[Cacao] Updated Charter

Bret Jordan <jordan.ietf@gmail.com> Fri, 03 May 2019 01:45 UTC

From: Bret Jordan <jordan.ietf@gmail.com>
Date: Thu, 02 May 2019 21:45:28 -0400
To: cacao@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/cacao/QKVvohhYvwU46jcsLYyYY1agPTU>
Subject: [Cacao] Updated Charter

All,

We have addressed all of the feedback from the ADs and Chairs on the charter.  Here is the updated charter text.


# Introduction
To defend against threat actors and their tactics, techniques, and procedures, organizations need to manually identify, create, and document prevention, mitigation, and remediation steps. These steps, when grouped together into a course of action (COA) or playbook, are used to protect systems, networks, data, and users. The problem is that once these steps have been created there is no standardized and structured way to document them, verify they were correctly executed, or easily share them across organizational boundaries and technology stacks.


This working group will create a standard that implements the playbook model for cybersecurity operations. 


This solution will specifically enable:


 1. the creation and documentation of COAs in a structured, machine-readable format;
 2. organizations to perform attestation, including verification and authentication, on COAs;
 3. the sharing and distribution of COAs across organizational boundaries and technology stacks, which may include protocols, APIs, interfaces, and other related technology to support sharing;
 4. the verification of COA correctness prior to deployment;
 5. the monitoring of COA activity after successful deployment.


This solution will contain (at a minimum) a standard JSON-based data model, a defined set of functional capabilities and associated interfaces, and a protocol. This solution will also provide a data model for systems to confirm the status of COA execution; however, it will be agnostic of how the COA is implemented by the system.


Each collaborative course of action, such as recommended prevention, mitigation, and remediation steps, will consist of a sequence of cyber defense actions that can be executed by the various systems able to act on them. Further, these COAs will be coordinated and deployed across heterogeneous cybersecurity systems such that both the actions requested and the resultant outcomes may be verified. These COA actions will be referenceable in a data structure like the OASIS STIX V2 model, which provides support for related data such as threat actors, campaigns, intrusion sets, malware, attack patterns, and other adversarial techniques, tactics, and procedures.


Where possible, the working group will consider existing efforts, like OASIS OpenC2 and IETF I2NSF, that define the atomic actions to be included in a process or sequence. The working group will not consider how shared actions are used or enforced, except where a response is expected for a specific action or step.
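The charter leaves the data model, the attestation mechanism and the status report undefined, so the following added example (mine, not the working group's; a constructed playbook with hypothetical field names) sketches what items 1, 2, 4 and 5 of the list above look like in code: a machine-readable COA as an ordered sequence of actions, a pre-deployment correctness check, an HMAC-based producer attestation, and the execution-status record a system reports back after deployment.

```python
import hashlib
import hmac
import json

# Constructed playbook with hypothetical field names; not the CACAO data model.
PLAYBOOK = {
    "id": "coa--0001",
    "name": "Contain a host beaconing to a known C2 domain",
    "start": "block",
    "steps": {
        "block": {"action": "block-domain", "target": "dns-firewall", "next": "isolate"},
        "isolate": {"action": "isolate-host", "target": "edr", "next": "notify"},
        "notify": {"action": "notify-analyst", "target": "ticketing", "next": None},
    },
}

def verify_playbook(pb):
    """Pre-deployment correctness check: return a list of problems (empty = OK)."""
    problems, steps = [], pb.get("steps", {})
    if pb.get("start") not in steps:
        problems.append("start step does not exist")
    for name, step in steps.items():
        nxt = step.get("next")
        if nxt is not None and nxt not in steps:
            problems.append(f"{name}: next step {nxt!r} does not exist")
    seen, cur = set(), pb.get("start")  # walk the chain; revisiting a step means a loop
    while cur in steps and cur not in seen:
        seen.add(cur)
        cur = steps[cur].get("next")
    if cur in seen:
        problems.append(f"cycle detected at step {cur!r}")
    return problems

def attest(pb, key):
    """Producer attestation: HMAC-SHA256 over canonical (sorted, compact) JSON."""
    body = json.dumps(pb, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def check_attestation(pb, key, tag):
    return hmac.compare_digest(attest(pb, key), tag)  # consumer side, constant time

def execution_report(pb, outcomes):
    """Status reported back after deployment: run in order, stop at the first failure."""
    report, cur, steps = {}, pb["start"], pb["steps"]
    while cur is not None and outcomes.get(cur):
        report[cur], cur = "success", steps[cur]["next"]
    if cur is not None:
        report[cur] = "failure"
    return {**{name: "not-run" for name in steps}, **report}
```

A real deployment would replace the shared HMAC key with a signature from the producing organization so that consumers across organizational boundaries can authenticate the COA without sharing a secret.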


# Goals and Deliverables
This working group has the following major goals and deliverables:


 - CACAO Use Cases and Requirements
   - Specify the use cases and requirements.
 - CACAO Functional Architecture: Roles and Interfaces
   - Specify the system functions and roles that are needed to enable Collaborative Courses of Action.
 - CACAO Protocol Specification
   - Specify and standardize the configuration for at least one protocol that can be used to distribute courses of action using both direct delivery and publish-subscribe methods.
 - CACAO Distribution and Response Application Layer Protocol
   - Specify the protocol, which may include APIs, interfaces, and other related technology to support the requirements identified for the protocol.
 - CACAO JSON Data Model
   - Create a JSON data model that can capture and enable collaborative courses of action.
 - CACAO Interoperability Test Documents
   - Define and create a series of tests and documents to assist with interoperability of the various systems involved.


The working group may decide not to publish the use cases and requirements document and the interoperability test documents. That decision will be made during the lifetime of the working group.




Thanks,
Bret
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."