cacao-comment message
Subject: Re: [cacao-comment] CACAO Security Playbooks Version 2.0 Draft 05 Feedback


Kurt,

Thank you for taking time to review and provide feedback. We talked about your feedback today on the TC call. The response from the TC is as follows:

1. We will add examples for targets as you suggested; this will be in the final CS version.

2. The ability to call out different agents or targets in different ways was done by design, meaning we needed a way to accommodate the different layers of abstraction that we have in the market today. For your example with a firewall, you may want to just talk about it at the highest level of security category. Or you may want to process it more in an automated way inside your organization, thus you want to create an HTTP-API or SSH interface to it. We also understand the point you bring up about some agents/targets being entities while others are ways of communicating or systems themselves; once again this is by design, but we would welcome any clarifying text you could provide for the next version. We are always looking for ways to make this more clear.

3. We have full support for OpenC2 commands today. Yes, there is a difference between some of the terms, but even OpenC2 has moved away from using the term actuator now. We would welcome any text for the next version that could make this more clear and help organizations. If there is something we can do to help people better understand that we fully support OpenC2 commands, please let us know. If you think we could better harmonize the terminology, please submit some suggestions.

Thanks,
Bret

On Mon, Nov 13, 2023 at 4:59 PM Karolenko, Kurt T. <Kurt.Karolenko@jhuapl.edu> wrote:

Hello all,


I have some feedback regarding the Agents and Targets section:

  1. When reading section 7, it seems clear that target objects exist, but no examples of them exist in the entire CACAO v2.0 specification. To clear confusion about their usage, it would be helpful to show one instance of a target as well as its placement inside target_definitions, similar to the example on GitHub: https://github.com/oasis-tcs/cacao/blob/master/Examples/CACAO-2.0/locky-bart-mbc-examples.md
  2. For the types of agent-target defined in 7.2-7.12, there is significant overlap between the definition of an entity and the form that is used to communicate with it. For example, 7.8, 7.10, and 7.12 do not define an entity but rather a form of communication, whereas 7.3-7.7, 7.9, and 7.11 define an entity.
     1. Additionally, there could be multiple ways to define an entity given the types defined. For example, consider a firewall: it is given as an example for both the HTTP API and the Network Address types (Examples 7.7 and 7.9); it is a category in the security-category-type-ov for the Security Category type; and it could easily be a candidate for definition using the SSH CLI and Linux System types, depending on the particular firewall's operating system and/or configuration.
  3. Lastly, I wanted to note that the Agents and Targets section could be a great candidate for collaboration with OpenC2 in the future, since it also has similar concepts: Actuator and Target.


Thank you all very much for all the excellent contributions to this space and I look forward to the continued development of CACAO.


Kurt Karolenko

JHUAPL
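The thread above turns on two points: Kurt asks to see a target object placed inside target_definitions, and Bret explains that the same firewall may legitimately appear at several abstraction layers (security category, HTTP API, SSH). The following is an added illustration, not material from the TC or either correspondent: a constructed playbook fragment that models one firewall three ways, plus a small consistency check of the kind a playbook author would run before publishing. It assumes only the identifier form `<type>--<uuid>`, the `type` and `name` properties common to every agent-target object, and the `targets` list on workflow steps; the type-specific properties each form requires (URL, address, authentication reference) are defined in spec section 7 and deliberately omitted here.

```python
"""Constructed CACAO v2.0-style fragment: one firewall modelled three ways,
and a lint pass over target_definitions and the workflow that uses it."""
import re

# CACAO identifiers take the form '<type>--<uuid>'.
ID_RE = re.compile(r"^(?P<type>[a-z][a-z0-9-]*)--(?P<uuid>[0-9a-f-]{36})$")

# Constructed sample: the same perimeter firewall at three abstraction layers.
# Only 'type' and 'name' are populated; type-specific properties are omitted.
TARGET_DEFINITIONS = {
    "security-category--11111111-1111-4111-8111-111111111111": {
        "type": "security-category", "name": "Perimeter firewalls"},
    "http-api--22222222-2222-4222-8222-222222222222": {
        "type": "http-api", "name": "Edge firewall management API"},
    "ssh--33333333-3333-4333-8333-333333333333": {
        "type": "ssh", "name": "Edge firewall CLI"},
}

# Constructed workflow: one step resolves cleanly, one carries a dangling
# reference so the checker has something to report.
WORKFLOW = {
    "action--44444444-4444-4444-8444-444444444444": {
        "type": "action",
        "targets": ["http-api--22222222-2222-4222-8222-222222222222"],
    },
    "action--55555555-5555-4555-8555-555555555555": {
        "type": "action",
        "targets": ["ssh--99999999-9999-4999-8999-999999999999"],
    },
}


def lint_targets(target_definitions, workflow):
    """Return problems found: malformed ids, id prefix not matching 'type',
    and step target references that are not present in target_definitions."""
    problems = []
    for tid, obj in target_definitions.items():
        m = ID_RE.match(tid)
        if not m:
            problems.append(f"malformed target id {tid!r}")
        elif m.group("type") != obj.get("type"):
            problems.append(
                f"{tid}: id prefix does not match type {obj.get('type')!r}")
    for sid, step in workflow.items():
        for ref in step.get("targets", []):
            if ref not in target_definitions:
                problems.append(f"{sid}: target {ref} not in target_definitions")
    return problems


if __name__ == "__main__":
    for problem in lint_targets(TARGET_DEFINITIONS, WORKFLOW):
        print(problem)
```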



