< draft-jordan-cacao-charter-02.txt   draft-jordan-cacao-charter-03.txt >
IETF B. Jordan IETF B. Jordan
Internet-Draft Symantec Corporation Internet-Draft Symantec Corporation
Intended status: Informational A. Thomson Intended status: Informational A. Thomson
Expires: August 1, 2019 LookingGlass Cyber Expires: August 4, 2019 LookingGlass Cyber
January 28, 2019 J. Verma
Cisco Systems
January 31, 2019
Collaborative Automated Course of Action Operations (CACAO) for Cyber Collaborative Automated Course of Action Operations (CACAO) for Cyber
Security Security
draft-jordan-cacao-charter-02 draft-jordan-cacao-charter-03
Abstract Abstract
This is the charter for the Working Group: Collaborative Automated This is the charter for the Working Group: Collaborative Automated
Course of Action Operations (CACAO) for Cyber Security Course of Action Operations (CACAO) for Cyber Security
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
skipping to change at page 1, line 33 skipping to change at page 1, line 35
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on August 1, 2019. This Internet-Draft will expire on August 4, 2019.
Copyright Notice Copyright Notice
Copyright (c) 2019 IETF Trust and the persons identified as the Copyright (c) 2019 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 13 skipping to change at page 2, line 15
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Goals and Deliverables . . . . . . . . . . . . . . . . . . . 3 2. Goals and Deliverables . . . . . . . . . . . . . . . . . . . 3
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 4 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 4
1. Introduction 1. Introduction
To defend against threat actors and advanced attacker toolkits known To defend against threat actors and their tactics, techniques, and
as intrusion sets, organizations need to manually identify, create, procedures, organizations need to manually identify, create, and
and document prevention, mitigation, and remediation steps. These document prevention, mitigation, and remediation steps. These steps
steps when grouped together into a course of action (COA) / playbook when grouped together into a course of action (COA) / playbook are
are used to protect systems, networks, data, and users. The problem used to protect systems, networks, data, and users. The problem is,
is, once these steps have been created there is no standardized and once these steps have been created there is no standardized and
structured way to document them, monitor them for correct execution, structured way to document them, verify they were correctly executed,
or easily and dynamically share them across organizational boundaries or easily share them across organizational boundaries and technology
and technology stacks. stacks.
This working group will create a standard that implements the This working group will create a standard that implements the
playbook model based on current industry best practices for playbook model based on current industry best practices for
cybersecurity, such as those defined in the IACD work from Johns cybersecurity.
Hopkins APL.
This solution will: This solution will specifically enable:
1. enable the creation and documentation of COAs in a structured 1. the creation and documentation of COAs in a structured machine-
machine-readable format readable format
2. enable organizations to collaborate on COAs 2. organizations to perform attestations on COAs
3. enable the sharing and distribution of COAs across organizational 3. the sharing and distribution of COAs across organizational
boundaries and technology stacks boundaries and technology stacks
4. enable the monitoring and verification of deployed COAs. 4. the verification of deployed COAs.
This solution will contain at a minimum; a standard data model, a set This solution will contain (at a minimum) a standard JSON based data
of functional capabilities and associated interfaces, and a mandatory model, a defined set of functional capabilities and associated
to implement protocol. interfaces, and a mandatory to implement protocol. This solution
will also provide a data model for actuators to confirm the status of
the COA execution, however, it will be agnostic of how the COA is
implemented by the actuator.
Each collaborative course of action will consist of a sequence of Each collaborative course of action will consist of a sequence of
cyber defense actions that can be executed by the various systems cyber defense actions that can be executed by the various systems
that those actions target. Further, these COAs can be coordinated that can act on those actions. Further, these COAs will be
and deployed across heterogeneous cyber security systems such that coordinated and deployed across heterogeneous cyber security systems
both the actions requested and the resultant outcomes may be such that both the actions requested and the resultant outcomes may
monitored and verified. These actions will be referenceable in a be verified. These COA actions will be referenceable in a connected
connected data structure that provides support for connected data data structure like the OASIS STIX V2 model that provides support for
such as threat actors, campaigns, intrusion sets, malware, attack connected data such as threat actors, campaigns, intrusion sets,
patterns, and other adversarial techniques, tactics, and procedures malware, attack patterns, and other adversarial techniques, tactics,
(TTPs). and procedures (TTPs).
Where possible the working group will leverage existing efforts, like Where possible the working group will consider existing efforts, like
OpenC2 that _may_ define the atomic actions to be included in a OASIS OpenC2 and IETF I2NSF that define the atomic actions to be
process or sequence. The working group will not consider how shared included in a process or sequence. The working group will not
actions are used/enforced, except where a response is expected for a consider how shared actions are used/enforced, except where a
specific action or step. response is expected for a specific action or step.
2. Goals and Deliverables 2. Goals and Deliverables
This working group has the following major goals and deliverables. This working group has the following major goals and deliverables.
Some of the deliverables may be published through the IETF RFC stream Some of the deliverables may be published through the IETF RFC stream
as informational or standards track documents. as informational or standards track documents.
o CACAO Use Cases and Requirements o CACAO Use Cases and Requirements
* Document the use cases and requirements * Specify the use cases and requirements
o CACAO Functional Architecture: Roles and Interfaces o CACAO Functional Architecture: Roles and Interfaces
* Identify and document the system functions and roles that are * Specify the system functions and roles that are needed to
needed to enable Collaborative Courses of Action. enable Collaborative Courses of Action
o CACAO Protocol Specification o CACAO Protocol Specification
* Identify and document the configuration for a series of * Specify and standardize the configuration for at least one
mandatory to implement protocols that can be used to distribute protocol that can be used to distribute courses of action in
courses of action in both direct delivery and publish-subscribe both a direct delivery and publish-subscribe method
methods
o CACAO Distribution and Response Application Layer Protocol o CACAO Distribution and Response Application Layer Protocol
* Identify and document the requirements to effectively monitor, * Identify and document the requirements to effectively report
report, and alert on the distribution of CACAO actions and the and alert on the deployment of CACAO actions and the potential
potential threat response to those actions threat response to those actions
o CACAO JSON Data Model o CACAO JSON Data Model
* Create a JSON data model (and possibly a general information * Create a JSON data model that can capture and enable
model and CBOR model) that can capture and enable collaborative collaborative courses of action
courses of action
o CACAO Interoperability Test Documents o CACAO Interoperability Test Documents
* Define and create a series of tests and documents to assist * Define and create a series of tests and documents to assist
with interoperability of the various systems involved. with interoperability of the various systems involved.
The working group may decide to not publish the use cases and The working group may decide to not publish the use cases and
requirements as RFCs. That decision will be made during the lifetime requirements and test documents as RFCs. That decision will be made
of the working group. during the lifetime of the working group.
Authors' Addresses Authors' Addresses
Bret Jordan Bret Jordan
Symantec Corporation Symantec Corporation
350 Ellis Street 350 Ellis Street
Mountain View CA 94043 Mountain View CA 94043
USA USA
Email: bret_jordan@symantec.com Email: bret_jordan@symantec.com
Allan Thomson Allan Thomson
LookingGlass Cyber LookingGlass Cyber
10740 Parkridge Blvd, Suite 200 10740 Parkridge Blvd, Suite 200
Reston VA 20191 Reston VA 20191
USA USA
Email: athomson@lookingglasscyber.com Email: athomson@lookingglasscyber.com
Jyoti Verma
Cisco Systems
170 West Tasman Dr.
San Jose CA 95134
USA
Email: jyoverma@cisco.com
 End of changes. 21 change blocks. 
53 lines changed or deleted 54 lines changed or added

This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/