Coordinating Attack Response at Internet Scale 2 (CARIS2) Workshop Report
RFC 8953

Document Type RFC - Informational (December 2020; No errata)
Was draft-moriarty-caris2 (individual)
Author Kathleen Moriarty 
Last updated 2020-12-16
Stream ISE
IETF conflict review conflict-review-moriarty-caris2
Stream ISE state Published RFC
Consensus Boilerplate Unknown
Document shepherd Adrian Farrel
Shepherd write-up (last changed 2020-07-03)
IESG IESG state RFC 8953 (Informational)
Responsible AD (None)
Send notices to Adrian Farrel <rfc-ise@rfc-editor.org>
IANA IANA review state Version Changed - Review Needed
IANA action state No IANA Actions


Independent Submission                                       K. Moriarty
Request for Comments: 8953                  Center for Internet Security
Category: Informational                                    December 2020
ISSN: 2070-1721

   Coordinating Attack Response at Internet Scale 2 (CARIS2) Workshop
                                 Report

Abstract

   The Coordinating Attack Response at Internet Scale (CARIS) 2
   workshop, sponsored by the Internet Society, took place on 28
   February and 1 March 2019 in Cambridge, Massachusetts, USA.
   Participants spanned regional, national, international, and
   enterprise Computer Security Incident Response Teams (CSIRTs),
   operators, service providers, network and security operators,
   transport operators and researchers, incident response researchers,
   vendors, and participants from standards communities.  This workshop
   continued the work started at the first CARIS workshop, with a focus
   on scaling incident prevention and detection as the Internet industry
   moves to a stronger and a more ubiquitous deployment of session
   encryption.

Status of This Memo

   This document is not an Internet Standards Track specification; it is
   published for informational purposes.

   This is a contribution to the RFC Series, independently of any other
   RFC stream.  The RFC Editor has chosen to publish this document at
   its discretion and makes no statement about its value for
   implementation or deployment.  Documents approved for publication by
   the RFC Editor are not candidates for any level of Internet Standard;
   see Section 2 of RFC 7841.

   Information about the current status of this document, any errata,
   and how to provide feedback on it may be obtained at
   https://www.rfc-editor.org/info/rfc8953.

Copyright Notice

   Copyright (c) 2020 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.

Table of Contents

   1.  Introduction
   2.  Accepted Papers
   3.  CARIS2 Goals
   4.  Workshop Collaboration
     4.1.  Breakout 1 Results: Standardization and Adoption
       4.1.1.  Wide Adoption
       4.1.2.  Limited Adoption
     4.2.  Breakout 2 Results: Preventative Protocols and Scaling
           Defense
     4.3.  Breakout 3 Results: Incident Response Coordination
     4.4.  Breakout 4 Results: Monitoring and Measurement
       4.4.1.  IP Address Reputation
       4.4.2.  Server Name Authentication Reputation C (SNARC)
       4.4.3.  Logging
       4.4.4.  Fingerprinting
     4.5.  Taxonomy and Gaps Session
   5.  Next Steps
   6.  Summary
   7.  Security Considerations
   8.  IANA Considerations
   9.  References
     9.1.  Informative References
   Acknowledgements
   Author's Address

1.  Introduction

   The Coordinating Attack Response at Internet Scale (CARIS) 2 workshop
   [CARISEvent], sponsored by the Internet Society, took place on 28
   February and 1 March 2019 in Cambridge, Massachusetts, USA.
   Participants spanned regional, national, international, and
   enterprise Computer Security Incident Response Teams (CSIRTs),
   operators, service providers, network and security operators,
   transport operators and researchers, incident response researchers,
   vendors, and participants from standards communities.  This workshop
   continued the work started at the first CARIS workshop [RFC8073],
   with a focus on scaling incident prevention and detection as the
   Internet industry moves to a stronger and a more ubiquitous
   deployment of session encryption.  Considering the related initiative
   to form a research group (Stopping Malware and Researching Threats
   [SMART]) in the Internet Research Task Force (IRTF), the focus on
   prevention included consideration of research opportunities to
   improve protocols and determine if there are ways to improve attack
   detection during the protocol design phase that could later influence
   protocol development in the IETF.  This is one way to think about
   scaling response, through prevention and allowing for new methods to
   evolve for detection in a post-encrypted world.  Although the
   proposed SMART Research Group has not yet progressed, the work to
   better scale incident response continues through the projects
   proposed at CARIS2 as well as in future CARIS workshops.

2.  Accepted Papers

   Researchers from around the world submitted position and research
   papers summarizing key aspects of their work to help form the shared
   content of the workshop.  The accepted papers may be found at
   [CARISEvent] and include:

   *  Visualizing Security Automation: Takeshi Takahashi, NICT, Japan

   *  Automating Severity Determination: Hideaki Kanehara, NICT, Japan