IETF
cacao
cacao@jabber.ietf.org
Friday, March 29, 2019

GMT+0
[07:45:32] VirtualQueue_tpPPoOLX joins the room
[07:53:51] Meetecho joins the room
[07:55:09] Nabil Bitar joins the room
[07:55:10] Justin Richer joins the room
[07:55:11] Allan Thomson joins the room
[07:56:17] Stephen Banghart joins the room
[07:56:30] Jason Webb joins the room
[07:56:59] Carolin Baumgartner joins the room
[07:57:02] Melinda joins the room
[07:58:07] Bjorn Hjelm joins the room
[07:59:00] <Stephen Banghart> Hello everyone, I'll be the jabber scribe. Please put "mic:" on anything you want read aloud at the microphone.
[08:00:21] mcr joins the room
[08:00:25] <mcr> https://etherpad.ietf.org/p/notes-ietf-104-cacao?useMonospaceFont=true for notes.
[08:00:50] Michael Mauch joins the room
[08:01:36] Roman Danyliw joins the room
[08:02:30] <Stephen Banghart> Bret Jordan Presenting, slides: https://datatracker.ietf.org/meeting/104/materials/slides-104-cacao-cacao-proposal-deck-00
[08:03:00] Huaru Yang joins the room
[08:03:45] kaduk@jabber.org/barnowl joins the room
[08:03:54] Yoshiro Yoneya joins the room
[08:04:19] metricamerica joins the room
[08:05:28] Jyoti Verma joins the room
[08:15:39] Kathleen joins the room
[08:19:08] <kaduk@jabber.org/barnowl> FS-ISAC : Financial Services - Information Sharing and Analysis Center
[08:22:18] <Nabil Bitar> How would that be different or related to what is implemented by SOAR systems?
[08:23:02] <Stephen Banghart> Nabil, would you like that read aloud?
[08:23:53] <Nabil Bitar> yes please
[08:25:44] <Jyoti Verma> SOAR systems could render and execute the distributed CACAO playbooks for mitigating and remediating the threat
[08:26:20] Huaru Yang leaves the room
[08:30:59] Kathleen leaves the room
[08:31:53] <Allan Thomson> products such as phantom already do some of this but are done in a vendor specific manner
[08:32:00] <Nabil Bitar> SOAR systems would enable you to define the workflow for threat remediation and execute it, which is the playbook. So, yes, a SOAR system could consume a playbook or stitch a playbook. I just didn't hear the connection here
[08:33:03] <Nabil Bitar> or what is lacking
[08:33:19] Martin Thomson joins the room
[08:34:16] cjsu joins the room
[08:34:47] <Allan Thomson> an intrusion set is a common set of TTPs shared across multiple campaigns. a campaign is typically executed by a single actor/actor group but intrusion sets can be more abstract and may be shared across campaigns/actor groups
[08:38:53] <Allan Thomson> both
[08:41:01] <Allan Thomson> it's both aspects. both definition and distribution.
[08:45:39] Michael Mauch leaves the room
[08:45:43] Michael Mauch joins the room
[08:46:00] Eliot Lear joins the room
[08:52:59] Roman Danyliw leaves the room: Disconnected: closed
[08:55:57] Eliot Lear leaves the room: Stream reset by peer
[08:55:59] Eliot Lear joins the room
[08:56:14] Roman Danyliw joins the room
[08:57:44] <mcr> STIX?
[08:57:44] <mcr> TAXI?
[08:57:50] <mcr> are those the right TLAs?
[08:57:55] <kaduk@jabber.org/barnowl> yes
[08:58:24] Eric Burger joins the room
[08:58:35] <Stephen Banghart> It's actually TAXII
[08:58:50] <Stephen Banghart> Two Is for reasons unknown
[08:58:53] <kaduk@jabber.org/barnowl> whoops, sorry
[08:59:04] <Allan Thomson> bret, jyoti and myself are very active in STIX/TAXII v2 standards. Both bret and I are co-chairs.
[09:00:23] <Jyoti Verma> STIX Courses of Action cannot represent a structured sequence of actions like CACAO is attempting to define
[09:00:58] <Allan Thomson> as bret said in the room. STIX has an object in its datamodel that allows you to connect intelligence to course of action. a course of action can be a single action or a playbook. both the single action and playbooks are not defined in STIX at all. It relies on those aspects being defined externally from STIX
[09:01:51] <Stephen Banghart> So STIX cannot, for example, list a series of OpenC2 commands, only one?
