Re: [Cacao] Initial Problem Set
Bret Jordan <jordan.ietf@gmail.com> Wed, 19 September 2018 18:52 UTC
Return-Path: <jordan.ietf@gmail.com>
X-Original-To: cacao@ietfa.amsl.com
Delivered-To: cacao@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5F828130E9C for <cacao@ietfa.amsl.com>; Wed, 19 Sep 2018 11:52:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6CRDbZeAge47 for <cacao@ietfa.amsl.com>; Wed, 19 Sep 2018 11:52:17 -0700 (PDT)
Received: from mail-yb1-xb33.google.com (mail-yb1-xb33.google.com [IPv6:2607:f8b0:4864:20::b33]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7F567130E95 for <cacao@ietf.org>; Wed, 19 Sep 2018 11:52:16 -0700 (PDT)
Received: by mail-yb1-xb33.google.com with SMTP id 184-v6so2841913ybg.1 for <cacao@ietf.org>; Wed, 19 Sep 2018 11:52:16 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=qXoetkKyaGTFmHP5ttp1y7ViCIO96oy9ji7nf2KCiUM=; b=Atxsp+WgzVAjNRRaxirPeG6yBHwUq6vbVl7b3zEtuRDT2slxAvSqGlJ65+s6cLhKPZ y8+qjvmIljotTxeMWh8hFq8jy1BuvfktNO8mClWejC+km+LVWwIQYsVL+pjQi1VRadw1 xN7W0JBsOsY2sM6gE+jsOyX750nwezJzam/X+ae5A72iKZlU9ir6MiLUdsYOyq7dClOY /gsJ1arMqWZIAp6l+/zDHwWJA1tvsYN6IvG3LAjkd5ogbcQjRxliiAYQMiqKrL6w3cLX kThSNJknXeZIqcqm/aaod+o+j+O9ZhNW5VH3eLH9OiesXTrSAuFbyXz+rKLK/NUOYOoj pazg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=qXoetkKyaGTFmHP5ttp1y7ViCIO96oy9ji7nf2KCiUM=; b=E+YQnrQEDjO2fTggN+5MD+iXKRS6PCo7vHQoo/x2DZFuPMGXnbLKdH1hrszd6mHIZY w6vbngg2g/F3ubPdODiY8g/2qezI97tRNtTZMOHVceIcxy+grWuLIwdBLn/mHHYx9fLz pZBWqK8BdtkDc8mbvTyW2mtJFM4FvSzDinGKpDElHkRUwLVwVMbD3wBfpcy3cJiR/R2Z biR4GixOjjQ8iA/hZkkZceyNKhyz2EsODLmCxkOZrpfK5NdeSvrotc6Uil6FSmAgBqPm /SONT+SDsWnsD9qoSsJUdIVw0PQhVzKiEoZTna7rg7ib+mOJnTkurRm0OOcc247RKsA7 erRQ==
X-Gm-Message-State: APzg51Covj+z5SL0jb0EFQSz8BO8IKXYQdUYNrdTQDQOds7XcgZnIW3V KJh85aavx7c2CZ5IlViQbM4=
X-Google-Smtp-Source: ANB0VdZc2IkwL/Ah4zkW2T7tPrFmUP32tqdegJCk9/4TkubsQchzKXiKWAzP2pXckSsY9yvL6mtnzw==
X-Received: by 2002:a25:fc21:: with SMTP id v33-v6mr15977589ybd.276.1537383133546; Wed, 19 Sep 2018 11:52:13 -0700 (PDT)
Received: from ?IPv6:2605:a601:3260:266:3c65:82e1:b1ec:9705? ([2605:a601:3260:266:3c65:82e1:b1ec:9705]) by smtp.gmail.com with ESMTPSA id y188-v6sm2249425ywe.2.2018.09.19.11.52.11 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 19 Sep 2018 11:52:12 -0700 (PDT)
From: Bret Jordan <jordan.ietf@gmail.com>
Message-Id: <F12FF620-436C-4172-8A29-750B16954104@gmail.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_5695365F-ED48-48A1-9255-DFEF5622B2F4"
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
Date: Wed, 19 Sep 2018 12:52:09 -0600
In-Reply-To: <CAHbuEH5bjj8F+6y50a_PSKzjVxcSD8ub031v5NP6bpYXqGxwdA@mail.gmail.com>
Cc: Carolin.Baumgartner@interdiscount.ch, Barry Greene <barryrgreene@gmail.com>, cacao@ietf.org
To: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
References: <DF979EA2-239A-43B4-AF32-D61F66BD0052@gmail.com> <8C378072-1F76-47B5-A526-AD243E57CE6D@gmail.com> <CAHbuEH5rnwqRHGquT-Zz1_KeqJ2g66YnynV6KqkqUu2zhOk=iQ@mail.gmail.com> <7e942ab2e4024d7db4c45e30f39c97bd@SVRM2EX2K13N05.hs.coop.ch> <CAHbuEH6gCwVaKZZ=NEk9xkvBG-Bs+s1tywEdx02zUYhG6fRfdA@mail.gmail.com> <5f95ad0b6f3f4c54a5f1f32b11724534@SVRM2EX2K13N05.hs.coop.ch> <CAHbuEH5bjj8F+6y50a_PSKzjVxcSD8ub031v5NP6bpYXqGxwdA@mail.gmail.com>
X-Mailer: Apple Mail (2.3445.9.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/cacao/Hu-HzsyIMXBBJyUYp7c_JVGLNKI>
Subject: Re: [Cacao] Initial Problem Set
X-BeenThere: cacao@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Collaborative Automated Course of Action Operations <cacao.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cacao>, <mailto:cacao-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cacao/>
List-Post: <mailto:cacao@ietf.org>
List-Help: <mailto:cacao-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cacao>, <mailto:cacao-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 19 Sep 2018 18:52:23 -0000
