From YouTube: IETF104-CACAO-20190329-0900
Description
CACAO meeting session at IETF104
2019/03/29 0900
https://datatracker.ietf.org/meeting/104/proceedings/

B: Good morning, welcome to the Collaborative Automated Course of Action Ops, also known as CACAO. Is that the right way to pronounce it? A couple of different pronunciations. But so, you guys, I'm sure this is Friday morning. The Note Well! Well, if you're not familiar with it, then there's probably a problem, but here it is for you, I think.

B: So our agenda is going to be pretty simple. Today we have all of our administrivia taken care of. We're going to have a presentation on the kind of problem statement and the space that CACAO is looking at, and then we'll go to find, making sure everybody kind of understands what that is, and ask some questions of the group as to how we should move forward. So I think we'll ask Bret to come up and start the show.
C: Thank you. So I wanted to spend some... so we're here this morning to talk a little bit about CACAO and what it means from a security defense, cyber defense perspective, and I want to first start by doing some basic level setting. Talk about the why: why is this important? What is the problem statement? You know, why is this an issue in modern-day SOCs, security operations centers, and kind of what is a proposed solution? So the why, what, how of this aspect.
C: Note Well, so know that Note Well; they did, so noted. Well, so Allan Thomson from LookingGlass, Jyoti Verma from Cisco and myself, Bret Jordan from Symantec, have been working with a large group of individuals for about 18 months trying to find a potential solution for this space. We've, you know, been working with a lot of large enterprises, a lot of banks, a lot of governments, trying to look at a different way that we could potentially solve this.
C: We did a lot of work to flesh out the possibility, and then we got to a point where, okay, now we need to take it to an SDO and try to see if we could standardize it, so we could do some interoperability. We could guarantee that different systems and networks and components and stacks would be able to consume these things and do whatever. So we decided we'd try and come here to the IETF.
C: We felt that this group would have a lot of great experience and a lot of things, especially when it comes time to do the picking of a protocol and those sorts of things. So, on the problem statement, just to do level setting: you know, as you know, and as you've probably read through a lot of the information that comes out, threat actors and their intrusion sets are advancing and they're becoming more prolific. An intrusion set, for those that aren't familiar with the term...
C: They can be sold off and used by other ones, and over time intrusion sets do actually change and morph, but an intrusion set, a lot of times in the commodity literature they refer to them as an APT, like APT1 or APT2, those sorts of things. And I think the most important thing is the amount of time available for organizations to respond and to keep themselves adequately protected is decreasing. So, you know, when we look at like the Lockheed Martin kill chain and you go through the reconnaissance phase...
C: You know, a threat actor group may spend months and months, years, doing investigation, doing, you know, reconnaissance, and then it takes minutes to compromise the network, and then they're typically in the network for months to years. Okay, so the defense is manual, it's slow, it's very reactive, it's very siloed. Various parts of the group or various parts of the organization don't typically talk well with each other, and especially if you're in a larger enterprise where you have different business units or different enclaves.
C: You have a lot of coordination that needs to take place, and there's really not a great way currently to share, you know, playbooks, runbooks, courses of action across these groups, and there's no way to collaborate on them across a trust group or an ecosystem or, like, a vertical sector like the telco space or financial services or healthcare. Okay, so I drew a little picture here to kind of help everybody understand what this would mean and what this would look like.
C: So on this problem statement, if you look at, you know, where that compromise might come in and how it would proliferate throughout the network: so say it comes in across the mobile device and then it moves laterally through the organization. You know, it'll hit endpoint devices, it'll hit IoT devices, potentially security cameras, move through the network, you know, compromising servers, compromising applications, and going on. The point from this work from CACAO is that all of these different groups need to be involved through the mitigation and remediation of this attack.
C: It's not just one person or one tiny little group. So you're going to have, you know, the mobile engineering, desktop, network support, you're gonna have network engineering, unit security operations, and these playbooks, they have to be shared and be communicated, and a lot of work has to be done today. Playbooks are in prolific use; they're used in nearly every major SOC on the planet, so this isn't a new concept. The difference is, a playbook is typically written down and put in a binder, or put in a PDF, or put in, like, a knowledge base article, and there's no way for these playbooks to be collaborated on or shared, and in a sense it's in a knowledge base article. A lot of organizations think that, oh, this is trusted knowledge, we don't want to share this, we don't want to leak information, we don't want to work with other entities in this space. So I wanted to help try and do some level setting and talk, you know.
C: Maybe some pictures might help express that. So what is CACAO? It's a collaborative automated course of action, you know, or series of operations for defense, for cyber security, cyber defense. It's not for physical security, so we want to make sure that we're not talking about that. Basically, well, this design could potentially be used for a lot of other spaces; we wanted to not boil the ocean, and we wanted to focus on a pretty narrow problem space. So it deals with the creation, distribution and monitoring of the execution of the individualized actions that would be part of an overall playbook. So the goal with a playbook and all of the individual actions is to prevent, mitigate, remediate a threat, and then also to monitor to make sure that the actions were processed correctly and make sure that the threat and attack has actually been mitigated. So the hope and the goal of all of this work is to build upon a lot of existing technologies that are used either here in the IETF or out of other SDOs.
C: So, as I said, you know, playbooks today, you know, they're security processes. You know, they involve procedures. There's technical, there's human capabilities, and I have an example here in a second, but sometimes part of the playbook might be: you know, call this individual; if they don't respond within 20 minutes, call this individual; if they don't respond in 20 minutes, call the CIO and get them out of bed.
C: You know, go and block this on the firewall and then go in and block this on the proxy, and then start working your way down through the network, because, as you know, deploying solutions or mitigation or remediation steps across a large organization takes a lot of time. All of the endpoints aren't necessarily always available, and so you rely on the various network pieces to actually get this done.
