On Thu, Mar 15, 2018 at 12:58 PM, Carl Mehner <c...@cem.me> wrote:
>
>
> On Thu, Mar 15, 2018 at 9:59 AM, Kathleen Moriarty
> <kathleen.moriarty.i...@gmail.com> wrote:
>> I think what Yoav is referring to by detecting bots within the
>> network is really so-called advanced persistent threat (APT) actors
>> that are moving around the internal network leveraging existing access
>> rights of compromised accounts and privilege escalation
>> vulnerabilities. These might be detectable with 'visibility'.
>> Patterns and behavior might be used to detect the APT use case whether
>> or not encryption protects the stream, but it is more difficult.
>
> Yes, they might; however, the best place for malware detection is on the
> edge (which is out of scope for "in the Datacenter" type connections) and
> the endpoint, where an agent is able to run that does not need to 'break in'
> to the TLS session. Yes, the Fenter draft talks about how malware endpoints
> can be anywhere in the network, and that they can delete logs, as a reason to
> require out-of-band network decryption. However, if "breaking TLS" becomes
> an effective malware mitigation means, more malware makers may move to using
> app-level encryption (as some already have). Therefore, the conclusion we
> can draw is that malware is not a reasonable reason for requiring this enhanced
> "visibility".
The example I provided is not about malware; it was about lateral movement by threat actors within a network. The initial compromise that led to access within the network may have been through malware or some other vulnerability, but I do think monitoring on an internal network (encrypted or not, through logs or on the wire) is the use case for attack detection that is plausible with the proposed approach.

Best regards,
Kathleen

>
>
> -carl

--
Best regards,
Kathleen

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
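The thread above argues that lateral movement by an actor reusing compromised accounts can be spotted from "patterns and behavior" in internal traffic whether or not the stream is TLS encrypted. The following is an added example, not code from the thread or from any IETF draft, of what such a detector looks like when it is fed only connection metadata (timestamp, source, destination, destination port) such as firewall or NetFlow logs, with no payload inspection and no TLS decryption. The flow lines, the baseline of "normal" administrative connections, the internal ranges, the admin-port list and the fan-out threshold are all constructed for illustration and would be tuned per network.

```python
"""Lateral-movement fan-out detection from connection metadata only.

Added example (not from the mailing-list thread). It consumes flow
records of the form "<iso-timestamp> <src-ip> <dst-ip> <dst-port>" and
never looks at payload, so it behaves identically for cleartext and
TLS-encrypted sessions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumptions for the example: which ranges count as "internal", which
# destination ports indicate remote administration, and how many never-
# before-seen internal targets within one window constitute an alert.
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
ADMIN_PORTS = {22, 445, 3389, 5985, 5986}
WINDOW = timedelta(minutes=10)
FANOUT_THRESHOLD = 3


@dataclass(frozen=True)
class Flow:
    ts: datetime
    src: str
    dst: str
    dport: int


# Constructed sample flow log. 10.0.1.5 is an admin workstation whose
# connections are in the baseline; 10.0.2.77 is a compromised host that
# starts touching file servers and a terminal server it never used before.
SAMPLE_LOG = """\
2018-03-15T12:00:00 10.0.1.5 10.0.3.10 3389
2018-03-15T12:01:00 10.0.1.5 10.0.3.11 22
2018-03-15T12:02:30 10.0.2.77 93.184.216.34 443
2018-03-15T12:03:00 10.0.2.77 10.0.3.10 445
2018-03-15T12:04:10 10.0.2.77 10.0.3.11 445
2018-03-15T12:05:00 10.0.4.20 10.0.3.10 445
2018-03-15T12:06:45 10.0.2.77 10.0.3.12 3389
2018-03-15T12:30:00 10.0.2.77 10.0.3.13 22
"""

# Constructed baseline: (src, dst, dport) triples observed during a
# learning period and therefore considered expected.
BASELINE = {
    ("10.0.1.5", "10.0.3.10", 3389),
    ("10.0.1.5", "10.0.3.11", 22),
}


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL)


def parse_flow(line: str) -> Flow:
    ts, src, dst, dport = line.split()
    return Flow(datetime.fromisoformat(ts), src, dst, int(dport))


def parse_log(text: str) -> list:
    return [parse_flow(l) for l in text.splitlines() if l.strip()]


def detect_lateral_movement(flows, baseline):
    """Return [(src, first_ts, sorted_targets)] alerts.

    A source is flagged once it opens admin-port connections to at least
    FANOUT_THRESHOLD distinct internal hosts that are absent from the
    baseline, all within WINDOW of each other. External destinations and
    non-admin ports are ignored; each source is reported at most once.
    """
    alerts = []
    recent = defaultdict(list)  # src -> [(ts, dst)] for new admin-port pairs
    flagged = set()
    for f in sorted(flows, key=lambda x: x.ts):
        if f.dport not in ADMIN_PORTS:
            continue
        if not (is_internal(f.src) and is_internal(f.dst)):
            continue
        if (f.src, f.dst, f.dport) in baseline:
            continue
        bucket = recent[f.src]
        bucket.append((f.ts, f.dst))
        # Slide the window: keep only entries within WINDOW of this flow.
        bucket[:] = [(t, d) for t, d in bucket if f.ts - t <= WINDOW]
        targets = {d for _, d in bucket}
        if len(targets) >= FANOUT_THRESHOLD and f.src not in flagged:
            flagged.add(f.src)
            alerts.append((f.src, bucket[0][0], sorted(targets)))
    return alerts


def run_sample():
    return detect_lateral_movement(parse_log(SAMPLE_LOG), BASELINE)


if __name__ == "__main__":
    for src, first_ts, targets in run_sample():
        print(f"ALERT {src} fanned out to {targets} starting {first_ts.isoformat()}")
```

Running the sample yields a single alert for 10.0.2.77 against 10.0.3.10, 10.0.3.11 and 10.0.3.12; the admin workstation's baselined sessions, the single connection from 10.0.4.20, the outbound HTTPS flow and the later 12:30 connection outside the window are all left alone. None of this required reading the sessions' contents, which is the point the thread makes about detecting lateral movement without decrypting TLS.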