On the Integration of Course of Action Playbooks into Shareable Cyber Threat Intelligence
This work addresses interoperability challenges in cybersecurity operations by enabling better sharing and management of playbooks, though it appears incremental as it builds on existing standards like CACAO.
The paper tackles the problem of integrating machine-readable course of action playbooks into cyber threat intelligence systems by introducing a uniform metadata template, and demonstrates its applicability through two use-case implementations with MISP and OASIS platforms.
Motivated by the introduction of CACAO, the first open standard that harmonizes the way we document courses of action in a machine-readable format for interoperability, and the benefits for cybersecurity operations derived from utilizing, and coupling and sharing course of action playbooks with cyber threat intelligence, we introduce a uniform metadata template that supports managing and integrating course of action playbooks into knowledge representation and knowledge management systems. We demonstrate the applicability of our approach through two use-case implementations. We utilize the playbook metadata template to introduce functionality and integrate course of action playbooks, such as CACAO, into the MISP threat intelligence platform and the OASIS Threat Actor Context ontology.