IETF                                                          B. Jordan
Internet-Draft                                      Symantec Corporation
Intended status: Informational                                A. Thomson
Expires: December 14, 2019                            LookingGlass Cyber
                                                                J. Verma
                                                           Cisco Systems
                                                           June 12, 2019

   Collaborative Automated Course of Action Operations (CACAO) for Cyber
                                 Security
                        draft-jordan-cacao-charter-05

Abstract

   This is the charter for the Working Group: Collaborative Automated
   Course of Action Operations (CACAO) for Cyber Security.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF). Note that other groups may also distribute
   working documents as Internet-Drafts. The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on December 14, 2019.

Copyright Notice

   Copyright (c) 2019 IETF Trust and the persons identified as the
   document authors. All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document. Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document. Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1. Introduction
   2. Goals and Deliverables
   Authors' Addresses

1. Introduction

   To defend against threat actors and their tactics, techniques, and
   procedures, organizations need to manually identify, create, and
   document prevention, mitigation, and remediation steps. These steps,
   when grouped together into a course of action playbook, are used to
   protect systems, networks, data, and users. The problem is that, once
   these steps have been created, there is no standardized, structured
   way to document them or to share them easily across organizational
   boundaries and technology stacks.

   This working group will create a standard that implements the course
   of action playbook model for cybersecurity operations. Each
   collaborative course of action, such as recommended prevention,
   mitigation, and remediation steps, will consist of a sequence of cyber
   defense actions that can be executed by the various systems that can
   act on those actions. These courses of action should be
   referenceable by other cyber threat intelligence that provides
   support for related data such as threat actors, campaigns, intrusion
   sets, malware, attack patterns, and other adversarial techniques,
   tactics, and procedures.

   This solution will specifically enable:

   1. the creation and documentation of course of action playbooks in a
      structured, machine-readable format

   2. organizations to digitally sign course of action playbooks

   3. the secure sharing and distribution of course of action
      playbooks across organizational boundaries and technology stacks

   4. the creation and documentation of processing instructions for
      course of action playbooks in a machine-readable format

   This solution will contain, at a minimum, a data model specifying the
   course of action playbooks; a defined set of functional capabilities
   and associated interfaces; and an exchange protocol between products.
   Where possible, the working group may reuse and/or reference existing
   data models, such as OASIS OpenC2 and IETF standards (e.g., I2NSF,
   YANG, NETCONF) that define the atomic actions to be included in
   a process or sequence.

2. Goals and Deliverables

   This working group has the following major goals and deliverables:

   o  CACAO Use Cases and Requirements

      *  Specify the use cases and requirements

   o  CACAO Functional Architecture: Roles and Interfaces

      *  Specify the system functions and roles that are needed to
         enable Collaborative Courses of Action

   o  CACAO Protocol Specification

      *  Specify and standardize the configuration for at least one
         protocol that can be used to distribute courses of action in
         both a direct delivery and a publish-subscribe method

   o  CACAO JSON Data Model

      *  Create a JSON data model that can capture and enable
         collaborative courses of action

   o  CACAO Interoperability Test Documents

      *  Define and create a series of tests and documents to assist
         with interoperability of the various systems involved

   The working group may decide not to publish the use cases and
   requirements document or the interoperability test documents. That
   decision will be made during the lifetime of the working group.

Authors' Addresses

   Bret Jordan
   Symantec Corporation
   350 Ellis Street
   Mountain View, CA 94043
   USA

   Email: bret_jordan@symantec.com

   Allan Thomson
   LookingGlass Cyber
   10740 Parkridge Blvd, Suite 200
   Reston, VA 20191
   USA

   Email: athomson@lookingglasscyber.com

   Jyoti Verma
   Cisco Systems
   170 West Tasman Dr.
   San Jose, CA 95134
   USA

   Email: jyoverma@cisco.com