I agree and hope we can borrow elements, concepts, ideas from other work, not just work here in the IETF. The way I like to approach problems like this is to break them up in to phases. The first of which is the concept phase. Its purpose is to iterate out a list of requirements and problems we need to solve that are tightly scoped to the project at hand. To this end, I have I sent a very short list of initial problems to the list a few days ago and a draft last week. The draft contains a few high level requirements. These lists are not complete and not even the full list that we have worked through prior to uploading the draft. But it was meant as a starting point. My hope is that it would foster dialog and communication like “why is X a requirement, how do you plan on solving X, have you thought about problem Y, what about use-case W or requirement Z”. Once we have our concept phase done and fleshed out, I would like us to do a lit-review of prior work (even though most of us have already read all of these existing work products) to help us understand what has been done before and what can be reused. Some of us may just be able to point certain requirements at certain sections of existing work, which will be fantastic. Doing this will help us do two things: 1) It helps ensure that we do not artificially box ourselves in to a design just because there was something done similar or tangential in the past. 2) It helps ensure that we do not forget anything and ensures that we take advantage of lessons learned or really neat design elements from other work. After this review phase we would work our way in to design where we will iron out all of the bumps and ridges and ensure that we are not creating a Frankenstein. Some really cool designs may not be harmonious with our direction or other design elements. In those cases we need to pick and choose or redesign them. There has been a lot of great work done here in the IETF, other SDOs, and industry in the past. We need to learn from that work and borrow great design elements from as many of them as we can. But we also need to keep in mind that a complete solution to the problems identified in the CACAO Introduction draft is not currently available and there is no standardized solution used en mass by industry. Several vendors have their own solutions to this problem, but those only work within the confines of their products. We need to bridge the divide between treat hunters, threat defenders, vendor solutions, etc. This is the reason why we are working on this. Any work like this does require vast vendor adoption and buy-in and a lot of SMEs from industry. So as this work continues and grows, it is paramount that we engage with industry to help ensure that this works meets their requirements and that industry can and will adopt it. If they can not or will not adopt it, then we need to just stop work. There is no reason to create something that is not going to get adopted en mass. Thanks, Bret PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050 "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." > On Sep 19, 2018, at 12:06 PM, Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> wrote: > > Hello Carolin, > > Thanks for your efforts here. > > On Wed, Sep 19, 2018 at 10:26 AM <Carolin.Baumgartner@interdiscount.ch <mailto:Carolin.Baumgartner@interdiscount.ch>> wrote: > Hi Kathleen > > > > ok thanks for the feedback. I have a question to understand this part better: " I'd be interested to see the requirements matched up against what exists and what can be re-used or what can be a lesson learned as well. IODEF carries the CoAs that used to be in RID and IODEF has a nesting capability as well as a way to lay our the format to allow for predicate logic, so analysis on that would be interesting as well. It can be used for chains of connected events/incidents. Understanding what doesn't work for your new effort would help to understand why it's needed and how it is better." > > > > Since the goals of both initiatives are different, I struggle a bit. Technically we should always discuss what concepts work for which use case. Like for instance do we need an authentication somewhere or not, and we don't re-invent the authentication. We check how it is usually done today. Is that what you are referring to when you mention the predicate logic etc? So, since MILE already worked on exchange formats for incidents even if their goal was different, we might have similar formatting requirements when we discuss the reactions to incidents? (just picking the formatting example here). > > > The gap analysis may wind up just showing the gap, but I am hoping that there will be pieces of knowledge that can be gleaned from prior efforts. Your authentication example is good. There may be a need for it and the requirements may guide the selection of a solution that either works for both or that the new work has requirements (or technology evolved) that clearly show the need for something new. > > MILE protocols all support sharing formatted