cacao message
Subject: Re: (CACAO) for Cyber Security TC - Feedback


Vaman,

We are trying to understand how to add these features to CACAO. I know we have talked a bit about this before the holidays, but that was some time ago. Can you help us better understand through some examples and maybe some proposed descriptions? We have talked about these a few times as a TC, and I think we generally understand what you are looking for, but we want to make sure.

Thanks
Bret


On Nov 4, 2021, at 11:43 AM, Vaman Amarjeet Gokuldas Kini <vkini@worldbankgroup.org> wrote:

Dear All, 
 
I am sorry for the delayed feedback. Sharing my thoughts on the content.
 
  1. While some of the facts might be covered by 2.1.3 – Investigation playbook, I think most orgs would start their journey with enriching events. My suggestion would be to have a dedicated enrichment playbook which enriches the event.
  2. Another type of playbook that I would suggest is “Guardrail/Safety”. These need to be the ones that are hooked in when the remediation playbook is invoked, will have components of actions that should never be taken (shut down a core system, kill a core process on the host, etc.), and should generate feedback to the decision point in the OODA loop.
  3. In the portions where user/identity is defined (mainly in sec 6) it might be beneficial to also include the role of that identity. Often, we might want to only use a read-only role to pull data but a more powerful role (where the credential is taken from a vault) for a remediation action.
 
Please let me know, if this is helpful and I will find more time to contribute.  I am in the process of setting up an internal process of SOAR use case management and find this document to be very helpful.
 
 
Vaman Kini
Senior Information Security Officer
Office of Information Security
Information and Technology Solutions
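The guardrail and role-per-step ideas raised in the message above, as an added example that is not part of this thread or of the CACAO specification: a constructed Python runner (asset names, action names, role names and the vault path are all placeholders) that refuses forbidden actions on core assets, requires a read-only role for data pulls and a vault-backed remediation role for changes, and returns the blocked steps as feedback for the decision point instead of executing them.

```python
from dataclasses import dataclass

# Constructed inventory and policy (not CACAO's schema): which assets are
# "core", and which (action, tier) pairs a guardrail playbook must never allow.
ASSET_TIER = {"db-core-01": "core", "auth-core-01": "core", "ws-0471": "endpoint"}
FORBIDDEN = {("shutdown_host", "core"), ("kill_process", "core")}
READ_ACTIONS = {"get_process_list", "get_logins"}  # data pulls; read-only role suffices

@dataclass
class Step:
    action: str
    target: str
    role: str  # "read_only" for pulls, "remediator" for changes (credential from vault)

def guardrail_check(step: Step):
    """Return a reason string if the guardrail forbids this step, else None."""
    tier = ASSET_TIER.get(step.target, "unknown")
    if (step.action, tier) in FORBIDDEN:
        return f"{step.action} on {tier} asset {step.target} is never permitted"
    return None

def resolve_credential(step: Step):
    """Least privilege: pulls run as read_only; changes need the vaulted remediator role."""
    if step.action in READ_ACTIONS:
        return "read_only" if step.role == "read_only" else None  # no escalation for pulls
    if step.role == "remediator":
        return "vault://soar/remediator"  # placeholder for a secret fetched from a vault
    return None  # a change requested under a read-only role cannot run

def run_remediation(steps):
    """Execute allowed steps; blocked ones become feedback for the decision point."""
    executed, feedback = [], []
    for s in steps:
        reason = guardrail_check(s)
        if reason is None and resolve_credential(s) is None:
            reason = f"role {s.role} is not appropriate for {s.action}"
        if reason:
            feedback.append({"action": s.action, "target": s.target, "reason": reason})
            continue
        executed.append((s.action, s.target, s.role))
    return executed, feedback

# Constructed remediation playbook: two steps should run, two should be fed back.
PLAYBOOK = [
    Step("get_process_list", "db-core-01", "read_only"),
    Step("kill_process", "db-core-01", "remediator"),  # blocked by the guardrail
    Step("kill_process", "ws-0471", "remediator"),     # allowed on an endpoint
    Step("shutdown_host", "ws-0471", "read_only"),     # wrong role, blocked
]
if __name__ == "__main__":
    print(run_remediation(PLAYBOOK))
```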