C: So all of that is typically documented in a playbook. Now, playbooks can be very specific to an organization, but they can also be somewhat generalized as well, okay, and so as an example. So I just made, you know, I wasn't sure who would be in the room and what you'd be familiar with, so I wanted to document what a very basic playbook might look like to help level set, so from a sample.
C: You know, you take a piece of malware, and this piece of malware I'm calling Fuzzy Panda X, and it's for a Windows 10 mitigation/remediation strategy. So one of the first things that might be in the playbook would be for the security operations center: you know, they would open a ticket, you know, based on an indicator of compromise that identifies this. You know, level two, they then call network support and they'll go through that process of identifying the person in network support to take it to the next thing.
C: Network support is going to quarantine the system into a sandbox VLAN in your security zone architecture, and then it will probably go back to security operations, where they're going to go in and start talking to desktop support. They're going to do the response process, they're going to do any elevation and remediation. That goes to desktop support, which is going to run through a series of processes and things that would need to be done for that specific piece of malware. In a non-security-mature organization that doesn't have their own playbooks,
C: typically what the IT people will do is go out to a blog post and try and figure out, like, what do you do? And, you know, there might be competing information. Some people say, oh, you just got to delete this registry key and delete this file. Other people will say, no, you can't do it in that order; you've actually got to delete this process, then you've got to delete the registry key, you've got to reboot in safe mode...
C: You've got to go through and delete these things and do this, whatever. So a lot of the things, you know, like I said, would either be documented in some sort of playbook or, if you're a lower organization that doesn't have the really high security maturity, you might be relying on the internet and blog posts. And then, as it would come through, it'll finish up, you know, on the desktop support side, where they go through and they patch the OS and they patch the security software.
C: They rerun the various scans to do various checking, and then that traffic, that system, would more than likely be monitored for a period of time. It'll probably then be put into a different VLAN where the computer can actually be used for, you know, normal operations, but it's highly monitored. They may be doing full packet captures, may be doing, you know, an IPS, you know, right in front of that machine to check for, you know, abnormal behavior, and then, after a period of time, that system will be moved back into a production network.
C: Obviously the back-out clause for any one of these line items is: if this doesn't work, then the machine is just reimaged, okay. And then also, depending on your appetite for risk and the type of system it is, that might be one of the things that they first do. They just, you know, format the system and reimage it, but it depends, right; there's different levels of risk and your appetite for risk changes.
C: So when we look at playbooks, obviously they can span multiple groups and multiple technology stacks. There's a lot of different groups that need to be involved. If you have different business units or different enclaves, you know, the number of people that need to be involved can grow rapidly, very quickly, and, you know, it's because those attacks, they can, you know, it doesn't just come in and keep itself within one or two systems. Lateral movement is usually very easy.
C: When I was on the other side of the fence, we used to refer to this as the escargot model of security, where things are nice and hard and crunchy on the outside but soft and chewy on the inside, and so, you know, threat actors can usually move very quickly laterally through the organization, and so you have a lot of people that you need to get involved. And then, you know, these attacks occur across multiple technologies, multiple technology stacks.
C: When you do the remediation, it would be nice if the automated parts of the playbook, of the CACAO playbook, could actually be done and shipped around between technology stacks, so the different, you know, TIPs or different management consoles or different tools could pick up, process the parts that they know how to process, and then report back. So how do we get there? What does this coordinated response look like? So we have, you know, the define piece. We have the verify...
C: ...you know, that it was actually created correctly and that it works, and there's the distribution and the execute part, and then the monitoring to make sure it's done. And I'd like to pause here and just see. I know Allan, who's one of the co-authors on this, he's on the phone, and I don't, it's our first time using the Meetecho stuff, so I'd just like to pause and see if he has any comments before I continue.
D: Awesome, yeah, thank you. Thanks, Bret. I think you've done an excellent job introducing the topic. I think the key part of this slide here is really talking about five different phases of where we are going to focus our efforts, and I think one of the first things... I think Bret has a slide later on in the deck that talks about one of the first things that we're going to focus on is really understanding...
D: ...what defining a playbook looks like, and that's going to be our initial focus, and then we're going to start looking at, okay, once you have a definition of that playbook, how do you then roll it out to the different technologies and across the different protocols and interfaces that need to exist? But that first bullet on the slide around definition is really our initial focus, to make sure that we come up with a format for defining playbooks.
C: So you have, once again, this is maybe for a Fuzzy Panda X type malware exploit, you know, or pick your favorite APT name of choice, and you might have some pieces that are defined that say: Apple goes through and figures out how they mitigate this for OS X, and then Google figures out how they solve this for Android, and Cisco identifies, well, if you do this on your Cisco ASA then you can mitigate this or remediate this threat, and Microsoft may go through and figure out...
C: ...you know, what they need to do for Windows 10, and it may not be Microsoft itself; it may be some other trusted enterprise or some other entity that does it. But the idea is that these various pieces could in fact be digitally signed, and then that signature could be included, you know, as a plain-text signature inside of this data, and then that could be rolled up. And, say, I'm gonna use, you know, banks that people can understand, or at least if you're here from the US.
C: But, you know, you have one very large bank and it goes through, it says: oh, we've tested all these things, we've actually deployed it, we can guarantee, or we verify, that, you know, these at least work for this specific threat on these systems. Obviously you would need something like CoSWID or SWID tags or something like that in order to identify the targeting of the systems that would be affected, but that could also then turn around and be bubbled up to maybe another large bank.
C: You know, go from Bank of America to JP Morgan Chase, and they go in and they can verify, oh yeah, and so we're gonna sign it as well. So now, when this gets hooked into threat intelligence and it gets distributed out through the ISACs and ISAOs, in this case through FS-ISAC, it'll get disseminated out to all of the member, you know, units, all of the different banks and credit unions all across the fabric, and so when they have their indicators of compromise and it fires and identifies that, oh, this is a threat...
