[Cacao] Updated Charter version 03

Bret Jordan <jordan.ietf@gmail.com> Thu, 31 January 2019 23:54 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/cacao/1-_XudeTnKA4cR5TTTh6lM4JLqo>

All,

Thanks for all of the great feedback on the charter text. We have updated the document to address all comments that we have received and are releasing a new version of the text. You can see it here: https://datatracker.ietf.org/doc/draft-jordan-cacao-charter/ and copied below.


### BEGIN

# Introduction
To defend against threat actors and their tactics, techniques, and procedures, organizations need to manually identify, create, and document prevention, mitigation, and remediation steps. These steps, when grouped together into a course of action (COA) / playbook, are used to protect systems, networks, data, and users. The problem is, once these steps have been created there is no standardized and structured way to document them, verify they were correctly executed, or easily share them across organizational boundaries and technology stacks.

This working group will create a standard that implements the playbook model based on current industry best practices for cybersecurity. 

This solution will specifically enable:

 1. the creation and documentation of COAs in a structured machine-readable format
 2. organizations to perform attestations on COAs
 3. the sharing and distribution of COAs across organizational boundaries and technology stacks
 4. the verification of deployed COAs. 

This solution will contain (at a minimum) a standard JSON-based data model, a defined set of functional capabilities and associated interfaces, and a mandatory-to-implement protocol. This solution will also provide a data model for actuators to confirm the status of the COA execution; however, it will be agnostic of how the COA is implemented by the actuator.

Each collaborative course of action will consist of a sequence of cyber defense actions that can be executed by the various systems that can act on those actions. Further, these COAs will be coordinated and deployed across heterogeneous cyber security systems such that both the actions requested and the resultant outcomes may be verified. These COA actions will be referenceable in a connected data structure like the OASIS STIX V2 model that provides support for connected data such as threat actors, campaigns, intrusion sets, malware, attack patterns, and other adversarial techniques, tactics, and procedures (TTPs). 

Where possible the working group will consider existing efforts, like OASIS OpenC2 and IETF I2NSF that define the atomic actions to be included in a process or sequence. The working group will not consider how shared actions are used/enforced, except where a response is expected for a specific action or step.

# Goals and Deliverables
This working group has the following major goals and deliverables. Some of the deliverables may be published through the IETF RFC stream as informational or standards track documents.

 - CACAO Use Cases and Requirements
   - Specify the use cases and requirements
 - CACAO Functional Architecture: Roles and Interfaces
   - Specify the system functions and roles that are needed to enable Collaborative Courses of Action
 - CACAO Protocol Specification
   - Specify and standardize the configuration for at least one protocol that can be used to distribute courses of action in both a direct delivery and publish-subscribe method
 - CACAO Distribution and Response Application Layer Protocol
   - Identify and document the requirements to effectively report and alert on the deployment of CACAO actions and the potential threat response to those actions
 - CACAO JSON Data Model
   - Create a JSON data model that can capture and enable collaborative courses of action
 - CACAO Interoperability Test Documents
   - Define and create a series of tests and documents to assist with interoperability of the various systems involved. 

The working group may decide to not publish the use cases and requirements and test documents as RFCs. That decision will be made during the lifetime of the working group. 


### END


Thanks,
Bret
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."