England’s National Cyber Security Centre has taken an unusual step out of the spotlight, authoring an Internet Engineering Task Force Request for Comment (IETF RFC) discussing indicators of compromise (IoCs) – symptoms that indicate a corporate system has suffered a data breach.

UK cyber agency signs its first IETF RFC

RFCs are the foundation documents of the internet, in which the internet’s protocols and technologies are described and standardised.

The NCSC’s “informational” document, RFC 9424, was adopted in August, and the agency discusses its purpose in this blog post.

The aim of the post is to bring information familiar to security pros to the attention of the people who are “involved in the IETF and designing the future internet”, who may not be security experts.

“Standards bodies like the IETF are where the design decisions that will define the internet of the future are made,” the post noted.

The agency says its introduction to indicators of compromise is designed to describe the “observable artefacts associated with an attacker” – all the way from the IP address that might host an attacker, up to the tools and techniques an attacker or a campaign uses.

IoCs “can be things like domain names for phishing sites, IP addresses of malware command and control servers, or cryptographic hashes of malicious executables,” the NCSC’s author Andrew S explained.

“They provide a relatively simple way to detect malicious activity and tie it to a specific actor, while also being very easy to share quickly between organisations.”

The RFC offers a pyramid hierarchy of IoCs. 

At the top are the attackers “tactics, techniques and procedures”, which are the most difficult for an attacker to change, but which offer relatively low-precision IoCs (which phishing e-mail can be associated with which attacker, for example).

At the bottom, IP addresses and malware hash values are very precise, but very easy for the attacker to change.