To defend against threat actors and their tactics, techniques, and procedures (TTPs), organizations must identify, create, and document prevention, mitigation, and remediation steps, today largely by hand. These steps, grouped together into a course of action (COA) or playbook, are used to protect systems, networks, data, and users. The problem is that once these steps have been created there is no standardized, structured way to document them, to verify that they were executed correctly, or to share them easily across organizational boundaries and technology stacks.
This presentation introduces work underway by a group of interested industry companies to define a standard way to implement a playbook model for cybersecurity operations.
We’ll cover aspects of CACAO including:
- How playbooks are created and how they document COAs in a structured, machine-readable format.
- How organizations perform attestation of COAs and their playbooks, including verifying their integrity and authenticating their origin.
- How COAs are shared and distributed across organizational boundaries and technology stacks, including the protocols, APIs, interfaces, and other related technology needed to support sharing across different vendors and organizations.
- How organizations can verify COA and playbook correctness prior to deployment.
- How organizations would monitor COA activity after successful deployment.
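As an added illustration, not part of the presentation or of the CACAO work itself, the following Python sketches two of the ideas above on a machine-readable playbook: attesting to a playbook so a recipient can verify it was not altered in transit, and statically checking a playbook for correctness before deployment. The field layout (`id`, `start`, `steps`, `next`, `signature`) is a hypothetical, simplified schema chosen for this example and is not the CACAO format; the playbook content is constructed. An HMAC over a canonical serialization stands in for the asymmetric signature a real cross-organization scheme would use, so the same code path also shows why serialization must be deterministic before anything is signed.

```python
import hashlib
import hmac
import json

# Constructed example. Hypothetical simplified schema, NOT the CACAO specification.
SAMPLE_PLAYBOOK = {
    "id": "playbook--example-0001",
    "name": "Block malicious IP at perimeter",
    "start": "step-1",
    "steps": {
        "step-1": {"action": "lookup-indicator", "next": "step-2"},
        "step-2": {"action": "add-firewall-deny-rule", "next": "step-3"},
        "step-3": {"action": "notify-soc", "next": None},
    },
}

# Shared demo key; a real deployment would use per-publisher asymmetric keys.
DEMO_KEY = b"shared-demo-key"


def canonical_bytes(playbook):
    """Deterministic serialization: sorted keys, no whitespace, so the same
    content always produces the same bytes regardless of dict ordering."""
    return json.dumps(playbook, sort_keys=True, separators=(",", ":")).encode("utf-8")


def sign_playbook(playbook, key):
    """Return a copy of the playbook carrying an HMAC-SHA256 attestation
    computed over every field except the signature itself."""
    body = {k: v for k, v in playbook.items() if k != "signature"}
    tag = hmac.new(key, canonical_bytes(body), hashlib.sha256).hexdigest()
    return {**body, "signature": {"alg": "HMAC-SHA256", "value": tag}}


def verify_signature(signed, key):
    """True only if the attestation matches the canonical body under `key`."""
    sig = signed.get("signature")
    if not isinstance(sig, dict) or sig.get("alg") != "HMAC-SHA256":
        return False
    body = {k: v for k, v in signed.items() if k != "signature"}
    expected = hmac.new(key, canonical_bytes(body), hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking how many hex digits matched.
    return hmac.compare_digest(expected, str(sig.get("value", "")))


def validate_structure(playbook):
    """Pre-deployment checks: the start step exists, every `next` resolves,
    the workflow terminates (no cycle), and every step is reachable.
    Returns a list of human-readable errors; empty means the playbook is sound."""
    errors = []
    steps = playbook.get("steps", {})
    start = playbook.get("start")
    if start not in steps:
        errors.append(f"start step {start!r} not defined")
        return errors
    for sid, step in steps.items():
        nxt = step.get("next")
        if nxt is not None and nxt not in steps:
            errors.append(f"step {sid!r} references undefined step {nxt!r}")
    visited = []
    cur = start
    while cur is not None:
        if cur in visited:
            errors.append(f"cycle detected at step {cur!r}")
            break
        visited.append(cur)
        cur = steps.get(cur, {}).get("next")
    for sid in steps:
        if sid not in visited:
            errors.append(f"step {sid!r} is unreachable from start")
    return errors


def ready_to_deploy(signed, key):
    """Gate used by a consuming organization: authentic AND structurally valid."""
    return verify_signature(signed, key) and not validate_structure(signed)


if __name__ == "__main__":
    signed = sign_playbook(SAMPLE_PLAYBOOK, DEMO_KEY)
    print("deployable:", ready_to_deploy(signed, DEMO_KEY))
    tampered = dict(signed)
    tampered["name"] = "Allow malicious IP at perimeter"
    print("tampered deployable:", ready_to_deploy(tampered, DEMO_KEY))
```

The structural checks run on the received document after the attestation check, not before: an unverified playbook should never drive any processing that could be influenced by an attacker, and the order also means a valid signature over a broken workflow is still rejected.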
Learning objectives:
- An introduction to the requirements and issues that CACAO addresses, specifically in cybersecurity response collaboration and orchestration
- The relationship of CACAO to other standards work (STIX 2, OpenC2, etc.) and its interplay with proprietary mechanisms (Cisco IOS, JunOS, etc.)
- Practical examples on how CACAO would work and help organizations define standards-based cybersecurity response playbooks
- How consuming organizations and vendors can engage to further define and improve the CACAO work