C: ...then, you know, oh, and here is a course of action or a CACAO playbook that could mitigate that threat. Now it might not be a hundred percent applicable to their organization, but they would be able to look at it and be able to say, for these types of machines, you know, this is what these different entities have done and it worked for them, and, you know, so they have some level of assurance because these larger entities have been able to verify it and they've been able to digitally sign it.
C: Intelligence comes into the security operations center, and a SOC, security operations center, is going to go through and it's going to create these playbooks, and typically, like I said, they're going to be in either PDF form or they're going to be printed out and put in a manual on a shelf, or they're gonna be in a knowledge base article. And what we want to do is get to where it's automated, or at least some parts of it, or a lot of it, is automated. There's always going to be some parts...
C: ...that will always be human-process oriented, but, you know, those could be identified as manual steps. And then, you know, when it comes time for delivery of items out of this group, if this actually gets chartered and formed here in the IETF or in some other SDO, we want to, you know, crawl, walk, jog and run, so we can't boil the ocean.
C: We can't do everything up front, and what's important is that we start to get things out to industry and get industry adopting, so that it can be rolled out in phases. And so some notional, and I'll stress this is notional, all right, because it would be up to any working group or study group or technical committee to decide, this isn't just my, you know, my wish list, but some notional idea is that, you know, the phase one goal would be doing the JSON data model, you know, which would be...
C: ...you know, the multiple actions, you know, any of the logic, the temporal logic, conditional logic, being able to version them, because you're going to need to be able to collaboratively work on them, any targeting, you know, the specification of using SWID tags or CoSWID or SCAP and all these other little things that might be available, and then being able to do syntax verification to make sure that these are, you know, formed and structured in a way that is interoperable. A stretch goal, in my opinion, you know, would be to be able to do partial automation.
C: You know, doing digital signatures, being able to do distribution, you know, a protocol so that you could communicate either between entities or potentially between technology stacks, or, but, you know, maybe even, you know, the connections off to some devices, you know, actuators, where they could process it. And then a phase 2 and phase 3 goal: you know, phase 2 would be, you know, like a longer term, maybe a second release, you know, doing some of the more automated action pieces, you know, execution verification.
B: Yeah, so, well, I think what we'd like to do right now is, I think Bret's given a kind of pretty good overview of kind of the problem space, and we'd like to have some discussion now in the room, just to make sure people understand, because some people are gonna be very familiar with this space and for some people it's going to be something that they're not. So if people are, please feel free to come to the mic and ask questions or provide input. Oh sorry, yeah, yeah.
E: Okay, so yeah, thank you Bret, yeah, for making this presentation. So I have some clarification, a question about what you had visited so far, and the first question is with regard to the creation of the playbook itself, because for me this single task is really, I would say, really difficult to be done in a generic manner and for all the attacks. So do you think that this is really a key...
E: ...a key, I would say, expected output from this work? Or we assume that the playbook is done somewhere, handed somewhere, and then the problem is how can I pass it through something which is released on the rise in terms of the communication interfaces between involved parties? This is my first question.
E: The second one is that, do you assume that all this work, because what you have presented so far is really, for me, I would say, one single network provider there, which is dealing with some, I would say, sources, vendors and so on, this kind of stuff. I quite don't see the need for, I would say, a standardized interface for that one, because you can receive from whatever interface from a server. Just you connect to the server.
E: I would say the collaboration between multiple network providers, because for me this is the only thing which is really missing today. We are confronting, I would say, distributed attacks, and the attack starts everywhere from the world, and everyone in his own network is trying to dig into the problem and try to look: how can I fix this problem? And we are repeating the same story, and some are going to forums looking for, I would say, hints, suggestions for mitigation and so on.
E: So if we, I would say, if we adopt the same strategy for these distributed attacks, to have, I would say, distributed mitigation, and if we wanted this distributed mitigation, we have to open the collaboration between the multiple involved parties that are network providers. So I would like to see this in the phase, to have something which is more collaborative in terms of sharing, just to say that I have this kind of attack, this is what I am doing, just take it as information. You don't take it as a fact.
E: You can try it in your own context if you have this kind of problem and so on, so we are just sharing the learning and the lessons from the problems we are seeing, so to clarify, I would say, the specific context and justify why we need to have something which is more collaborative between multiple providers. Thank you.
C: Thank you for the question. So in looking at this, you know, at some level you have to have the thing that you are going to be able to exchange and to be able to share, and obviously I think this structured object will evolve over time, but we need to have the basic foundational pieces in the beginning.
C: In order for that to be shared and then to be able to be actioned on, it needs to be able to be processed and be able to be consumed in a machine-parsable form. We have a lot of experience with this in the threat intelligence world, and we understand kind of how these things work across ISACs and ISAOs, and so we're trying to build on that model, and I'll pause for Allan, my co-author, to try and respond as well, I think.
D: Yeah, thank you. So one additional thing that I would add to the answer that Bret gave was that, some people may be familiar, but there's a standard being developed by OASIS called OpenC2. That is a basic mechanism to respond to threats, but it's focused on individual actions across different security infrastructure. That group has specifically said that they do not want to tackle how you connect all those commands together in a sequence or in a temporal logic.
D: So what we feel is that there are other efforts trying to standardize and normalize languages to be able to respond to threats, you know, such as OpenC2, as well as STIX for intelligence aspects, and what we're looking to do is build a playbook that can wrap some of those things together so that you can start to chain them together in a more coordinated fashion. So we are not going to be necessarily relying on or defining individual protocols or commands to execute, like, for example, block actions or response to an anti-virus, etc.
