OpenC2 Orchestration vs. the Cyber Kill Chain


What is cyber security orchestration and why do you need it? First of all, it pertains to operational cyber security. Applying cyber security during system and software development is another topic altogether (search for DevSecOps for pointers). Data networks are growing every way you can imagine: size, power, value, capability, and hence complexity. The growth is exponential, and it causes great challenges in securing a network. Major networks contain a huge number of network security elements, each with many features that must be configured properly at all times to ensure the system is working right. We know how hard this is because of the number of security breaches reported in the media (did you get free credit monitoring from Target?), and because this has been going on for decades. It is not that the security equipment is bad, but that it is impossible to operate it at the speed (how fast a person can change or update a security system) and accuracy (an error-free configuration) needed to run it in an orchestrated fashion across an entire network, as a strong cyber security defense requires. Advanced cyber defense depends on the ability to maneuver a network (yes, move the network in cyberspace), and orchestration lets you do that.

Software engineering has addressed the problem of deployment complexity with Infrastructure as Code (IaC) practices. IaC creates repeatable processes, which are fundamental to every field of engineering. These processes increase the speed and accuracy of deployments and manage every element in a system. IaC runs at machine speed and has enabled practices like Continuous Integration/Continuous Delivery (CI/CD). How do you apply these concepts to cyber security? This is where orchestration and OpenC2 come in. (C2 means Command and Control.)

Orchestration

the planning or coordination of the elements of a situation to produce a desired effect

All network elements must work together to create the most secure environment. Because these elements come from multiple vendors and use different communication protocols, an overarching, open standard is needed. OpenC2 (www.openc2.org), developed by an OASIS technical committee, provides the open standard software developers need to create interfaces (adapters) that translate OpenC2 messages into the proprietary formats existing security systems expect. When building a new system, you can skip the adapter and expose an OpenC2 interface directly. I will not go into "why open standards?", since you use the Internet and already know that open standards create value, speed innovation, and enable huge economies of scale.

Maneuvering

Can you: update the IP addresses in a subnet in real time? Deny a network flow by blocking a port? Redirect a flow elsewhere? Start a new network using a cluster of Docker containers? Restart your services to remove corruption? Restore a container to its original state? The verbs in those questions (update, deny, redirect, start, restart, restore) are just a few OpenC2 actions. They can be used to maneuver the network from one state to another, like maneuvering a military unit on a battlefield. Your security equipment must implement the commands with the meaning you expect, which is what the actuator profiles are for. An OpenC2 interface to a Software Defined Network (SDN) controller will support network maneuver. If there are components outside the control of the SDN, you can add additional OpenC2 interfaces for them. This requires flexibility, another place OpenC2 shines.

The Kill Chain

Regarding cyber threats, every part of the kill chain could have its own post. Below are some techniques from the MITRE ATT&CK Matrix for Enterprise (https://attack.mitre.org/matrices/enterprise/) and the OpenC2 proactive and reactive actions that could be taken to mitigate them, when combined with an underlying system to implement the actions.

  • Initial Access: contain and scan new hardware before putting it online
  • External Remote Services: update ports on the fly between sessions
  • Persistence: restart or restore containers to remove persistent threats
  • Exploitation for Defense Evasion: update your software and firmware
  • Network Service Discovery: stop or deny unneeded services
  • Lateral Tool Transfer: redirect flows for inspection; don't just trust them

If you want to learn more about the cyber kill chain you are defending against, the ATT&CK Matrix is the place to start. Then start reading Black Hat presentations for an extra dash of paranoia. The scope and depth of the cyber kill chain show very tangible reasons to orchestrate your defenses with OpenC2.

How OpenC2 Works

There is a very simple and familiar analogy for OpenC2 commands: English sentence structure. Commands are composed of a subject, a verb, and an object, just like a sentence. In OpenC2 terms, it goes like this:

The Actuator is the subject. It performs an Action, which is the verb. The Target is the object the action is performed on. (A command can also carry Args, such as a time window or whether a response is requested, and an optional Actuator specifier that narrows which actuator should act.)

A single software orchestrator can be the producer of many commands and can (should!) talk to multiple different consumers (security units that can be appliances, software, or anything in between). You select an action and a target, put them in a command message, and send it to the consumer. The consumer uses one of its actuators to perform the action on the target and returns a response carrying a status code (HTTP-style: 200 for success, 400 for a malformed command, 501 for an action-target pair it does not implement) and any results. An OpenC2 consumer will likely have multiple actuators, and each will implement one or more profiles describing the action-target pairs (commands) the actuator can perform. Got all that? Time for a picture.

[Figure: mapping between OpenC2 terminology and a simple high-level orchestration architecture]

OpenC2 uses JSON for commands. The simplest one is the query features command, which every consumer must support:

  {"action": "query", "target": {"features": ["versions", "profiles", "pairs", "rate_limit"]}}

This command asks the consumer, "what can you do?" The consumer replies with JSON that describes the language versions it supports, the profiles it implements, the action-target pairs it can execute, and the maximum number of commands per minute it accepts.
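To make the exchange concrete, here is an added example (my own illustration, not code from the original post or from the OpenC2 project) of a minimal producer/consumer round trip in Python. A consumer with one hypothetical actuator implementing a slice of the SLPF firewall profile answers query features, executes deny ipv4_net, rejects a malformed command with 400, and returns 501 for a pair it does not support. The class names, the 60-per-minute rate limit and the 203.0.113.0/24 network are assumptions; the four feature names, the action and target names and the status codes follow the language specification.

```python
"""Minimal OpenC2 producer/consumer round trip (added example, not from the original post).

The consumer exposes one hypothetical actuator implementing a slice of the
SLPF (Stateless Packet Filtering) profile. Networks and limits are constructed.
"""
import ipaddress
import json

LANGUAGE_VERSIONS = ["1.0"]  # OpenC2 language versions this consumer speaks


class FirewallActuator:
    """Assumed SLPF actuator: keeps an in-memory deny list of IPv4 networks."""

    profile = "slpf"
    # action -> target types this actuator handles; this is what 'pairs' advertises
    pairs = {"allow": ["ipv4_net"], "deny": ["ipv4_net"]}

    def __init__(self):
        self.denied = []

    def deny(self, target):
        net = ipaddress.ip_network(target["ipv4_net"], strict=False)  # ValueError on junk
        if net not in self.denied:
            self.denied.append(net)
        return {"status": 200, "status_text": f"denied {net}"}

    def allow(self, target):
        net = ipaddress.ip_network(target["ipv4_net"], strict=False)
        self.denied = [n for n in self.denied if n != net]
        return {"status": 200, "status_text": f"allowed {net}"}


class Consumer:
    """Receives command messages, dispatches them to actuators, returns responses."""

    RATE_LIMIT = 60  # assumed: max commands per minute this consumer accepts

    def __init__(self, actuators):
        self.actuators = actuators

    def handle(self, command):
        action = command.get("action")
        target = command.get("target") or {}
        if not action or len(target) != 1:  # spec: exactly one target type per command
            return {"status": 400, "status_text": "need one action and exactly one target"}
        target_type = next(iter(target))

        if action == "query" and target_type == "features":  # mandatory for all consumers
            return self._query_features(target["features"])

        for act in self.actuators:
            if target_type in act.pairs.get(action, []):
                try:
                    return getattr(act, action)(target)
                except (ValueError, KeyError) as exc:
                    return {"status": 400, "status_text": f"bad target: {exc}"}
        return {"status": 501, "status_text": f"{action} {target_type} not implemented"}

    def _query_features(self, features):
        results = {}
        for feature in features:
            if feature == "versions":
                results["versions"] = LANGUAGE_VERSIONS
            elif feature == "profiles":
                results["profiles"] = [a.profile for a in self.actuators]
            elif feature == "pairs":
                pairs = {"query": ["features"]}
                for a in self.actuators:
                    for action, targets in a.pairs.items():
                        merged = pairs.setdefault(action, [])
                        merged.extend(t for t in targets if t not in merged)
                results["pairs"] = pairs
            elif feature == "rate_limit":
                results["rate_limit"] = self.RATE_LIMIT
            else:
                return {"status": 400, "status_text": f"unknown feature {feature}"}
        return {"status": 200, "results": results}


def send(consumer, command):
    """Producer side: what goes on the wire is JSON; the consumer parses it and answers."""
    return consumer.handle(json.loads(json.dumps(command)))


def demo():
    """Three representative exchanges: capability query, a supported command, an unsupported one."""
    firewall = Consumer([FirewallActuator()])
    capabilities = send(firewall, {"action": "query",
                                   "target": {"features": ["versions", "profiles", "pairs", "rate_limit"]}})
    blocked = send(firewall, {"action": "deny", "target": {"ipv4_net": "203.0.113.0/24"}})
    unsupported = send(firewall, {"action": "scan", "target": {"device": {"hostname": "db01"}}})
    return capabilities, blocked, unsupported


if __name__ == "__main__":
    for response in demo():
        print(json.dumps(response, indent=2))
```

The dispatch is driven entirely by the pairs table each actuator publishes, so the answer to query features and the set of commands the consumer will actually execute cannot drift apart; a producer that trusts the advertised pairs will never be surprised by a 501.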

Orchestration Hierarchy

Protecting a large enterprise network made up of many separate networks (autonomous systems, AS) distributed around the country or the globe requires more than a single orchestrator. One approach is to have an orchestrator in each AS. These orchestrators still need to communicate with each other and be able to receive commands from a Security Operations Center (SOC). Keep in mind that they remain able to operate on their own; being decentralized is an advantage if a cyber attack affects the SOC's ability to send commands. The lower-level orchestrators can collaborate using OpenC2, as discussed below. For SOC commands, I see great advantages in a publish/subscribe model. OpenC2 is working on Message Queuing Telemetry Transport (MQTT; https://docs.oasis-open.org/mqtt/mqtt/v5.0/mqtt-v5.0.html) as a transport for OpenC2 messages. The orchestrator in a given AS would subscribe to topics matching the profiles of the security components it serves, effectively making the profile a filter on commands from the SOC. Think of a profile like a software interface, with its list of commands (functions). The details of how the commands are implemented are encapsulated in the security components in the AS. Overall, you can think of this as object-oriented security.
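An added example (not from the original post or the OpenC2 MQTT work) of how profiles become topic filters. The topic layout oc2/cmd/all, oc2/cmd/ap/<profile> and oc2/cmd/device/<device_id> is assumed here as the shape the MQTT transfer specification uses; the AS names, device identifiers and the er profile name are constructed. No broker is needed to run it: the Broker class simulates publish/subscribe delivery, and topic_matches implements the MQTT filter rules for + and # so a wildcard audit subscription can be shown next to the per-profile ones.

```python
"""Profiles as MQTT topic filters for per-AS orchestrators (added example, not from the original post).

Topic layout (oc2/cmd/all, oc2/cmd/ap/<profile>, oc2/cmd/device/<device_id>) is
assumed from the OpenC2 MQTT transfer work; AS names, device ids and the 'er'
profile name are constructed. Broker is a stand-in so the example runs offline.
"""
import json


def topic_matches(topic_filter, topic):
    """MQTT topic-filter matching: '+' matches exactly one level, '#' (only as the
    last level) matches the remainder, and a filter that starts with a wildcard
    never matches a topic whose first level starts with '$' (broker-reserved)."""
    f_levels = topic_filter.split("/")
    t_levels = topic.split("/")
    if f_levels[0] in ("+", "#") and t_levels[0].startswith("$"):
        return False
    for i, level in enumerate(f_levels):
        if level == "#":
            return i == len(f_levels) - 1
        if i >= len(t_levels):
            return False
        if level != "+" and level != t_levels[i]:
            return False
    return len(f_levels) == len(t_levels)


class Broker:
    """Stand-in broker: fan out every publish to the subscriptions whose filter matches."""

    def __init__(self):
        self.subscriptions = []  # (topic_filter, callback)

    def subscribe(self, topic_filter, callback):
        self.subscriptions.append((topic_filter, callback))

    def publish(self, topic, payload):
        delivered = 0
        for topic_filter, callback in self.subscriptions:
            if topic_matches(topic_filter, topic):
                callback(topic, payload)
                delivered += 1
        return delivered


class ASOrchestrator:
    """Orchestrator for one autonomous system. Its subscriptions are derived from the
    profiles of the consumers it serves, so the profile acts as the filter on SOC commands."""

    def __init__(self, name, profiles, device_id):
        self.name = name
        self.received = []
        self.filters = ["oc2/cmd/all", f"oc2/cmd/device/{device_id}"]
        self.filters += [f"oc2/cmd/ap/{profile}" for profile in sorted(set(profiles))]

    def attach(self, broker):
        for topic_filter in self.filters:
            broker.subscribe(topic_filter, self.on_message)

    def on_message(self, topic, payload):
        command = json.loads(payload)
        target_type = next(iter(command["target"]))
        self.received.append((topic, command["action"], target_type))


def demo():
    """A SOC publishes three commands; only orchestrators serving the matching profile or device get them."""
    broker = Broker()
    east = ASOrchestrator("as-east", ["slpf"], "dev-east-01")
    west = ASOrchestrator("as-west", ["slpf", "er"], "dev-west-01")
    east.attach(broker)
    west.attach(broker)
    audit = []  # SOC-side audit feed: one wildcard subscription sees every command
    broker.subscribe("oc2/cmd/#", lambda topic, payload: audit.append(topic))

    counts = {
        "fw": broker.publish("oc2/cmd/ap/slpf",
                             json.dumps({"action": "deny", "target": {"ipv4_net": "198.51.100.0/24"}})),
        "er": broker.publish("oc2/cmd/ap/er",
                             json.dumps({"action": "contain", "target": {"device": {"hostname": "ws-17"}}})),
        "dev": broker.publish("oc2/cmd/device/dev-east-01",
                              json.dumps({"action": "query", "target": {"features": ["profiles"]}})),
    }
    return counts, east.received, west.received, audit


if __name__ == "__main__":
    counts, east, west, audit = demo()
    print(counts, east, west, sep="\n")
```

The firewall command reaches both AS orchestrators because both serve an slpf consumer, the endpoint command reaches only the west AS, and the device-addressed query reaches only the box it names. With a real broker the same filtering applies, which is why the broker's own access control on who may publish to oc2/cmd/... matters as much as TLS on the connection.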

OpenC2 Security

You cannot just have anybody sending OpenC2 commands to your security infrastructure. HTTPS is the transport of the moment, with work on other transports (such as MQTT) in progress. HTTPS (TLS) is not only used to encrypt commands and responses; OpenC2 requires mutual authentication of producers and consumers through PKI (digital certificates).

  • Every producer needs a client digital certificate
  • Every consumer needs a server digital certificate

You can create and self-sign these for test and development, but as soon as you go to a plugfest or beyond you will need certificates issued by a Certificate Authority the other parties trust, or your system will NOT talk to other ecosystem members, unless you provision your certificates into each of them (not recommended: it does not scale, and every pinned certificate is one more trust decision you have to track and revoke).

Benefits

Data Collection

You really need to create, own, and extract value from all the data you can, and OpenC2 can help. Do you know the security status of your network? All the software versions? Where certain equipment physically is? Your current rules on every firewall? Knowing what is going on in your network is very valuable. OpenC2 gives you the means to collect data directly with actions like scan, query, and locate. The other actions also return data about what they did and whether they succeeded. If you record the command you issued and save the response, you can build a complete picture (but the consumers do need to return complete information, not just the minimum for compliance). This leads to being able to model your network with a "digital twin", which lets you do many things: calculate the cost and time of an upgrade or overhaul, audit firewall rules against what they should be, or audit a router. The last two are great for finding simple mistakes or unauthorized changes to your security posture.

Macros

OpenC2 standardizes communication between a Security Operations Center and the multitude of security elements in the enterprise, but that is NOT enough. Note the C2 Macro Storage and Search blocks in my simple architecture. Creating macros lets you build automated, repeatable processes, which give you speed and accuracy. To get real value from OpenC2, your orchestrator must be able to perform a series of operations (think of it like a macro) involving multiple consumers (the instruments in your orchestra) and targets, checking each response before moving on to the next step. At the very least, you should be able to make a macro out of multiple actions available in the profiles supported by a single consumer.

Collaboration

Another important aspect of cyber defense is the ability to collaborate, especially in a large enterprise. Passing information about attacks and successful defenses can help others. OpenC2 has an investigate action defined as: "Task the recipient to aggregate and report information as it pertains to a security event or incident." This creates the opportunity to build a collaboration function and to close the loop on security problems others have seen. Use the information in such a report to drive other OpenC2 actions such as contain, deny, scan, or update, and you can see how a valuable system starts to emerge. For example, a report may indicate a threat from a certain piece of malware; your system can scan for the malware and then contain it. Another case would be a threat from a given IP address; the deny action can update firewall protection. A new threat on a given OS can be found and shared; the update action could be issued to perform security patching.
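Added example (my own code, not the original author's) tying the Macros and Collaboration sections together: a macro runner that issues an investigate command, fans out a deny to the firewall for every network in the report, and then moves on to endpoint actions, stopping at the first non-2xx response unless told otherwise. The three consumers are stand-ins whose answers are constructed inline (the INC-0042 identifier, the hostname and the addresses are made up); the response_requested: complete argument and the status codes are from the language specification.

```python
"""A macro that closes the loop on an investigate report (added example, not from the original post).

The three consumers are stand-ins whose answers are constructed inline; the
incident id, hostnames and addresses are made up. Status codes and the
response_requested argument follow the OpenC2 language specification.
"""
import json


def siem_consumer(command):
    """Stand-in: answers `investigate` with a constructed incident summary."""
    if command["action"] == "investigate":
        return {"status": 200, "results": {
            "incident": "INC-0042",
            "indicators": {"ipv4_net": ["198.51.100.7/32", "203.0.113.0/24"]}}}
    return {"status": 501, "status_text": "not implemented"}


def firewall_consumer(command):
    """Stand-in SLPF consumer: supports deny ipv4_net and nothing else."""
    if command["action"] == "deny" and "ipv4_net" in command["target"]:
        return {"status": 200, "status_text": f"denied {command['target']['ipv4_net']}"}
    return {"status": 501, "status_text": "not implemented"}


def endpoint_consumer(command):
    """Stand-in endpoint consumer: supports contain device but has no scan."""
    if command["action"] == "contain" and "device" in command["target"]:
        return {"status": 200}
    return {"status": 501, "status_text": "not implemented"}


def run_macro(steps, consumers, stop_on_failure=True):
    """Execute the macro. Each step is (consumer_name, builder); builder(results)
    returns the commands to issue, where results come from the most recent response
    that carried any. Every command asks for a complete response so the macro can
    branch on it. Returns [(consumer_name, command, response), ...]."""
    log = []
    results = None
    for consumer_name, builder in steps:
        for command in builder(results):
            command.setdefault("args", {})["response_requested"] = "complete"
            wire = json.dumps(command)  # this is what would cross the network
            response = consumers[consumer_name](json.loads(wire))
            log.append((consumer_name, command, response))
            if not 200 <= response.get("status", 500) < 300:
                if stop_on_failure:
                    return log
            elif "results" in response:
                results = response["results"]
    return log


def contain_incident_macro(host):
    """Investigate a host, deny every reported network, then scan and contain the host."""
    reported_nets = lambda r: (r or {}).get("indicators", {}).get("ipv4_net", [])
    return [
        ("siem", lambda _: [{"action": "investigate", "target": {"device": {"hostname": host}}}]),
        ("firewall", lambda r: [{"action": "deny", "target": {"ipv4_net": net}} for net in reported_nets(r)]),
        ("endpoint", lambda _: [{"action": "scan", "target": {"device": {"hostname": host}}}]),
        ("endpoint", lambda _: [{"action": "contain", "target": {"device": {"hostname": host}}}]),
    ]


CONSUMERS = {"siem": siem_consumer, "firewall": firewall_consumer, "endpoint": endpoint_consumer}


def demo(stop_on_failure=True):
    return run_macro(contain_incident_macro("ws-17"), CONSUMERS, stop_on_failure)


if __name__ == "__main__":
    for name, command, response in demo():
        print(f"{name:9} {command['action']:12} -> {response['status']}")
```

With the default stop_on_failure the macro halts at the endpoint's 501 for scan and never issues contain, which is the safe choice when later steps assume earlier ones succeeded; running it with stop_on_failure=False shows the alternative, where the 501 is logged and the macro carries on. Either way the log of (command, response) pairs is exactly the record the Data Collection section says you should be keeping.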

Best Value

OpenC2 allows you to secure your enterprise with a best-of-breed collection of security elements. For example, if you have a choice of two firewalls that both "speak" OpenC2, you can choose the one with the best features for you, knowing your orchestrator will still be able to control it. This helps with price negotiations, too!

Running a Honeynet

This might be a little exotic, but fun all the same! OpenC2 has create, restore, start, stop, allow, and detonate actions. These could manage a Docker system (or Kubernetes), enabling a safe, disposable environment for visiting malicious web sites or detonating malware samples, with restore returning a container to a known-good state afterwards.

Call To Action

  • If you have a security product, study the OpenC2 language specification, the HTTPS transfer specification, and the Stateless Packet Filtering (SLPF) profile to see how a firewall is controlled.
  • Publish a profile for your product and write the OpenC2 actuator software that implements the functionality of the profile.
  • Go to a plugfest to test your product against others and make sure it is compliant with the specification.
  • Create OpenC2 interfaces to existing products (they don't even have to be your own) that have open APIs. Publish the code and get famous!
  • Create an orchestrator product that interacts through OpenC2 to aid in cyber defense. It does not have to do the defending itself; it just uses OpenC2 to delegate to the components handling defense.

Summary

I hope this has at least inspired you to take a look at OpenC2. There are many things I touched upon in this article, some very lightly, but the seeds are planted. I think an OpenC2-enabled security ecosystem is on its way, and that it will be full of opportunities. As for me, I am already writing software that uses OpenC2 to control a signals intelligence system and putting the technology into other proposals where it fits.

Further Reading

If you really want to dig in, have a look at the intersection of the OODA loop, the Army's theory of maneuver (yes, the concepts map to offensive and defensive cyber), and cyber security. Just search for "ooda cyber maneuver." It is not a simple topic with a single reference to read, so a search is the best route.

Featured Image

Anon. (Italian), Fortification study, after 1600. Pen and ink and coloured washes on paper, with some fanciful additions by yours truly.

Translated from: https://medium.com/swlh/openc2-orchestration-vs-the-cyber-kill-chain-8cfcbde96763
