Minutes IETF104: cacao
minutes-104-cacao-00

Meeting Minutes Collaborative Automated Course of Action Operations for Cyber Security (cacao) WG
Date and time 2019-03-29 08:00
Title Minutes IETF104: cacao
State Active
Last updated 2019-04-14

IETF 104 CACAO BOF (Collaborative Automated Course of Action Operations for
Cyber Security) Friday, March 29, 2019 9:00 - 10:30 Prague, Czech Republic
Chairs: Joe Salowey, Chris Inacio Minutes: Michael Richardson
----------------------------------------------------
Over 75 people in the room
- 10s of remote participants

----------------------------------------------------
1) Note Well (chairs)
2) Problem statement & Introduction (Bret Jordan)
     https://datatracker.ietf.org/meeting/104/materials/slides-104-cacao-cacao-proposal-deck-00

Q&A

Q: Mohamed Boucadair - Is this about creating or communicating workbooks?
A: We need to be able to share workbooks, and workbooks need to be processed by
machine. OpenC2 is a basic mechanism but is focused only on individual
actions and will not cover a sequence of commands. Tie into these efforts to
tie into threats. Playbook wraps things together.

Q: Mohamed Boucadair - This would be helpful in Telco environments.
Informational sharing would be important.

Q: Many questions about how it interacts with cloud systems and playbooks.
A: should be applicable to cloud even more so since there is more commonality.

Q: would humans confirm the commands during phase 1,  or would it be automated?
A: yes, probably initially would be confirmed.

Q: mcr --- is it mitigation or detection?
A: unclear whether something is a threat or not.... ability to copy/replicate
traffic to be able to dig deeper as to whether or not this is a real threat.
Then go into a phase of mitigation.
A: how can this be reusable across customers: the specific ability to
modularize the playbooks, not just signed, but modular functions that do
specific things.
A: could be a bunch of playbooks created by startups to mitigate against very
specific things, against very specific systems.

Q: David Waltermire worries about ontology.   Machine readable framing around
the PDF binder, becomes machine processable.  The conditional logic, the
tracking. A: 100% on.

Q: Ruediger Volk: works as routing architect, dealing with the general threat
of what is happening in the routing system. Large gap between typical security
guys, and what state of the art is. Lack of integration of security
functions. Remind that there is a gap, and please do not extend it more, and
make progress in end-systems and leave behind the infrastructure.

Q: <missed the question>

BOF Question: Problem Definition

Chairs: how many people understand the problem?
Answer: most

Chairs: how many do not understand the problem?
Answer: few
Q: OASIS already has STIX and TAXII. What is the main difference?
A: am an editor on STIX, solving a different part of the problem, doing the
cyber-intelligence actors involved. Course of action is to call out to CACAO
playbook. Outside of their charter. Also outside of C2 charter.
Q: what do the playbooks look like?
A: slides "Example playbooks" slide. "Windows Fuzzy PandaX"

BOF Question: Is this suitable to the IETF

Chairs: How many people think this is a suitable problem for the IETF?

Q: Kathleen... IODEF has the ability to nest and order, and RID also has some of
this. Why did these fail, what was the gap? And maybe the models of sharing
have been a problem. How will this differ from past efforts?
A: threat intelligence... they take a while to get adopted. Most vendors are
implementing this. IBM's new system is all backended on STIX and TAXII...
Interoperably. OpenC2 still doesn't have legs... yet. Still up-and-coming.
A: get the basic data model done.

Q: daniel, how many data models do we need?
A: just one needed.

Q: Alissa Cooper: human vs machine, still one data model?
A: yes, playbooks are the same regardless of who runs the playbook
Allan: there are automated playbooks in specific silos or enterprises today.

Chairs: How many people think this is a suitable problem for the IETF?
A:

    Chair slide starting with "The scope being..."

Q: Mike from DHS, very happy with Playbooks.... scope is an issue, but not
worried about scope creep.
Q: Eliot, would like to see a bit better diagramming of the actors involved.
Also the trust relationships that are expected.
A: has a lot more content to share (80+ pages), but some groups can not
contribute until there is a WG that they can contribute to officially.
Q: Ander@Verizon, the playbooks are there in PDF. And there is automation
today. A data model that machine links these things together...
A: long term, indicate a fire by some means, and then pull down a playbook for
that event. Risk profile is to immediately block on firewall and proxy, and
immediately rehost on a VLAN. The reason why it might be IETF is because there
are 70 people in the room and we need to get vendor interoperability.

Q: what is the trust model... can anyone send them to anyone?
A: yup. What was a blog post is now a data format?

Is this suitable for the IETF?   20 people or so.
Is this *NOT* suitable?  1 person

Eliot: readiness.  Seems closely related to work in OASIS.  Maybe they are the
right people to do this before us? A: there are people that want to bring into
the work which are not in OASIS, and they are at the IETF.

David Waltermire: am the rep to C2, and that group said no.  This is why Bret
is here.

kaduk@jabber.org/barnowl: Perhaps "what YANG did for router administration, for
incident response" is a glib summary

participates in all three: agrees that IETF would be a better place.

BOF Question is the currently scoped problem tractable?

Is this problem tractable?

YES: ten people
NO: five people, many can't tell.
NEED MORE INFO: most of the room, at least twenty.