[09:02:06] <Stephen Banghart> Which is why you need a playbook format
[09:02:23] <Allan Thomson> it has a single textual string for course of action and with STIX 2.1 we introduced the ability to point to external things such as a playbook
[09:02:57] <Allan Thomson> correct to the question on playbook format
[09:03:44] <Stephen Banghart> (This is getting into the weeds, apologies) When you say point to, do you mean a resolvable URI, or is this embeddable?
[09:04:02] <Allan Thomson> both but the expectation is primarily URI
[09:04:28] <Allan Thomson> that's partly because who defines intelligence vs who defines a playbook are likely different groups/functions in an org
[09:05:23] <mcr> "Q: Kathleen... iodef has the ability nest and order. and RIF also has some of this."  <- is RIF the right TLA?
[09:05:30] <kaduk@jabber.org/barnowl> RID
[09:05:33] <Stephen Banghart> RID
[09:05:33] <mcr> thank you.
[09:10:33] <Roman Danyliw> https://datatracker.ietf.org/doc/rfc6545/
[09:11:05] Justin Richer leaves the room
[09:11:05] Justin Richer joins the room
[09:11:20] Michael Mauch leaves the room
[09:20:38] <kaduk@jabber.org/barnowl> "executed by humans currently automated in the future" needs some punctuation or conjunction or something
[09:21:25] <Stephen Banghart> no the humans are currently automated in the future, it's all about time travel and cyborgs
[09:23:18] Kathleen joins the room
[09:23:22] Eliot Lear leaves the room: Stream reset by peer
[09:23:25] Eliot Lear joins the room
[09:23:47] <kaduk@jabber.org/barnowl> Perhaps "what YANG did for router administration, for incident response" is a glib summary
[09:28:25] Kathleen leaves the room
[09:28:37] Eliot Lear leaves the room: Stream reset by peer
[09:28:47] Eliot Lear joins the room
[09:28:48] <mcr> +1
[09:31:07] <Martin Thomson> ask how many people are unsure about whether the problem is tractable
[09:31:51] <Martin Thomson> As Kathleen said off-mic - it's fine to have another BoF
[09:32:01] <kaduk@jabber.org/barnowl> And to work on the mailing list before then, too!
[09:32:42] Melinda leaves the room
[09:33:15] Martin Thomson leaves the room
[09:33:43] Eric Burger leaves the room
[09:33:51] Allan Thomson leaves the room
[09:33:51] Nabil Bitar leaves the room
[09:33:51] Carolin Baumgartner leaves the room
[09:33:51] Jason Webb leaves the room
[09:33:51] Justin Richer leaves the room
[09:33:51] Jyoti Verma leaves the room
[09:33:51] Bjorn Hjelm leaves the room
[09:33:52] Stephen Banghart leaves the room
[09:33:56] metricamerica leaves the room
[09:33:56] Roman Danyliw leaves the room: Disconnected: closed
[09:35:48] Meetecho leaves the room
[09:36:45] Martin Thomson joins the room
[09:38:50] Yoshiro Yoneya leaves the room
[09:39:06] VirtualQueue_tpPPoOLX leaves the room
[09:42:28] Martin Thomson leaves the room
[09:50:12] Eliot Lear leaves the room: Connection failed: connection timed out
[09:52:49] mcr leaves the room: Disconnected: No route to host
[09:54:22] cjsu leaves the room
[09:55:42] Roman Danyliw joins the room
[09:57:33] kaduk@jabber.org/barnowl leaves the room
[09:58:12] cjsu joins the room
[10:04:56] Eliot Lear joins the room
[10:10:16] Eliot Lear leaves the room
[10:36:52] Martin Thomson joins the room
[10:37:06] Martin Thomson leaves the room
[10:57:41] Melinda joins the room
[11:03:56] Melinda leaves the room
[11:41:46] Roman Danyliw leaves the room: Disconnected: closed
[12:23:06] Roman Danyliw joins the room
[12:30:39] cjsu leaves the room
[12:59:31] Roman Danyliw leaves the room
[13:48:45] metricamerica joins the room
[13:50:13] metricamerica leaves the room
[14:11:32] Melinda joins the room
[14:20:46] Melinda leaves the room