CACAO Roaster - Feb 2024
OCA Community Connect
Roseann Guttierrez | https://opencybersecurityalliance.org/ | Launched: Mar 04, 2024 | Season: 2 Episode: 9
Welcome back to OCA Community Connect, your source for all things related to the Open Cybersecurity Alliance. In today's episode, we have the pleasure of speaking with Vasilios Mavroeidis, a cybersecurity professor at the University of Oslo and a member of the OCA governing board. Join us as Vasilios Mavroeidis shares his expertise and insights into the world of cybersecurity standards, offering a compelling look into the CACAO Roaster subproject and its potential to shape the future of cybersecurity operations.
This project aims to expand on the CACAO standard by providing an application that enables defenders to effectively design, sign, exchange and utilize playbooks. Vasilios advocates for the importance of this subproject, highlighting its potential to enhance the capacity of security operation centers, particularly for national security authorities and operators of essential services.
Throughout our conversation, Vasilios emphasizes the significance of community involvement in the project's development. He expresses the need for contributions from the wider cybersecurity community to improve the project, expand its capabilities, and create a valuable knowledge base of playbooks. Vasilios also delves into the potential for automation and the broad impact that the CACAO standard and, in turn, the Roaster subproject could have on the field of cybersecurity.
- - -
**Episode Specific References**
OASIS Collaborative Automated Course of Action Operations (CACAO) for Cyber Security
https://groups.oasis-open.org/communities/tc-community-home2?CommunityKey=b75cccb8-adc6-4de5-8b99-018dc7d322b6
Reference Links:
Open Cybersecurity Alliance (OCA) website:
https://opencybersecurityalliance.org/
Open Cybersecurity Alliance (OCA) GitHub
https://github.com/opencybersecurityalliance
Open Cybersecurity Alliance (OCA) YouTube
https://www.youtube.com/channel/UCjTpPl2oEGH_Ws251m827Cg
Share Your Ideas & Guest Suggestions!
Got a topic or an expert in mind for "OCA Community Connect"? We’re always on the lookout for fresh insights and voices in cybersecurity and open-source innovation.
How to Contribute:
Topics: Tell us what you’re curious about in the cybersecurity world.
Guests: Know someone who’d be a great interview? We’d love to hear about them.
Reach Out: Drop us an email or message us on social media. Your suggestions help shape our show, and we can’t wait to hear from you!
Roseann Guttierrez [00:00:00]:
Our guest today is Vasilios Mavroeidis. He is a professor of cybersecurity at the University of Oslo, and he's also a member of our OCA governing board. We're going to be talking to him today about the CACAO Roaster subproject. Very excited to hear about this. Hi, Vasilios. How are you doing today? Thanks for joining us.
Vasileios Mavroeidis [00:00:19]:
I'm great. Thank you. Thank you for the invitation. Glad to be here.
Roseann Guttierrez [00:00:23]:
Wonderful. Wonderful. Why don't we start by having you give kind of, like, a little mini story as to how you how you got in cybersecurity, how you got here today?
Vasileios Mavroeidis [00:00:33]:
Sure. Well, basically, my studies were in cybersecurity, but at some point, you know, after I did my master's, I found a job, but then I said that I wanted to do a PhD. Then, you know, I relocated from the UK to Norway. I'm originally from Greece, actually. So I've been all over the world. In any case, I started looking at Norway, and I did my PhD here. And then my postdoc here; I worked a little as a researcher.
Vasileios Mavroeidis [00:00:57]:
Then finally, I got a professorship after a lot of effort. So, currently, I'm a professor of cybersecurity at the University of Oslo. Basically, I conduct mostly research, with a particular focus on cyber threat intelligence and security automation, and mostly in the context of European projects, EU-funded projects, basically. I'm also an ambassador of open standards and open source. I guess this is the reason also I'm here today. I have contributed massively to the community. I joined OWASP actually almost 8 years ago, and I supported the development of different standards such as OpenC2, STIX, CACAO, the effect of the feedback for context ontology, and many others. I also currently have a chair on the board of directors of OASIS and the project governing board of the Open Cybersecurity Alliance.