F: As you see, so, thanks Bret, this is a very important topic, I believe, and I think, coming from an enterprise background myself, I think this is very relevant, especially with the transition to cloud and enterprises having less and less control over what gets deployed and how things are deployed in the cloud. So I just wanted to ask you: how do you envision this in the cloud deployment, and how do you think this fits in the cloud story, because that seems to be the way forward?
C: ...I think is going to be very valuable. I know some governments, like Australia, for example, they set up trust groups specifically for an identified threat, and so they will pull in people across the nation and they will bring them into a trust group, and then they share information, but it's all over Slack or it's over Skype or things like that, and it would be nice if these things were done in a machine-parsable way, so that tooling could process it and action on it.
C: I think initially, you know, if I was to give realistic expectations from a vendor deployment model, it is initially that they will be collaborated on and documented in the machine-parsable form, but they'll still probably be human action. Some of them may have the actual commands that you would use on a device, say, like on a Palo Alto firewall, here is the CLI command that you would copy and paste, and then over time the vendors will begin to adopt this and be able to process these commands, and then you'll start to see...
C: You know, when we look at this, like, how do we gain vendor adoption and how do we get people to start using this, one of the first things that we look at from experience with threat intelligence is you need to have the data model and you need to have the structured form so that tools like a TIP or something like that could understand it, they could process it, they could link it into a case management system, they could be able to build automatic...
C: ...you know, messaging, you know, back and forth between teams and stuff like that. And so it's like, you know, that's the first nut that we need to get standardized, and then my hope is, you know, like what Mohamed from Orange has mentioned, you know, getting this to be able to collaborate between the various groups, and in his case telcos, which we're very partial to, and we really want to help solve that. It's just...
C: But where those solutions don't have, you know, an option, we can either request that they add it, and if they say no, then we could, out of here, I think some things we'll probably have to do, like the manual pieces, we'll have to define what that part of the ontology actually looks like, because most of the other ones don't do that. But I mean there's gonna be a little bit of work that we need to identify, but I think where we can leverage other technologies, I think that would be great. Okay.
H: Hi there, this is Steven Banghart channeling Nabil Bitar on Jabber. How would this be different from, or related to, what is implemented by SOAR systems? And Jyoti Verma already responded and mentioned that they could render and execute the distributed CACAO playbooks for mitigating and remediating the threat. Forgot to give you a chance to follow up if you have any other answers to that, Bret.

C: I would respond very similarly to what Jyoti did, so I...
C: So if you have, you know, five thousand servers in your toolkit that are processing for your data exfiltration, and that changes from, you know, one data center to another data center every week, then the number of people you have involved is very large, because that takes a lot of work. So, but if things are pretty static, then you might have a very much smaller crime syndicate, other...
D: Just on that point about patching, one of the most common things that people do is exploit vulnerabilities on public infrastructure after they've discovered that that is a vulnerable system. So one of the things that people want to do is be able to do that scanning or detection of vulnerabilities themselves, and then they run playbooks that patch those systems so that those systems are no longer vulnerable.
C: Yeah, and a follow-on to that would be maybe like a SANS Top 20 preventive or CIS Top 20, you know, preventive, you know, scenarios. They may not be specific to target specific systems, but they would be generalized things that could be distributed, and then, you know, like I said, in a trust group they could be collaborated on and they could be worked on and refined and added to, so, and...
J: Ben Kaduk. So you mentioned, like, being able to collaboratively work on and iteratively update these sorts of things. Do you think it's important to have sort of technical measures to foster that, in terms of, like, the versioning structure, or are we not gonna worry about that too much, like in the actual technical details, and these, that's who, a...
K: From the chair, can we kind of stick, hopefully, a little bit more to problem understanding? I mean, so there's a whole other part of the presentation about requirements and solution space. If you can, what we're trying to get to at this point is to make sure that everybody has a chance to make sure they understand the problem definition, and then we'll progress past that. Hi.
L: Rome engineer, so I think I understood the vision, but I'm trying to understand what that means relative to standards action with the phases, so I didn't exactly track it. So if you could help me clarify: so I get the binder issue, you know, we're passing around, you could have binders that are PDFs or in wikis, and it seems like there's also the other half, was this idea of, well, now that I have an automated version of, or a machine-readable version of, the binder, I want to task systems to act on that, so, right.
C: So, you know, in my personal perspective, obviously this would be a working group decision, or, you know, decision by whatever group allows us to do this, but the first thing that needs to be done is the data model needs to be defined so that there's a structured way that you can document them, and so, you know, if you're sharing these over HTTP or even if you're sharing them over email...
C: ...they could then turn around and be processed by a machine, the goal being that TIP vendors and other management consoles in the network or orchestration devices like a Phantom, Demisto, Swimlane, something like that, could then turn around and consume this and be able to render something to the user or to the SOC in a structured way. So obviously we have to crawl, walk, jog, run, but then the follow-on phases would be to enable vendors and solutions to be able to pull out the atomic actions and be able to, you know, operate on them in somewhat.
C: I think that, you know, the most important thing is to be able to get a structured ontology for this data model so that vendors can implement to it. So we need to make sure that when you define the individualized actions and the conditional logic and temporal logic that binds those actions together, that they would be able to be consumed.
C: So hypothetically an action might say, you know, "manual", and, you know, do this; or, you know, "phone call", and, you know, hook into your Cisco Call Manager and wake the CIO out of bed; or another one might be "NETCONF" and do this command to configure your switch; or "I2NSF", you know, do this. And so there's gonna be some things that we're going to need to pull in to enable people to automate, so I'm not quite sure how to answer your question.
M: Michael Richardson. So I have a bit of a scope question as well, and I guess I was going to ask a question about, you know, were these playbooks procedural or declarative, and maybe I realized that was too much of a solution-space question, but it actually does go to my scope question, which is: is the point here to mitigate an attack? Is it to identify an attack, in which case we've done some work in MILE and INCH and other things like that?
