OASIS Collaborative Automated Course of Action Operations (CACAO) for Cyber Secu

  • 1.  CACAO and OpenC2

    Posted 08-13-2024 17:46
    CACAO TC + a few people,  

    Duncan / Dave can you please forward this to the OpenC2 community?

    As we start working on CACAO v2.1 and to do some cleanup based on implementation feedback, I would like to have a broader discussion with the OpenC2 community on what changes, if any, CACAO needs to implement to work better with OpenC2 and vice versa.  

    Duncan, do we need to set up an official liaison between our two technical committees?

    I think what might help is for us to have a joint call at some point, where we can each give an overview of our specifications. Basically bring each side up to speed and what each TC is doing.

    While I was involved in OpenC2 in the early days, I have not been in some time. So I am not sure how things have evolved since then. I am also wondering what kind of overlap exists between these two specifications and what kind of harmonization we could, or should, do.

    For the OpenC2 TC:
    CACAO allows a SOC/ISAC/ISAO/CERT/Individual/Company to create a structured set of actions that can be used to accomplish something. These are often called playbooks. We have geared this for cyber security (both defence and red teaming), but in theory it could easily be used for capturing the steps needed to build a car or make a cake. 

    Steps can be atomic commands, they can invoke parallel processing, while loops, switch statements, if/then conditions, or even call other playbooks. In CACAO there are things to address conditional logic, temporal logic, delays in processing, etc. For example, do not run this step and thus these commands until 10:00 PM on Saturday night and only if X is true and Y is false.

    At the Action Step we have the ability to capture commands that need to be run by an agent against a target. Commands can be human processing commands, shell commands, HTTP API commands, OpenC2 commands, etc. An agent is the thing that executes commands against targets. Agents and targets can be granular down to the specific endpoint (computer, switch, firewall, etc.) or as high level as human, group/team, company, or even industry. 

    A CACAO playbook can easily include manual things like call and get the CIO out of bed, or talk to the PR team or the regulators, all the way down to full automated steps and commands. There is no restriction on the types of commands that can be encoded into a CACAO playbook. 

    Bret  
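As an added example, not code from the CACAO TC, the OpenC2 TC or anyone in this thread, the Python below walks a small constructed playbook that has the shape Bret describes: a start step, an if-condition on a playbook variable, one action step whose OpenC2 command is run by an HTTP agent against a host, one action step with a manual command for a human agent, and an end step. The field names (`workflow_start`, `if-condition` with `on_true`/`on_false`, `action` with `agent`, `targets` and `commands`, the `openc2-http` command type with `command_b64`, `agent_definitions`, `target_definitions`) follow CACAO v2.0 as I read it and are an assumption here; every identifier, the hostname and the condition value are constructed placeholders, and the condition evaluator covers only the `__var__:value = 'literal'` form.

```python
"""Walk a constructed CACAO-style playbook and check that its references resolve.

Added example, not CACAO TC code.  Field names follow CACAO v2.0 as understood
here (assumption); only the pieces needed for the walk are modelled.
"""
import base64
import json
import re

# Constructed placeholder identifiers (CACAO ids are "<type>--<uuid>").
START = "start--00000000-0000-4000-8000-000000000001"
DECIDE = "if-condition--00000000-0000-4000-8000-000000000002"
CONTAIN = "action--00000000-0000-4000-8000-000000000003"
NOTIFY = "action--00000000-0000-4000-8000-000000000004"
END = "end--00000000-0000-4000-8000-000000000005"
SOAR_AGENT = "http-api--00000000-0000-4000-8000-000000000006"
ONCALL_AGENT = "individual--00000000-0000-4000-8000-000000000007"
HOST_TARGET = "net-address--00000000-0000-4000-8000-000000000008"

# The OpenC2 command the action step carries; CACAO stores it base64-encoded.
OPENC2_CONTAIN = {"action": "contain",
                  "target": {"device": {"hostname": "ws-017.example.internal"}}}  # constructed

PLAYBOOK = {
    "type": "playbook", "spec_version": "cacao-2.0",
    "id": "playbook--00000000-0000-4000-8000-000000000000",
    "name": "Contain a host after a confirmed alert (constructed example)",
    "playbook_variables": {"__alert_confirmed__": {"type": "string", "value": "true"}},
    "workflow_start": START,
    "workflow": {
        START: {"type": "start", "on_completion": DECIDE},
        DECIDE: {"type": "if-condition",
                 "condition": "__alert_confirmed__:value = 'true'",
                 "on_true": CONTAIN, "on_false": NOTIFY},
        CONTAIN: {"type": "action", "name": "Isolate the host via OpenC2",
                  "agent": SOAR_AGENT, "targets": [HOST_TARGET],
                  "commands": [{"type": "openc2-http",
                                "command_b64": base64.b64encode(
                                    json.dumps(OPENC2_CONTAIN).encode()).decode()}],
                  "on_completion": END},
        NOTIFY: {"type": "action", "name": "Hand the alert to a human",
                 "agent": ONCALL_AGENT,
                 "commands": [{"type": "manual",
                               "command": "Review the alert and decide whether to contain"}],
                 "on_completion": END},
        END: {"type": "end"},
    },
    "agent_definitions": {
        SOAR_AGENT: {"type": "http-api", "name": "SOAR OpenC2 consumer"},
        ONCALL_AGENT: {"type": "individual", "name": "On-call analyst"},
    },
    "target_definitions": {HOST_TARGET: {"type": "net-address", "name": "Suspect workstation"}},
}

STEP_LINKS = ("on_completion", "on_success", "on_failure", "on_true", "on_false")
COND_RE = re.compile(r"^(__\w+__):value\s*(=|!=)\s*'([^']*)'$")


def validate_references(playbook):
    """Return dangling step/agent/target references; an empty list means all resolve."""
    problems = []
    steps = playbook.get("workflow", {})
    agents = playbook.get("agent_definitions", {})
    targets = playbook.get("target_definitions", {})
    if playbook.get("workflow_start") not in steps:
        problems.append("workflow_start does not name a step")
    for step_id, step in steps.items():
        for link in STEP_LINKS:
            if link in step and step[link] not in steps:
                problems.append(f"{step_id}.{link} -> unknown step {step[link]}")
        if "agent" in step and step["agent"] not in agents:
            problems.append(f"{step_id}.agent -> unknown agent {step['agent']}")
        for tgt in step.get("targets", []):
            if tgt not in targets:
                problems.append(f"{step_id}.targets -> unknown target {tgt}")
    return problems


def evaluate_condition(condition, variables):
    """Evaluate the `__var__:value = 'literal'` (or !=) subset of CACAO conditions."""
    m = COND_RE.match(condition.strip())
    if not m:
        raise ValueError(f"unsupported condition: {condition!r}")
    name, op, literal = m.groups()
    actual = variables[name]["value"]
    return actual == literal if op == "=" else actual != literal


def walk(playbook, overrides=None):
    """Follow the workflow from workflow_start; return the ordered step ids visited."""
    variables = {k: dict(v) for k, v in playbook.get("playbook_variables", {}).items()}
    for name, value in (overrides or {}).items():
        variables[name]["value"] = value
    steps, path, step_id = playbook["workflow"], [], playbook["workflow_start"]
    while step_id is not None:
        if step_id in path:
            raise RuntimeError(f"cycle detected at {step_id}")
        path.append(step_id)
        step = steps[step_id]
        if step["type"] == "if-condition":
            branch = "on_true" if evaluate_condition(step["condition"], variables) else "on_false"
            step_id = step.get(branch) or step.get("on_completion")
        else:
            step_id = step.get("on_completion")
    return path


def decode_openc2(command):
    """Decode the base64 OpenC2 command carried by an openc2-http CACAO command."""
    return json.loads(base64.b64decode(command["command_b64"]))
```

Running `validate_references(PLAYBOOK)` before `walk(PLAYBOOK)` is the point of the pairing: a playbook whose `on_completion` or `agent` references do not resolve is exactly the kind of implementation-feedback defect that is cheap to catch at load time and expensive to discover mid-execution. The walker is deliberately simplified (no parallel, while or switch steps, no timing, and branches are followed straight to the end step) to keep the conditional-logic and agent/target structure visible.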



  • 2.  RE: CACAO and OpenC2

    Posted 08-14-2024 10:42

    Bret,

    Personally I am against liaisons – either people or statements – between TCs. I think they are extremely inefficient and not very productive and it's better to just have some members participate across both. Ideally swim lanes should be established so each group can operate independently for time periods, with periodic sync ups or handoffs.


    I'm fine with either a CACAO ad hoc working meeting, or an OpenC2 ad hoc working meeting, or a joint ad hoc working meeting to discuss. Joint is at least possible since we operate under the same OASIS IPR policy. Whichever of the 3 choices we pick (C, O, C/O), everybody present has to be a member of the TC (and of both TCs in the case of joint). It "should" be no big deal for any member of one TC to join the other – BUT it does have to happen and corporate policies (since corporate has to approve joining the TC) do sometimes get in the way (for valid IPR reasons).


    The reality is people like attending what they like attending, and don't want to attend 'extra' stuff. CACAO would prefer it all took place in CACAO. OpenC2 would prefer it all took place in OpenC2. And we'll have to make some mix and hopefully some people will agree to attend both – at least the minimum meetings where the topic is discussed 'in the other TC'.


    As you know, I'm trying to scale back myself. So I don't attend CTI on a regular basis anymore. But I am still a member and will attend if I know the agenda is of interest and I happen to not have a conflict. I have less 'work' conflicts nowadays but more 'personal' conflicts (medical, training, bowling, pickleball, family outings, etc) as I try to be "more retired". So I don't think I should be counted on. Hopefully NSA is interested enough that some subset of Dave/Dave/Mike can 'attend both' and we get done what needs to get done without formal liaisons.


    -- 

    Duncan Sparrell

    sFractal Consulting

    iPhone, iTypo, iApologize

    I welcome VSRE emails. Learn more at http://vsre.info/