, models and scope 5. Endpoints: definitions, models and scope
Endpoints are the origin and destination for a communication between Endpoints are the origin and destination for a communication between
parties. This encompasses User Equipment (UE) and the Host at the parties. This encompasses User Equipment (UE) and the Host at the
other end of the communication. More work to model the various other end of the communication. Whilst it is recognized that these
endpoint types would be helpful for this draft (in the same spirit as two ends of the communication may represent a vast amount of diverse
the IETF TEEP Working Group generalized its work, see [TEEP]). endpoints, this document will set here a requirement for a uniform
way to describe the endpoints in order to work from an equally
uniform representation of what is called the Attack Surface. In the
same spirit as the IETF TEEP Working Group generalized its work, see
[TEEP], this document will rely on another document identified as
We require a framework in order to define and model the endpoint [I-D.draft-mcfadden-smart-endpoint-taxonomy-for-cless-00] in order to
itself and the position of the endpoint in the network. In this represent the taxonomy of endpoints.
initial analysis we focus on endpoints that are User Equipment (UE)
rather than on hosts. In the future, we hope to balance and unify
the model.
For example: For example:
o The following would be considered as UEs: a smartphone, a smart o The following would be considered as UEs: a smartphone, a smart
device, any IoT device, a laptop, a desktop, a workstation, etc. device, any IoT device, a laptop, a desktop, a workstation, etc.
o Hosts represent too, physical servers, virtual servers/machines, o Hosts represent too, physical servers, virtual servers/machines,
etc. etc.
We need two models for the endpoint, internally and in an end-to-end We require a framework in order to define and model the endpoint
context within the network. With this approach we expect both models itself and the position of the endpoint in the network. In this
to help us cover all the threat landscape and capabilities for initial analysis we focus on endpoints that are User Equipment (UE)
endpoint security. This will help us understand point attacks versus rather than on hosts. In the future, with the help of
composite attacks within context, and, accordingly, understand [I-D.draft-mcfadden-smart-endpoint-taxonomy-for-cless-00] we hope to
holistically the capabilities and the limitations of endpoint balance and unify the model.
security. For example to differentiate when only an application on
the end point is affected. In addition, we need two models for the endpoint, internally and in
an end-to-end context within the network. With this approach we
expect both models to help us cover all the attack surface and the
threat landscape and therefore help us list the capabilities and
limitations for endpoint security.
Indeed, this will help us understand point attacks versus composite
attacks within context, and, accordingly, understand holistically the
capabilities and the limitations of endpoint security. For example
to differentiate when only an application on the end point is
affected.
5.1. Internal representation of an endpoint 5.1. Internal representation of an endpoint
An internal representation of an endpoint could be generalized by the This section interfaces here with
simple diagram below: [I-D.draft-mcfadden-smart-endpoint-taxonomy-for-cless-00] which
starts from the below internal representation of an endpoint which
could be generalized by the simple diagram below:
+----------------------------+ +----------------------------+
| Application | | Application |
+----------------------------+ +----------------------------+
| OS / Execution Environment | | OS / Execution Environment |
+----------------------------+ +----------------------------+
| Hardware | | Hardware |
+----------------------------+ +----------------------------+
Today there are many combinations of Hardware, OS/EE pairing and Today there are many combinations of Hardware, OS/EE pairing and
Application layers, offering the user a vast set of features with a Application layers, offering the user a vast set of features with a
wide spectrum of capabilities. wide spectrum of capabilities.
Furthermore we can consider that an application running on a UE or a Furthermore we can consider that an application running on a UE or a
host is an endpoint too, so we have multiple ways to read the above host is an endpoint too, so we have multiple ways to read the above
diagram. diagram.
In essence we want to consider here endpoints including those which In essence we want to consider here endpoints including those which
have a variance in electrical power, computational power, memory, have a variance in electrical power, computational power, memory,
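Review bot: The new -01 text in Section 5 says "this document will set here a requirement for a uniform way to describe the endpoints", but an Informational draft that imports its taxonomy from [I-D.draft-mcfadden-smart-endpoint-taxonomy-for-cless-00] is not setting a requirement on anyone; "this document assumes a uniform way to describe endpoints, so that the Attack Surface can be represented uniformly" states the intent without normative overtones. In Section 5.1 the new opening sentence repeats "below" ("starts from the below internal representation ... generalized by the simple diagram below") and "interfaces here with" is unclear; suggest "This section aligns with [I-D.draft-mcfadden-smart-endpoint-taxonomy-for-cless-00], which starts from the internal representation of an endpoint generalized in the diagram below:".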
skipping to change at page 7, line 47 skipping to change at page 8, line 14
Today there are many combinations of Hardware, OS/EE pairing and Today there are many combinations of Hardware, OS/EE pairing and
Application layers, offering the user a vast set of features with a Application layers, offering the user a vast set of features with a
wide spectrum of capabilities. wide spectrum of capabilities.
Furthermore we can consider that an application running on a UE or a Furthermore we can consider that an application running on a UE or a
host is an endpoint too, so we have multiple ways to read the above host is an endpoint too, so we have multiple ways to read the above
diagram. diagram.
In essence we want to consider here endpoints including those which In essence we want to consider here endpoints including those which
have a variance in electrical power, computational power, memory, have a variance in electrical power, computational power, memory,
disk, network interfaces, size, ownership, etc. disk, network interfaces, size, ownership, connectics, etc. and
therefore why we rely on
[I-D.draft-mcfadden-smart-endpoint-taxonomy-for-cless-00].
5.2. Endpoints modeled in an end-to-end context 5.2. Endpoints modeled in an end-to-end context
A representation of endpoints in an end-to-end context could look A representation of endpoints in an end-to-end context could look
like the following diagram: like the following diagram:
+-------+ +---------------------+---------+ +-------+ +---------------------+---------+
| Human | <- (1) -> | Digital Persona | Application | <- (2) -> | Human | <- (1) -> | Digital Persona | Application | <- (2) ->
+-------+ +-----------+-------------------+ +-------+ +-----------+-------------------+
| User Equipment | | User Equipment |
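Review bot: The -01 addition to the last paragraph of Section 5.1 uses "connectics", which is not an English term (the intended sense is presumably "connectivity" or "connectors"), and the clause "etc. and therefore why we rely on [I-D.draft-mcfadden-smart-endpoint-taxonomy-for-cless-00]." is a fragment. Suggest ending the sentence at "etc." and adding: "This variance is why this document relies on [I-D.draft-mcfadden-smart-endpoint-taxonomy-for-cless-00] for its taxonomy of endpoints."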
skipping to change at page 35, line 41 skipping to change at page 36, line 41
[EPPSECURITY] [EPPSECURITY]
Hunt, J., "Advantages and Disadvantages of Three Top Hunt, J., "Advantages and Disadvantages of Three Top
Endpoint Security Vendors", n.d., Endpoint Security Vendors", n.d.,
<https://www.adapture.com/blog/ <https://www.adapture.com/blog/
evaluating-leading-endpoint-security-vendors/>. evaluating-leading-endpoint-security-vendors/>.
[EPRSANS] Neely, L., "Endpoint Protection and Response A SANS [EPRSANS] Neely, L., "Endpoint Protection and Response A SANS
Survey", June 2018, <https://www.sans.org/reading- Survey", June 2018, <https://www.sans.org/reading-
room/whitepapers/clients/paper/38460>. room/whitepapers/clients/paper/38460>.
[EPTAXONOMY]
MacFadden, M., "Endpoint Taxonomy for CLESS", July 2019,
<https://www.ietf.org/id/
draft-mcfadden-smart-endpoint-taxonomy-for-cless-00.txt>.
[ERICSSON] [ERICSSON]
Ericsson, ., "Internet of Things forecast", n.d., Ericsson, ., "Internet of Things forecast", n.d.,
<https://www.ericsson.com/en/mobility-report/ <https://www.ericsson.com/en/mobility-report/
internet-of-things-forecast>. internet-of-things-forecast>.
[EURLEX] EUP, ., "Directive (EU) 2016/1148", July 2016, [EURLEX] EUP, ., "Directive (EU) 2016/1148", July 2016,
<https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=urise <https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=urise
rv:OJ.L_.2016.194.01.0001.01.ENG&toc=OJ:L:2016:194:TOC>. rv:OJ.L_.2016.194.01.0001.01.ENG&toc=OJ:L:2016:194:TOC>.
[FLAMER] Symantec, ., "W32.Flamer Microsoft Windows Update Man-in- [FLAMER] Symantec, ., "W32.Flamer Microsoft Windows Update Man-in-
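Review bot: The new [EPTAXONOMY] entry references the same document as the [I-D.draft-mcfadden-smart-endpoint-taxonomy-for-cless-00] entry added further down, with the author spelled "MacFadden" here and "McFadden" there; the body text in Section 5 cites only the I-D anchor, so the [EPTAXONOMY] entry appears unused and should be dropped (or the two merged) with one consistent author spelling. Two smaller points in this block: the [EPRSANS] title is missing its separator ("Endpoint Protection and Response: A SANS Survey"), and author fields such as "Ericsson, ., " and "EUP, ., " show an empty-initials artifact from giving an organization as a personal author; listing the organization alone avoids the stray ", .,".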
skipping to change at page 36, line 33 skipping to change at page 37, line 37
[GSMAIOT] GSMA, ., "GSMA IoT Security Guidelines and Assessment", [GSMAIOT] GSMA, ., "GSMA IoT Security Guidelines and Assessment",
n.d., <https://www.gsma.com/iot/iot-security/ n.d., <https://www.gsma.com/iot/iot-security/
iot-security-guidelines/>. iot-security-guidelines/>.
[HSTODAY] Hstoday, ., "Layered Approach Critical to Effective [HSTODAY] Hstoday, ., "Layered Approach Critical to Effective
Endpoint Protection", October 2016, Endpoint Protection", October 2016,
<https://www.hstoday.us/channels/federal-state-local/ <https://www.hstoday.us/channels/federal-state-local/
layered-approach-critical-to-effective-endpoint- layered-approach-critical-to-effective-endpoint-
protection/>. protection/>.
[I-D.draft-mcfadden-smart-endpoint-taxonomy-for-cless-00]
McFadden, M., "Endpoint Taxonomy for CLESS", draft-
mcfadden-smart-endpoint-taxonomy-for-cless-00 (work in
progress), July 2019.
[IMDAIOTG] [IMDAIOTG]
IMDA, ., "IMDA IoT Cyber Security Guide", January 2019, IMDA, ., "IMDA IoT Cyber Security Guide", January 2019,
<https://www.imda.gov.sg/-/media/imda/files/ <https://www.imda.gov.sg/-/media/imda/files/
regulation-licensing-and-consultations/consultations/ regulation-licensing-and-consultations/consultations/
open-for-public-comments/ open-for-public-comments/
consultation-for-iot-cyber-security-guide/ consultation-for-iot-cyber-security-guide/
imda-iot-cyber-security-guide.pdf>. imda-iot-cyber-security-guide.pdf>.
[IOTPATCHING] [IOTPATCHING]
Rogers, D., "Handling vulnerabilities as an IoT vendor", Rogers, D., "Handling vulnerabilities as an IoT vendor",
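Review bot: The reference anchor [I-D.draft-mcfadden-smart-endpoint-taxonomy-for-cless-00] carries a redundant "draft-" prefix and a version suffix; the conventional anchor for an Internet-Draft reference omits both, i.e. [I-D.mcfadden-smart-endpoint-taxonomy-for-cless], which also keeps the citation valid when the -01 of that draft appears. The entry itself ("work in progress", July 2019) is correctly formed; only the anchor, and the three citations of it in Section 5, need renaming.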
 End of changes. 15 change blocks. 
62 lines changed or deleted 86 lines changed or added

This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/