IETF Logo Mail Archive

Re: [Cacao] Call for CACAO Charter Consensus

Bret Jordan <jordan.ietf@gmail.com> Fri, 24 May 2019 16:23 UTC

Return-Path: <jordan.ietf@gmail.com>
X-Original-To: cacao@ietfa.amsl.com
Delivered-To: cacao@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 96390120305 for <cacao@ietfa.amsl.com>; Fri, 24 May 2019 09:23:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VWODAQaFkvjW for <cacao@ietfa.amsl.com>; Fri, 24 May 2019 09:23:29 -0700 (PDT)
Received: from mail-pg1-x52f.google.com (mail-pg1-x52f.google.com [IPv6:2607:f8b0:4864:20::52f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A994B120304 for <cacao@ietf.org>; Fri, 24 May 2019 09:23:29 -0700 (PDT)
Received: by mail-pg1-x52f.google.com with SMTP id 33so2359390pgv.9 for <cacao@ietf.org>; Fri, 24 May 2019 09:23:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=35LoaGfdDNtHJ7Gx/9f4OEwM2MIesF5/MmVFjeGzAPA=; b=k5+v6j/6ykpkN+J0X2bBnDjbnL8VwUtjg5XjsJ9GQV+q9JbUVR74xpRj4lVUMLx0of H3ONxDZVRjGj7WKspJzNnt1vzJt0th2HK1P6vsyfLNPuOcJ0h0aUiJ6ZTmcb1V9U8k6e HX5eEO95Zk8GrhzTFtovW/aWjhi6k+wkemrgtL2FeKNXpepS+0M9/E8iIkgYBwppSWRX RFqMdnhcn1jhuJtNkFg6RyhXkquteVRQYXxlHJRdrmWzKo0yIzt4j7IlF5IcQUITP2X2 9+7x5ozTwY4aGMPVJaNSusm2mjCABkfDuKeFX28pzD9JDMgutYcpNAu0gzN0IqkZYD9Q JjnA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=35LoaGfdDNtHJ7Gx/9f4OEwM2MIesF5/MmVFjeGzAPA=; b=JkvCCSSxiiGrXpC08+BefnxAwgxTtyqJ5CX/cNVECVRpRtfv5o6vbKtVxVVQU7biXA NkhU+9I/H4aWezzelWpg97Yq3AgqGUcypWz6vu4l5A27ugykDJkCFpnbqi6PzjQGHfTb yS4t/qi8wOvMy2DkVBxMT+lAVVI/4WBEy+ZoVgPqtfKS65eNzUX5sHGz3gs+3hxUkJb4 BvlrZLZ4TMooMt2um2flKrO0I3GZKsYHS/R1SyXQXim2Ao8KnIzNy7AU3ATgfpko6oeQ DaZxQa13ethpcz7tApSA2DpyQrzlpfzY129RxN3xf+14zfJUDHfKu7hBKeXX1phrrPj+ XVEQ==
X-Gm-Message-State: APjAAAW3vwbAAgDyl8WnsdD/VL5/qfGTVhTm8AzAzQZtFahq21FFfe+F drE+J5Sq1wTnfbrE6wAhKEo=
X-Google-Smtp-Source: APXvYqylhJdmcXtM6PGLKrXJfpMznQLo3vNSFlJb0RkXPN+SxKJDuJ7rG1kQ6CwvMO/Ko95/WaL72w==
X-Received: by 2002:a63:2ace:: with SMTP id q197mr21023866pgq.102.1558715009053; Fri, 24 May 2019 09:23:29 -0700 (PDT)
Received: from ?IPv6:2605:a601:a990:4d00:19cd:4706:ab3b:526b? ([2605:a601:a990:4d00:19cd:4706:ab3b:526b]) by smtp.gmail.com with ESMTPSA id e78sm4524789pfh.134.2019.05.24.09.23.27 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 24 May 2019 09:23:28 -0700 (PDT)
From: Bret Jordan <jordan.ietf@gmail.com>
Message-Id: <57551A28-D39E-4D02-93DE-B795062FAB3B@gmail.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_D6551F31-2843-4A9A-A8C3-282D83D525FA"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
Date: Fri, 24 May 2019 10:23:24 -0600
In-Reply-To: <359EC4B99E040048A7131E0F4E113AFC01B3374892@marathon>
Cc: "cacao@ietf.org" <cacao@ietf.org>
To: Roman Danyliw <rdd@cert.org>
References: <CAOgPGoAkj_QqPUzZe+O1W3f=P=EqARE5GCu6kMeO76kBWUK27A@mail.gmail.com> <359EC4B99E040048A7131E0F4E113AFC01B33744C9@marathon> <359EC4B99E040048A7131E0F4E113AFC01B3374892@marathon>
X-Mailer: Apple Mail (2.3445.104.11)
Archived-At: <https://mailarchive.ietf.org/arch/msg/cacao/Vb3-qIIGeyDzcMDUhYxGFyvZt-w>
Subject: Re: [Cacao] Call for CACAO Charter Consensus
X-BeenThere: cacao@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Collaborative Automated Course of Action Operations <cacao.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cacao>, <mailto:cacao-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cacao/>
List-Post: <mailto:cacao@ietf.org>
List-Help: <mailto:cacao-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cacao>, <mailto:cacao-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 24 May 2019 16:23:33 -0000

