OASIS Collaborative Automated Course of Action Operations (CACAO) for Cyber Security Technical Committee

The original Call For Participation for this TC may be found at https://www.oasis-open.org/2019/08/04/call-for-participation-oasis-collaborative-automated-course-of-action-operations/.

  1. Name of the TC

    OASIS Collaborative Automated Course of Action Operations (CACAO) for Cyber Security

  2. Statement of Purpose

    This TC will create a standard that implements the course of action playbook model for cybersecurity operations. Each type of collaborative course of action playbook, such as prevention, mitigation, and remediation, will consist of a sequence of cyber defense actions that can be executed by the various technological solutions capable of acting on them. These course of action playbooks should be referenceable from other cyber threat intelligence describing related data such as threat actors, campaigns, intrusion sets, malware, attack patterns, and other adversarial tactics, techniques, and procedures.

    This TC may submit the specifications produced by this TC to other standards bodies (e.g., ITU-T, ETSI) for additional ratification.

    Business Benefits

    To defend against threat actors and their tactics, techniques, and procedures, organizations need to manually identify, create, and document prevention, mitigation, and remediation steps. These steps, when grouped together, form a course of action playbook that can be used to protect systems, networks, data, and users. The problem is that once these course of action playbooks have been created, there is no standardized, structured way to document them or to share them easily across organizational boundaries and technological solutions.

  3. Scope of Work

    This solution will specifically enable:

    • the creation and documentation of course of action playbooks in a structured machine-readable format
    • organizations to digitally sign course of action playbooks
    • the secure sharing and distribution of course of action playbooks across organizational boundaries and technological solutions
    • the creation and documentation of processing instructions for course of action playbooks in a machine-readable format

    It is out of scope for the TC to define or recommend actual investigation, detection, prevention, mitigation, and remediation steps for a given specific threat (e.g., defining how to remediate Fuzzy Panda on Windows™ 10). The TC will not consider how shared actions are operationalized on specific systems, except where necessary for those actions to interact with the playbook, including the response expected from a specific action or step.

  4. Deliverables

    This TC has the following major goals and deliverables:

    - CACAO Use Cases and Requirements

    The TC will identify and document the core requirements needed to support the common use cases that are in use today.

    - CACAO Functional Architecture: Roles and Interfaces

    The TC will specify the system functions and roles that are needed to enable collaborative course of action playbooks.

    - CACAO Protocol Specification

    The TC will identify and standardize the configuration for at least one protocol that can be used to distribute course of action playbooks over the interfaces identified in the CACAO functional architecture.

    - CACAO Data Model

    This TC will define a normative data model for CACAO using property tables, in the same way the OASIS STIX 2 data model was defined. This data model will be designed to work with I-JSON (RFC 7493), and all examples will be written in JSON. The TC will also define JSON as the mandatory-to-implement serialization for this version of CACAO. The TC may decide to also document the data model in other non-normative forms, which would be located in an appendix.

    - CACAO Interoperability Test Documents

    This TC will define and create a series of tests and documents to assist with interoperability of the various systems involved. These documents can be used by technological solutions adopting CACAO course of action playbooks to help ensure that they do so in an interoperable manner. The TC will decide how best to publish these documents.
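    An added example, not code from the TC or from any CACAO specification, showing how two points above fit together in practice: the data model's reliance on I-JSON and the scope item that organizations can digitally sign playbooks. A consumer first checks constraints that I-JSON (RFC 7493) imposes but a stock JSON parser does not enforce (the bytes must be valid UTF-8 and no object may repeat a member name; encoding/json silently keeps the last duplicate), then signs or verifies a detached Ed25519 signature over a canonical serialization. The sample playbook members, the canonicalization (sorted member names, no insignificant whitespace) and the choice of Ed25519 are assumptions made for this example, not choices the charter makes.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"unicode/utf8"
)

// Constructed samples for this example. They are not CACAO documents from
// any specification; the member names are placeholders.
const (
	samplePlaybook = `{"type":"playbook","id":"playbook--0001","name":"Block C2 domain",
  "created":"2019-08-04T00:00:00Z","steps":[{"type":"action","command":"block-domain"}]}`
	// Same content as samplePlaybook, different member order and whitespace.
	reorderedPlaybook = `{"steps": [{"command": "block-domain", "type": "action"}],
  "name": "Block C2 domain", "created": "2019-08-04T00:00:00Z", "id": "playbook--0001", "type": "playbook"}`
	// One member value changed.
	tamperedPlaybook = `{"type":"playbook","id":"playbook--0001","name":"Block C2 domain",
  "created":"2019-08-04T00:00:00Z","steps":[{"type":"action","command":"allow-domain"}]}`
	// Repeated member name: forbidden by I-JSON, silently accepted by json.Unmarshal.
	duplicateKeyPlaybook = `{"type":"playbook","name":"A","name":"B"}`
)

// CheckIJSON enforces two RFC 7493 constraints on a raw document: valid UTF-8
// and no repeated member names within any object. It walks the token stream
// because unmarshalling into a map discards the duplicate before we can see it.
func CheckIJSON(data []byte) error {
	if !utf8.Valid(data) {
		return errors.New("document is not valid UTF-8")
	}
	type frame struct {
		isObject  bool
		expectKey bool // inside an object: next token is a member name
		seen      map[string]bool
	}
	var stack []*frame
	dec := json.NewDecoder(bytes.NewReader(data))
	for {
		tok, err := dec.Token()
		if err == io.EOF {
			break
		}
		if err != nil {
			return err
		}
		if d, ok := tok.(json.Delim); ok {
			switch d {
			case '{':
				stack = append(stack, &frame{isObject: true, expectKey: true, seen: map[string]bool{}})
			case '[':
				stack = append(stack, &frame{})
			case '}', ']':
				stack = stack[:len(stack)-1]
				if n := len(stack); n > 0 && stack[n-1].isObject {
					stack[n-1].expectKey = true // the nested value just closed
				}
			}
			continue
		}
		if n := len(stack); n > 0 && stack[n-1].isObject {
			f := stack[n-1]
			if f.expectKey {
				key := tok.(string) // Token always yields member names as strings
				if f.seen[key] {
					return fmt.Errorf("duplicate member name %q", key)
				}
				f.seen[key] = true
			}
			f.expectKey = !f.expectKey
		}
	}
	return nil
}

// Canonicalize is the serialization the signature covers: an assumption for
// this example (json.Marshal sorts map keys and emits no whitespace).
func Canonicalize(data []byte) ([]byte, error) {
	var v any
	if err := json.Unmarshal(data, &v); err != nil {
		return nil, err
	}
	return json.Marshal(v)
}

// GenerateKeyPair returns a fresh Ed25519 key pair for the signing party.
func GenerateKeyPair() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// SignPlaybook refuses non-I-JSON input, then signs the canonical bytes.
func SignPlaybook(priv ed25519.PrivateKey, data []byte) ([]byte, error) {
	if err := CheckIJSON(data); err != nil {
		return nil, err
	}
	canon, err := Canonicalize(data)
	if err != nil {
		return nil, err
	}
	return ed25519.Sign(priv, canon), nil
}

// VerifyPlaybook re-derives the canonical form, so a receiver that has
// re-serialized the playbook with other whitespace or member order still
// verifies, while any change to a member value does not.
func VerifyPlaybook(pub ed25519.PublicKey, data, sig []byte) bool {
	if err := CheckIJSON(data); err != nil {
		return false
	}
	canon, err := Canonicalize(data)
	if err != nil {
		return false
	}
	return ed25519.Verify(pub, canon, sig)
}

func main() {
	pub, priv, err := GenerateKeyPair()
	if err != nil {
		panic(err)
	}
	sig, err := SignPlaybook(priv, []byte(samplePlaybook))
	if err != nil {
		panic(err)
	}
	fmt.Println("original verifies: ", VerifyPlaybook(pub, []byte(samplePlaybook), sig))
	fmt.Println("reordered verifies:", VerifyPlaybook(pub, []byte(reorderedPlaybook), sig))
	fmt.Println("tampered verifies: ", VerifyPlaybook(pub, []byte(tamperedPlaybook), sig))
	fmt.Println("duplicate-key doc: ", CheckIJSON([]byte(duplicateKeyPlaybook)))
}
```

    The I-JSON check runs on both the signing and the verifying side: a document with a repeated member name would otherwise canonicalize to whichever value the parser happened to keep, so two conforming consumers could verify the same signature yet act on different playbook content.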

  5. IPR Mode

    This TC will operate under the Non-Assertion IPR mode as defined in Section 10.3 of the OASIS IPR Policy document.

  6. Audience

    Security Vendors, Incident Responders, Security Operations Centers (SOCs), Cyber Defense Centers, Threat Intelligence Analysts, Large Enterprises, Governments

  7. Language

    The TC will operate and publish its documents in English.

  8. References