Vasileios Mavroeidis [00:01:50]:
What else? I'm also co-chairing the FIRST Automation Special Interest Group, and I'm a member of different ad hoc working groups related to cybersecurity. I've been in the cybersecurity domain for about 10 years now.
Roseann Guttierrez [00:02:04]:
Okay. Well, why don't you tell us the elevator pitch for the CACAO Roaster project?
Vasileios Mavroeidis [00:02:10]:
Right. So what is the CACAO Roaster sub-project? Basically, you know, within OASIS, we identified the need of developing a cybersecurity playbook standard, and we always have this. To make the long story short, we try to do for playbooks what STIX, for example, did for cyber threat intelligence. So we needed a robust method to encode cybersecurity playbooks so defenders can exchange them, and the full focus is on interoperability. Basically, the pain point was, we have structural approaches that can be machine processable, basically, for threat intelligence. These standards generally are doing great at encoding detection engineering, but then the concept of, "So now what?" was still unresolved.
Roseann Guttierrez [00:02:57]:
Right.
Vasileios Mavroeidis [00:02:57]:
And for this reason, you know, we established this technical committee within OASIS. It's by Brett Jordan and Alan Thompson. I'm also the secretary of this technical committee, and I have contributed so massively to the development of the specification among other people and many organizations that have been participating. At some point, the standard, you know, came into a robust stage and, you know, it's all about adoption and verifying basically the standard. You can imagine people that know STIX, you know, it's exactly the same principle. We'll have a specification. The specification is encoded basically into a machine-readable format, in particular JSON. But then, you know, it's really impossible to start creating your playbooks manually.
Vasileios Mavroeidis [00:03:43]:
So you can't expect some people to start writing their playbooks, you know, in JSON. So we came up with the idea of developing a software to support adoption and basically allow defenders to start creating their own interoperable playbooks, to experiment with CACAO playbooks. And this is like, you know, 2-fold or 3-fold. Or so, basically, you know, it's not only about the project itself, but it will allow you to create playbooks, exchange playbooks, visualize playbooks, digitally sign playbooks, and verify them, but it's also, you know, a means to validate the specification. Because we develop products such as the specification. But then, you know, when you start developing an actual software, right, it's a good means for validating it, how good it is. So we also expect that the, you know, the community started creating playbooks. I assume that the community has started adopting the CACAO Roaster.
Vasileios Mavroeidis [00:04:40]:
I have multiple use cases to discuss later. But at the same time, we also identify, you know, new use cases, some fascinating use cases, but also issues with the specification we'll have to address in the future. So we can have a perfect standard for security playbooks.
Roseann Guttierrez [00:04:59]:
That's great. Yeah. I checked out the project over the weekend and really like the ease of use on it. And I do definitely see how it makes it easier for people to jump in and start creating things right away. So that's really great. So what makes the subproject important to you? Why is it important?
Vasileios Mavroeidis [00:05:17]:
So as I said, you know, I'm a standards person, and my focus is on cybersecurity automation. And if you should take it up a little higher level, you know, our shares here at the University of Oslo deal a lot with enhancing the capacity of security operation centers, and we are focusing on national security authorities and operators of essential services. Maybe what you call the critical infrastructure. They are or would mean in the US. Right? There were many needs regarding that. So the authorities need to, you know, we have these directives in the EU that are all about cross-border collaboration slash cooperation, the ability to exchange intelligence equally, the ability to collaborate in incident response activities. That was our motivation when we started the committee. We developed the project, and now we validate the Roaster itself and the request within the context of European projects.
Vasileios Mavroeidis [00:06:12]:
So we have multiple national security authorities that use the Roaster to create playbooks, couple these playbooks with cyber threat intelligence, in particular STIX, and not only now exchange, right, threat intelligence, but basically, as we call it here, defensive tradecraft.
