[Cacao] Updated Charter version 02

Bret Jordan <jordan.ietf@gmail.com> Mon, 28 January 2019 17:07 UTC


All,

We tried to address all of the comments and feedback from Roman in this version of the Charter.  Please review.  If there are other changes, please let us know.

https://datatracker.ietf.org/doc/draft-jordan-cacao-charter/

### BEGIN

# Introduction
To defend against threat actors and advanced attacker toolkits known as intrusion sets, organizations need to manually identify, create, and document prevention, mitigation, and remediation steps. These steps, when grouped together into a course of action (COA) or playbook, are used to protect systems, networks, data, and users. The problem is that once these steps have been created there is no standardized and structured way to document them, monitor them for correct execution, or easily and dynamically share them across organizational boundaries and technology stacks.

This working group will create a standard that implements the playbook model based on current industry best practices for cybersecurity, such as those defined in the IACD work from Johns Hopkins APL. 

This solution will:

 1. enable the creation and documentation of COAs in a structured machine-readable format
 2. enable organizations to collaborate on COAs
 3. enable the sharing and distribution of COAs across organizational boundaries and technology stacks
 4. enable the monitoring and verification of deployed COAs

This solution will contain, at a minimum: a standard data model, a set of functional capabilities and associated interfaces, and a mandatory-to-implement protocol.

Each collaborative course of action will consist of a sequence of cyber defense actions that can be executed by the various systems that those actions target. Further, these COAs can be coordinated and deployed across heterogeneous cybersecurity systems such that both the actions requested and the resultant outcomes may be monitored and verified. These actions will be referenceable in a connected data structure that provides support for related data such as threat actors, campaigns, intrusion sets, malware, attack patterns, and other adversarial tactics, techniques, and procedures (TTPs).

Where possible, the working group will leverage existing efforts, such as OpenC2, that *may* define the atomic actions to be included in a process or sequence. The working group will not consider how shared actions are used or enforced, except where a response is expected for a specific action or step.

# Goals and Deliverables
This working group has the following major goals and deliverables. Some of the deliverables may be published through the IETF RFC stream as informational or standards track documents.

 - CACAO Use Cases and Requirements
   - Document the use cases and requirements
 - CACAO Functional Architecture: Roles and Interfaces
   - Identify and document the system functions and roles that are needed to enable Collaborative Courses of Action.
 - CACAO Protocol Specification
   - Identify and document the configuration for a series of mandatory-to-implement protocols that can be used to distribute courses of action using both direct delivery and publish-subscribe methods
 - CACAO Distribution and Response Application Layer Protocol
   - Identify and document the requirements to effectively monitor, report, and alert on the distribution of CACAO actions and the potential threat response to those actions
 - CACAO JSON Data Model
   - Create a JSON data model (and possibly a general information model and CBOR model) that can capture and enable collaborative courses of action
 - CACAO Interoperability Test Documents
   - Define and create a series of tests and documents to assist with interoperability of the various systems involved. 

The working group may decide to not publish the use cases and requirements as RFCs. That decision will be made during the lifetime of the working group. 


### END


Thanks,
Bret
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."