M: Or is the goal to document a potential fix for the intrusion or the issue? Because they seem to be kind of mixed together. Like, you know, you said: change some things, am I to use I2NSF to change some things for, I guess, protective devices? Then people are talking about, oh, there's the magic patch level that you should be at, which would be fixing things, and I'm confused by what seems to be a mishmash of reactions and actions and things like that. Great.
C
Thank you for the question. So the purpose is to be able to document what is in playbooks and runbooks today. So it's not about the identification of the threat; that is handled through various means, whether they're here in the MILE, SACM, you know, groups here, or whether they're in the STIX community, which is outside of IETF, or, you know, through something else, right. So indicators of compromise: the industry knows how to do that. There are structured ontologies for identifying and sharing that information, so we're definitely not doing that.
C
What we want to be able to do is document, you know, the process, the procedures that you would use to mitigate, remediate or prevent a threat, and those initially will probably be very human-oriented, human task commands, but in a structured ontology. But over time they will be automated, and they will be call-outs either to a native API, to a CLI command, or to one of the other solutions, like I said, like I2NSF or NETCONF, or OpenC2, or one of those sort of things.
C M
And, but I'm just, I'm having, it's a stretch to my credit, I'm a bit incredulous that these very specific commands don't require significant localization across organizations, right. Oh, they do that! That's where I'm skeptical about the automation part. So I got the "let's sign this thing", "this was what worked for me". I get that, and I like the picture with the red boxes, and that was really cool.
M
How do we recognize that they are now good, that they have been through a playbook of some kind? So that's where my interest comes from, but I don't think that we're ready to discuss that question yet here. So thank you.
D
There were several questions there. If I go back to the original question, which I think you were saying about, is it mitigation or is it detection? One of the things that is not very black-and-white is exactly whether something is a threat or not, and so oftentimes the ability to copy traffic, redirect traffic, so that you can do closer inspection.
D
Your behavioral analytics, for example, may identify something suspicious, but you're not exactly certain what it is, and so the ability to have automated playbooks so that you can instruct the network and potentially endpoints to do things, to be able to start looking at things more closely, is an aspect of investigation and analysis that would then potentially determine this is absolutely, concretely a threat, and then you would go into the phase of mitigation. So it is not just, oh, you've absolutely detected
D
something as a threat; it's also being able to investigate, to be able to say that it's a threat for certain. So that's the first part. I think the second part of your question was about, well, how do you make this reusable across different customer-specific environments? One of the things that we've defined in the requirements is the specific ability to modularize the playbooks so that you can construct,
D
you know, not just sign the aspects but also modular aspects. So you could imagine a little module or function that can then be constructed to be able to do very specific things that ultimately are shareable. So it's almost like sharing open-source functions that do very small things that can then be constructed into larger playbooks. That is absolutely a goal, so that that customization for a specific enterprise environment can be more easily made available to people.
D C
Let me just take one quick stab at it. So another way that I explain this when I talk about this with industry is, hypothetically, I could see an entire ecosystem of startup companies getting created that produce playbooks for identified threats targeting specific systems. So, you know, Windows 10 Service Pack 3, Service Pack 4, Service Pack 5; maybe there's a cloud service. You get an indicator of compromise for some piece of malware.
C
You have the hash. Like a VirusTotal, you could go up and you could provide that hash and then say what type of operating system, maybe the SWID tag, and then you can download a playbook, and it would show you who had cited it, who had verified it, and give you the commands in a structured form. Obviously we have to crawl before we can walk, jog and run, and so we need to be able to get to where we can do what we do today in playbooks, but do those in a structured way. Dave.
N
Dave Waltermire. So I thought it was clear on what the problem was, what the scope of this was initially, and now I'm a little confused. Part of it is, I hear things like "ontology" and my eyes start to, you know, glaze over. But just to go back to what Roman was saying. So he asked, you know, is the focus of this, at least, is the initial focus of this effort on the binder, making a machine-readable, structured representation of
O N
binder, or is it on the atomic actions? And what I'm hearing, I think, is that this effort wants to, some framing, a machine-readable framing around that PDF binder in a way that that becomes machine-processable, you know, which deals with some of the conditional logic, some of the tracking as information is passed between organizations, maybe even the integrity of that document as it's being passed around. That you were gonna defer on the action piece, the atomic action piece, to leverage existing standards, at least initially, maybe fill gaps long term, there is.
C P C C P
Well, okay, kind of touristy, can mean in IETF universe. Well, okay, you can also say cross-area visitors or something. I'm working at Deutsche Telekom, essentially as a routing architect, and so I'm dealing with the fairly general threat of, well, okay, what's happening in the routing system. And my observation when talking with security folks is that there seems to be a fairly large gap between what the expertise and the focus of the typical security guys is.
P
On the other hand, kind of understanding what the infrastructure threats are is something that is kind of a different world, and, well, okay, sometimes or most of the time I think not integrated very well. And integration for all of the security functions obviously is something that you would want to have, but it seems in some places to be hard to do, and I have been watching the presentation, and essentially everything that I heard was telling me, well, okay, kind of the place where to actually integrate and cover the infrastructure stuff.
P
Well, okay, atomic actions about, well, okay, what do I do about route hijack? Yeah, kind of, I would like to have that. I completely, a hundred percent agree with our, and kind of what I'm seeing is that gap, I think, is not often discussed explicitly like I'm trying to do right now, and as activity like this kicks off.
P P
I can't, I don't have a lot of things to help. I'm working on the routing security, but kind of, yes, if I see something like a toolset that you are for handling stuff and processes, kind of, yes, I would like to see something where I can tell my SOC that, hey, you usually don't know about the routing, and there is a possibility to integrate exactly these. Please, please, please, please have an explicit look into that direction. Again, I feel touristy here; my day job is demanding enough. No.
