CACAO TC + a few people,
Duncan / Dave can you please forward this to the OpenC2 community?
As we start working on CACAO v2.1 and to do some cleanup based on implementation feedback, I would like to have a broader discussion with the OpenC2 community on what changes, if any, does CACAO need to implement to work better with OpenC2 and vice versa.
Duncan, do we need to set up an official liaison between our two technical committees?
I think what might help is for us to have a joint call at some point, where we can each give an overview of our specifications. Basically bring each side up to speed and what each TC is doing.
While I was involved in OpenC2 in the early days, I have not been in some time. So I am not sure how things have evolved since then. I am also wondering what kind of overlap exists between these two specifications and what kind of harmonization could we, or should we do.
For the OpenC2 TC:
CACAO allows a SOC/ISAC/ISAO/CERT/Individual/Company to create a structured set of actions that can be used to accomplish something. These are often called playbooks. We have geared this for cyber security (both defence and red teaming), but in theory it could easily be used for capturing the steps needed to build a car or make a cake.
Steps can be atomic commands, they can invoke parallel processing, while loops, switch statements, if/then conditions, or even call other playbooks. In CACAO there are things to address conditional logic, temporal logic, delays in processing, etc. For example, do not run this step and thus these commands until 10:00 PM on Saturday night and only if X is true and Y is false.
At the Action Step we have the ability to capture commands that need to be run by an agent against a target. Commands can be human processing commands, shell commands, http API commands, OpenC2 commands, etc etc. An agent is the thing that executes commands against targets. Agents and targets can be granular down to the specific endpoint (computer, switch, firewall, etc) or as high level as human, group/team, company, or even industry.
A CACAO playbook can easily include manual things like call and get the CIO out of bed, or talk to the PR team or the regulators, all the way down to full automated steps and commands. There is no restriction on the types of commands that can be encoded into a CACAO playbook.
Bret