data, XML, JSON, etc. and are not restricted to IODEF. There are 3 protocols to look at and I would hope that some could be reused, or that similar patterns may be useful. > > Does that help? > > Thanks, > Kathleen > > > > > > best regards > > Carolin > > > > From: Kathleen Moriarty [mailto:kathleen.moriarty.ietf@gmail.com <mailto:kathleen.moriarty.ietf@gmail.com>] > Sent: Wednesday, September 19, 2018 4:11 PM > To: Baumgartner Carolin <Carolin.Baumgartner@interdiscount.ch <mailto:Carolin.Baumgartner@interdiscount.ch>> > Cc: Barry Greene <barryrgreene@gmail.com <mailto:barryrgreene@gmail.com>>; cacao@ietf.org <mailto:cacao@ietf.org>; Bret Jordan <jordan.ietf@gmail.com <mailto:jordan.ietf@gmail.com>> > Subject: Re: [Cacao] Initial Problem Set > > > > Hi Carolin, > > > > Thanks for starting something to help! I think that could be a good starting point. I'd be interested to see the requirements matched up against what exists and what can be re-used or what can be a lesson learned as well. IODEF carries the CoAs that used to be in RID and IODEF has a nesting capability as well as a way to lay our the format to allow for predicate logic, so analysis on that would be interesting as well. It can be used for chains of connected events/incidents. Understanding what doesn't work for your new effort would help to understand why it's needed and how it is better. > > > > Then for RID, there is lots that is met in the requirement list that was sent out and some requirements that I suggested (there are more) that were learned from time and experience on essentially the same problem. > > > > Barry - understanding more on your work and the Cisco products mentioned would be helpful too. If standards were used or not and what can be integrated into this effort or what can be a lesson learned to improve for this effort. > > > > This will be very helpful for a BoF to be successful. You'll get derailed otherwise. > > > > Thank you, > > Kathleen > > > > On Wed, Sep 19, 2018 at 4:31 AM <Carolin.Baumgartner@interdiscount.ch <mailto:Carolin.Baumgartner@interdiscount.ch>> wrote: > > Hi Bret, Kathleen > > > > would that be something that could work as some kind of gap analysis? https://github.com/clatze/ietf/blob/master/CACAO-gap-FAQ.md <https://github.com/clatze/ietf/blob/master/CACAO-gap-FAQ.md> . It is no real gap analysis, this FAQ would rather highlight the differences. I just took two samples to show how that could look like and if that is what could be helpful. We could also include comments here like… "CACAO makes use of XY to achieve its goal". > > > > best regards > Carolin > > > > From: Cacao [mailto:cacao-bounces@ietf.org <mailto:cacao-bounces@ietf.org>] On Behalf Of Kathleen Moriarty > Sent: Wednesday, September 19, 2018 4:06 AM > To: Barry Greene <barryrgreene@gmail.com <mailto:barryrgreene@gmail.com>> > Cc: cacao@ietf.org <mailto:cacao@ietf.org>; Bret Jordan <jordan.ietf@gmail.com <mailto:jordan.ietf@gmail.com>> > Subject: Re: [Cacao] Initial Problem Set > > > > Hi Bret, > > > > > > > > On Tue, Sep 18, 2018 at 6:35 PM Barry Greene <barryrgreene@gmail.com <mailto:barryrgreene@gmail.com>> wrote: > > Hi Bret, > > > > What you have below was done in Cisco’s TIDP/TMS architecture.. > > > > Barry > > > On Sep 18, 2018, at 23:49, Bret Jordan <jordan.ietf@gmail.com <mailto:jordan..ietf@gmail.com>> wrote: > > All, > > > > I wanted to start some discussion on some of the initial problems (not all) that we have already identified that need to be solved with this type of solution. Some of the solutions to these will have elements we can borrow from other work. Also, keep in mind all of this needs to work in native JSON.. > > > > Need the ability to document a single command > Human executed commands > Native Machine commands (Cisco IOS, Juniper, SEP, OpenC2, SNMP, NETCONF, YANG, etc) > What device or system does the command target (DesktopOS 10 at IP address 10.0.0.2, Firewall BAR at 192.168.0..2) > What class of devices or systems does the command target (DesktopOS 10 at patch level 4, Firewall FOO ver 10) > Additional data classes of IODEF, also the SCI extension. > > https://tools.ietf.org/html/rfc7970 <https://tools.ietf.org/html/rfc7970> > Need the ability to document a chain of commands > Need to know if there is temporal logic or conditional logic associated between commands > Need to know if commands are sequenced or if they can be run in parallel > Need to know if there are fall through or fail-to-next commands > Need