C
I think you're, thank you for the question, and thank you for standing at the mic. I do talk about that when I mention this, you know, in another context, but I usually always start with the machine and the malware example, simply because most people can relate to that. But I could very well see, you know, you have an indicator of compromise that identifies, you know, BGP hijacking, or maybe domain fronting, or something else, you know, some sort of router compromise.
C
You know, your, your sis, you know, protocol got compromised, your Eid, you know, protocol is doing something weird, and, you know, what are the things for that, and that you could. You know, I would hope that our design of the data model would easily allow you to document a solution for that. You know, I come from your side of the fence, so I'm very familiar with, you know, the network side of it.
C
So I just don't usually lead off with that, because most people in the room don't usually understand, and so I'm trying to phrase it in the context of things that hopefully people can understand. So if you come from a SOC, then you understand what these playbooks are. But if you don't come from a SOC, then it's sometimes a little confusing. Roman.
L
Engineer. So, yeah, good with the interchange with Dave; that helped me understand. So machine-readable binders whose atomic actions are coming from someplace else; we're providing the ability to create the more complicated version of those actions, and then kind of follow-up is, and then we want to provide tooling to exchange that machine-readable binder in an enterprise across administrative domains. Can you talk a little bit about what you think we need to do with that machine, well, which part, which is that part of the problem?
C
Very great question. So I think, you know, the sharing between organizations, I think, you know, could be done in a lot of the same ways that threat intelligence is done through ISACs and ISAOs, you know, defining some, you know, mandatory-to-implement, you know, solution like ROLIE from here, or some other solution, or just HTTP. But having this structured binding, right, the data model, is important.
C
Longer-term you're gonna want to be able to integrate this in a consumable way with various, you know, orchestration tools, like I said, you know, not to call out vendors specifically, but in case you're familiar with them, like a Phantom or Demisto or Swimlane or something like that, with various TIP solutions like a LookingGlass or an EclecticIQ or other tools like that. But initially you have to have a data model. So, so the chairs, I want to get a, sorry.
K K Q R
So looks like your problem looks like a dependency, but as I understand, the OASIS standards body, they already have STIX and also the transport protocol TAXII. So I'm wondering what is the difference between your proposal and STIX, so they already providing the threat information representation, which is very good, so, yeah, could you clarify the difference? Is it from there?
C R C
Offline. I am an editor on STIX, an author there, so I understand that spec very well. So STIX is solving a slightly different part of the problem; they're focusing on doing the cyber threat intelligence side of it, identifying the threat actors, their campaigns, the indicators of compromise, the malware, the pieces like that, and a very loose binding to a course of action. And if you look at what STIX is doing for course of action, we've already put in a hook to call out, to link to a CACAO playbook. So because STIX, the STIX
C
community does not have the expertise nor the desire to work on the playbook side, because it's outside of the scope of their charter. OpenC2, it's also out of the scope of their charter, because they're dealing with the atomic actions, the individualized, you know, command that would be sent to an actuator. And so what we need is, we need this higher-level thing that can be shared across the internet, that can be shared between business units, enclaves, trust groups, that allows collaborations of these.
R C
If you were in the room and I went through this, but a playbook is a collection of processes that an organization uses to mitigate, remediate or prevent a threat. Typically today they can be very elaborate, but they're usually written down in a knowledgebase article, or in a PDF document, or in some organizations they're in a binder on a shelf, and you pull that binder off and then you go through and you start processing through the playbook. So an example, and this is once again, I apologize for my friend at Deutsche Telekom.
C
But this is not the network side of it or, you know, the telco side of it. This is the system, you know, endpoint malware side, to give an example. So, you know, your security operations center is going to go through and it's going to do various things. It's going to open up a ticket. You're gonna probably have escalation paths. You know, you're going to call the network operations team, and this person, if they don't answer in 20 minutes, you're gonna call this person, and then you're gonna call, you know, further down the line.
C
You know, here is an example of some things that would need to be done from the desktop engineering, desktop support side of it, and they're gonna go through and they're gonna process all of these steps, and then in the playbook it would then go back to network support, where they're gonna monitor the machine to make sure, did it actually get cleaned up.
C
Obviously a classic point on any one of these things is: if there is a problem or something doesn't work, the conditional logic is to reimage the machine. So, okay, so this is kind of what a playbook would look like. This is very simple, but I wanted to give something that everybody could kind of understand. You know, a lot of these have, you know, very elaborate things. You know, you might imagine,
C
if it's an internet-facing web app, you might need to involve PR, because you might need to, you know, identify the call center, because you're gonna have to contact the press. You may have mandatory reporting, you may have GDPR issues that are involved, and so playbooks can get elaborate pretty quickly.
R
I think it is pretty cool. Also Linda, and they all, they are working for I2NSF, and I also, I am working for I2NSF. I2NSF, Aeterna service, I think is a very good platform to provide what you are proposing, because I2NSF, consisting of security control, the network security functions such as you are talking about, some security, some application over system, so we are having some monitoring, some interfaces to monitor what they are doing, something like that. So I think you take advantage of I2NSF. Yeah, yeah, I mentioned.
C K S
What you were looking for, okay. Oh, a
S
few efforts have already looked at aspects of this. There were some that were mentioned already: IODEF had, has the ability to nest in order to respond, and RID had the signature aspect well-defined, and nesting of signatures and multi-hop authentication and policy aspects. I haven't seen a good analysis of the overlap of each of these and the barriers to adoption that each of those have faced.