Roseann Guttierrez [00:06:28]:
Right.
Vasileios Mavroeidis [00:06:29]:
And multiple use cases. Right? I mean, most of the people will think about, you know, incident response and methodologies, but we have use cases regarding business continuity, resilience, regulatory compliance, security policy compliance, whatever is related to cybersecurity operations from detection to response. No. Writing exercises, playbooks for engagement, basically, you know, like how you engage with adversaries in real-time active defense. And most importantly, you know, how these things come together, because the cybersecurity of specific entities, or I would say of too many entities, you know, is quite immature. So, you know, if you have a standard that will allow you to exchange this defensive knowledge, you know, as we're saying in the past for CTI, detection can become another's prevention. So it's a similar concept now with playbooks.
Roseann Guttierrez [00:07:33]:
Right. I love how you can sign them too. That's great. Okay. So as a new project, where can you use some help?
Vasileios Mavroeidis [00:07:39]:
The main thing that we want to do here is to create a community around the Roaster. So, you know, this was developed by us. Certainly, it's not perfect. It's an open source project. We developed it, basically, in our spare time. So we would like the community to contribute, not only code to improve the project. So it doesn't like finding bugs that, you know, initiating pull requests to fix something, but also coming up with, you know, use cases, such as we have the use case that we would like the Roaster to export STIX 2.1 course of action objects that can also incorporate cybersecurity playbooks. Right? So we need the community to support the project.
Vasileios Mavroeidis [00:08:28]:
We would like to create a playbooks knowledge base. This is a common issue right now, because people saw the Roaster, but immediately they start asking, but why have you not made, you know, a series of playbooks available? I mean, it's a reasonable request, but it takes time to do that, especially if you want to, you know, develop and contribute playbooks that make sense. It will be nice if we have the community supporting us with generating and making available their playbooks. And, also, we would like to identify use cases to, let's say, extend the project. One, let's say, complex use case would be that, okay, we have now an application that will allow us to generate playbooks. Right? Let's call it a user interface right now. What about the orchestration power? Basically, the orchestrator itself. So I do know, though, that there is a European entity.
Vasileios Mavroeidis [00:09:27]:
They have already contacted us. They are developing a native CACAO Orchestrator. So, you know, another project will be to couple our application, which will be the user interface of their orchestrator. We would like to have such kind of use cases. Right? We need to create also an API based on the needs of the community. We'd like to interconnect the system with incident case management systems, with CM, you know, to expand. And, I mean, the underlying cause is that we want to create environments, cybersecurity environments, that can be as automated as possible. When I see people that use the Roaster or, like, the CACAO specification, I say that, you know, even though it's a machine-processable format, right, you should not have only in your mind that you could create something that is fully automated.
Vasileios Mavroeidis [00:10:23]:
I think that this specification can be used in the context of, you know, in the principle of automate as you go. Right? You can even have these playbooks generated basically to your standard operating procedures now. Right? They're not going to be encoded in a slide deck or a Word document. Now you can have them in a format. We have a software. You can exchange them even if the actions are performed fully manually. Right?
Roseann Guttierrez [00:10:54]:
Right. Just a place to start. Right?
Vasileios Mavroeidis [00:10:53]:
Correct. Correct. You can have a knowledge base of playbooks. The playbooks have so many, really contextual metadata. You can filter your playbooks based on your needs, based on your sector, based on the adversary, basically based, you know, on the intrusion set, let's say, based on TTPs, based on what they address. So I think the community will shift to this direction in the future to have, you know, a knowledge base of playbooks, but then also you need to have a knowledge management system to be able to find the right information there and the right playbooks.
Roseann Guttierrez [00:11:30]:
Right. It sounds like there's lots of places, yeah, lots of places that you can get that assistance, for sure. Thank you so much for being here with me today and letting me ask you questions.