CACAO Layout Extension v1.0 approved as a Committee Specification
OASIS is pleased to announce that CACAO Security Playbooks Version 2.0 from the OASIS Collaborative Automated Course of Action Operations (CACAO) for Cyber Security TC [1] has been approved as an OASIS Committee Specification.
Collaborative Automated Course of Action Operations (CACAO) is a schema and taxonomy for cybersecurity playbooks. The CACAO specification describes how these playbooks can be created, documented, and shared in a structured and standardized way across organizational boundaries and technological solutions. This specification defines the CACAO Layout Extension for the purpose of visually representing CACAO playbooks accurately and consistently across implementations.
This Committee Specification is an OASIS deliverable, completed and approved by the TC and fully ready for testing and implementation.
CACAO Layout Extension Version 1.0, Committee Specification 01, 04 April 2024
Members of the CACAO TC [1] approved this specification by Special Majority Vote. The specification had been released for public review as required by the TC Process [2]. The vote to approve as a Committee Specification passed [3], and the document is now available online in the OASIS Library as referenced above.
Our congratulations to the TC on achieving this milestone and our thanks to the reviewers who provided feedback on the specification drafts to help improve the quality of the work.
Invitation to comment on CACAO Layout Extension v1.0
OASIS and the OASIS Collaborative Automated Course of Action Operations (CACAO) for Cyber Security TC are pleased to announce that CACAO Layout Extension v1.0 is now available for public review and comment. This 30-day review is the first public review for this specification.
About the specification draft:
Collaborative Automated Course of Action Operations (CACAO) is a schema and taxonomy for cyber security playbooks. The CACAO specification describes how these playbooks can be created, documented, and shared in a structured and standardized way across organizational boundaries and technological solutions.
This specification defines the CACAO Layout Extension for the purpose of visually representing CACAO playbooks accurately and consistently across implementations.
The documents and related files are available here:
CACAO Layout Extension Version 1.0, Committee Specification Draft 01, 16 January 2024
OASIS and the CACAO TC value your feedback. We solicit input from developers, users and others, whether OASIS members or not, for the sake of improving the interoperability and quality of our technical work.
The public review starts 25 January 2024 at 00:00 UTC and ends 23 February 2024 at 23:59 UTC.
All comments submitted to OASIS are subject to the OASIS Feedback License, which ensures that the feedback you provide carries at least the same obligations as those of the TC members. In connection with this public review, we call your attention to the OASIS IPR Policy [1], especially as it applies [2] to the work of this technical committee. All members of the TC should be familiar with this document, which may create obligations regarding the disclosure and availability of a member’s patent, copyright, trademark and license rights that read on an approved OASIS specification.
OASIS invites any persons who know of any such claims to disclose these if they may be essential to the implementation of the above specification, so that notice of them may be posted to the notice page for this TC’s work.
Additional information related to this public review, including a complete publication and review history, can be found in the public review metadata document [3].
Boston, MA – 13 December 2023 – OASIS Open, the international open source and standards consortium, and the Collaborative Automated Course of Action Operations (CACAO) for Cyber Security Technical Committee (TC) have approved CACAO Security Playbooks v2.0 as an OASIS Committee Specification (CS). CACAO v2.0 will empower organizations to orchestrate, collaborate, and share cybersecurity playbooks. In the ongoing battle against threat actors, organizations must identify, create, document, and test various steps to detect, investigate, mitigate, and remedy potential threats. The culmination of these steps results in a cybersecurity playbook designed to secure organizational systems, networks, data, and users.
CACAO v2.0 defines the schema and taxonomy for cybersecurity playbooks and describes how they can be created, documented, and shared in a structured and standardized way across organizational boundaries and technological solutions. These playbooks give security teams the ability to respond to incidents, mitigate threats, and protect their networked systems by offering a modular and extensible approach to playbook development, ensuring that it can adapt to the diverse needs of different organizations.
“CACAO is the culmination of many years of hard work from the cybersecurity community outside and within OASIS, resulting in a significant step forward for all organizations looking to automate their defense against today’s latest cyber threats,” said Allan Thomson, co-chair of the CACAO TC. “We’ve taken the approach with CACAO to embrace existing toolsets and processes security organizations are already familiar with, and defined a standardized playbook mechanism that allows orchestration and collaboration not easily achieved both within their own organization, as well as with external sharing partners.”
“The creation, development, and now approval of CACAO v2.0 as a Committee Specification is a testament to the hard work and collaboration of so many different individuals and organizations from around the world to help solve one of the biggest problems in cyber defense: the orchestration of response in cyber relevant time,” said Bret Jordan, co-chair of the CACAO TC. “This standardized approach to orchestrated cyber defense gives organizations the ability to navigate the evolving threat landscape with confidence, armed with the tools needed to orchestrate and automate responses effectively. I am so proud of the work that everyone has done to make this a reality. This TC has done for cyber security playbooks what STIX and TAXII did for cyber threat intelligence (CTI).”
The CACAO TC is made up of a diverse group of global experts from various industries, including cybersecurity, government, and academia. OASIS Open encourages organizations and individuals to get involved in the development and adoption of CACAO v2.0 and other open standards for cybersecurity.
Organizational cyber security has never been more under attack than in today’s world. With the introduction of the OASIS Collaborative Automated Course of Action Operations (CACAO) Version 2.0 standard, security organizations have a new and formidable toolkit for orchestrating and collaborating through fully automatable security playbooks that respond to today’s cyber threats.
Read on to learn more about how CACAO can help defend your organization better.
The New Standard for Security Playbooks
CACAO is a standardized framework for orchestrating and automating course-of-action playbooks in cybersecurity. It streamlines the creation, execution, and sharing of playbooks, making it easier for security teams to respond to incidents, mitigate threats, and protect their networks. CACAO offers a modular and extensible approach to playbook development, ensuring that it can adapt to the diverse needs of different organizations.
CACAO focuses on empowering IT/Security organizations to design and orchestrate security activities. These range from traditional activities such as intrusion detection and security event triage, through determining the relevant steps to counter a threat, to enforcing mitigation and incident response procedures.
Moreover, it enables more advanced techniques that use playbooks across various use cases that organizations may employ or want to address, such as performing attack emulations as part of red team activities, utilizing threat deception techniques to engage with active threats against the organization, or even ensuring policy and regulatory compliance.
The following section highlights some of the key aspects of how CACAO Playbooks are designed.
Key Technology of CACAO
Organizing and Searching Playbooks: Metadata
Metadata is a crucial and powerful component of CACAO, allowing for the efficient categorization and searchability of playbooks. It includes information such as the operational roles a playbook performs, descriptions of its activities, and the complexity of the workflow steps it encapsulates. For example, a playbook may contain workflow steps that are simple sequences, or it may contain control flows that require the orchestration system to handle the kind of logic that programs typically require. This metadata helps organizations find relevant playbooks quickly and tailor them to their specific requirements.
Defining the process, logic and knowledge within a playbook: Workflow Steps
CACAO playbooks are structured as workflows, composed of a dictionary of action steps to be performed sequentially or in parallel. The model stays flexible: it allows branching into other CACAO playbooks (a modular approach) and incorporates different types of conditional logic (e.g., if, while, switch) to support even the most advanced and complex scenarios and requirements.
Connecting the playbook steps to systems, people and their targets: Agents and Targets
In CACAO, the agent is the entity responsible for executing actions, while the target is the recipient of those actions. Agents execute action steps containing commands against targets. The design emphasizes modularity and reusability, allowing organizations to define agents and targets once and reference them in multiple playbooks, or reuse them within a single playbook. This approach provides flexibility in how action steps and their underlying commands are executed by, or against, for example, an individual, a group, an organization, devices and equipment, or a hybrid of these.
Additional Key Features of CACAO
Modularity & Extensibility
Recognizing that cybersecurity organizations and their technologies can span a large ecosystem that is constantly evolving, CACAO was designed to be both modular and extensible.
Organizations can be responsible for specific areas of technology and their respective playbooks. Those playbooks can be combined with other organizations’ playbooks for specific threats or for the general process implementation that larger organizations typically follow when responding to incidents (also known as standard operating procedures – SOPs). In many respects, how an IT/Security organization is defined and operates is already set; CACAO playbooks, however, can easily be mapped onto that organizational structure without requiring changes to the organization or to how it performs its automation. With CACAO, organizations now have standardized and fully interoperable playbooks that can significantly improve their operational processes within the organization and externally when the team collaborates with other organizations.
CACAO already includes a comprehensive set of integrations for a large variety of commands and toolsets*. However, organizations can also adapt CACAO to incorporate new tools, proprietary systems, or evolving industry standards. We defined an extension mechanism that is now the basis for STIX and CACAO Extensions that can be applied at the playbook, step, or command level, providing flexibility for organizations to customize their orchestration.
Integrity and trust are essential in the world of cybersecurity. CACAO addresses this need by incorporating digital signatures into playbooks so that they can be signed and countersigned. CACAO’s signature mechanism, a JSON signature scheme, was submitted to the UN’s ITU-T and standardized as X.590. It is now used in CACAO to assure authenticity and integrity across playbooks, helping organizations validate their sources and track changes to playbooks over time.
Integrating Cyber Threat Intelligence (CTI) with Orchestration
CACAO connects with the Structured Threat Information eXpression (STIX) Version 2.1 standard, ensuring interoperability and information sharing between cyber threat intelligence and incident response. CACAO uses the same identifiers, versioning mechanism, and core metadata as STIX, so an organization’s existing investments can support both standards easily. This integration allows organizations to leverage their cyber threat intelligence knowledge and apply it directly to their playbooks. Similarly, using the two standards together can allow CTI to trigger or recommend the execution of specific CACAO playbooks.
Designing CACAO Playbooks – Key Elements to Consider
As highlighted above, there are three key aspects to designing a CACAO Playbook that an organization must consider.
Metadata
Metadata enables organizations to assess and evaluate the contents of a playbook and what its operational impact might be. The key parts and some of the properties to consider are:
Playbook Type
This property defines the key purpose of the playbook, for example, whether it addresses threat detection, incident response, threat mitigation, investigation, a combination of the aforementioned, etc.
Playbook Activities & Playbook Processing
These properties enable organizations to better understand what a playbook does in detail and what features it has implemented such as conditional logic, digital signatures, etc.
Versioning
Versioning enables organizations to track changes in their playbooks over time and potentially changes in playbooks created by different authors.
Labels
Labels can be used to index and categorize playbooks by type, organization, and function while enabling many other organizational and trust group specific vocabularies or taxonomies. Labeling can be extremely powerful and effective when organizing playbooks.
Workflow Steps
Workflow Steps are the primary content that defines the playbook and the outcomes expected by executing the steps within it. CACAO provides a rich set of (programming) constructs, offering organizations a great amount of flexibility and comprehensive support for their operational and automation needs.
Steps may include:
Sequential
Each step is executed in a simple defined order: step 1, step 2, step 3, ..., step n
Parallel
Each step is executed in parallel: step 1.1, step 1.2, step 1.3, ..., step 1.n
Conditional
Each step can consider a boolean expression prior to executing the next step, for example, if Condition X is true, then perform step 1.
Loops
Supports repeating steps for as long as a condition holds, for example, while Condition X is true, perform step 1.
Action
Supports the specific action to be executed for a given step.
Agents & Targets
Agents execute action steps containing commands against targets.
Two simple examples:
An agent could be an orchestration system executing an automated command (e.g., HTTP API call) to configure a firewall (in this case – the target).
A human agent executing a manual step (manual command), such as switching off the power to a building’s internet connection when network isolation is required and the step cannot be automated without a human override.
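The workflow constructs (start, if-condition, parallel, action, end) and the agent/target references described above, exercised as an added Python example that is not part of the OASIS post or the CACAO project: a constructed mitigation playbook in which an orchestration agent configures a firewall over an HTTP API while a human agent performs a manual review, together with the structural checks an orchestrator would run before executing it (every on_* reference resolves, every action's agent and targets are defined, every step is reachable from workflow_start). Property names and vocabulary values follow the CACAO v2.0 JSON schema as recalled here and should be checked against the specification; the identifiers and playbook content are constructed.

```python
"""Structural checks an orchestrator can run on a CACAO v2.0-style playbook before executing it."""
from collections import deque

def cacao_id(kind: str, n: int) -> str:
    """CACAO identifiers are '<type>--<UUID>'; the UUIDs here are constructed for the example."""
    return f"{kind}--00000000-0000-4000-8000-{n:012x}"

START, CHECK, FANOUT, END = (cacao_id(k, n) for k, n in
                             [("start", 0x10), ("if-condition", 0x20), ("parallel", 0x30), ("end", 0x70)])
BLOCK, NOTIFY = cacao_id("action", 0x40), cacao_id("action", 0x50)
SOAR, ANALYST, FIREWALL = cacao_id("soar", 0xa1), cacao_id("individual", 0xa2), cacao_id("http-api", 0xb1)

# Constructed playbook: an orchestration agent adds a firewall deny rule over the firewall's HTTP API
# while a human agent reviews the block (a manual command). Property names and vocabulary values
# follow the CACAO v2.0 JSON schema as recalled here; treat them as assumptions and check the spec.
SAMPLE_PLAYBOOK = {
    "type": "playbook", "spec_version": "cacao-2.0", "id": cacao_id("playbook", 1),
    "name": "Block confirmed-malicious IP and notify on-call (constructed example)",
    "playbook_types": ["mitigation"], "workflow_start": START,
    "workflow": {
        START: {"type": "start", "on_completion": CHECK},
        CHECK: {"type": "if-condition", "condition": "__confirmed_malicious__:value = true",
                "on_true": FANOUT, "on_false": END},
        # Both branches run concurrently; the parallel step's on_completion fires once they finish.
        FANOUT: {"type": "parallel", "next_steps": [BLOCK, NOTIFY], "on_completion": END},
        BLOCK: {"type": "action", "name": "Add deny rule", "agent": SOAR, "targets": [FIREWALL],
                "commands": [{"type": "http-api", "command": "POST /api/v1/rules HTTP/1.1"}]},
        NOTIFY: {"type": "action", "name": "Analyst review", "agent": ANALYST, "targets": [ANALYST],
                 "commands": [{"type": "manual", "command": "Confirm the block has no business impact."}]},
        END: {"type": "end"},
    },
    "agent_definitions": {SOAR: {"type": "soar", "name": "Constructed SOAR platform"},
                          ANALYST: {"type": "individual", "name": "On-call analyst"}},
    "target_definitions": {FIREWALL: {"type": "http-api", "name": "Perimeter firewall API"},
                           ANALYST: {"type": "individual", "name": "On-call analyst"}},
}

# Properties through which a step hands control to other steps (switch-condition uses 'cases').
NEXT_STEP_PROPS = ("on_completion", "on_success", "on_failure", "on_true", "on_false", "next_steps")

def successors(step: dict) -> list:
    """Every workflow step id this step can transfer control to."""
    out = []
    for prop in NEXT_STEP_PROPS:
        value = step.get(prop)
        out.extend([value] if isinstance(value, str) else value or [])
    return out + list(step.get("cases", {}).values())

def validate_playbook(pb: dict) -> list:
    """Structural problems found (empty list means pass): dangling step, agent or target references,
    id prefixes that disagree with the step type, steps unreachable from workflow_start, no end."""
    workflow, start = pb.get("workflow", {}), pb.get("workflow_start")
    agents, targets = pb.get("agent_definitions", {}), pb.get("target_definitions", {})
    problems = [] if start in workflow else [f"workflow_start {start!r} is not a workflow step"]
    for step_id, step in workflow.items():
        if not step_id.startswith(step.get("type", "?") + "--"):
            problems.append(f"{step_id}: id prefix does not match type {step.get('type')!r}")
        problems += [f"{step_id}: references undefined step {n}" for n in successors(step) if n not in workflow]
        if step.get("type") == "action":
            if step.get("agent") not in agents:
                problems.append(f"{step_id}: agent {step.get('agent')!r} is not defined")
            problems += [f"{step_id}: target {t} is not defined" for t in step.get("targets", []) if t not in targets]
            if not step.get("commands"):
                problems.append(f"{step_id}: action step has no commands")
    seen, queue = set(), deque([start] if start in workflow else [])  # breadth-first walk from start
    while queue:
        cur = queue.popleft()
        if cur not in seen:
            seen.add(cur)
            queue.extend(n for n in successors(workflow[cur]) if n in workflow)
    problems += [f"{s}: unreachable from workflow_start" for s in workflow if s not in seen]
    if not any(workflow[s].get("type") == "end" for s in seen):
        problems.append("no end step is reachable from workflow_start")
    return problems
```

Running `validate_playbook` on a playbook received from a sharing partner before handing it to the orchestrator catches references to agents or targets that exist only in the author's environment, which is exactly where reused agent/target definitions break across organizational boundaries.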
Conclusion
CACAO provides organizations with a rich set of mechanisms to define security playbooks across their entire organization to handle many different aspects of the security operations lifecycle. For collaborating teams within the organizations or across different organizations, CACAO enables the teams to define and share their defensive tradecraft on many aspects including incidents, threat responses, investigative actions, and security assessments.
Please check out the CACAO specification here and watch our webinar, “Revolutionizing Cybersecurity Playbooks for Enhanced Defense” from 19 March 2024.
Our digital ecosystem is one of the greatest tools ever devised by humankind.
However, the presence of online predators presents a continuing challenge to parents and children everywhere. Preventing online exploitation and the sexual abuse of children all over the world is a serious challenge – and one that can be overcome thanks to the work of OASIS Open.
The Virtual Global Taskforce (VGT) has recommended the worldwide adoption of the OData standard developed by OASIS Open to enable much-needed compatibility among international law enforcement tools that help manage illicit images and video regardless of vendor. The result is an online environment in which young surfers are less likely to be exposed to inappropriate content.
Complex and valuable infrastructures like the Internet, which function over multiple channels and geographies require the standard-setting work of organizations like OASIS Open, so that the tools we develop truly result in improvements – rather than increased danger – for all.
The advent of online banking didn’t just make financial transactions easier and more convenient for people everywhere. More importantly, it helped democratize the international banking system, ensuring that more people in more places had virtually instant access to banking services. This, in turn, has supported wealth creation, creating a more equitable world.
Online banking was made possible thanks to the SAML and SSO open standards developed by OASIS Open. A complex system like international online banking – involving a multiplicity of stakeholders, regulations, digital interfaces and security – requires the fair, transparent standards developed by not-for-profit organizations like ours.
Creating standards for foundational systems that radically improve our world like these is OASIS Open’s proud heritage, and our continuing mission today and tomorrow.
In the past, sudden tsunamis, tornadoes and flash floods took communities by surprise – resulting in devastating cost to human life, and destruction to property and infrastructure. Today, communities everywhere are able to mitigate the destruction caused by natural disasters, thanks to early warning systems made possible by OASIS Open. Disseminated simultaneously over multiple communication outlets, these alerts warn communities of impending danger. So people have time to react, and get out of harm’s way.
Systems like these are enabled thanks to the open software and standards OASIS Open makes possible. Partnering with government, community and private industry players, OASIS Open helps to foster a common language and means of operation that allows such transformational systems to be put into place.
These complex and valuable infrastructures – over multiple channels and geographies – would simply not function without the work of organizations like OASIS Open.
The fair, transparent development of open standards and software is transforming the world, for the better. As one of the most respected, non-profit standards bodies in the world, we are a cornerstone in the development and implementation of social innovations like the early warning systems for tsunamis, floods and tornadoes that save lives and communities.
Secure Quick Response (QR) codes have become ubiquitous. By simply pointing our smartphones, we are able to safely gather information quickly and seamlessly. QR Codes themselves are easily available, ensuring a true democratization of efficiency. Today QR Codes have become an $8.7 billion industry – and none of it would have happened without the work of OASIS Open.
OASIS Open is an established non-profit organization where individuals, organizations and governments come together to solve some of the world’s biggest technical challenges through the development of open code and open standards. QR codes are only one of these open, fair, and transparent standards, which are transforming our world in a positive way, every day.
Information belongs to all of us. Indeed, access to information is seen as a necessity for effective participation in public life. OASIS Open makes that access possible.
The SAML standard developed by OASIS Open allows access to information to be enjoyed by all in Europe, where all citizens are legally entitled to it. As this complex web of information is gathered and stored by a multiplicity of players over a wide variety of channels in the private and public spheres, its management would simply not be possible without the standards set by organizations like ours.
As one of the most respected, non-profit standards bodies in the world, we can be counted on to develop far-reaching solutions that allow access to information to be an everyday reality.
E-invoicing has changed the way the world does business, creating a global $11 billion market that has benefited the environment by significantly reducing waste. It is now used in over 190 countries the world over – and it was made possible thanks to the UBL standard developed by OASIS Open.
UBL is just one of the open, fair, and transparent standards developed by our not-for-profit organization. Every day we create protocols and software that allow complex systems to be integrated across multiple geographies and a complex web of regulations and private and public stakeholders.
So that, among other things, we can grow business, greener.
During the darkest days of the COVID-19 pandemic, time was of the essence in treating those hit hardest by the virus. Pin-pointing hospital bed availability within hours was a matter of life and death – and it was made possible thanks to the Florida Emergency Support System (ESS) developed with OASIS Open.
Work on the ESS began in 2017, when a number of nursing home residents died during power outages caused by Hurricane Irma. An application called RESTier was developed, powered by OData, to help collect vital information about healthcare facilities. This data was integrated into the ESS, which was activated for 24 months straight, handling tens of millions of records without a single documented outage.
Partnering with government, community and private industry players, OASIS Open helps to foster a common language and means of operation that allows transformational systems like the ESS to be put into place.
Every day, the world is being transformed for the better thanks to the fair, transparent open standards and software fostered by OASIS Open.
Protecting and enhancing biodiversity is key to creating a future in which our planet and everything living on it thrive. A crucial first step in realizing that goal is collecting and managing a potentially-bewildering and constantly evolving set of data from various sources.
That step is made possible by the OData standard developed by OASIS Open. This open interface allows organizations and individuals to directly integrate biodiversity data into their software systems. It was adopted early in its development and implementation by the NSW Office of the Environment to follow, store and make available over 7 million species sightings to track biodiversity over their Open Data Bionet Web Services. With this data on hand, the NSW’s Office of Environment and Heritage was able to improve its environmental decision-making and engagement with our natural ecosystem.
Today the NSW can constantly improve its environmental decision making by continually integrating up-to-date, consistent and reliable biodiversity data. And, in so doing, protect our precious natural heritage.
Cases like these demonstrate how transformational, positive change is being enabled by the work of OASIS Open.
Since the Amber Alert Emergency response system was established in 1996, 1,127 children abducted around the world have been successfully recovered. Amber Alerts are broadcast simultaneously over television and radio stations, text messages, e-mail, electronic traffic-condition signs, commercial billboards, and more.
The operations of this complex and valuable system – over multiple channels and geographies – would not have been possible without the standards developed and put into place by OASIS Open.
As one of the most respected, non-profit standards bodies in the world, we offer partners the ability to develop and implement social innovations like the Amber Alert system that transform society for the betterment of all.
We do it by fostering and enabling the fair, transparent development of open software and standards, through the power of global collaboration and community. The result: foundational changes that make a lasting impact on human lives.