OASIS Collaborative Automated Course of Action Operations (CACAO) for Cyber Secu

  • 1.  OpenC2 agents

    Posted 12 days ago
    Bret assigned himself an action to re-split the OpenC2 command into two separate commands, based on the idea that conditional logic in a single command is complex. I believe a single command without the conditional logic is the simplest approach, parallel to how manual commands are already represented in playbooks.

    A manual command can go to more than one agent:  email:user1@soc1, email:user2@soc1, email:user3@soc2.
    An OpenC2 command can go to more than one agent: mqtt:topic1@broker1, mqtt:topic2@broker1, mqtt:topic3@broker2.
    An OpenC2 command can even go to different agents by different transports: mqtt:topic1@broker1, http:oc2.example.org

    When you send an email to a user at an organization, the "pipe" takes care of getting the message to an agent at an endpoint.
    When you send a command to an application at an organization, the "pipe" gets it there.  The assumption is that the executing agent has already subscribed to the topics that it is interested in, and has already published its broker address for senders to use, and that senders have configured their systems to properly send email messages and mqtt messages.

    The playbook does not have any logic or knowledge of how email or mqtt is set up, the orchestrator is responsible for being correctly configured.

    The CACAO TC will decide by consensus on the approach to pursue; I believe a single transport-independent OpenC2 command is simplest.

    regards,
    David Kemp
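As an added illustration of the single transport-independent command described in the post (example code, not from the post or the CACAO TC): an orchestrator fans one OpenC2 command out to agents given as transport:address strings, assuming the address syntax from the post's examples and a constructed deny command.

```python
"""Constructed example: one command, many agents, transport chosen by the orchestrator.

The playbook supplies a single OpenC2 command body and a list of agents
written as "<transport>:<address>" (the form used in the post).  The
orchestrator's "pipe" resolves each transport; the playbook itself holds
no email/mqtt/http configuration.  Transport names are assumptions.
"""
import json
from collections import defaultdict
from dataclasses import dataclass

SUPPORTED_TRANSPORTS = {"email", "mqtt", "http"}


@dataclass(frozen=True)
class AgentAddress:
    transport: str  # e.g. "mqtt"
    address: str    # e.g. "topic1@broker1"


def parse_agent(spec: str) -> AgentAddress:
    """Split "mqtt:topic1@broker1" into transport and address.

    Unknown transports are rejected so a misconfigured playbook fails at
    validation time instead of silently dropping a command.
    """
    transport, sep, address = spec.partition(":")
    if not sep or not address:
        raise ValueError(f"agent must be <transport>:<address>: {spec!r}")
    transport = transport.lower()
    if transport not in SUPPORTED_TRANSPORTS:
        raise ValueError(f"unsupported transport {transport!r} in {spec!r}")
    return AgentAddress(transport, address)


def route_command(command: dict, agents: list[str]) -> dict[str, list[tuple[str, str]]]:
    """Group agents by transport; every agent gets the identical serialized body."""
    body = json.dumps(command, sort_keys=True)
    plan: dict[str, list[tuple[str, str]]] = defaultdict(list)
    for spec in agents:
        agent = parse_agent(spec)
        plan[agent.transport].append((agent.address, body))
    return dict(plan)


# Constructed OpenC2 command: action/target names follow the OpenC2
# Language Specification; the network value is made up.
DENY_COMMAND = {"action": "deny", "target": {"ipv4_net": "198.51.100.0/24"}}
AGENTS = ["mqtt:topic1@broker1", "mqtt:topic2@broker1",
          "mqtt:topic3@broker2", "http:oc2.example.org"]

if __name__ == "__main__":
    for transport, deliveries in route_command(DENY_COMMAND, AGENTS).items():
        for address, body in deliveries:
            print(f"{transport:5} -> {address}: {body}")
```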