Roman,

Thanks for your comments as well.  The goals of item 5 is to ensure that if product A sends a playbook to a product B, that product A can get a response back saying that product B received it, acted on it, successfully acted on it, etc.   To do this you need to call out an application layer protocol (say MQTT, RabbitMQ, HTTP, etc) that both ends can implement so you can have interoperability.  The whole goal of this work is to have a solution that is easy for vendors to adopt and make use of it. 

But if this is going to cause a problem, we could break this out of the work for now, and do it later after the first batch is done. 

I will try and address your comments in-line below.


 
Thanks,
Bret
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."

>> 
>> 1. the creation and documentation of COAs in a structured machine-
>> readable format  2. organizations to perform attestation including
>> verification and authentication  on COAs  
> 
> I'm concerned that attestation is an overloaded term.  Does "attestation" mean more than "verification and authentication"?  This topic got a lot of discussion during the preparation for the RATS chartering process.


I am not sure what other word to use.  If you could help suggested a different one, that would be awesome. The goal is for organizations to be able to digitally sign sections or parts of the COA or the entire COA to say that this does work as expected or does prevent, mitigate, or remediate this threat.  The fundamental goal is to be able to give organizations that have a less mature security operations center or cyber defense center some level of confidence that other organizations or vendors have verified that COA.  


> 
>> 3. the sharing and distribution of
>> COAs across organizational boundaries and technology stacks that may
>> include protocols, apis, interfaces and other related technology to support
>> sharing.
>> 4. the verification of COA correctness prior to deployment.
> 
> What is "correctness" in this context?


For a complete deployment of the solution you would want the ability to do a dry run of the COA.  Maybe this does not have to be in the charter, but it was a goal item that we talked about very early on.  Maybe it is simply a flag or boolean that is added to the top of the COA that says “test run” or “dry run”.  



> 
>> 5. the monitoring of COA activity after successful deployment.
>> 
>> 
>> This solution will contain (at a minimum) a standard JSON based data
>> model, a defined set of functional capabilities and associated interfaces, and
>> a protocol. This solution will also provide a data model for systems to
>> confirm the status of the COA execution, however, it will be agnostic of how
>> the COA is implemented by the system.
> 
> Is the JSON data model mentioned in the first sentence the same one as mentioned in the second?  I'm assuming yes because the deliverables only list one.

There would only be a single data model that we would define in this work. The goal of the protocol is to ensure that two products can share and collaborate on COAs.  More than likely some of this will be done via HTTP or MQTT/RabbitMQ.   The point is we need to pick one and define how it would be used so vendors can build products.  We would also want to define some interoperability tests so that vendors can self-verify that they are compliant. 


> The above text describes only one protocol, but the deliverables list two.  What is the second protocol doing?
> 

There are two types of communications.  One is the sharing of COAs between products that are being used to work on, collaborate on, etc.  The other is the execution side of the COA, when I send this COA to a device directly or to an orchestration device I would like to have defined messages that I get back to talk about if the COA was taken, deployed, failed, etc. So while they may both use the same application layer protocol, we called them out as two separate line items so we could work on them.  Does that help? 




