Posted by: David Greenwood, Chief of Signal


In this post I will look at integrating CACAO playbooks into other products (MISP) and other standards (STIX 2.1).

Note: this tutorial is written for CACAO version 1.1 (published on 2022-03-01). Some of the concepts discussed might not be correct for future versions of CACAO.

The CACAO playbook specification is still in draft state. As such, adoption by vendors (and thus ultimately end users) is very low at the time of writing.

However, CACAO is designed to be easily integrated into existing tooling, following many existing playbook concepts.

In fact, some tooling already supports CACAO playbooks, most notably MISP, through its MISP Security Playbook objects.

CACAO -> MISP Security Playbook

The playbook-file property in MISP Security Playbook objects can be used to encompass an entire playbook file/document in its native format (for example, a MISP Security Playbook could contain an entire CACAO JSON).

Creating a MISP Security Playbook from a CACAO playbook makes it much easier to share and collaborate on playbooks, using the ever-popular MISP as the distribution tool.

What makes this even easier is that many of the properties of CACAO Playbooks map directly to MISP Security Playbook object attributes.

In order to automate the entire flow of creating a MISP Security Playbook from a CACAO playbook I have devised the following mapping (fields in <> are CACAO playbook properties):

{
    "attributes": {
        "playbook-id": "<ID>",
        "description": "<DESCRIPTION>",
        "revoked": "<REVOKED>",
        "playbook-abstraction": "<TYPE>",
        "playbook-creation-time": "<CREATED>",
        "playbook-modification-time": "<MODIFIED>",
        "playbook-valid-from": "<PLAYBOOK_VALID_FROM>",
        "playbook-valid-until": "<PLAYBOOK_VALID_UNTIL>",
        "playbook-creator": "<CREATED_BY_REF>",
        "labels": [
            "<LABELS>"
        ],
        "playbook-standard": "<PLAYBOOK_STANDARD>",
        "playbook-type": "<PLAYBOOK_TYPE>",
        "playbook-priority": "<PLAYBOOK_PRIORITY>",
        "playbook-severity": "<PLAYBOOK_SEVERITY>",
        "playbook-impact": "<PLAYBOOK_IMPACT>",
        "playbook-file": "<REF TO CACAO JSON OBJECT>"
    }
}
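As an added, worked version of the mapping above (my own example code, not the post's, MISP's or PyMISP's), the following converts a constructed CACAO 1.1 playbook into the attribute set of a MISP Security Playbook object and reads the playbook back out of playbook-file. It uses CACAO 1.1 property names (playbook_types, created_by, valid_from, and so on), assumes the MISP security-playbook attribute names as they appear in the mapping (including playbook-impact as the target for the CACAO impact value), and builds a plain dict rather than calling the MISP API:

```python
import json

# Constructed CACAO 1.1 playbook used as sample input (not taken from the post).
SAMPLE_CACAO = {
    "type": "playbook",
    "spec_version": "1.1",
    "id": "playbook--11111111-2222-4333-8444-555555555555",
    "name": "Isolate host after confirmed C2 beacon",
    "description": "Detection playbook that quarantines a host once a beacon is confirmed.",
    "playbook_types": ["detection", "remediation"],
    "created_by": "identity--aaaaaaaa-bbbb-4ccc-8ddd-eeeeeeeeeeee",
    "created": "2022-06-01T10:00:00.000Z",
    "modified": "2022-06-02T10:00:00.000Z",
    "revoked": False,
    "valid_from": "2022-06-01T00:00:00.000Z",
    "valid_until": "2023-06-01T00:00:00.000Z",
    "priority": 10,
    "severity": 80,
    "impact": 50,
    "labels": ["c2", "beacon"],
    "workflow_start": "step--a1a1a1a1-2222-4333-8444-555555555555",
    "workflow": {
        "step--a1a1a1a1-2222-4333-8444-555555555555": {
            "type": "start", "on_completion": "step--b2b2b2b2-2222-4333-8444-555555555555"},
        "step--b2b2b2b2-2222-4333-8444-555555555555": {
            "type": "single", "name": "Quarantine host",
            "commands": [{"type": "manual", "command": "Isolate the host in the EDR console"}],
            "on_completion": "step--c3c3c3c3-2222-4333-8444-555555555555"},
        "step--c3c3c3c3-2222-4333-8444-555555555555": {"type": "end"},
    },
}

# The mapping table from the post, expressed as MISP attribute -> CACAO property.
# (playbook-impact is assumed to be the intended target of the CACAO 'impact' value.)
CACAO_TO_MISP = {
    "playbook-id": "id",
    "description": "description",
    "revoked": "revoked",
    "playbook-abstraction": "type",  # the post maps the CACAO 'type' value here
    "playbook-creation-time": "created",
    "playbook-modification-time": "modified",
    "playbook-valid-from": "valid_from",
    "playbook-valid-until": "valid_until",
    "playbook-creator": "created_by",
    "labels": "labels",
    "playbook-type": "playbook_types",
    "playbook-priority": "priority",
    "playbook-severity": "severity",
    "playbook-impact": "impact",
}

# Properties CACAO 1.1 requires on every playbook object.
REQUIRED_CACAO = ("type", "spec_version", "id", "name", "created_by", "created", "modified")


def is_valid_cacao(playbook):
    """Cheap structural check so a malformed document is rejected before it reaches MISP."""
    if any(key not in playbook for key in REQUIRED_CACAO):
        return False
    if playbook["type"] not in ("playbook", "playbook-template"):
        return False
    return str(playbook["id"]).startswith("playbook--")


def cacao_to_misp_security_playbook(playbook):
    """Build the attribute dict of a MISP 'security-playbook' object from a CACAO playbook."""
    if not is_valid_cacao(playbook):
        raise ValueError("input is not a well-formed CACAO playbook")
    attributes = {}
    for misp_attr, cacao_prop in CACAO_TO_MISP.items():
        if cacao_prop in playbook:  # optional CACAO properties are simply skipped
            attributes[misp_attr] = playbook[cacao_prop]
    # The source is a CACAO document, so the standard is a constant, not a mapped field.
    attributes["playbook-standard"] = "cacao"
    # playbook-file carries the whole playbook in its native JSON form.
    attributes["playbook-file"] = json.dumps(playbook, separators=(",", ":"), sort_keys=True)
    return {"name": "security-playbook", "attributes": attributes}


def playbook_from_misp(misp_object):
    """Recover the original CACAO document from the playbook-file attribute."""
    return json.loads(misp_object["attributes"]["playbook-file"])


if __name__ == "__main__":
    print(json.dumps(cacao_to_misp_security_playbook(SAMPLE_CACAO), indent=2))
```

Because MISP treats playbook-file as an opaque attachment, the is_valid_cacao check is the one point in this flow where a malformed or mislabelled document is caught before it is shared; in a real import you would extend it with the CACAO JSON schema rather than the handful of required keys checked here.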

Although MISP is a popular tool, it is built on its own concepts, which are comprehensive but, as a result, can often leave you confused (well, me anyway).

Seeing as most of the work I do at Signals Corps is built on STIX 2.1, I decided to take a look at the compatibility of STIX and CACAO (they’re both maintained by OASIS, after all).

STIX 2.1 and CACAO

For those familiar with STIX, the structure and properties of CACAO Playbooks are very similar, and in some cases identical, to STIX (both are managed by OASIS).

The benefit of STIX is that it is a widely adopted standard (including by MISP) for describing threat intelligence. One of its descriptive objects (STIX Domain Objects) is the Course of Action Object, defined as:

A Course of Action is an action taken either to prevent an attack or to respond to an attack that is in progress.

A CACAO Playbook could, in my mind, be considered a course of action as defined above.

However, the standard STIX 2.1 Course of Action Object properties are not sufficient to fully map a CACAO playbook.

I am not the only one thinking along these lines: the team at Fovea Research have already extended the STIX 2.1 Course of Action Object to support CACAO.

If you are unfamiliar with extending STIX 2.1 Objects using extension definitions, I recommend reading my post STIX 2.1 104: Customisation.

Fovea Research have built a STIX 2.1 extension-definition Object that defines how CACAO Playbooks can be nested inside STIX 2.1 Course of Action Objects.

Here is an example of a STIX 2.1 Course of Action Object with a CACAO Playbook embedded:

{
  "type": "course-of-action",
  "spec_version": "2.1",
  "id": "course-of-action--e06259ad-a154-4e23-bc0a-e229ccb3456f",
  "created_by_ref": "identity--ae82a5e5-ec07-4863-ad88-6504b29f24e9",
  "created": "2022-01-18T23:22:03.934698Z",
  "modified": "2022-08-25T19:14:15.437976Z",
  "name": "playbook",
  "description": "A course of action for CVE-2021-44228.",
  "extensions": {
      "extension-definition--1e1c1bd7-c527-4215-8e18-e199e74da57c": {
          "extension_type": "property-extension",
          "playbook_id": "cf5997e8-e387-426a-a32d-694e4f55f80b",
          "created": "2022-01-18T23:22:03.934698Z",
          "modified": "2022-08-25T19:14:15.437976Z",
          "playbook_creator": "identity--ae82a5e5-ec07-4863-ad88-6504b29f24e9",
          "revoked": false,
          "labels": [
              "CVE-2021-44228"
          ],
          "description": "A playbook that, via SBOM processing, detects assets vulnerable to CVE-2021-44228. The same playbook will investigate if there have been attempts to exploit vulnerable assets.",
          "playbook_valid_from": "2022-03-18T00:00:00.000000Z",
          "playbook_creation_time": "2022-01-09T08:00:33.432637Z",
          "playbook_impact": 1,
          "playbook_severity": 90,
          "playbook_priority": 0,
          "playbook_type": [
              "detection",
              "investigation"
          ],
          "playbook_standard": "cacao",
          "playbook_abstraction": "executable",
          "playbook_bin": "ewogICJ0eXBlIjogInBsYXlib29rIiwKICAic3BlY192ZXJzaW9uIjogIjEuMCIsCiAgImlkIjogInBsYXlib29rLS02Yjc0MTk5ZC00MmE2LTQzYTEtOTljYi03NWQ1MjIwN2E3NzgiLAogICJuYW1lIjogIlByZXZlbnQgRnV6enlQYW5kYSBNYWx3YXJlIiwKICAiZGVzY3JpcHRpb24iOiAiVGhpcyBwbGF5Ym9vayB3aWxsIGJsb2NrIHRyYWZmaWMgdG8gdGhlIEZ1enp5UGFuZGEgZGF0YSBleGZpbCBzaXRlIiwKICAicGxheWJvb2tfdHlwZXMiOiBbCiAgICAicHJldmVudGlvbiIKICBdLAogICJjcmVhdGVkX2J5IjogImlkZW50aXR5L="
      }
  }
}

You can see the entire CACAO Playbook JSON (base64 encoded) in the playbook_bin property, nested under the extension-definition--1e1c1bd7-c527-4215-8e18-e199e74da57c key. In the example above I have only encoded the first few lines of a playbook so it isn’t too long for this page.

In an attempt to automate the creation of Course of Action objects (with the extension definition) from CACAO playbooks, I came up with the following mapping from CACAO playbook properties to STIX Course of Action properties, including the extension-definition--1e1c1bd7-c527-4215-8e18-e199e74da57c properties (fields in <> are CACAO playbook properties):

{
    "type": "course-of-action",
    "spec_version": "2.1",
    "id": "course-of-action--<ID>",
    "created_by_ref": "<CREATED_BY>",
    "created": "<CREATED>",
    "modified": "<MODIFIED>",
    "revoked": "<REVOKED>",
    "description": "<DESCRIPTION>",
    "labels": [
        "<LABELS>"
    ],
    "object_marking_refs": [
        "<DATA_MARKING_DEFINITIONS>"
    ],
    "external_references": [
        "<EXTERNAL_REFERENCES>"
    ],
    "extensions": {
        "extension-definition--1e1c1bd7-c527-4215-8e18-e199e74da57c": {
            "extension_type": "property-extension",
            "playbook_id": "<ID>",
            "description": "<DESCRIPTION>",
            "created": "<CREATED>",
            "modified": "<MODIFIED>",
            "revoked": "<REVOKED>",
            "playbook_creation_time": "<CREATED>",
            "playbook_modification_time": "<MODIFIED>",
            "playbook_valid_from": "<VALID_FROM>",
            "playbook_valid_until": "<VALID_UNTIL>",
            "playbook_creator": "<CREATED_BY>",
            "labels": [
                "<LABELS>"
            ],
            "playbook_standard": "cacao",
            "playbook_type": [
                "<PLAYBOOK_TYPES>"
            ],
            "playbook_severity": "<SEVERITY>",
            "playbook_priority": "<PRIORITY>",
            "playbook_bin": "<ENTIRE PLAYBOOK BASE64 ENCODED>"
        }
    }
}

It doesn’t matter that not all CACAO playbook property values are mapped to the STIX Course of Action Object: they all remain available by decoding the entire playbook in the playbook_bin property.
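To make the CACAO -> STIX mapping concrete, here is an added example (my own code, not Fovea Research’s and not from the post): it wraps a constructed CACAO 1.1 playbook in a STIX 2.1 Course of Action carrying the extension-definition--1e1c1bd7-c527-4215-8e18-e199e74da57c property extension, base64-encodes the whole playbook into playbook_bin, and decodes it back while checking that the embedded id agrees with playbook_id. It assumes that <ID> is the UUID part of the CACAO id (as in Fovea’s example object), translates CACAO external-reference fields to STIX names by my own choice, and leaves object_marking_refs out because CACAO marking ids and STIX marking-definition refs are different identifier types:

```python
import base64
import json

# Extension definition id quoted in the post (Fovea Research's CACAO extension).
CACAO_EXTENSION_ID = "extension-definition--1e1c1bd7-c527-4215-8e18-e199e74da57c"

# Constructed CACAO 1.1 playbook used as sample input (not the post's example).
SAMPLE_CACAO = {
    "type": "playbook",
    "spec_version": "1.1",
    "id": "playbook--0e1d2c3b-4a59-4687-9a0b-1c2d3e4f5a6b",
    "name": "Sinkhole known exfiltration domain",
    "description": "Prevention playbook that adds an exfiltration domain to the DNS sinkhole.",
    "playbook_types": ["prevention"],
    "created_by": "identity--5f6e7d8c-9b0a-4123-8456-7890abcdef12",
    "created": "2022-05-01T12:00:00.000Z",
    "modified": "2022-05-03T09:30:00.000Z",
    "revoked": False,
    "valid_from": "2022-05-01T00:00:00.000Z",
    "valid_until": "2023-05-01T00:00:00.000Z",
    "priority": 5,
    "severity": 70,
    "impact": 40,
    "labels": ["exfiltration", "dns"],
    "external_references": [{"name": "internal ticket", "external_id": "IR-0042 (constructed)"}],
    "workflow_start": "step--a1a1a1a1-2222-4333-8444-555555555555",
    "workflow": {
        "step--a1a1a1a1-2222-4333-8444-555555555555": {
            "type": "start", "on_completion": "step--b2b2b2b2-2222-4333-8444-555555555555"},
        "step--b2b2b2b2-2222-4333-8444-555555555555": {
            "type": "single", "name": "Add domain to sinkhole",
            "commands": [{"type": "manual", "command": "Add the domain to the DNS sinkhole zone"}],
            "on_completion": "step--c3c3c3c3-2222-4333-8444-555555555555"},
        "step--c3c3c3c3-2222-4333-8444-555555555555": {"type": "end"},
    },
}

# Extension properties that copy one CACAO property when it is present.
OPTIONAL_EXTENSION_PROPS = {
    "description": "description", "labels": "labels",
    "playbook_valid_from": "valid_from", "playbook_valid_until": "valid_until",
    "playbook_severity": "severity", "playbook_priority": "priority", "playbook_impact": "impact",
}


def encode_playbook(playbook):
    """Serialise canonically and base64-encode: this is the playbook_bin value."""
    raw = json.dumps(playbook, separators=(",", ":"), sort_keys=True).encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def stix_external_references(cacao_refs):
    """CACAO external-reference -> STIX external-reference (field names chosen by me)."""
    out = []
    for ref in cacao_refs:
        stix_ref = {"source_name": ref["name"]}
        for key in ("description", "url", "external_id"):
            if key in ref:
                stix_ref[key] = ref[key]
        out.append(stix_ref)
    return out


def cacao_to_course_of_action(playbook):
    """Wrap a CACAO playbook in a STIX 2.1 course-of-action following the post's mapping."""
    if playbook.get("type") != "playbook" or not str(playbook.get("id", "")).startswith("playbook--"):
        raise ValueError("input is not a CACAO playbook object")
    uuid_part = playbook["id"].split("--", 1)[1]  # <ID> in the post's template
    extension = {
        "extension_type": "property-extension",
        "playbook_id": uuid_part,
        "created": playbook["created"],
        "modified": playbook["modified"],
        "revoked": playbook.get("revoked", False),
        "playbook_creation_time": playbook["created"],
        "playbook_modification_time": playbook["modified"],
        "playbook_creator": playbook["created_by"],
        "playbook_standard": "cacao",
        "playbook_type": list(playbook.get("playbook_types", [])),
    }
    for ext_key, cacao_key in OPTIONAL_EXTENSION_PROPS.items():
        if cacao_key in playbook:
            extension[ext_key] = playbook[cacao_key]
    extension["playbook_bin"] = encode_playbook(playbook)
    coa = {
        "type": "course-of-action",
        "spec_version": "2.1",
        "id": f"course-of-action--{uuid_part}",
        "created_by_ref": playbook["created_by"],
        "created": playbook["created"],
        "modified": playbook["modified"],
        "revoked": playbook.get("revoked", False),
        "name": playbook["name"],
        "labels": list(playbook.get("labels", [])),
        "extensions": {CACAO_EXTENSION_ID: extension},
    }
    if "description" in playbook:
        coa["description"] = playbook["description"]
    if "external_references" in playbook:
        coa["external_references"] = stix_external_references(playbook["external_references"])
    return coa


def playbook_from_course_of_action(coa):
    """Decode playbook_bin and check it is the playbook the wrapper claims to carry."""
    extension = coa.get("extensions", {}).get(CACAO_EXTENSION_ID)
    if extension is None:
        raise ValueError("course-of-action carries no CACAO extension")
    playbook = json.loads(base64.b64decode(extension["playbook_bin"], validate=True))
    if playbook.get("id") != f"playbook--{extension['playbook_id']}":
        raise ValueError("playbook_bin does not match playbook_id")
    return playbook
```

Decoding with validate=True rejects a playbook_bin that contains characters outside the base64 alphabet, and the id comparison catches a wrapper whose playbook_id was edited without re-encoding the payload; both are cheap checks worth running on any Course of Action received from a feed before its playbook is handed to automation.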

STIX 2.1 Course of Action CACAO Extension Definition

By embedding the CACAO playbook into the STIX Course of Action Object, the other contextual information around the playbook itself can also be easily accessed and understood (e.g. relationships to other STIX 2.1 Objects).

I’ve seen this used particularly well for detection playbooks, where the intelligence about the threat is mapped in STIX, and the CACAO Playbook is added to the knowledge graph as a STIX 2.1 Course of Action.

There are plenty of other benefits to writing CACAO playbooks into STIX Course of Action Objects:

  • lots of tooling already understands STIX 2.1
  • these tools can be used to collaborate on and share STIX 2.1 Objects without any customisation
  • lots of threat intelligence is now stored exclusively as STIX 2.1

STIX 2.1 Course of Action -> MISP Security Playbook

During my research I discovered Fovea had also been looking into mapping their Course of Action extension definition properties into MISP Objects.

STIX 2.1 Course of Action Objects (without the CACAO extension definition) have long been mapped to MISP Course of Action Objects (in the misp-stix library), which provides a good starting point.

STIX Course of Action to MISP Security Playbook

For STIX 2.1 Course of Action Objects with the CACAO extension definition, however, the team at Fovea needed to conduct (and have conducted) a similar exercise, mapping them to MISP Security Playbook objects.

Here is how STIX 2.1 Course of Action Objects with the CACAO extension definition can be mapped to MISP Security Playbook Object attributes (fields in <> are STIX 2.1 Course of Action properties; the EXTENSION. prefix denotes properties of the CACAO extension definition):

{
    "attributes": {
        "playbook-id": "<ID>",
        "description": "<DESCRIPTION>",
        "revoked": "<REVOKED>",
        "playbook-creation-time": "<CREATED>",
        "playbook-modification-time": "<MODIFIED>",
        "playbook-valid-from": "<EXTENSION.PLAYBOOK_VALID_FROM>",
        "playbook-valid-until": "<EXTENSION.PLAYBOOK_VALID_UNTIL>",
        "playbook-creator": "<CREATED_BY_REF>",
        "labels": [
            "<LABELS>"
        ],
        "playbook-standard": "<EXTENSION.PLAYBOOK_STANDARD>",
        "playbook-type": "<EXTENSION.PLAYBOOK_TYPE>",
        "playbook-severity": "<EXTENSION.PLAYBOOK_SEVERITY>",
        "playbook-priority": "<EXTENSION.PLAYBOOK_PRIORITY>",
        "playbook-impact": "<EXTENSION.PLAYBOOK_IMPACT>",
        "playbook-base64": "<EXTENSION.PLAYBOOK_BIN>"
    }
}
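The STIX -> MISP mapping above as an added example (my own code, not Fovea’s and not misp-stix): it reads the CACAO extension off a constructed STIX 2.1 Course of Action, refuses to produce a MISP object when playbook_bin is missing, is not base64-encoded JSON, or does not contain a CACAO playbook whose id agrees with playbook_id, and otherwise fills the MISP Security Playbook attributes, passing playbook_bin through unchanged into playbook-base64. The MISP attribute names are taken from the mapping as assumptions (priority and impact each mapped to their own attribute), and no MISP API call is made:

```python
import base64
import json

# Extension definition id quoted in the post (Fovea Research's CACAO extension).
CACAO_EXTENSION_ID = "extension-definition--1e1c1bd7-c527-4215-8e18-e199e74da57c"

# Constructed CACAO playbook, encoded below exactly as it would sit in playbook_bin.
_SAMPLE_PLAYBOOK = {
    "type": "playbook",
    "spec_version": "1.1",
    "id": "playbook--7a1b2c3d-4e5f-4a6b-8c7d-8e9f0a1b2c3d",
    "name": "Triage reported phishing email",
    "playbook_types": ["investigation"],
    "created_by": "identity--0f0e0d0c-0b0a-4998-8776-655443322110",
    "created": "2022-07-10T08:00:00.000Z",
    "modified": "2022-07-10T08:00:00.000Z",
}
_SAMPLE_BIN = base64.b64encode(json.dumps(_SAMPLE_PLAYBOOK).encode("utf-8")).decode("ascii")

# Constructed STIX 2.1 course-of-action carrying the CACAO extension (not the post's example).
SAMPLE_COA = {
    "type": "course-of-action",
    "spec_version": "2.1",
    "id": "course-of-action--7a1b2c3d-4e5f-4a6b-8c7d-8e9f0a1b2c3d",
    "created_by_ref": "identity--0f0e0d0c-0b0a-4998-8776-655443322110",
    "created": "2022-07-10T08:00:00.000Z",
    "modified": "2022-07-10T08:00:00.000Z",
    "revoked": False,
    "name": "Triage reported phishing email",
    "description": "Investigation playbook for user-reported phishing.",
    "labels": ["phishing"],
    "extensions": {
        CACAO_EXTENSION_ID: {
            "extension_type": "property-extension",
            "playbook_id": "7a1b2c3d-4e5f-4a6b-8c7d-8e9f0a1b2c3d",
            "playbook_valid_from": "2022-07-10T00:00:00.000Z",
            "playbook_standard": "cacao",
            "playbook_type": ["investigation"],
            "playbook_severity": 60,
            "playbook_priority": 20,
            "playbook_impact": 30,
            "playbook_bin": _SAMPLE_BIN,
        }
    },
}

# The post's mapping table: (MISP attribute, where, STIX key). "coa" is the top-level
# object, "ext" the CACAO extension (the EXTENSION. prefix in the post).
MAPPING = [
    ("playbook-id", "coa", "id"),
    ("description", "coa", "description"),
    ("revoked", "coa", "revoked"),
    ("playbook-creation-time", "coa", "created"),
    ("playbook-modification-time", "coa", "modified"),
    ("playbook-valid-from", "ext", "playbook_valid_from"),
    ("playbook-valid-until", "ext", "playbook_valid_until"),
    ("playbook-creator", "coa", "created_by_ref"),
    ("labels", "coa", "labels"),
    ("playbook-standard", "ext", "playbook_standard"),
    ("playbook-type", "ext", "playbook_type"),
    ("playbook-severity", "ext", "playbook_severity"),
    ("playbook-priority", "ext", "playbook_priority"),
    ("playbook-impact", "ext", "playbook_impact"),
    ("playbook-base64", "ext", "playbook_bin"),
]


def extract_cacao_extension(coa):
    """Return the CACAO extension, or raise if it is missing or its payload is not a CACAO playbook."""
    if coa.get("type") != "course-of-action":
        raise ValueError("not a STIX course-of-action")
    ext = coa.get("extensions", {}).get(CACAO_EXTENSION_ID)
    if ext is None:
        raise ValueError("course-of-action carries no CACAO extension")
    try:
        playbook = json.loads(base64.b64decode(ext["playbook_bin"], validate=True))
    except (KeyError, ValueError) as exc:  # binascii.Error and JSONDecodeError are ValueErrors
        raise ValueError("playbook_bin is missing or is not base64-encoded JSON") from exc
    if not isinstance(playbook, dict) or playbook.get("type") not in ("playbook", "playbook-template"):
        raise ValueError("playbook_bin does not contain a CACAO playbook")
    if playbook.get("id") != f"playbook--{ext.get('playbook_id')}":
        raise ValueError("playbook_bin id disagrees with playbook_id")
    return ext


def stix_coa_to_misp_security_playbook(coa):
    """Fill the MISP 'security-playbook' attributes from a STIX course-of-action with the extension."""
    ext = extract_cacao_extension(coa)
    sources = {"coa": coa, "ext": ext}
    attributes = {}
    for misp_attr, where, key in MAPPING:
        if key in sources[where]:  # optional properties that are absent are skipped
            attributes[misp_attr] = sources[where][key]
    return {"name": "security-playbook", "attributes": attributes}
```

Passing playbook_bin through untouched keeps the MISP copy byte-for-byte identical to what the STIX producer signed or hashed, which matters if a consumer later wants to go back to the original source object, as the note below discusses.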

By modelling CACAO Playbooks as STIX Objects and/or MISP Objects, the ease of sharing is massively increased (and will hopefully lead to wider adoption).

Note, the difference between this approach (STIX -> MISP) and the first (CACAO -> MISP) is subtle. If I had to choose, I’d take the STIX approach, as STIX is more widely adopted right now (should the consumer want to go back to the original source object). You might want to use a mix of the two mappings. I’m just here to spark your imagination!

That said, a few years ago (2019) a lot of big-name companies got behind CACAO, although in the intervening years it seems none have delivered a productised offering around CACAO, sadly.

To me it comes down to a lack of CACAO playbook content…

Next up: Getting hands on

In the next post in this tutorial I will help you practice what I’m preaching.

For that I will take some examples of existing playbooks and convert them into CACAO format.

