OASIS Collaborative Automated Course of Action Operations (CACAO) for Cyber Secu

  • 1.  Playbooks

    Posted 09-26-2019 07:35
    Dear members

    Can anyone share some playbooks with me?

    Frans Schippers
    Cyber Security
    Lecturer / Researcher

    Amsterdam University of Applied Sciences
    HBO-ICT
    Wibautstraat 2-4
    1091 GM Amsterdam

    PGP: 12D1 D930 488C 22B7 6AFF  BFF7 218C 865E D6E0 6B48


  • 2.  Re: [EXT] [cacao] Playbooks

    Posted 09-26-2019 14:40

    Frans,

    Are you looking for examples of what exists in the SOC today?  If you search for "security playbooks" on Google, the first 2 or 3 non-sponsored links have some visual examples.  In slideware, when I talk about this, I often give the following examples,
    as it is something that most people can easily understand:



    Security Operations Center
      Open ticket with priority level 2
      Call level one network support
      If they do not respond within 10 minutes
      Escalate to level 2, then level 3, then management

    Network Support
      Quarantine system to sandbox VLAN

    Security Operations Center
      Call level one desktop support
      If they do not respond within 30 minutes
      Escalate to level 2, then level 3, then management

    Desktop Support
      Delete run-at-start registry keys and triggers
      Reboot into Safe Mode
      Kill process sysmg.exe, then winsrvx.exe, then xnc.exe
      Delete temp files
      Delete compromised files defined in KB article 311
      Delete other registry keys defined in KB article 312
      Reboot system into Safe Mode
      Verify processes do not restart after cleanup
      If this does not work, escalate
      Patch AV system and run updated AV scan
      Patch OS
      Run additional on-demand special AV scanners
      Reboot system to normal mode
      Update ticket

    Network Support
      Monitor traffic from system for 90 minutes
      If no abnormal behavior is detected, move system out of sandbox VLAN into a restricted watch VLAN for 24 hours
      If no user issues or abnormal behavior is detected, move system to production VLAN
      Update and close ticket



    Bret

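    The tiered procedure above, with its "if they do not respond within N minutes, escalate" rules, can be written down as data and driven by a small runner, which is one way to make "escalation is different per organisation" a configuration problem rather than a code change. The following is an added example, not code from the original post and not CACAO's own data model; the Step/Playbook shapes, the tier names and the simulated paging responder are assumptions for illustration.

```python
"""Constructed example: running a tiered SOC playbook with timed escalation.

Added for illustration; not code from the original post and not CACAO's own data model.
The Step/Playbook shapes, the tier names and the simulated paging responder are assumptions.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# A responder answers "how many minutes until this tier acted on the request?",
# or None if the tier never responded.  In a real SOC this would wrap the paging/ticketing tool.
Responder = Callable[[str, str], Optional[int]]


@dataclass
class Step:
    team: str                       # tier that is paged first
    action: str                     # what that tier is asked to do
    timeout_min: int = 0            # 0 means no deadline
    escalate_to: List[str] = field(default_factory=list)   # tiers tried in order after a miss


@dataclass
class Playbook:
    name: str
    steps: List[Step]


def run_step(step: Step, respond: Responder, log: List[str]) -> bool:
    """Page step.team; walk the escalation chain each time a tier misses the deadline."""
    chain = [step.team] + step.escalate_to
    for i, tier in enumerate(chain):
        minutes = respond(tier, step.action)
        answered = minutes is not None and (step.timeout_min == 0 or minutes <= step.timeout_min)
        if answered:
            log.append(f"{tier}: {step.action} (done after {minutes} min)")
            return True
        deadline = f"within {step.timeout_min} min" if step.timeout_min else "at all"
        outcome = f"escalating to {chain[i + 1]}" if i + 1 < len(chain) else "chain exhausted"
        log.append(f"{tier}: no response {deadline}, {outcome}")
    return False


def run_playbook(pb: Playbook, respond: Responder) -> Tuple[bool, List[str]]:
    """Execute steps in order; stop at the first step whose escalation chain is exhausted."""
    log: List[str] = []
    for step in pb.steps:
        if not run_step(step, respond, log):
            return False, log
    return True, log


# The procedure from the post, condensed into data.  Escalation is attached per step, so
# another organisation can swap in its own chain without touching the runner.
ESCALATION = ["level 2", "level 3", "management"]
CONTAINMENT = Playbook("contain-infected-desktop", [
    Step("SOC", "open ticket with priority level 2"),
    Step("network level 1", "quarantine system to sandbox VLAN", 10, ESCALATION),
    Step("desktop level 1", "clean host per KB 311/312 and verify processes stay down", 30, ESCALATION),
    Step("network level 1", "monitor 90 min, watch VLAN 24 h, then production VLAN", 10, ESCALATION),
    Step("SOC", "update and close ticket"),
])


def make_responder(response_times: Dict[str, Optional[int]]) -> Responder:
    """Constructed stand-in for paging: minutes each tier took, None if it never answered."""
    return lambda tier, _action: response_times.get(tier)


if __name__ == "__main__":
    # Level 1 network support never answers; level 2 picks the page up after 4 minutes.
    ok, log = run_playbook(CONTAINMENT, make_responder(
        {"SOC": 0, "network level 1": None, "level 2": 4, "desktop level 1": 12}))
    print("completed" if ok else "failed")
    print("\n".join(log))
```

    A tier that answers after its deadline is treated the same as one that never answers, which is what the "within 10 minutes" wording implies; the log records which tier finally acted, so the ticket can be updated from it.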

  • 3.  Re: [EXT] [cacao] Playbooks

    Posted 09-30-2019 06:36
    Bret

    Seeing your examples, we must define what we think "Automated" means in the context of CACAO.
    These examples are high level and need context to be able to operate on.
    For example: "Call level one network support" only makes sense if the call also gives information about
    what happened, IP addresses (and roles) involved, what type of threat, etc.

    I really would like to be able to specify (in the end) actionable operations.
    For example: block src-ip x.x.x.x to server y.y.y.y for ports a,a in router c,
    which can then be implemented using the right instruction for a specific router.
    This also means that to apply this rule, context information about the local network is needed
    to determine the right router for this action, and the router type to determine the right command.

    What do we see as the scope of CACAO?
    How much of the translation from the shared playbook to the actual action can be automated,
    and how much information must be added by the user to make the playbook actionable?
    An escalation procedure can be different for each CACAO user.
    Do we address such issues?

    Could we talk about this at the next meeting (tomorrow)?

    Frans

    Frans Schippers
    Cyber Security
    Lecturer / Researcher

    Amsterdam University of Applied Sciences
    HBO-ICT
    Wibautstraat 2-4
    1091 GM Amsterdam

    PGP: 12D1 D930 488C 22B7 6AFF  BFF7 218C 865E D6E0 6B48


  • 4.  Re: [cacao-chair] Re: [EXT] [cacao] Playbooks

    Posted 09-30-2019 14:22
    Frans - We will discuss in the next meeting and we will present a proposal on the various aspects for discussion with the group.

    regards

    Allan Thomson
    CTO (+1-408-331-6646)
    LookingGlass Cyber Solutions < http://www.lookingglasscyber.com/ >


  • 5.  Re: [cacao-chair] Re: [EXT] [cacao] Playbooks

    Posted 09-30-2019 16:27

    Frans,

    As Allan stated, this will be the main topic for tomorrow's TC call.  The examples I sent you were just high level visuals, to help understand the concepts.  But behind them, and behind each step, would be a lot of detail.

    So yes, CACAO Playbooks will need to have targeting information and the actual commands that need to be applied or executed on the devices that are the targets.

    From a targeting standpoint, it could be very general classes of systems to very specific systems.  Here are some examples:

    High Level Targets:  Firewall(s), BrandX Desktops, BrandY Wireless APs

    Low Level Targets:  Firewall Foo at 10.1.1.1, BrandX Desktop ver 1.2.3 at 192.168.1.10

    So this needs to support high level targets and very detailed targets and then everything in between.

    On the command side, you need to be able to capture very specific commands like "delete file foo.exe if foo.exe has hash sha256=<some hash>".  You could also have high level commands like "check for the existence of these files and delete if found: a.exe, b.exe".
    On the network side you could have commands like "On router 10.0.2.1 update OSPF route information to route traffic to 1.1.1.1 to 172.16.0.1".  Or "on router 10.0.2.1 update inbound ACL to deny traffic to 1.1.1.1".  These commands could be prose text, or could
    be actual commands that could be executed on the device.  For example:

    {
      "target": "10.0.2.1",
      "target_details": "Cisco GSR Router 10.0.2.1",
      "command_type": "Cisco IOS CLI Command",
      "command": "access-list 100 deny ip host 192.168.10.1 any"
    }

    Yes, a lot still needs to be figured out and we will talk about a lot of this tomorrow.

    Thanks

    Bret
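    Frans's "block src-ip x.x.x.x to server y.y.y.y for ports a,a in router c, implemented using the right instruction for a specific router" and Bret's target/command_type/command record are two halves of the same resolution step: the shared playbook carries an abstract action, the consuming organisation supplies the inventory that maps a protected server to its enforcement point and that point to a platform, and a per-platform renderer produces the concrete command. The following is an added example of that step, not code from the original thread and not CACAO's own data model; the inventory entries, the action names, the platform identifiers used as command_type, and the renderers are assumptions. Because the abstract command arrives from outside the organisation, every field is validated before it is interpolated into a command line, so a playbook cannot smuggle shell or CLI syntax through a path or address field.

```python
"""Constructed example: resolving an abstract playbook command against local target context.

Added for illustration; not CACAO's data model.  Inventory, action names, platform
identifiers and renderers are assumptions.  Untrusted playbook fields are validated first.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Target:
    address: str
    platform: str        # selects the renderer; also reported as command_type below
    details: str


# Local context that must come from the consuming organisation, never from the shared playbook.
INVENTORY: Dict[str, Target] = {
    "10.0.2.1": Target("10.0.2.1", "cisco-ios", "Cisco GSR Router 10.0.2.1"),
    "10.0.9.1": Target("10.0.9.1", "linux", "Linux edge firewall 10.0.9.1"),
    "192.168.1.10": Target("192.168.1.10", "windows", "BrandX Desktop ver 1.2.3"),
}
# Which enforcement point sits in front of which protected server (constructed).
EDGE_FOR_SERVER: Dict[str, str] = {"10.1.1.1": "10.0.2.1", "10.1.5.5": "10.0.9.1"}

_SAFE_PATH = re.compile(r"^[A-Za-z0-9_./:\\-]+$")   # no quotes, spaces or shell metacharacters
_SHA256 = re.compile(r"^[0-9a-f]{64}$")


def _ip(value: str) -> str:
    """Normalise an address; ipaddress raises ValueError on anything that is not one."""
    return str(ipaddress.ip_address(value))


def _port(value) -> int:
    port = int(value)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {value}")
    return port


def render_block(target: Target, src: str, dst: str, ports: List[int]) -> List[str]:
    """'deny traffic from src to dst on these TCP ports' in the target platform's syntax."""
    if target.platform == "cisco-ios":
        return [f"access-list 100 deny tcp host {src} host {dst} eq {p}" for p in ports]
    if target.platform == "linux":
        return [f"iptables -I FORWARD -s {src} -d {dst} -p tcp --dport {p} -j DROP" for p in ports]
    raise ValueError(f"no block renderer for platform {target.platform!r}")


def render_delete_if_hash(target: Target, path: str, sha256: str) -> List[str]:
    """'delete this file only if its SHA-256 matches' in the target platform's syntax."""
    if target.platform == "windows":
        return [f"if ((Get-FileHash -Algorithm SHA256 '{path}').Hash -ieq '{sha256}') "
                f"{{ Remove-Item -Force '{path}' }}"]
    if target.platform == "linux":
        return [f"[ \"$(sha256sum '{path}' | cut -d' ' -f1)\" = '{sha256}' ] && rm -f '{path}'"]
    raise ValueError(f"no delete renderer for platform {target.platform!r}")


def resolve(command: dict) -> dict:
    """Validate an abstract command, pick the target from local context, render the real command."""
    action = command["action"]
    if action == "block":
        src, dst = _ip(command["src"]), _ip(command["dst"])
        ports = [_port(p) for p in command["ports"]]
        edge = EDGE_FOR_SERVER.get(dst)
        if edge is None:
            raise ValueError(f"no enforcement point known for server {dst}")
        target = INVENTORY[edge]
        lines = render_block(target, src, dst, ports)
    elif action == "delete_if_hash":
        path, digest = command["path"], command["sha256"].lower()
        if not _SAFE_PATH.match(path) or not _SHA256.match(digest):
            raise ValueError("path or hash contains characters that are not allowed")
        host = _ip(command["host"])
        if host not in INVENTORY:
            raise ValueError(f"host {host} is not in the inventory")
        target = INVENTORY[host]
        lines = render_delete_if_hash(target, path, digest)
    else:
        raise ValueError(f"unknown action {action!r}")
    return {"target": target.address, "target_details": target.details,
            "command_type": target.platform, "command": "\n".join(lines)}


if __name__ == "__main__":
    print(resolve({"action": "block", "src": "192.168.10.1", "dst": "10.1.1.1", "ports": [443]}))
    print(resolve({"action": "delete_if_hash", "host": "192.168.1.10",
                   "path": r"C:\Temp\foo.exe", "sha256": "a" * 64}))
```

    Two things the resolver deliberately does not know: the current state of ACL 100 on the router (an entry appended after an existing permit ip any any never matches, so whoever applies the rendered line has to place it ahead of that entry), and whether the playbook author is trustworthy, which is why an address like "1.2.3.4 | evil" or a path like "foo.exe; rm -rf /" is rejected before any rendering happens rather than being quoted and hoped for.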