2-June-2022 DC CAW
Cybersecurity Automation is proposed to be an OCA subproject, similar to stixshifter, Kestrel, PACE, and IoB.
The initial focus of the Cybersecurity Automation SubProject (CASP) will be the Cybersecurity Automation Workshops. Cybersecurity Automation Workshops are a series of events to prototype and test interoperability among cybersecurity automation technologies. CASP will maintain this website and may also produce documentation aiding awareness, adoption and/or interoperability of cybersecurity automation interfaces. CASP will attempt to use existing specifications/standards wherever possible, but may create specifications/standards if necessary.
The intent is late 1QCY23 or early 2QCY23, but the venue and dates are yet to be decided. The first step is to make CASP an OCA subproject so that decisions can be made as part of the open project.
The most recent Cybersecurity Automation Workshop was 2-June-2022 at the AT&T Forum in Washington, DC. See {need to make archive}. Previous workshops were {need to make archive}.
Posture Attribute Collection & Evaluation (PACE) is a comprehensive automated strategy for understanding security posture and what to do about it. At the last Cybersecurity Automation Workshop, use cases for cybersecurity automation were demonstrated in which automation was used for PACE, collecting SBOMs as security attributes. Use cases were also conceptualized for using PACE evaluation (i.e. security posture) for decision making within CACAO playbooks to initiate OpenC2 actions.
Kestrel is a threat hunting language, providing an abstraction for threat hunters to focus on what to hunt instead of how to hunt. At the last Cybersecurity Automation Workshop, Kestrel use cases showed automated threat hunting. Use cases were also conceptualized for PACE security posture being used in CACAO playbooks initiating Kestrel threat hunting using OpenC2 actions.
The Indicators of Behavior (IoB) Subproject is creating a structured representation of reusable adversary behaviors, detections of those behaviors, and correlation workflows to aid network defenders. IoB is data that can control workflows in CACAO playbooks in automation scenarios.
Stixshifter is a patterning library which allows data to be normalized across domains for comprehensive security analysis.
Collaborative automated course of action operations (CACAO) defines the schema and taxonomy for security playbooks and how these playbooks can be created, documented, and shared in a structured and standardized way across organizational boundaries and technological solutions. Much of the automation demonstrated at Cybersecurity Automation Workshops can be shared using CACAO playbooks.
Threat Actor Context (TAC) seeks to resolve ambiguity across different sources and solutions to support organizing what is known and sharing information about threat actors. It establishes a common knowledge framework that enables semantic interoperability of threat actor contextual information and develops standardized vocabularies for threat actor characterization. Similar to IoB, PACE, STIX, and stixshifter, TAC is data that can control workflows in CACAO playbooks in automation scenarios.
Open Command & Control (OpenC2) is a standardized language for the command and control of technologies that provide or support cyber defenses. By providing a common language for machine-to-machine communication, OpenC2 is vendor and application agnostic, enabling interoperability across a range of cyber security tools and applications. The use of standardized interfaces and protocols enables interoperability of different tools, regardless of the vendor that developed them, the language they are written in or the function they are designed to fulfill.
Software Bill of Materials (SBOM) has emerged as a key building block in software security and software supply chain risk management. An SBOM is a nested inventory, a list of ingredients that make up software components. SBOM is a valuable security posture attribute driving PACE automation.
Vulnerability Exploitability eXchange (VEX) allows a software supplier or other parties to assert the status of specific vulnerabilities in a particular product. Examples include:
VEX information enhances SBOM information in PACE use cases, and both are valuable security posture attributes driving PACE automation.
The Common Security Advisory Framework (CSAF) has a VEX profile for automated creation/consumption of VEX information. See previous question.
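As an added example (not code from this page, OCA or any CASP project) of how VEX refines SBOM-derived findings in a PACE-style evaluation: constructed SBOM components are matched against a constructed advisory list, then a minimal VEX document written with CSAF 2.0 VEX-profile field names (product_tree, product_status, flags) decides which findings still need action. All package URLs, product IDs and CVE numbers are placeholders.

```python
# Constructed sample data (placeholders, not from the page). SBOM: components by purl.
SBOM = {"components": [{"purl": "pkg:generic/libfoo@1.2.3"},
                       {"purl": "pkg:generic/libbar@4.5.6"}]}
# Advisory feed: placeholder CVE -> purls a scanner flags as affected.
ADVISORIES = {"CVE-0000-0001": {"pkg:generic/libfoo@1.2.3"},
              "CVE-0000-0002": {"pkg:generic/libbar@4.5.6"}}
# VEX document using CSAF 2.0 VEX-profile field names: the supplier asserts
# that product P1 (libfoo 1.2.3) is not affected by CVE-0000-0001.
VEX = {
    "document": {"category": "csaf_vex"},
    "product_tree": {"branches": [
        {"category": "product_version", "name": "libfoo 1.2.3",
         "product": {"product_id": "P1", "name": "libfoo 1.2.3",
                     "product_identification_helper": {"purl": "pkg:generic/libfoo@1.2.3"}}}]},
    "vulnerabilities": [
        {"cve": "CVE-0000-0001",
         "product_status": {"known_not_affected": ["P1"]},
         "flags": [{"label": "vulnerable_code_not_in_execute_path", "product_ids": ["P1"]}]}]}

STATUSES = ("known_affected", "known_not_affected", "fixed", "under_investigation")
ACTIONABLE = ("known_affected", "under_investigation", "no_vex_statement")

def purl_index(tree):
    """Map purl -> product_id by walking the (possibly nested) CSAF branch tree."""
    out = {}
    for br in tree.get("branches", []):
        helper = br.get("product", {}).get("product_identification_helper", {})
        if "purl" in helper:
            out[helper["purl"]] = br["product"]["product_id"]
        out.update(purl_index(br))  # nested branches (vendor -> product -> version)
    return out

def evaluate_posture(sbom, advisories, vex):
    """PACE-style evaluation: for each SBOM component an advisory flags, return
    the status the supplier's VEX asserts for it, or 'no_vex_statement'."""
    ids = purl_index(vex.get("product_tree", {}))
    asserted = {(v.get("cve"), pid): status
                for v in vex.get("vulnerabilities", [])
                for status in STATUSES
                for pid in v.get("product_status", {}).get(status, [])}
    return {(cve, c["purl"]): asserted.get((cve, ids.get(c["purl"])), "no_vex_statement")
            for c in sbom["components"]
            for cve, affected in advisories.items() if c["purl"] in affected}

def actionable(findings):
    """Keep only findings that should still drive a playbook (e.g. a CACAO step)."""
    return {k for k, s in findings.items() if s in ACTIONABLE}
```

With this data the libfoo finding is suppressed by the supplier's known_not_affected statement, while the libbar finding has no VEX coverage and remains actionable.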