IETF                                                          B. Jordan
Internet-Draft                                     Symantec Corporation
Intended status: Informational                               A. Thomson
Expires: August 4, 2019                              LookingGlass Cyber
                                                               J. Verma
                                                          Cisco Systems
                                                       January 31, 2019


  Collaborative Automated Course of Action Operations (CACAO) for Cyber
                                Security
                      draft-jordan-cacao-charter-03

Abstract

   This is the charter for the Working Group: Collaborative Automated
   Course of Action Operations (CACAO) for Cyber Security.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on August 4, 2019.

Copyright Notice

   Copyright (c) 2019 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Goals and Deliverables
   Authors' Addresses

1.  Introduction

   To defend against threat actors and their tactics, techniques, and
   procedures, organizations need to manually identify, create, and
   document prevention, mitigation, and remediation steps.  These steps,
   when grouped together into a course of action (COA) / playbook, are
   used to protect systems, networks, data, and users.  The problem is,
   once these steps have been created there is no standardized and
   structured way to document them, verify they were correctly executed,
   or easily share them across organizational boundaries and technology
   stacks.

   This working group will create a standard that implements the
   playbook model based on current industry best practices for
   cybersecurity.

   This solution will specifically enable:

   1.  the creation and documentation of COAs in a structured
       machine-readable format

   2.  organizations to perform attestations on COAs

   3.  the sharing and distribution of COAs across organizational
       boundaries and technology stacks

   4.  the verification of deployed COAs.

   This solution will contain (at a minimum) a standard JSON-based data
   model, a defined set of functional capabilities and associated
   interfaces, and a mandatory-to-implement protocol.  This solution
   will also provide a data model for actuators to confirm the status of
   the COA execution; however, it will be agnostic of how the COA is
   implemented by the actuator.

   Each collaborative course of action will consist of a sequence of
   cyber defense actions that can be executed by the various systems
   that can act on those actions.  Further, these COAs will be
   coordinated and deployed across heterogeneous cyber security systems
   such that both the actions requested and the resultant outcomes may
   be verified.
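   The three properties the charter asks for above (a structured
   machine-readable COA, an attestation over it, and verification of
   the actuator's reported outcome against the deployed COA) can be
   sketched in a few dozen lines.  The following is an added example
   written for this page; it is not text or code from the draft and not
   the working group's data model.  Every field name, the use of an
   HMAC as a stand-in for a real attestation signature, and all sample
   playbook and report data are assumptions made for illustration.

```python
"""Added example: a hypothetical JSON playbook with attestation and
execution verification.  Written for this page, not the draft's own data
model: every field name, the HMAC-based attestation (a real deployment
would use an asymmetric signature so consumers cannot forge attestations),
and all sample data below are assumptions."""
import hashlib
import hmac
import json

# Constructed shared attestation key (assumption; stands in for a signing key).
KEY = b"constructed-demo-key-do-not-reuse"

# Constructed sample playbook.  Field names are assumptions, not CACAO's.
PLAYBOOK = {
    "type": "playbook",
    "id": "playbook--0001",
    "name": "Sinkhole C2 domain, block egress, isolate host",
    "steps": [
        {"id": "step--1", "action": "dns-sinkhole", "target": "c2.example.net"},
        {"id": "step--2", "action": "block-egress", "target": "198.51.100.7"},
        {"id": "step--3", "action": "isolate-host", "target": "host-42"},
    ],
}


def canonical(obj):
    """Deterministic JSON bytes so producer and verifier hash the same thing."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


def playbook_digest(playbook):
    """Content digest that identifies an exact playbook revision."""
    return hashlib.sha256(canonical(playbook)).hexdigest()


def attest(playbook, key):
    """Attestation envelope binding the playbook id to its canonical content."""
    return {
        "playbook_id": playbook["id"],
        "digest": playbook_digest(playbook),
        "mac": hmac.new(key, canonical(playbook), hashlib.sha256).hexdigest(),
    }


def verify_attestation(playbook, attestation, key):
    """True only if the playbook is byte-for-byte what was attested."""
    expected = hmac.new(key, canonical(playbook), hashlib.sha256).hexdigest()
    return (
        attestation["playbook_id"] == playbook["id"]
        and attestation["digest"] == playbook_digest(playbook)
        and hmac.compare_digest(attestation["mac"], expected)
    )


def verify_execution(playbook, report):
    """Check an actuator status report against the playbook that was deployed.

    Returns (ok, problems).  The report must name the same playbook digest,
    so a report for a stale revision is rejected, and every step must be
    reported as completed.  How the actuator carried out each step is
    deliberately not inspected.
    """
    problems = []
    if report.get("playbook_digest") != playbook_digest(playbook):
        problems.append("report references a different playbook revision")
    status = {r["step_id"]: r["status"] for r in report.get("results", [])}
    for step in playbook["steps"]:
        outcome = status.get(step["id"])
        if outcome is None:
            problems.append(f"{step['id']}: no result reported")
        elif outcome != "completed":
            problems.append(f"{step['id']}: status {outcome}")
    return (not problems, problems)


def tampered(playbook):
    """Constructed adversary: widen a block rule after attestation."""
    copy = json.loads(json.dumps(playbook))
    copy["steps"][1]["target"] = "0.0.0.0/0"
    return copy


# Constructed actuator reports: one complete, one with a failed and a missing step.
GOOD_REPORT = {
    "playbook_digest": playbook_digest(PLAYBOOK),
    "actuator": "fw-edge-1",
    "results": [
        {"step_id": "step--1", "status": "completed"},
        {"step_id": "step--2", "status": "completed"},
        {"step_id": "step--3", "status": "completed"},
    ],
}
BAD_REPORT = {
    "playbook_digest": playbook_digest(PLAYBOOK),
    "actuator": "fw-edge-1",
    "results": [
        {"step_id": "step--1", "status": "completed"},
        {"step_id": "step--2", "status": "failed"},
    ],
}

if __name__ == "__main__":
    att = attest(PLAYBOOK, KEY)
    print("attested:", verify_attestation(PLAYBOOK, att, KEY))
    print("tampered:", verify_attestation(tampered(PLAYBOOK), att, KEY))
    print("execution:", verify_execution(PLAYBOOK, BAD_REPORT))
```

   Two design points carry over to any real data model.  First, the
   attestation covers a canonical serialization, not whatever bytes
   happened to arrive: without canonicalization, a whitespace or key
   order change would invalidate a legitimate attestation, and a
   verifier that re-serializes loosely could accept a tampered one.
   Second, the status report carries the digest of the exact playbook
   revision it executed, so a report for an older revision cannot be
   replayed as confirmation of a newer one; that is what makes
   "verification of deployed COAs" meaningful across organizational
   boundaries where the producer and the actuator are different parties.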
   These COA actions will be referenceable in a connected data structure
   like the OASIS STIX V2 model that provides support for connected data
   such as threat actors, campaigns, intrusion sets, malware, attack
   patterns, and other adversarial techniques, tactics, and procedures
   (TTPs).

   Where possible the working group will consider existing efforts, like
   OASIS OpenC2 and IETF I2NSF, that define the atomic actions to be
   included in a process or sequence.  The working group will not
   consider how shared actions are used/enforced, except where a
   response is expected for a specific action or step.

2.  Goals and Deliverables

   This working group has the following major goals and deliverables.
   Some of the deliverables may be published through the IETF RFC stream
   as informational or standards track documents.

   o  CACAO Use Cases and Requirements

      *  Specify the use cases and requirements

   o  CACAO Functional Architecture: Roles and Interfaces

      *  Specify the system functions and roles that are needed to
         enable Collaborative Courses of Action

   o  CACAO Protocol Specification

      *  Specify and standardize the configuration for at least one
         protocol that can be used to distribute courses of action in
         both a direct-delivery and a publish-subscribe manner

   o  CACAO Distribution and Response Application Layer Protocol

      *  Identify and document the requirements to effectively report
         and alert on the deployment of CACAO actions and the potential
         threat response to those actions

   o  CACAO JSON Data Model

      *  Create a JSON data model that can capture and enable
         collaborative courses of action

   o  CACAO Interoperability Test Documents

      *  Define and create a series of tests and documents to assist
         with interoperability of the various systems involved.

   The working group may decide to not publish the use cases and
   requirements and test documents as RFCs.
   That decision will be made during the lifetime of the working group.

Authors' Addresses

   Bret Jordan
   Symantec Corporation
   350 Ellis Street
   Mountain View CA 94043
   USA

   Email: bret_jordan@symantec.com


   Allan Thomson
   LookingGlass Cyber
   10740 Parkridge Blvd, Suite 200
   Reston VA 20191
   USA

   Email: athomson@lookingglasscyber.com


   Jyoti Verma
   Cisco Systems
   170 West Tasman Dr.
   San Jose CA 95134
   USA

   Email: jyoverma@cisco.com