IETF B. Jordan
Internet-Draft Symantec Corporation
Intended status: Informational A. Thomson
Expires: August 1, 2019 LookingGlass Cyber
January 28, 2019
Collaborative Automated Course of Action Operations (CACAO) for Cyber
Security
draft-jordan-cacao-charter-02
Abstract
This is the charter for the Working Group: Collaborative Automated
Course of Action Operations (CACAO) for Cyber Security.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on August 1, 2019.
Copyright Notice
Copyright (c) 2019 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Jordan & Thomson Expires August 1, 2019 [Page 1]
Internet-Draft CACAO January 2019
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Goals and Deliverables . . . . . . . . . . . . . . . . . . . 3
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 4
1. Introduction
To defend against threat actors and their advanced attacker toolkits,
known as intrusion sets, organizations need to manually identify,
create, and document prevention, mitigation, and remediation steps.
These steps, when grouped together into a course of action (COA) or
playbook, are used to protect systems, networks, data, and users. The
problem is that once these steps have been created there is no
standardized and structured way to document them, monitor them for
correct execution, or easily and dynamically share them across
organizational boundaries and technology stacks.
This working group will create a standard that implements the
playbook model based on current industry best practices for
cybersecurity, such as those defined in the IACD work from Johns
Hopkins APL.
This solution will:
1. enable the creation and documentation of COAs in a structured
machine-readable format
2. enable organizations to collaborate on COAs
3. enable the sharing and distribution of COAs across organizational
boundaries and technology stacks
4. enable the monitoring and verification of deployed COAs.
This solution will contain, at a minimum: a standard data model, a set
of functional capabilities and associated interfaces, and a
mandatory-to-implement protocol.
Each collaborative course of action will consist of a sequence of
cyber defense actions that can be executed by the various systems
that those actions target. Further, these COAs can be coordinated
and deployed across heterogeneous cyber security systems such that
both the actions requested and the resultant outcomes may be
monitored and verified. These actions will be referenceable in a
connected data structure that links them to related data such as
threat actors, campaigns, intrusion sets, malware, attack
patterns, and other adversarial techniques, tactics, and procedures
(TTPs).
Where possible the working group will leverage existing efforts, like
OpenC2 that _may_ define the atomic actions to be included in a
process or sequence. The working group will not consider how shared
actions are used/enforced, except where a response is expected for a
specific action or step.
2. Goals and Deliverables
This working group has the following major goals and deliverables.
Some of the deliverables may be published through the IETF RFC stream
as informational or standards track documents.
o CACAO Use Cases and Requirements
* Document the use cases and requirements
o CACAO Functional Architecture: Roles and Interfaces
* Identify and document the system functions and roles that are
needed to enable Collaborative Courses of Action.
o CACAO Protocol Specification
* Identify and document the configuration for a series of
mandatory-to-implement protocols that can be used to distribute
courses of action by both direct delivery and publish-subscribe
methods.
o CACAO Distribution and Response Application Layer Protocol
* Identify and document the requirements to effectively monitor,
report, and alert on the distribution of CACAO actions and the
potential threat response to those actions.
o CACAO JSON Data Model
* Create a JSON data model (and possibly a general information
model and a CBOR model) that can capture and enable collaborative
courses of action.
o CACAO Interoperability Test Documents
* Define and create a series of tests and documents to assist
with interoperability of the various systems involved.
The working group may decide to not publish the use cases and
requirements as RFCs. That decision will be made during the lifetime
of the working group.
Authors' Addresses
Bret Jordan
Symantec Corporation
350 Ellis Street
Mountain View CA 94043
USA
Email: bret_jordan@symantec.com
Allan Thomson
LookingGlass Cyber
10740 Parkridge Blvd, Suite 200
Reston VA 20191
USA
Email: athomson@lookingglasscyber.com