Re: [Cacao] Call for CACAO Charter Consensus

"Jyoti Verma (jyoverma)" <jyoverma@cisco.com> Fri, 10 May 2019 20:21 UTC

I support this work and the need for it. Will continue to contribute towards any test code/documentation write-up, review etc.

Thanks,
Jyoti


From: Cacao <cacao-bounces@ietf.org> on behalf of Allan Thomson <athomson@lookingglasscyber.com>
Date: Friday, May 10, 2019 at 11:33 AM
To: Bret Jordan <jordan.ietf@gmail.com>, "Carolin.Baumgartner@interdiscount.ch" <Carolin.Baumgartner@interdiscount.ch>
Cc: "cacao@ietf.org" <cacao@ietf.org>
Subject: Re: [Cacao] Call for CACAO Charter Consensus

Fully agree with the need for this work and will continue to contribute whether that is requirements, architecture specifications, test cases, test code, etc., and support it moving forward.

Regards

Allan

From: Cacao <cacao-bounces@ietf.org> on behalf of Bret Jordan <jordan.ietf@gmail.com>
Date: Friday, May 10, 2019 at 10:31 AM
To: "Carolin.Baumgartner@interdiscount.ch" <Carolin.Baumgartner@interdiscount.ch>
Cc: "cacao@ietf.org" <cacao@ietf.org>
Subject: Re: [Cacao] Call for CACAO Charter Consensus

I obviously fully support this work. I will write documents, write code, and review documents. This work is really the next step beyond CTI and is critically needed.


Thanks,
Bret
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."



On May 10, 2019, at 2:52 PM, Carolin.Baumgartner@interdiscount.ch wrote:

I am still interested and support the charter. I am not sure what to make out of this sentence though

“The working group may decide to not publish the use cases and requirements; and test documents.”

I am willing to review documents

Carolin

From: Cacao <cacao-bounces@ietf.org> on behalf of Joseph Salowey <joe@salowey.net>
Date: Friday, 10 May 2019 at 15:39
To: "cacao@ietf.org" <cacao@ietf.org>
Subject: [Cacao] Call for CACAO Charter Consensus


At the CACAO meeting at IETF 105 in Prague there was significant interest in the CACAO problem statement. We want to reach consensus for a charter for a working group. A draft charter has been posted to the list [1].

We need to continue this discussion on the email list as well as gauge continued interest in participating in this work.  Please do so by responding to the following questions:

  1. Do you support this charter text (full text also provided at the end of email or at [1])? Please submit objections or blocking concerns to the list.
  2. Are you willing to author or participate in the development of the drafts of this WG?
  3. Are you willing to help review the drafts of this WG?
  4. Are you interested in implementing drafts of this WG?

Please provide comments including proposed text changes ASAP to provide ample time for discussion.  This call for consensus ends on May 27, 2019.

Thanks,

Joe & Chris

[1] https://mailarchive.ietf.org/arch/msg/cacao/QKVvohhYvwU46jcsLYyYY1agPTU

Charter text copied below:

--------------

# Introduction

To defend against threat actors and their tactics, techniques, and procedures, organizations need to manually identify, create, and document prevention, mitigation, and remediation steps. These steps when grouped together into a course of action (COA) / playbook are used to protect systems, networks, data, and users. The problem is, once these steps have been created there is no standardized and structured way to document them, verify they were correctly executed, or easily share them across organizational boundaries and technology stacks.

This working group will create a standard that implements the playbook model for cybersecurity operations.

This solution will specifically enable:

 1. the creation and documentation of COAs in a structured machine-readable format
 2. organizations to perform attestation including verification and authentication on COAs
 3. the sharing and distribution of COAs across organizational boundaries and technology stacks that may include protocols, APIs, interfaces and other related technology to support sharing.
 4. the verification of COA correctness prior to deployment.
 5. the monitoring of COA activity after successful deployment.

This solution will contain (at a minimum) a standard JSON based data model, a defined set of functional capabilities and associated interfaces, and a protocol. This solution will also provide a data model for systems to confirm the status of the COA execution, however, it will be agnostic of how the COA is implemented by the system.

Each collaborative course of action, such as recommended prevention, mitigation and remediation steps, will consist of a sequence of cyber defense actions that can be executed by the various systems that can act on those actions. Further, these COAs will be coordinated and deployed across heterogeneous cyber security systems such that both the actions requested and the resultant outcomes may be verified. These COA actions will be referenceable in a data structure like the OASIS STIX V2 model that provides support for related data such as threat actors, campaigns, intrusion sets, malware, attack patterns, and other adversarial techniques, tactics, and procedures.

Where possible the working group will consider existing efforts, like OASIS OpenC2 and IETF I2NSF that define the atomic actions to be included in a process or sequence. The working group will not consider how shared actions are used/enforced, except where a response is expected for a specific action or step.

# Goals and Deliverables

This working group has the following major goals and deliverables:

 - CACAO Use Cases and Requirements
   - Specify the use cases and requirements
 - CACAO Functional Architecture: Roles and Interfaces
   - Specify the system functions and roles that are needed to enable Collaborative Courses of Action
 - CACAO Protocol Specification
   - Specify and standardize the configuration for at least one protocol that can be used to distribute courses of action in both a direct delivery and publish-subscribe method
 - CACAO Distribution and Response Application Layer Protocol
   - Specify the protocol which may include APIs, interfaces and other related technology to support the requirements identified for the protocol.
 - CACAO JSON Data Model
   - Create a JSON data model that can capture and enable collaborative courses of action
 - CACAO Interoperability Test Documents
   - Define and create a series of tests and documents to assist with interoperability of the various systems involved.

The working group may decide to not publish the use cases and requirements; and test documents. That decision will be made during the lifetime of the working group.