CACAO

CACAO Layout Extension v1.0 approved as a Committee Specification

OASIS is pleased to announce that CACAO Layout Extension Version 1.0 from the OASIS Collaborative Automated Course of Action Operations (CACAO) for Cyber Security TC [1] has been approved as an OASIS Committee Specification.

Collaborative Automated Course of Action Operations (CACAO) is a schema and taxonomy for cybersecurity playbooks. The CACAO specification describes how these playbooks can be created, documented, and shared in a structured and standardized way across organizational boundaries and technological solutions. This specification defines the CACAO Layout Extension for the purpose of visually representing CACAO playbooks accurately and consistently across implementations.

This Committee Specification is an OASIS deliverable, completed and approved by the TC and fully ready for testing and implementation.

CACAO Layout Extension Version 1.0
Committee Specification 01
04 April 2024

Editable Source: https://docs.oasis-open.org/cacao/layout-extension/v1.0/cs01/layout-extension-v1.0-cs01.docx
HTML: https://docs.oasis-open.org/cacao/layout-extension/v1.0/cs01/layout-extension-v1.0-cs01.html
PDF: https://docs.oasis-open.org/cacao/layout-extension/v1.0/cs01/layout-extension-v1.0-cs01.pdf

ZIP: https://docs.oasis-open.org/cacao/layout-extension/v1.0/cs01/layout-extension-v1.0-cs01.zip

Members of the CACAO TC [1] approved this specification by Special Majority Vote. The specification had been released for public review as required by the TC Process [2]. The vote to approve as a Committee Specification passed [3], and the document is now available online in the OASIS Library as referenced above.

Our congratulations to the TC on achieving this milestone and our thanks to the reviewers who provided feedback on the specification drafts to help improve the quality of the work.

========== Additional references:
[1] OASIS Collaborative Automated Course of Action Operations (CACAO) for Cyber Security TC
https://groups.oasis-open.org/communities/tc-community-home2?CommunityKey=b75cccb8-adc6-4de5-8b99-018dc7d322b6

[2] Public review metadata document:
https://docs.oasis-open.org/cacao/layout-extension/v1.0/csd01/layout-extension-v1.0-csd01-public-review-metadata.html
– Comment resolution log:
https://docs.oasis-open.org/cacao/layout-extension/v1.0/csd01/layout-extension-v1.0-csd01-comment-resolution-log.txt

[3] Approval ballot:
https://groups.oasis-open.org/higherlogic/ws/groups/b75cccb8-adc6-4de5-8b99-018dc7d322b6/ballots/ballot?id=3819

Invitation to comment on CACAO Layout Extension v1.0

OASIS and the OASIS Collaborative Automated Course of Action Operations (CACAO) for Cyber Security TC are pleased to announce that CACAO Layout Extension v1.0 is now available for public review and comment. This 30-day review is the first public review for this specification.

About the specification draft:

Collaborative Automated Course of Action Operations (CACAO) is a schema and taxonomy for cyber security playbooks. The CACAO specification describes how these playbooks can be created, documented, and shared in a structured and standardized way across organizational boundaries and technological solutions.

This specification defines the CACAO Layout Extension for the purpose of visually representing CACAO playbooks accurately and consistently across implementations.

The documents and related files are available here:

CACAO Layout Extension Version 1.0
Committee Specification Draft 01
16 January 2024

Editable source (Authoritative):
https://docs.oasis-open.org/cacao/layout-extension/v1.0/csd01/layout-extension-v1.0-csd01.docx
HTML:
https://docs.oasis-open.org/cacao/layout-extension/v1.0/csd01/layout-extension-v1.0-csd01.html
PDF:
https://docs.oasis-open.org/cacao/layout-extension/v1.0/csd01/layout-extension-v1.0-csd01.pdf

For your convenience, OASIS provides a complete package of the specification document and any related files in ZIP distribution files. You can download the ZIP file at:
https://docs.oasis-open.org/cacao/layout-extension/v1.0/csd01/layout-extension-v1.0-csd01.zip

How to Provide Feedback

OASIS and the CACAO TC value your feedback. We solicit input from developers, users and others, whether OASIS members or not, for the sake of improving the interoperability and quality of our technical work.

The public review starts 25 January 2024 at 00:00 UTC and ends 23 February 2024 at 23:59 UTC.

Comments may be submitted to the TC by any person through the use of the OASIS TC Comment Facility, which can be used by following the instructions on the TC’s “Send A Comment” page (https://www.oasis-open.org/committees/comments/index.php?wg_abbrev=cacao).

Comments submitted by TC non-members for this work and for other work of this TC are publicly archived and can be viewed at:
https://lists.oasis-open.org/archives/cacao-comment/

All comments submitted to OASIS are subject to the OASIS Feedback License, which ensures that the feedback you provide carries at least the same obligations as those of TC members. In connection with this public review, we call your attention to the OASIS IPR Policy [1] applicable especially [2] to the work of this technical committee. All members of the TC should be familiar with this document, which may create obligations regarding the disclosure and availability of a member’s patent, copyright, trademark and license rights that read on an approved OASIS specification.

OASIS invites any persons who know of any such claims to disclose these if they may be essential to the implementation of the above specification, so that notice of them may be posted to the notice page for this TC’s work.

Additional information about the specification and the CACAO TC can be found at the TC’s public home page:
https://www.oasis-open.org/committees/cacao/

Additional information related to this public review, including a complete publication and review history, can be found in the public review metadata document [3].

========== Additional references:

[1] https://www.oasis-open.org/policies-guidelines/ipr/

[2] https://www.oasis-open.org/committees/cacao/ipr.php
Non-Assertion Mode: https://www.oasis-open.org/policies-guidelines/ipr/#Non-Assertion-Mode

[3] Public review metadata document:
https://docs.oasis-open.org/cacao/layout-extension/v1.0/csd01/layout-extension-v1.0-csd01-public-review-metadata.html

OASIS Unveils CACAO v2.0: Transforming Cybersecurity Course-of-Action Playbooks for Enhanced Defense

Boston, MA – 13 December 2023 – OASIS Open, the international open source and standards consortium, and the Collaborative Automated Course of Action Operations (CACAO) for Cyber Security Technical Committee (TC) have approved CACAO Security Playbooks v2.0 as an OASIS Committee Specification (CS). CACAO v2.0 will empower organizations to orchestrate, collaborate, and share cybersecurity playbooks. In the ongoing battle against threat actors, organizations must identify, create, document, and test various steps to detect, investigate, mitigate, and remedy potential threats. The culmination of these steps results in a cybersecurity playbook designed to secure organizational systems, networks, data, and users.

CACAO v2.0 defines the schema and taxonomy for cybersecurity playbooks and describes how they can be created, documented, and shared in a structured and standardized way across organizational boundaries and technological solutions. These playbooks give security teams the ability to respond to incidents, mitigate threats, and protect their networked systems by offering a modular and extensible approach to playbook development, ensuring that it can adapt to the diverse needs of different organizations.

“CACAO is the culmination of many years of hard work from the cybersecurity community outside and within OASIS, resulting in a significant step forward for all organizations looking to automate their defense against today’s latest cyber threats,” said Allan Thomson, co-chair of the CACAO TC. “We’ve taken the approach with CACAO, to embrace existing toolsets and processes security organizations are already familiar with, and defined a standardized playbook mechanism that allows orchestration and collaboration not easily achieved both within their own organization, as well as with external sharing partners.”

“The creation, development, and now approval of CACAO v2.0 as a Committee Specification is a testament to the hard work and collaboration of so many different individuals and organizations from around the world to help solve one of the biggest problems in cyber defense: the orchestration of response in cyber relevant time,” said Bret Jordan, co-chair of the CACAO TC. “This standardized approach to orchestrated cyber defense gives organizations the ability to navigate the evolving threat landscape with confidence, armed with the tools needed to orchestrate and automate responses effectively. I am so proud of the work that everyone has done to make this a reality. This TC has done for cyber security playbooks what STIX and TAXII did for cyber threat intelligence (CTI).”

For further insights, read the blog Standardized Security Orchestration with CACAO, written by Bret Jordan, Vasileios Mavroeidis, Luca Morgese, and Allan Thomson.

The CACAO TC is made up of a diverse group of global experts from various industries, including cybersecurity, government, and academia. OASIS Open encourages organizations and individuals to get involved in the development and adoption of CACAO v2.0 and other open standards for cybersecurity.

Additional Information
CACAO Technical Committee

Standardized Security Orchestration with CACAO

Organizational cyber security has never been more under attack than it is today. With the introduction of the OASIS Collaborative Automated Course of Action Operations (CACAO) Version 2.0 standard, security organizations have a new and formidable toolkit for orchestrating and collaborating with fully automatable security playbooks to respond to today’s cyber threats.

Read on to learn more about how CACAO can help defend your organization better.

The New Standard for Security Playbooks

CACAO is a standardized framework for orchestrating and automating course-of-action playbooks in cybersecurity. It streamlines the creation, execution, and sharing of playbooks, making it easier for security teams to respond to incidents, mitigate threats, and protect their networks. CACAO offers a modular and extensible approach to playbook development, ensuring that it can adapt to the diverse needs of different organizations.

CACAO focuses on empowering IT/Security organizations to design and orchestrate security activities. These range from traditional activities such as intrusion detection, through security event triage and determining the relevant steps to counter a threat, to enforcing mitigation and incident response procedures.

Moreover, it enables more advanced techniques that use playbooks across various use cases that organizations may employ or want to address, such as performing attack emulations as part of red team activities, utilizing threat deception techniques to engage with active threats against the organization, or even ensuring policy and regulatory compliance.

The following section highlights some of the key aspects of how CACAO Playbooks are designed.

Key Technology of CACAO

Organizing and Searching Playbooks: Metadata

Metadata is a crucial and powerful component of CACAO, allowing for the efficient categorization and searchability of playbooks. It includes information such as the operational roles a playbook performs, descriptions of its activities, and the complexity of workflow steps encapsulated. For example, a playbook may contain workflow steps that are simple sequencing or they may contain control flows that require the orchestration system to handle the typical logic that programs require. This metadata helps organizations find relevant playbooks quickly and accordingly tailor them to their specific requirements.

Defining the process, logic and knowledge within a playbook: Workflow Steps

CACAO playbooks are structured as workflows: a dictionary of workflow steps executed sequentially or in parallel, which can branch into other CACAO playbooks (a modular approach) and use different types of conditional logic (e.g., if, while, switch) to support even the most advanced and complex scenarios and requirements.

Connecting the playbook steps to systems, people and their targets: Agents and Targets

In CACAO, the agent is the entity responsible for executing actions, while the target is the recipient of those actions. Agents execute action steps containing commands against targets. The design emphasizes modularity and reusability, allowing organizations to define agents and targets once, reference them in multiple playbooks, or reuse them within a playbook. This approach provides flexibility on how action steps and their underlying commands will be executed by, or against, for example, an individual, group, organization, devices and equipment, or in a hybrid manner. 

Additional Key Features of CACAO

Modularity & Extensibility

Recognizing that cybersecurity organizations and their technologies can span a large ecosystem that is constantly evolving, CACAO was designed to be both modular and extensible. 

Organizations can be responsible for specific areas of technology and their respective playbooks. Those playbooks can be combined with other organizations’ playbooks for specific threats, or with the general process implementations that larger organizations typically follow when responding to incidents (also known as standard operating procedures, SOPs). In many respects how an IT/Security organization is structured and operates is already set; CACAO playbooks can be mapped onto that structure without requiring changes to the organization or to how it performs its automation. With CACAO, organizations now have standardized and fully interoperable playbooks that can significantly improve their operational processes, both within the organization and externally when a team collaborates with other organizations.

CACAO already defines command types for a variety of toolsets*. Organizations can also adapt CACAO to incorporate new tools, proprietary systems, or evolving industry standards: CACAO’s extension mechanism, the same one that underpins STIX extensions, can be applied at the playbook, step, or command level, giving organizations the flexibility to customize their orchestration.

* See CACAO Specification Section 5 for details.

Ensuring Playbook Integrity

Integrity and trust are essential in cybersecurity. CACAO addresses this need by incorporating digital signatures into playbooks, so that a playbook can be signed and countersigned. CACAO’s signature mechanism, a JSON signature scheme, was submitted to the UN’s ITU-T and standardized as X.590. It is now used in CACAO to assure authenticity and integrity across playbooks, helping organizations validate their sources and track changes to playbooks over time.

Integrating Cyber Threat Intelligence (CTI) with Orchestration

CACAO connects with the Structured Threat Information eXpression (STIX) Version 2.1 standard, ensuring interoperability and information sharing between cyber threat intelligence and incident response. CACAO uses the same identifier format, versioning mechanism, and core metadata as STIX, so an organization’s investment in one standard carries over to the other. This integration allows organizations to apply their cyber threat intelligence directly to their playbooks; used together, the two standards also allow CTI to trigger or recommend the execution of specific CACAO playbooks.

Designing CACAO Playbooks – Key Elements to Consider

As highlighted above, there are three key aspects to designing a CACAO Playbook that an organization must consider.

Metadata

Metadata enables organizations to assess and evaluate the contents of a playbook and what its operational impact might be. The key parts and some of the properties to consider are:

  • Playbook Type
    • This property defines the key purpose of the playbook, for example, whether it addresses threat detection, incident response, threat mitigation, investigation, or a combination of these.
  • Playbook Activities & Playbook Processing
    • These properties enable organizations to better understand what a playbook does in detail and what features it has implemented such as conditional logic, digital signatures, etc.
  • Versioning
    • Versioning enables organizations to track changes in their playbooks over time and potentially changes in playbooks created by different authors.
  • Labels
    • Labels can be used to index and categorize playbooks by type, organization, and function while enabling many other organizational and trust group specific vocabularies or taxonomies. Labeling can be extremely powerful and effective when organizing playbooks.
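The metadata properties above (playbook type, processing summary, versioning, labels) become useful only if they can be trusted. As an added example, not code from the blog post or the CACAO TC, the Python below builds a small CACAO v2.0 playbook with those properties, derives the playbook_processing_summary from the workflow the playbook really contains, reports any flag that disagrees with what the playbook declares (the check to run on a playbook received from a sharing partner before relying on its metadata), and filters a playbook set by playbook_types and labels. Property and step-type names are CACAO v2.0’s; the workflow content, identifiers, variable name, condition string, and the treatment of delay/timeout as temporal logic are assumptions made for this example.

```python
"""Added example, not code from the OASIS post or the CACAO TC: build a small
CACAO v2.0 playbook, derive its playbook_processing_summary from the workflow
it actually contains, flag disagreements with what the playbook declares, and
search a playbook set by type and label. Property and step-type names follow
CACAO v2.0; the playbook content, identifiers, condition string and variable
values are constructed for this example."""
import uuid
from datetime import datetime, timezone

# Step types whose presence implies the matching processing-summary flag.
STEP_FLAGS = {
    "if-condition": "if_logic",
    "while-condition": "while_logic",
    "switch-condition": "switch_logic",
    "parallel": "parallel_processing",
    "playbook-action": "external_playbooks",
}
SUMMARY_FLAGS = (
    "manual_playbook", "external_playbooks", "parallel_processing", "if_logic",
    "while_logic", "switch_logic", "temporal_logic", "data_markings",
    "digital_signatures", "extensions",
)


def new_id(prefix: str) -> str:
    """CACAO identifiers have the form '<type>--<UUID>'."""
    return f"{prefix}--{uuid.uuid4()}"


def build_sample_playbook(declared_summary: dict) -> dict:
    """Constructed playbook: block an IP via an API, or by hand when automation is off."""
    start, cond, block, manual, end = (
        new_id(t) for t in ("start", "if-condition", "action", "action", "end"))
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    return {
        "type": "playbook",
        "spec_version": "cacao-2.0",
        "id": new_id("playbook"),
        "name": "Block attacker IP at the perimeter",
        "playbook_types": ["mitigation"],
        "created_by": new_id("identity"),
        "created": now,
        "modified": now,
        "labels": ["soc", "perimeter"],
        "playbook_processing_summary": declared_summary,
        "workflow_start": start,
        "workflow": {
            start: {"type": "start", "on_completion": cond},
            cond: {"type": "if-condition",
                   "condition": "__automation_allowed__:value = true",  # syntax assumed
                   "on_true": block, "on_false": manual, "on_completion": end},
            block: {"type": "action", "on_completion": end,
                    "commands": [{"type": "http-api",
                                  "command": "POST /api/v1/blocklist HTTP/1.1"}]},
            manual: {"type": "action", "on_completion": end,
                     "commands": [{"type": "manual",
                                   "command": "Ask the firewall team to block the IP"}]},
            end: {"type": "end"},
        },
    }


def derive_processing_summary(playbook: dict) -> dict:
    """Report which CACAO features the playbook really uses, by inspecting it."""
    summary = {flag: False for flag in SUMMARY_FLAGS}
    for step in playbook.get("workflow", {}).values():
        if step["type"] in STEP_FLAGS:
            summary[STEP_FLAGS[step["type"]]] = True
        if any(c["type"] == "manual" for c in step.get("commands", [])):
            summary["manual_playbook"] = True
        if "delay" in step or "timeout" in step:  # counted here as temporal logic
            summary["temporal_logic"] = True
        if step.get("step_extensions"):
            summary["extensions"] = True
    summary["data_markings"] = bool(playbook.get("markings"))
    summary["digital_signatures"] = bool(playbook.get("signatures"))
    summary["extensions"] = summary["extensions"] or bool(playbook.get("extension_definitions"))
    return summary


def summary_mismatches(playbook: dict) -> dict:
    """Flags where the declared summary and the workflow disagree: {flag: (declared, actual)}."""
    declared = playbook.get("playbook_processing_summary", {})
    actual = derive_processing_summary(playbook)
    return {f: (bool(declared.get(f, False)), actual[f])
            for f in SUMMARY_FLAGS if bool(declared.get(f, False)) != actual[f]}


def find_playbooks(playbooks, playbook_type=None, label=None) -> list:
    """IDs of the playbooks carrying the given playbook_types entry and label."""
    return [p["id"] for p in playbooks
            if (playbook_type is None or playbook_type in p.get("playbook_types", []))
            and (label is None or label in p.get("labels", []))]


if __name__ == "__main__":
    # A producer that declared neither the manual fallback nor the if-condition.
    pb = build_sample_playbook({"manual_playbook": False, "if_logic": False})
    print(summary_mismatches(pb))  # {'manual_playbook': (False, True), 'if_logic': (False, True)}
    print(find_playbooks([pb], playbook_type="mitigation", label="soc"))
```

A mismatch such as manual_playbook declared false while a manual command is present is exactly the kind of discrepancy that changes a playbook’s operational impact (a human is needed where the consumer expected full automation), so an orchestrator should recompute the summary rather than index on the declared one.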

Workflow Steps

Workflow Steps are the primary content that defines the playbook and the outcomes expected by executing the steps within it. CACAO provides a rich set of (programming) constructs, offering organizations a great amount of flexibility and comprehensive support for their operational and automation needs.

Steps may include: 

  • Sequential
    • Each step is executed in a simple defined order:
      step 1, step 2, step 3, step n
  • Parallel
    • Each step is executed in parallel:
      step 1.1, step 1.2, step 1.3, step 1.n
  • Conditional
    • A step can evaluate a boolean expression before choosing the next step, for example, if Condition X is true, then perform step 1.
  • Loops
    • Steps are repeated while a condition holds, for example, while Condition X is true, perform step 1.
  • Action
    • Supports the specific action to be executed for a given step.

Agents & Targets

Agents execute action steps containing commands against targets.

Two simple examples:

  • An agent could be an orchestration system executing an automated command (e.g., HTTP API call) to configure a firewall (in this case – the target). 
  • A human agent executing a manual step (manual command), such as switching off the power to a building’s internet connection when network isolation is required and the step cannot be automated without a human override.
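The step types listed under Workflow Steps and the agent/target resolution described here, as an added example that is not part of the original post and is not a CACAO TC implementation: a Python dry-run walker that follows the workflow dictionary through start, action, if-condition, while-condition, parallel and end steps, evaluates conditions against the playbook variables, looks up each action’s agent in agent_definitions and its targets in target_definitions (a dangling reference fails before anything runs), hands every command to a caller-supplied runner instead of executing it, and aborts a while-condition loop that never terminates, the failure mode a loop-capable playbook from an outside source can introduce. The condition grammar (variable:value, comparison operator, literal), the rule that a branch ends at a step without on_completion, the simulated runner and the short identifiers are simplifications made for this example.

```python
"""Added example (not from the OASIS post or the CACAO TC): dry-run walker for a
CACAO v2.0 workflow. Condition grammar, branch-termination rule, runner callback
and short identifiers are this example's simplifications; see the lead-in."""
import operator
import re

COND = re.compile(r"^(__\w+__):value\s*(=|!=|<=|>=|<|>)\s*(.+)$")
OPS = {"=": operator.eq, "!=": operator.ne, "<": operator.lt, ">": operator.gt,
       "<=": operator.le, ">=": operator.ge}


def coerce(var_type: str, raw: str):
    # Make a variable's string value comparable according to its CACAO type.
    if var_type == "integer":
        return int(raw)
    return str(raw).lower() == "true" if var_type == "bool" else str(raw)


def eval_condition(condition: str, variables: dict) -> bool:
    """Evaluate '__var__:value OP literal' against the playbook variables."""
    m = COND.match(condition.strip())
    if not m:
        raise ValueError(f"unsupported condition: {condition!r}")
    name, op, literal = m.groups()
    var = variables[name]  # KeyError: the condition names an undeclared variable
    return OPS[op](coerce(var["type"], var["value"]), coerce(var["type"], literal.strip("'\" ")))


def run_playbook(pb: dict, run_command, max_loop: int = 10):
    """Dry-run the workflow; returns (trace of executed commands, final variables)."""
    wf = pb["workflow"]
    variables = {k: dict(v) for k, v in pb.get("playbook_variables", {}).items()}
    trace = []

    def run_chain(step_id):
        while step_id:
            step, kind = wf[step_id], wf[step_id]["type"]
            if kind == "end":
                return
            if kind == "action":
                agent = pb["agent_definitions"][step["agent"]]  # dangling reference -> KeyError
                targets = [pb["target_definitions"][t] for t in step.get("targets", [])]
                for cmd in step["commands"]:
                    trace.append((step_id, cmd["type"], agent["name"], [t["name"] for t in targets]))
                    for name, value in run_command(cmd, agent, targets, variables).items():
                        variables[name] = {**variables[name], "value": value}  # like out_args
            elif kind == "if-condition":
                branch = step.get("on_true" if eval_condition(step["condition"], variables) else "on_false")
                if branch:
                    run_chain(branch)
            elif kind == "while-condition":
                rounds = 0
                while eval_condition(step["condition"], variables):
                    rounds += 1
                    if rounds > max_loop:
                        raise RuntimeError(f"{step_id}: more than {max_loop} iterations")
                    run_chain(step["on_true"])
            elif kind == "parallel":
                for branch in step["next_steps"]:  # branches run one after another in a dry run
                    run_chain(branch)
            elif kind != "start":
                raise ValueError(f"unsupported step type {kind!r}")
            step_id = step.get("on_completion")  # no on_completion: this branch is done

    run_chain(pb["workflow_start"])
    return trace, variables


def sample_playbook() -> dict:
    """Constructed playbook: isolate a host over SSH, retrying until it reports isolated."""
    return {
        "type": "playbook", "spec_version": "cacao-2.0", "id": "playbook--demo", "workflow_start": "start--1",
        "playbook_variables": {"__isolated__": {"type": "bool", "value": "false"},
                               "__attempts__": {"type": "integer", "value": "0"}},
        "agent_definitions": {"ssh--jump": {"type": "ssh", "name": "jump-host"},
                              "individual--oncall": {"type": "individual", "name": "on-call analyst"}},
        "target_definitions": {"linux--web01": {"type": "linux", "name": "web-01", "address": {"ipv4": ["10.0.0.5"]}}},
        "workflow": {
            "start--1": {"type": "start", "on_completion": "while--1"},
            "while--1": {"type": "while-condition", "condition": "__isolated__:value = false",
                         "on_true": "action--isolate", "on_completion": "if--1"},
            "action--isolate": {"type": "action", "agent": "ssh--jump", "targets": ["linux--web01"],
                                "commands": [{"type": "ssh", "command": "iptables -I INPUT -j DROP"}]},
            "if--1": {"type": "if-condition", "condition": "__attempts__:value > 1",
                      "on_true": "action--notify", "on_completion": "end--1"},
            "action--notify": {"type": "action", "agent": "individual--oncall", "commands": [
                {"type": "manual", "command": "Record that isolation needed more than one attempt"}]},
            "end--1": {"type": "end"},
        },
    }


def simulated_runner(cmd, agent, targets, variables) -> dict:
    """Stand-in for real execution: the SSH command 'succeeds' on the second attempt."""
    if cmd["type"] != "ssh":
        return {}
    attempts = int(variables["__attempts__"]["value"]) + 1
    return {"__attempts__": str(attempts), "__isolated__": "true" if attempts >= 2 else "false"}
```

Calling run_playbook(sample_playbook(), simulated_runner) yields a trace of two ssh commands executed by jump-host against web-01 followed by the manual command assigned to the on-call analyst, the two agent kinds from the examples above; passing a runner that never flips __isolated__ makes the loop guard raise instead of spinning, which is the behaviour to insist on before an orchestrator executes while-condition steps from a playbook it did not author.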


Conclusion

CACAO provides organizations with a rich set of mechanisms to define security playbooks across their entire organization to handle many different aspects of the security operations lifecycle. For collaborating teams within the organizations or across different organizations, CACAO enables the teams to define and share their defensive tradecraft on many aspects including incidents, threat responses, investigative actions, and security assessments. 

Please check out the CACAO specification here and watch our webinar, “Revolutionizing Cybersecurity Playbooks for Enhanced Defense” from 19 March 2024.

Authors: Bret Jordan, Vasileios Mavroeidis, Luca Morgese, and Allan Thomson
