Subject: Related work (was Re: [cacao] [EXT] [cacao] Remaining work items)
> it was obvious that we need to form a playbook TC
Yes.
OpenC2 defines an API between automated systems that supports both small atomic actions and high-level (conceptual) actions like investigate, mitigate and remediate. CACAO defines data objects (playbooks) that can both call for atomic actions and be carried as parameters of high-level actions to translate intent into detail. With the discussion of is_executable I infer that playbooks provide another level of translation, from template to executable. You may be interested in another related activity: the proposed "Heimdall Data Format" OASIS TC. According to Chet Ensign the schedule looks like:
though I haven't seen the call for comment yet.
HDF is a component of MITRE's Security Automation Framework for examining systems for vulnerabilities and performing corrective action. It includes 'check texts' and 'fix texts' that are, as the name implies, scripts rather than structured data playbooks, but there may be some common interests between the TCs.
Regards, David
From: cacao@lists.oasis-open.org <cacao@lists.oasis-open.org> on behalf of aa tt <atcyber1000@gmail.com>
Sent: Wednesday, November 2, 2022 7:45 PM
To: Dr. Desiree A Beck <dbeck@mitre.org>
Cc: Bret Jordan <jordan.oasisopen@gmail.com>; cacao@lists.oasis-open.org <cacao@lists.oasis-open.org>
Subject: Re: [cacao] [EXT] [cacao] Remaining work items
Hi Dez - Your suggestion "I suggest that the TC reconsider the term 'target' as well as consider whether both target and actuator should be defined." was exactly what we had discussed on a call that I attended where we went over the attack framework.
Basically the term "target" in cacao has been used to represent both a system that executes a command as part of action and also the target of an attack being executed by a system executing an attack simulation against the target. Command is the thing that executes on that target.
So in my mind
Cacao target == OpenC2 Actuator
Cacao command == OpenC2 Target
Cacao action == a combined instruction (with logic) that may define Cacao target or list of +Cacao command. There is no equivalent (I believe) in OpenC2 to this concept.
Cacao workflow is a set of Cacao actions.
I guess this prior discussion didn't stick and I appreciate you sharing how OpenC2 has defined some aspects of this. However, one of the primary reasons why CACAO exists is that OpenC2 didn't support all that we needed to do and after working with folks in OpenC2 it was obvious that we need to form a playbook TC that would allow us to define playbooks that could include the various elements defined such as OpenC2, Kestrel, etc.
One suggestion that I thought we had also previously discussed was changing the name of the attack "target" to something more specific such as "AttackVictim" or just "Victim". This might be a less intrusive change than changing all uses of the term target everywhere else.
Allan