>> Each collaborative course of action, such as recommended prevention,
>> mitigation and remediation steps, will consist of a sequence of cyber
>> defense actions that can be executed by the various systems that can act on
>> those actions. Further, these COAs will be coordinated and deployed across
>> heterogeneous cyber security systems such that both the actions requested
>> and the resultant outcomes may be verified. These COA actions will be
>> referenceable in a data structure like the OASIS STIX V2 model that provides
>> support for related data such as threat actors, campaigns, intrusion sets,
>> malware, attack patterns, and other adversarial techniques, tactics, and
>> procedures.
> 
> If you cite STIX, then cite the MILE work, unless this work is intended to be STIX-focused.

The reason we have called out STIX is that is what the threat intelligence community and FIRST has adopted.  So we want to make sure that our playbooks and COAs can be referenced in the graph (nodes/vertices and edges). Because you will want to ensure that you can link CACAO playbooks against campaigns, threat actors, intrusion sets, TTPs, etc. 




>> Where possible the working group will consider existing efforts, like OASIS
>> OpenC2 and IETF I2NSF that define the atomic actions to be included in a
>> process or sequence. 
> 
> My understanding coming out of the BOF was that CACAO would re-use (i.e., not redefine/use as a normative reference) OpenC2/I2NSF to define all atomic action.  If that’s right, then I recommend being explicit in this dependency.  It will help shrink the perceived scope of the problem.


A playbook may have many atomic actions,  Some may be human process based, some may be computer automation based, some may use vendor proprietary commands, some may use things like OpenC2 or I2NSF.  The goal is for an atomic action to be able to define “what command” is coming next.  OpenC2 and I2NSF do not define all the possible commands that we need to be able to define.  Thus those would be two options in a taxonomy.  For example:

[{
  “Id”: “cacao--123456”,
  “Action_type”: “cisco_ios”,
  “Action”: “deny ip 1.2.3.4"
},
{
  “Id”: “cacao-98765”,
  “Action_type”: “openc2”,
  “Action”: “<some openc2 blob of data>”
}]



> 
>> The working group will not consider how shared
>> actions are used/enforced, except where a response is expected for a specific
>> action or step.
> 
> This text seems to conflict with my read of item #5 above ("5. the monitoring of COA activity after successful deployment”)


The idea of sharing a COA with you and figuring out if you deployed it or not is out of scope.  But getting a response back from the devices in my network or my orchestration tool that I have deployed the COA to is in scope. When deploying this you want to be able to get back standard defined messages that mean something, are easily to understand, and allow vendors to add extra content if needed.  But you need a way of knowing did my firewall actually do what I told it to do. 



>> 
>> # Goals and Deliverables
>> This working group has the following major goals and deliverables
>> 
>> 
>> - CACAO Use Cases and Requirements
>>   - Specify the use cases and requirements
>> - CACAO Functional Architecture: Roles and Interfaces
>>   - Specify the system functions and roles that are needed to enable
>> Collaborative Courses of Action
>> - CACAO Protocol Specification
>>   - Specify and standardize the configuration for at least one protocol that
>> can be used to distribute courses of action in both a direct delivery and
>> publish-subscribe method
>> - CACAO Distribution and Response Application Layer Protocol
>>   - Specify the protocol which may include apis, interfaces and other related
>> technology to support the requirements identified for the protocol.
> 
> (Noted above) What is the difference between this protocol and the one above it -- "CACAO Protocol Specification" vs. "CACAO Distribution and Response Application Layer Protocol”?


I tried to address this above and in my last email to Michael.  Does this now make sense? 


> 
>> - CACAO JSON Data Model
>>   - Create a JSON data model that can capture and enable collaborative
>> courses of action
>> - CACAO Interoperability Test Documents
>>   - Define and create a series of tests and documents to assist with
>> interoperability of the various systems involved.
>> 
>> 
>> The working group may decide to not publish the use cases and
>> requirements; and test documents. That decision will be made during the
>> lifetime of the working group.
> -- 
> Cacao mailing list
> Cacao@ietf.org
> https://www.ietf.org/mailman/listinfo/cacao

v2.23.0 | Report a Bug | By Email