OASIS Collaborative Automated Course of Action Operations (CACAO) for Cyber Secu

  • 1.  Target modules

    Posted 20 days ago
    All,

    Over the break I was looking at some other playbook solutions, trying to see what they had to offer that we do not. We have a much more robust system than most every other solution out there. But one thing that I found that was interesting was the concept of a module based on the target type. I am wondering if this is something we should look into? This also got me thinking about OpenC2, maybe we need something like openc2 but just without all of its transport stuff. Think about this, and let's talk on our next call.

    Bret



  • 2.  RE: Target modules

    Posted 16 days ago

    Do you have an example of the concept you're describing for people to look at?



    ------------------------------
    David Lemire, CISSP
    HII / National Security Agency
    OpenC2 TC Secretary
    david.p.lemire@hii.com
    ------------------------------



  • 3.  RE: Target modules

    Posted 15 days ago
    https://docs.ansible.com/ansible/latest/collections/ansible/builtin/command_module.html#ansible-collections-ansible-builtin-command-module

    This is also why I think we should look at OpenC2 and see if it could be evolved into something like this. Yes, it could still have the other parts. But if we could encapsulate this part into a stand-alone piece, it would be super easy to use, and it might be easier to attract people to work on that part of it. Or at worst case, take all of the content that is already done in Ansible and things like it, and just map it all into OpenC2 structures. But I am just throwing spaghetti up in the air at this point, not even at the wall. So I am not sure if any of this is even possible in OpenC2. But the link above can show you what others are doing with modules.

    Bret

    On Tue, Jan 7, 2025 at 5:31 AM David Lemire via OASIS <Mail@mail.groups.oasis-open.org> wrote:
    Do you have an example of the concept you're describing for people to look at? ------------------------------ David Lemire, CISSP HII / National...


  • 4.  RE: Target modules

    Posted 15 days ago

    Maybe I'm missing something, but: OpenC2's goal is to create a standardized language for the command and control of technologies that provide or support cyber defenses (TC home page @ OASIS).

    Just the ansible.builtin collection by itself is on the order of 60 modules and their documentation identifies about 90 collections of modules. All of that seems like the polar opposite of "a standardized language". I'll readily acknowledge that gaining traction for OpenC2 has been a struggle, but I don't see how this is the solution.

    Dave

    __________________

    David Lemire
    (301) 575-5190 (o)    (240) 938-9350 (m)
    HII.com


  • 5.  RE: Target modules

    Posted 15 days ago
    Think of their modules as actuator profiles.

    Bret

    On Wed, Jan 8, 2025 at 9:18 AM David Lemire via OASIS <Mail@mail.groups.oasis-open.org> wrote:
    Maybe I'm missing something, but: OpenC2's goal is to creating a standardized language for the command and control of technologies that provide or...

  • 6.  RE: Target modules

    Posted 12 days ago
    Having reviewed the references Bret sent and considered what we have done already, here are my thoughts.

    There are a few options.

    Option A: Playbook definitions
    -----------------------------------------
    We could just add Ansible collections as a standard set of playbooks with different entry points for each of the commands supported in each of the playbooks. Those playbooks would be checked into a GitHub repo so that people could use them as necessary, with versioning, etc.

    So you would have playbooks for ansible.builtin.command, ansible.kubernetes, etc.

    Where each of the actions invokes the specific command supported in the collection identified by the caller.

    Frankly, I think looking at the reference you sent shows a bunch of examples in which it would seem ansible.builtin.command takes a set of arguments (argv), names a command (in this example it seemed like shell commands for the most part), names output (either what is created or where an output list is generated) and returns.

    That sounds very like what we already have defined, just without the ansible.builtin.command prefix. Frankly, everything else already exists in CACAO.

    It seems to me Ansible has defined the raw set of commands per technology (similar to what we already have for security technologies in the CACAO list) but not the playbook itself.

    Option B: Add Ansible Collection Commands Directly
    -----------------------------------------
    An alternative option is to just add the underlying collections required to add to CACAO (like Kubernetes, Openvswitch, Splunk, etc.) directly as commands.

    We already did this for other technologies that are the mainstay of cybersecurity. Ansible expands that to all other IT technologies involved in management of the IT environment.

    Option C: Ansible Collection Command Extensions
    -----------------------------------------

    A variation on Option B.

    It might be better to consider defining extensions for each sub-technology of Ansible as command sets in CACAO to avoid delaying the next update that much.

    Allan

    On Jan 8, 2025, at 7:56 AM, Bret Jordan via OASIS <Mail@mail.groups.oasis-open.org> wrote:

    docs.ansible.com/ansible/latest/collections/ansible/... This is also why I think we should look at OpenC2 and see if it could be evolved into... -posted to the "OASIS Collaborative Automated Course of Action Operations (CACAO) for Cyber Security" community
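An added illustration of the Option A mapping Allan describes above (an ansible.builtin.command task, which takes an argv, rendered as a CACAO command), written for this page and not taken from the thread, the CACAO TC or the Ansible project. The CACAO object layout it emits (an action step with a `commands` list, a start/action/end workflow keyed by `<type>--<uuid>` ids, `workflow_start`) is a simplified assumption of the v2 playbook shape, the function names are hypothetical, and the sample task is constructed. The point worth carrying over from Ansible is that ansible.builtin.command executes argv directly without a shell, so when that argv is flattened into a CACAO bash command each element has to be quoted individually; otherwise an argument carrying shell metacharacters would run as a second command when the playbook executes.

```python
"""Map an ansible.builtin.command task to a CACAO action step (added sketch).

The CACAO object layout used here is a simplified assumption of the v2
playbook / action-step shape, not a copy of the specification.
"""
import json
import shlex
import uuid

# The one Ansible module this sketch maps. ansible.builtin.command runs argv
# directly, without a shell, so its arguments are data rather than syntax.
COMMAND_MODULE = "ansible.builtin.command"


def argv_from_task(module: str, args: dict) -> list[str]:
    """Return the argument vector for an ansible.builtin.command task.

    The module accepts either an explicit 'argv' list or a free-form 'cmd'
    string. The list form is taken as-is; the string form is split with
    shlex so quoting written in the task is honoured rather than reparsed.
    """
    if module != COMMAND_MODULE:
        raise ValueError(f"only {COMMAND_MODULE} is mapped here, got {module}")
    if "argv" in args:
        argv = list(args["argv"])
        if not argv or not all(isinstance(a, str) for a in argv):
            raise ValueError("argv must be a non-empty list of strings")
        return argv
    if "cmd" in args:
        argv = shlex.split(args["cmd"])
        if not argv:
            raise ValueError("cmd must name a program")
        return argv
    raise ValueError("task needs either 'argv' or 'cmd'")


def ansible_task_to_cacao_step(module: str, args: dict) -> dict:
    """Build a CACAO action step carrying one bash command.

    shlex.join quotes each element individually, so an argument such as
    "/etc/motd; id" stays one literal argument instead of becoming a second
    command when the playbook's bash command is executed.
    """
    argv = argv_from_task(module, args)
    command = shlex.join(argv)
    if "chdir" in args:  # ansible.builtin.command supports a 'chdir' option
        command = f"cd {shlex.quote(args['chdir'])} && {command}"
    return {
        "type": "action",
        "name": f"{module}: {argv[0]}",
        "description": f"Mapped from Ansible module {module}",
        "commands": [{"type": "bash", "command": command}],
    }


def wrap_in_playbook(step: dict, name: str) -> dict:
    """Wrap a single action step in a minimal start -> action -> end workflow.

    Step ids follow the CACAO '<type>--<uuid>' pattern; the rest of the
    playbook metadata (created_by, timestamps, ...) is left out of the sketch.
    """
    start_id = f"start--{uuid.uuid4()}"
    action_id = f"action--{uuid.uuid4()}"
    end_id = f"end--{uuid.uuid4()}"
    return {
        "type": "playbook",
        "spec_version": "cacao-2.0",
        "id": f"playbook--{uuid.uuid4()}",
        "name": name,
        "workflow_start": start_id,
        "workflow": {
            start_id: {"type": "start", "on_completion": action_id},
            action_id: dict(step, on_completion=end_id),
            end_id: {"type": "end"},
        },
    }


if __name__ == "__main__":
    # Constructed sample task: the second argument carries shell metacharacters.
    task = {"argv": ["cat", "/etc/motd; id"], "chdir": "/tmp"}
    playbook = wrap_in_playbook(
        ansible_task_to_cacao_step(COMMAND_MODULE, task), "motd-check"
    )
    print(json.dumps(playbook, indent=2))
```

Run as-is it prints a playbook whose single bash command reads `cd /tmp && cat '/etc/motd; id'`; the mapping refuses ansible.builtin.shell tasks on purpose, since those do rely on shell parsing and cannot be flattened safely by the same rule.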