[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: RE: [EXT] [cacao] Remaining work items
|
Iâve figured out what for me seems off about the Attacker target type - it's that the definition of "target" shifts and expands. In Section 9.14, the definition of the target data type is "The target data type captures detailed information about
the entities or devices that accept, receive, process, or execute one or more commands as defined in a workflow stepâ"
The Attacker target type adds dimensions (executor and subject), which makes me question the specâs use of the term âTargetâ (something Iâve mentioned before). It might be helpful to consider the OpenC2 Command object. It has four main
components, two required and two optional: * Action (required) - the "verb." The task or activity to be performed. I think this is like the
commands
property of the CACAO Action Step. * Target (required) - the "object" of the Action. The Action is performed on the Target. This doesn't seem to correspond to a property of the CACAO Action Step, but I think this is what the Attacker target type defines via
its subject
property. * Actuator (optional) - the "subject" of the Action. The Actuator executes the Action on the Target. I think this is like the
targets property of the CACAO Action Step (and as defined in Section 9.14), as well as the
executor property of the Attacker target type. * Args (optional) â provide additional info on how the command is to be performed. This is like the
in_args/out_args of the CACAO Action Step. I think what seems off to me is that the Attacker target type considers both Target (subject) and Actuator (executor), which the rest of the spec does not. However, I think the rest of the spec
should define both concepts. This would change the way the Attack target type is defined â hopefully in a way that feels right. Another odd thing about Attacker target type is that the subject is of type
target which doesnât work with the Section 9.14 definition. Also, the text in Section 4.5 for Action Step says, "This workflow step contains the actual commands to be executed
on one or more targets" - which suggests a âtargetâ is an object (Target in OpenC2) rather than the subject (Actuator in OpenC2) as defined in Section 9.14. I suggest that the TC reconsider the term âtargetâ as well as consider whether both target and actuator should be defined. Thanks, Dez From: Dr. Desiree A Beck Regarding the attack target types â I agree with Bret that something seems off, but I canât articulate anything specific at the moment. Iâll be thinking about it and will respond with details soonâ Dez From: cacao@lists.oasis-open.org <cacao@lists.oasis-open.org>
On Behalf Of Bret Jordan All, We have very few remaining work items that need to be addressed before we can ship the next version of the CACAO specification. We really need people to speak up and voice their opinions on the following: 1) MITRE/DHS has proposed a new property to track some of the features of a playbook. Several people seem to like this and support this. However, there is some concern on if this property should be "required" or if it should be "optional".
Allan strongly views this should be optional. MITRE/DHS really want it to be required. But I have not heard from the rest of you. Please respond to this email with your views on this subject. 2) A while back Allan proposed the attack target types. I think we all generally agree that this is a good idea. However, when I have played around with it, it feels like there are some minor issues with the modeling. I have not yet been
able to put my finger on it. To be clear I really like the idea of the Attack stuff that Allan proposed and really want it. But something just feels off with it. Has anyone else seen issues while playing around with it? Bret |
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]