IETF                                                          B. Jordan
Internet-Draft                                     Symantec Corporation
Intended status: Informational                               A. Thomson
Expires: November 3, 2019                            LookingGlass Cyber
                                                               J. Verma
                                                          Cisco Systems
                                                           May 02, 2019

   Collaborative Automated Course of Action Operations (CACAO) for Cyber
                                 Security
                       draft-jordan-cacao-charter-04

Abstract

   This is the charter for the Working Group: Collaborative Automated
   Course of Action Operations (CACAO) for Cyber Security.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on November 3, 2019.

Copyright Notice

   Copyright (c) 2019 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Goals and Deliverables
   Authors' Addresses

1.  Introduction

   To defend against threat actors and their tactics, techniques, and
   procedures, organizations need to manually identify, create, and
   document prevention, mitigation, and remediation steps.  These steps,
   when grouped together into a course of action (COA), or playbook, are
   used to protect systems, networks, data, and users.  The problem is
   that once these steps have been created, there is no standardized and
   structured way to document them, verify they were correctly executed,
   or easily share them across organizational boundaries and technology
   stacks.

   This working group will create a standard that implements the
   playbook model for cybersecurity operations.

   This solution will specifically enable:

   1.  the creation and documentation of COAs in a structured machine-
       readable format

   2.  organizations to perform attestation, including verification and
       authentication, on COAs

   3.  the sharing and distribution of COAs across organizational
       boundaries and technology stacks, which may include protocols,
       APIs, interfaces, and other related technology to support sharing

   4.  the verification of COA correctness prior to deployment

   5.  the monitoring of COA activity after successful deployment

   This solution will contain (at a minimum) a standard JSON-based data
   model, a defined set of functional capabilities and associated
   interfaces, and a protocol.  This solution will also provide a data
   model for systems to confirm the status of the COA execution;
   however, it will be agnostic to how the COA is implemented by the
   system.

   Each collaborative course of action, such as recommended prevention,
   mitigation, and remediation steps, will consist of a sequence of
   cyber defense actions that can be executed by the various systems
   that can act on those actions.  Further, these COAs will be
   coordinated and deployed across heterogeneous cyber security systems
   such that both the actions requested and the resultant outcomes may
   be verified.  These COA actions will be referenceable in a data
   structure like the OASIS STIX V2 model, which provides support for
   related data such as threat actors, campaigns, intrusion sets,
   malware, attack patterns, and other adversarial techniques, tactics,
   and procedures.

   Where possible, the working group will consider existing efforts,
   such as OASIS OpenC2 and IETF I2NSF, that define the atomic actions
   to be included in a process or sequence.  The working group will not
   consider how shared actions are used or enforced, except where a
   response is expected for a specific action or step.

2.  Goals and Deliverables

   This working group has the following major goals and deliverables:

   o  CACAO Use Cases and Requirements

      *  Specify the use cases and requirements

   o  CACAO Functional Architecture: Roles and Interfaces

      *  Specify the system functions and roles that are needed to
         enable Collaborative Courses of Action

   o  CACAO Protocol Specification

      *  Specify and standardize the configuration for at least one
         protocol that can be used to distribute courses of action in
         both a direct delivery and a publish-subscribe method

   o  CACAO Distribution and Response Application Layer Protocol

      *  Specify the protocol, which may include APIs, interfaces, and
         other related technology to support the requirements identified
         for the protocol

   o  CACAO JSON Data Model

      *  Create a JSON data model that can capture and enable
         collaborative courses of action

   o  CACAO Interoperability Test Documents

      *  Define and create a series of tests and documents to assist
         with interoperability of the various systems involved

   The working group may decide not to publish the use cases and
   requirements document and the interoperability test documents.  That
   decision will be made during the lifetime of the working group.

Authors' Addresses

   Bret Jordan
   Symantec Corporation
   350 Ellis Street
   Mountain View CA 94043
   USA

   Email: bret_jordan@symantec.com


   Allan Thomson
   LookingGlass Cyber
   10740 Parkridge Blvd, Suite 200
   Reston VA 20191
   USA

   Email: athomson@lookingglasscyber.com


   Jyoti Verma
   Cisco Systems
   170 West Tasman Dr.
   San Jose CA 95134
   USA

   Email: jyoverma@cisco.com