[Cacao] Call for CACAO Charter Consensus

Joseph Salowey <joe@salowey.net> Fri, 10 May 2019 13:39 UTC

From: Joseph Salowey <joe@salowey.net>
Date: Fri, 10 May 2019 06:39:15 -0700
Message-ID: <CAOgPGoAkj_QqPUzZe+O1W3f=P=EqARE5GCu6kMeO76kBWUK27A@mail.gmail.com>
To: cacao@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/cacao/wE64UREP5RjHZwpaxMtm4yPj31o>

At the CACAO meeting at IETF 105 in Prague there was significant
interest in the CACAO problem statement.  We want to reach consensus
for a charter for a working group.  A draft charter has been posted to
the list [1].

We need to continue this discussion on the email list as well as gauge
continued interest in participating in this work.  Please do so by
responding to the following questions:

  1.  Do you support this charter text (full text also provided at the
end of this email or at [1])?  Please submit objections or blocking
concerns to the list.
  2.  Are you willing to author or participate in the development of
the drafts of this WG?
  3.  Are you willing to help review the drafts of this WG?
  4.  Are you interested in implementing drafts of this WG?

Please provide comments including proposed text changes ASAP to
provide ample time for discussion.  This call for consensus ends on
May 27, 2019.

Thanks,

Joe & Chris

[1] https://mailarchive.ietf.org/arch/msg/cacao/QKVvohhYvwU46jcsLYyYY1agPTU

Charter text copied below:

--------------

# Introduction
To defend against threat actors and their tactics, techniques, and
procedures, organizations need to manually identify, create, and
document prevention, mitigation, and remediation steps. These steps,
when grouped together into a course of action (COA) or playbook, are
used to protect systems, networks, data, and users. The problem is
that once these steps have been created there is no standardized,
structured way to document them, verify they were correctly executed,
or easily share them across organizational boundaries and technology
stacks.


This working group will create a standard that implements the playbook
model for cybersecurity operations.


This solution will specifically enable:


 1. the creation and documentation of COAs in a structured,
machine-readable format
 2. organizations to perform attestation, including verification and
authentication, on COAs
 3. the sharing and distribution of COAs across organizational
boundaries and technology stacks, which may include protocols, APIs,
interfaces and other related technology to support sharing
 4. the verification of COA correctness prior to deployment
 5. the monitoring of COA activity after successful deployment


This solution will contain (at a minimum) a standard JSON-based data
model, a defined set of functional capabilities and associated
interfaces, and a protocol. It will also provide a data model for
systems to report the status of COA execution, while remaining
agnostic of how each system implements the COA.


Each collaborative course of action, such as recommended prevention,
mitigation and remediation steps, will consist of a sequence of cyber
defense actions that can be executed by the various systems able to
act on them. Further, these COAs will be coordinated and deployed
across heterogeneous cyber security systems such that both the
actions requested and the resulting outcomes can be verified. COA
actions will be referenceable from a data structure such as the OASIS
STIX 2 model, which provides support for related data such as threat
actors, campaigns, intrusion sets, malware, attack patterns, and other
adversarial tactics, techniques, and procedures.


Where possible the working group will build on existing efforts, such
as OASIS OpenC2 and IETF I2NSF, that define the atomic actions to be
included in a process or sequence. The working group will not specify
how shared actions are used or enforced, except where a response is
expected for a specific action or step.


# Goals and Deliverables
This working group has the following major goals and deliverables:


 - CACAO Use Cases and Requirements
   - Specify the use cases and requirements
 - CACAO Functional Architecture: Roles and Interfaces
   - Specify the system functions and roles that are needed to enable
Collaborative Courses of Action
 - CACAO Protocol Specification
   - Specify and standardize the configuration of at least one
protocol that can be used to distribute courses of action in both
direct-delivery and publish-subscribe modes
 - CACAO Distribution and Response Application Layer Protocol
   - Specify the protocol, which may include APIs, interfaces and
other related technology, needed to meet the requirements identified
for the protocol
 - CACAO JSON Data Model
   - Create a JSON data model that can capture and enable
collaborative courses of action
 - CACAO Interoperability Test Documents
   - Define and create a series of tests and documents to assist with
interoperability of the various systems involved.


The working group may decide not to publish the use cases and
requirements document or the interoperability test documents; that
decision will be made during the lifetime of the working group.