OASIS Collaborative Automated Course of Action Operations (CACAO) for Cyber Security


OASIS-cacao@ConnectedCommunity.org

Contacts

Chair: Bret Jordan, Afero
bret.jordan.sdo@gmail.com

OASIS Staff Contact: Kelly Cullinane
OASIS
kelly.cullinane@oasis-open.org

Charter

(1)(a) TC Name

Collaborative Automated Course of Action Operations (CACAO) for Cyber Security

(1)(b) Statement of Purpose

This TC will create a standard that implements the course of action playbook model for cybersecurity operations. Each type of collaborative course of action playbook, such as prevention, mitigation and remediation will consist of a sequence of cyber defense actions that can be executed by the various technological solutions that can act on those actions. These course of action playbooks should be referenceable by other cyber threat intelligence that provides support for related data such as threat actors, campaigns, intrusion sets, malware, attack patterns, and other adversarial techniques, tactics, and procedures.

This TC may submit the specifications produced by this TC to other standards bodies (e.g., ITU-T, ETSI) for additional ratification.

Business Benefits

To defend against threat actors and their tactics, techniques, and procedures, organizations need to manually identify, create, and document prevention, mitigation, and remediation steps. These steps when grouped together form a course of action playbook that can be used to protect systems, networks, data, and users. The problem is, once these course of action playbooks have been created there is no standardized and structured way to document them or easily share them across organizational boundaries and technological solutions.

(1)(c) Scope

This solution will specifically enable:

1. the creation and documentation of course of action playbooks in a structured, machine-readable format
2. organizations to digitally sign course of action playbooks
3. the secure sharing and distribution of course of action playbooks across organizational boundaries and technological solutions
4. the creation and documentation of processing instructions for course of action playbooks in a machine-readable format

It is out of scope for the WG to define or recommend actual investigation, detection, prevention, mitigation, and remediation steps for a given specific threat (e.g., defining how to remediate Fuzzy Panda on Windows™ 10). The TC will not consider how shared actions are operationalized on specific systems, except where it is necessary for those actions to interact with the playbook, including the response expected for a specific action or step.

(1)(d) Deliverables

This TC has the following major goals and deliverables:

- CACAO Use Cases and Requirements
The TC will identify and document the core requirements needed to support the common use cases that are performed today.
- CACAO Functional Architecture: Roles and Interfaces
The TC will specify the system functions and roles that are needed to enable collaborative courses of action playbooks.
- CACAO Protocol Specification
The TC will identify and standardize the configuration for at least one protocol that can be used to distribute course of action playbooks over the interfaces identified in the CACAO functional architecture.
- CACAO Data Model
This TC will define a normative data model for CACAO using property tables, similar to how the OASIS STIXv2 data model was defined. This data model will be designed to work explicitly with I-JSON, and all examples will be given in JSON. The TC will also define JSON as the mandatory-to-implement serialization for this version of CACAO. The TC may decide to also document the data model in other non-normative forms, which would be located in an appendix.
- CACAO Interoperability Test Documents
This TC will define and create a series of tests and documents to assist with interoperability of the various systems involved. These documents can be used by technological solutions adopting the CACAO course of action playbooks to help ensure that they do so in an interoperable manner. The TC will decide how best to publish these documents.

(1)(e) IPR Mode

Non-Assertion

(1)(f) Audience

Security Vendors, Incident Responders, Security Operation Centers (SOCs), Cyber Defense Centers, Threat Intelligence Analysts, Large Enterprise, Governments

(1)(g) Language

English

(Optional References for Section 1)

https://www.lookingglasscyber.com/blog/cacao-a-future-for-collaborative-cybersecurity-course-of-action/

Description

Defining the standard for implementing course of action playbooks for cybersecurity operations.

Announcements

The press release announcing the approval of CACAO Security Playbooks v2.0 as a Committee Specification is available now. You can read it here.

Security Playbooks V1.0 is approved as an OASIS Committee Specification. For details, see the announcement.

See OASIS announcement: Industry Leaders Collaborate at OASIS to Define Cybersecurity Course-of-Action Playbooks with CACAO: Accenture, Cisco, Cyware, EclecticIQ, FireEye, Fornetix, IBM, New Context, Syncurity, ThreatQuotient, U.S. NIST, and Others Will Develop Machine Readable Cyber Response Playbooks; 24 Sept 2019.

Participation in the OASIS Collaborative Automated Course of Action Operations (CACAO) for Cyber Security TC is open to all interested parties. Contact join@oasis-open.org for more information.

04 September 2019: The CACAO TC held its inaugural meeting with 42 members attending. Bret Jordan of Symantec Corp. and Allan Thomson of LookingGlass were elected as Co-Chairs. Our congratulations to all on a successful launch.


Overview

CACAO TC members are developing a standard to implement the course of action playbook model for cybersecurity operations.

In order to defend against cyber threats, organizations must manually identify, create, and document the prevention, mitigation, and remediation steps that, together, form a course of action playbook. However, today there is no standardized way to document and share these playbooks across organizational boundaries and technology solutions.

CACAO addresses this problem by defining a sequence of cyber defense actions that can be executed for each type of playbook. It will specifically enable organizations to:

1. create course of action playbooks in a structured, machine-readable format,
2. digitally sign course of action playbooks,
3. securely share course of action playbooks across organizational boundaries and technological solutions, and
4. document processing instructions for course of action playbooks in a machine-readable format.

For more information, see the CACAO TC Charter.


Technical Work Produced by the Committee

CACAO Security Playbooks Version 2.0. Edited by Bret Jordan and Allan Thomson. 27 November 2023. OASIS Committee Specification 01. https://docs.oasis-open.org/cacao/security-playbooks/v2.0/cs01/security-playbooks-v2.0-cs01.html. Latest version: https://docs.oasis-open.org/cacao/security-playbooks/v2.0/security-playbooks-v2.0.html.

CACAO Security Playbooks Version 1.0. Edited by Bret Jordan and Allan Thomson. 23 June 2021. OASIS Committee Specification 02. https://docs.oasis-open.org/cacao/security-playbooks/v1.0/cs02/security-playbooks-v1.0-cs02.html. Latest stage: https://docs.oasis-open.org/cacao/security-playbooks/v1.0/security-playbooks-v1.0.html.

CACAO Security Playbooks Version 1.0. Edited by Bret Jordan and Allan Thomson. 12 January 2021. OASIS Committee Specification 01. https://docs.oasis-open.org/cacao/security-playbooks/v1.0/cs01/security-playbooks-v1.0-cs01.html. Latest version: https://docs.oasis-open.org/cacao/security-playbooks/v1.0/security-playbooks-v1.0.html.


Mailing Lists and Comments

cacao: the discussion list used by TC members to conduct Committee work. TC membership is required to post, and TC members are automatically subscribed. The public may view the OASIS list archives.

cacao-comment: a public mailing list for providing feedback on the technical work of the OASIS Collaborative Automated Course of Action Operations (CACAO) for Cyber Security TC. To send a comment, follow the instructions on the TC's public web page here or view the OASIS comment list archives.


Press Coverage and Commentary

Watch the webinar on CACAO: Revolutionizing Playbooks for Enhanced Defense