S S
You know, we don't have to say, like, you know, I'm fine with, you know, my stuff is old, so, oh, definitely the RID piece was, it's pretty old, so I'm sure it's not perfect, but I'd like to see what's the big difference. And from the CARIS workshop, one of the things that came out of it, when we looked at some of the efforts that have failed, because we were trying to analyze what failed in this space, what went forward and why, was looking at, what do
S C
Thanks for the question. So on the threat intelligence piece, which I'm very familiar with, so let me tackle that one first. Standards take a while to get adopted. I know on the STIX and TAXII piece it is getting adopted pretty quickly at this point. Most vendors are implementing it. IBM's new solution that they have just released at RSA is all back-ended off of STIX and TAXII.
C
I spoke about CACAO at the first conference last week in London, and nearly everybody there is using TIPs that are using STIX and TAXII, so that probably, interoperable, yes, because they're sharing information through their ISAC and ISAO. So, so things, but it's still probably three years before that actually goes like full mainstream. OpenC2 is definitely much more nascent. It's still trying to get legs under it, and, you know, I would give it,
C
you know, maybe I shouldn't say this over the mics, if I'm recorded, but they're there, it's just very nascent, it's up-and-coming and it's, you know, going along. I think a lot of the work that you've done personally is brilliant. I would hope that a lot of that could either be reused or incorporated, or something like that, you know, going forward, but the purpose of this is really about understanding how we can document.
C S L
Roman. General, quickly, and this is more for the chairs: if we're gonna ask the question, is this a suitable problem for the IETF? We actually presented a very broad vision. Should we be answering that question with a more narrow version of something? 'Cause I heard different phases. So are we talking about all the phases? One of the phases?
U T
Jessica Fitzgerald. Okay, and I, say, I wanted to point out that maybe this vision, maybe this is in line with what Roman is saying, actually maybe this vision could be better captured as starting with a data model that could be incorporated into things like STIX and TAXII, and could carry things like OpenC2, in order to sort of, you know, box it appropriately, so people aren't as concerned about the overlap.
T C
And I apologize for any, you know, any confusion that I would give in presenting the material, and kind of, you know, I only have an hour and a half to kind of talk through it, so I'm trying to get everybody up to at least the base understanding, but I would agree with you that that is, you know, the objective.
C
The first and primary goal is to get that basic data model done, and maybe that's where we stop, right, and then we leave it to NIST or other standards bodies to do further work on it. I don't know, but yeah. I tried to put some of these things in here to help people understand what this solution could look like longer-term, especially when you look at, how do we as an industry move the needle to improve cyber defense and enable more rapid response? So, hi.
V C
Perfect, yeah, just one data model, so you identify how you wrap atomic actions, and then how those actions obviously have that basic targeting and versioning in those atomic actions, and then what is the conditional, temporal logic pieces that would bind those together to form a more higher-level structured playbook. Thank you, Alissa.
C
Is correct, and so, yeah, so in playbooks today we document the commands, and some of them may be process-based, some of them may be human-based, some of them may be "run this command on your firewall", and they'll actually put in the CLI command from your Cisco ASA, your Palo Alto firewall, or Fortinet, or whatever you have, and you, you know, an operator,
C
you know, in the NOC or in the SOC, depending on who has access rights to it, would just copy and paste that in. So the idea being that you would have a tool like an orchestration device, hand-wavy around which one you like, the flavor of the week, that could consume this playbook, display it, and then some of them, depending on your appetite for risk and what your procedures are in your organization, some of them may be processed automatically, some of them may be bubbled up to a human to say, click here
C
if you want to process this; some of them may just be completely manual. So, but it's the idea so that when organizations produce these, they can collaborate across the trust group, which they do today, so we're not envisioning like something that might happen in the future. These trust groups do this today, and they share the playbook information across side channels, usually over Skype or Slack or something like that, and then somebody will come along and they'll post various blog post entries about it, and so, but.
W C
What we're trying to get to is some level of automation? Yes, automation has to come in phases, and so we have to start. You have to learn to crawl first and then, hopefully, over time, you know, and by over time I mean over the, you know, 5, 7, 10 year event horizon, we can get to where a SOC can mostly operate at automation at some level of risk profile.
D C
And I can comment on that: I can't name which one, but we worked with a large group that has fully implemented their own proprietary internal solution to this, and it's very excited about this, because then it would add interoperability across technology stacks and across organizations. But they've fully automated their playbooks. So, and so this is being done. So, okay.
W
Thanks. I mean, so this is like way outside my area, so I might be, you know, just really ill-informed. To my naive mind, it's very hard to understand how you can possibly capture all of those things and also have them mixed together off of the basis of a single data model and a single set of protocols that will be executing off of individual pieces of data that are exchanged in one of these playbooks. I think you explained it fully; I'm just saying that for me, it's hard to grok, yeah.
C
You know, you can go and look at any of the demos from, you know, current providers of orchestration, and you can get a feel for what they can do today. So at least that would be the commercially available solutions, but in your role at Cisco as a fellow, I'm sure you can talk to some of the same people that I talk to, so.
V C O O O
And I actually kind of like automating, because it's all the point of SRE, and I'm kind of wondering, you know, how do we keep this scope in this working group from going that large, because that seems like now we've boiled all the oceans on this planet and now we're going to put oceans back on Mars and boil them. I'm really interested in boiling the oceans on Mars, right, but so I'm really concerned and would like to see, and I think Chris, you're typing us up right now.
O
So I would like to see how we restrict this so that it is only mostly impractical to do, as opposed to entirely impractical to do, and I'm not really sure how to do that, because, like, the temptation will be, you know, and a loss of availability due to a security incident is not that much different from a loss of availability due to something else, failed reflux. There'll be a lot of temptation to scope creep this, and I'm gonna be,
O
if this happens, I'm gonna be one of the people tending to scope creep it, so I'm really interested in making sure that we have a way to at least draw the box, and I think it's by saying: oh, we're gonna talk about RID and TAXII, or we're going to talk about all these things that are in the space, that are, you know, it's not the orchestration system that's going to have the restriction of scope, it's all of the things that the orchestration system, it's built.
