Re: [cacao] [EXT] [cacao] Remaining work items

[aa tt <atcyber1000@gmail.com>]

Hi Dez - Your suggestion "I suggest that the TC reconsider the term âtargetâ as well as consider whether both target and actuator should be defined.â Was exactly what we had discussed on a call that I attended where we went over the attack framework. 

Basically the term âtargetâ in cacao has been used to represent both a system that executes a command as part of action and also the target of an attack being executed by a system executing an attack simulation against the target. Command is the thing that executes on that target. 

So in my mind 

Cacao target == OpenC2 Actuator

Cacao command == OpenC2 Target

Cacao action == a combined instruction (with logic) that may define Cacao target or list of +Cacao command. There is no equivalent (I believe) in OpenC2 to this concept.

Cacao workflow is a set of Cacao actions.

I guess this prior discussion didnât stick and I appreciate you sharing how OpenC2 has defined some aspects of this. However, one of the primary reasons why CACAO exists is that OpenC2 didnât support all that we needed to do and after working with folks in OpenC2 it was obvious that we need to form a playbook TC that would allow us to define playbooks that could include the various elements defined such as OpenC2, Kestrelâetc.

One suggestion that I thought we had also previously discussed was changing the name of the attack âtargetâ to something more specific such as âAttackVictimâ or just âVictimâ. This might be a less intrusive change than changing all uses of the term target everywhere else.

Allan

On Nov 2, 2022, at 1:26 AM, Dr. Desiree A Beck <dbeck@mitre.org> wrote:

Iâve figured out what for me seems off about the Attacker target type - it's that the definition of "target" shifts and expands.

 

In Section 9.14, the definition of the target data type is "The target data type captures detailed information about the entities or devices that accept, receive, process, or execute one or more commands as defined in a workflow stepâ"

 

The Attacker target type adds dimensions (executor and subject), which makes me question the specâs use of the term âTargetâ (something Iâve mentioned before). It might be helpful to consider the OpenC2 Command object. It has four main components, two required and two optional:

 

* Action (required) - the "verb." The task or activity to be performed. I think this is like the commands property of the CACAO Action Step.

 

* Target (required) - the "object" of the Action. The Action is performed on the Target. This doesn't seem to correspond to a property of the CACAO Action Step, but I think this is what the Attacker target type defines via its subject property.

 

* Actuator (optional) - the "subject" of the Action. The Actuator executes the Action on the Target. I think this is like the targets property of the CACAO Action Step (and as defined in Section 9.14), as well as the executor property of the Attacker target type.

 

* Args (optional) â provide additional info on how the command is to be performed. This is like the in_args/out_args of the CACAO Action Step.

 

I think what seems off to me is that the Attacker target type considers both Target (subject) and Actuator (executor), which the rest of the spec does not. However, I think the rest of the spec should define both concepts. This would change the way the Attack target type is defined â hopefully in a way that feels right. Another odd thing about Attacker target type is that the subject is of type target which doesnât work with the Section 9.14 definition.

 

Also, the text in Section 4.5 for Action Step says, "This workflow step contains the actual commands to be executed on one or more targets" - which suggests a âtargetâ is an object (Target in OpenC2) rather than the subject (Actuator in OpenC2) as defined in Section 9.14.

 

I suggest that the TC reconsider the term âtargetâ as well as consider whether both target and actuator should be defined.

Thanks,

Dez

 

 

From: Dr. Desiree A Beck
Sent: Tuesday, November 1, 2022 2:55 PM
To: Bret Jordan <jordan.oasisopen@gmail.com>; cacao@lists.oasis-open.org
Subject: RE: [EXT] [cacao] Remaining work items

 

Regarding the attack target types â I agree with Bret that something seems off, but I canât articulate anything specific at the moment. Iâll be thinking about it and will respond with details soonâ

Dez

 

From: cacao@lists.oasis-open.org <cacao@lists.oasis-open.org> On Behalf Of Bret Jordan
Sent: Thursday, October 27, 2022 1:24 PM
To: cacao@lists.oasis-open.org
Subject: [EXT] [cacao] Remaining work items

 

All,

 

We have very few remaining work items that need to be addressed before we can ship the next version of the CACAO specification. We really need people to speak up and voice their opinions on the following:

 

1) MITRE/DHS has proposed a new property to track some of the features of a playbook. Several people seem to like this and support this. However, there is some concern on if this property should be "required" or if it should be "optional". Allan strongly views this should be optional. MITRE/DHS really want it to be required. But I have not heard from the rest of you. 

 

Please respond to this email with your views on this subject.

 

2) A while back Allan proposed the attack target types. I think we all generally agree that this is a good idea. However, when I have played around with it, it feels like there are some minor issues with the modeling. I have not yet been able to put my finger on it. To be clear I really like the idea of the Attack stuff that Allan proposed and really want it. But something just feels off with it. Has anyone else seen issues while playing around with it? 

 

Bret