tracking to know how to back out commands that fail and how far up the tree you need to back out on failure > > > Take a look at the MILE work more closely, there are lessons learned as much of this has been done. Even if you don't want to use the work, there 's no reason to have us all debate the same things again rather than build from experience. > > IODEF predicate logic: It's simple and more compact. > > https://tools.ietf.org/html/rfc8274#page-7 <https://tools.ietf.org/html/rfc8274#page-7> > > > Need ability to provide Digital signatures at the command, the command chain (tree), and COA Project levels > These digital signatures need to be included in the payload themselves > Need to be able to sign a section or part of the JSON text data > They need to be in parallel and in series. Meaning, a command may individually be signed by more than one people. The command and a signature may also be signed multiple times in series. > Example: Company X that makes DesktopOS 10 signs a command that says it will resolve malware Z on DesktopOS 10 patch version 4. Big Bank Foo may then sign that (command + Company sig) and say they have verified it and it works. Some ISAC may then sign that (command + Company sig + Big Bank Foo sig) and then send it out to their eco-system > Signatures need ability to identify what assertions someone is making. > We need to know what the types of assertions should be (it works, it has been verified, it has been reviewed, it may work, it seems to work, etc) > You also need to consider origin authentication and multi-hop authentication. There was a lot of work that went into the requirements analysis across areas of the IETF as not to make RID and other MILE protocols specific to incidents or even XML. > > https://tools.ietf.org/html/rfc6545 <https://tools.ietf.org/html/rfc6545> > > > > Yes, this is XML and you want JSON, using JOSE, I presume. Still, the gap analysis I think will be quite useful as I think you are missing requirements we already came up against. It will speed your work up to leverage existing work. > > Need ability to get responses at the individual command level, the chain of commands level, and the COA Project level. > Need to identify the types of responses that can be returned and what are the types of command codes / response codes that should be returned > Need to identify and have negotiation between systems if the responses should be pushed or pulled. > Need to know how the individual response can impact the next steps in the chain. > > > You also need to consider internationalization, which has already been done in the MILE work. This level of detail helps a lot for interoperability. There were 3 interoperable implementations of RID, so testing was done, lessons can be learned. I'm not sure how may IODEF implementations there were/are, but many more than that. > > > > Once again, please do the gap analysis to save us all time. There are other MILE documents that may be useful, they can be found off the documents link of the charter page. ROLIE and XMPP Grid were also designed to work with any format and I believe are more flexible than RID, so there is much that can be gleaned from these efforts as well as the DOTS work. > > > > Best regards, > > Kathleen > > > > Things we already know how to do.. We know how to make this work in a graph, we know how to make this work with versioning, we know how to tie these to existing Cyber Threat Intelligence. > > > > > > Thanks, > > Bret > > PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050 > > "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." > > > > -- > Cacao mailing list > Cacao@ietf.org <mailto:Cacao@ietf.org> > https://www.ietf.org/mailman/listinfo/cacao <https://www.ietf.org/mailman/listinfo/cacao> > -- > Cacao mailing list > Cacao@ietf.org <mailto:Cacao@ietf.org> > https://www.ietf.org/mailman/listinfo/cacao <https://www.ietf.org/mailman/listinfo/cacao> > > > > -- > > > > Best regards, > > Kathleen > > > > > > -- > > > > Best regards, > > Kathleen > > > > -- > > Best regards, > Kathleen
- [Cacao] Initial Problem Set Bret Jordan
- Re: [Cacao] Initial Problem Set Barry Greene
- Re: [Cacao] Initial Problem Set Kathleen Moriarty
- Re: [Cacao] Initial Problem Set Carolin.Baumgartner
- Re: [Cacao] Initial Problem Set Kathleen Moriarty
- Re: [Cacao] Initial Problem Set Carolin.Baumgartner
- Re: [Cacao] Initial Problem Set Kathleen Moriarty
- Re: [Cacao] Initial Problem Set Bret Jordan