R O
Know, yeah, yeah, when you think about this a little bit more, but I would, so let me just make this caution. You know, still no hats. You know, make sure that we scope this in a way that it won't do that. Oh.
M M M
But then I hear things about all these protocols and other things and data models, and I think, wow. If it was just something like a Jupyter notebook, then I think that all we need to do is find a way to sign, multiply sign parts of documents that don't always overlap, such that we can have those nice boxes on the other side. That would be the scope of the world of the solution to me, and I would say, well, that sounds like an XML DSig kind of thing, and it's not our problem.
N
Dave Waltermire. So, comment on what's up on the screen, perfect. So I think the one thing I'm bristling at is "executed by humans", because I think part of what I heard we're trying to solve here is to do better than the current PDF model, which is really designed to be executed by humans. I think what we want is something that could be executed by machines with the interaction of humans.
N
Then, to speak a little bit to what Alissa was talking about, or maybe it was Michael: I think there is some scope creep risk when we start talking about how you contextualize when a command should be run or not. I think as far as tightening a charter around this, we're probably gonna have to try to put some safeguards in to keep that scope small, because, yeah, when we start dealing with all of the contextual information in the enterprise, and, you know, some of the really complex conditional logic that, you know, could potentially exist here.
X
Hey, micros is DHS, so I personally have been liking everything I hear so far. DHS has openly been supportive of playbooks for a long time now; we've collaborated with NSA in the past as well, working towards these playbooks. I agree, scope creep is definitely a problem. The charter needs to make sure that we're not going to get out of hand; focusing on these specific points that we've been talking about today is definitely important, rather than running amok and trying to solve everyone's problems, but I'm not worried about it.
X O Y
Eliot Lear. I agree, I'm not too worried about the scope creep, but what I would like to see is a little bit better diagramming, if you will, of the actors involved as you're going forward, and also the trust relationships that are expected and how those are intended to be implemented as you move forward. Okay.
C
Thank you. Yeah, I do have a lot more content, and we spent a year and a half on this. We have a good 80-some-odd pages of stuff, but we have some groups that have been contributing that can't contribute that work until there's an official working group, technical committee, study group, something that locks in IPR, because their OGC says we can't submit it anywhere publicly until there's something there.
Z
Sanjay Mishra, Verizon. Thanks, Bret, for the presentation. Just a question on the suitability for the IETF. What I was trying to get my hands around is that, so the playbooks are there, and, you know, much of that is PDF, as you said, and so forth, but then there's also automation that exists today in the corporations, what they have, you know: phishing, malware, viruses, and all of that, you know, automated, you know, running, so.
Z
You know, there's, that's ongoing all the time in the systems, but have some ways of data model that basically can sort of run these things in a way that the output from those machine, you know, code that is running 24 hours, to be able to sort of get the information, parse it and present it, and then v1. I'm just trying to envision how, what the data model will do that really makes it an IETF work. Yeah.
C
So we're looking close to time, but in the long-term, long-vision view, you know, you would have an indicator fire through some means, and then that would connect to your graph, you know, for threat intelligence. It could pull down a CACAO playbook for the targeted systems that you have, and then bubble that up into some sort of workflow process or through an orchestration tool, and then go through and start processing down the things that, you know, maybe, you know, you,
C
your risk profile is, as you immediately block on your firewall and proxy automatically, just right out of the get-go, and then if it's a system that you automatically reprovision, that into a sandbox VLAN, and you completely automate that. That seems like a very, you know, it's a step that a lot of people do today. You know, there might be a set of Perl scripts or Python scripts or something that is used to do that.
C
But a lot of this happens today, and then, you know, the reason why I think this might be IETF is we have over 70-some people in the room. There's a lot of people that have interest here, and, you know, I see this as being used across the Internet in the form of being able to collaborate across ecosystems and trust groups that are not necessarily all inside an organization. It does need to be standardized, either in this SDO or another one, because we need to get vendor interoperability.
K K W C C K K D AA Y
I have two issues. Number one, I agree with Kathleen on unready is. Number two is, this really does seem to be very closely related to the work that's going on in OASIS, and I'm wondering if they're the right people to do this before us, right, because that with the other work. So can you comment on that? I
C
have three minutes. I think that there is a group of individuals that we would like to bring into this work that are not in OASIS, and a lot of them are here in this room. So we like the expertise that exists in the IETF, and I think this is a little bit, I'm very familiar with OASIS and ITU-T's Study Group 17 and IEEE, to some extent, you know, familiar with IETF, but I think that if it doesn't work here, then, yes, we will have to go somewhere else.
N S
I Watson, very briefly. Please, please, please do not, let's not reinvent Salt and Puppet. There's massive problems there, and I think that, ultimately, is where this work ends up having to go. When you want to target stuff and you wanna have commands, you want work across systems. I work with a package managing system. There are problems in package management we haven't solved, so even just updating outdated versions and stuff, it's hard programmatically, like.
AB K K AC
Caste pnc si, just, I'm confused, because when we first asked if people understand the problem space, there was a huge show of hands: yes, I understand the problem space. And then I've heard some questions that may suggest you don't know the problem space, and we're asking if the problem is tractable or not. If you know the problem space, you should know, so you may be.
D AD K Q K C C K N
There was a lot of talk about other work that could be leveraged here. I think part of the tractability for me, part of the reason why I think this is tractable, is because I've seen some of the existing work that might be leveraged here, and I think that work actually makes this more tractable. I would encourage maybe some presentations on how this could leverage that additional work as part of maybe a next BoF.