As cyber systems become increasingly complex and cybersecurity threats become more prominent, defenders must prepare, coordinate, automate, document, and share their response methodologies to the extent possible. The CACAO standard was developed to satisfy these requirements by providing a common machine-readable framework and schema to document cybersecurity operations processes, including defensive tradecraft and tactics, techniques, and procedures. Although this approach is compelling, a remaining limitation is that CACAO provides no native modeling notation for graphically representing playbooks, which is crucial for simplifying their creation, modification, and understanding. In contrast, the industry is familiar with BPMN, a standards-based modeling notation for business processes that has also found its place in representing cybersecurity processes. This research examines BPMN and CACAO and explores the feasibility of using the BPMN modeling notation to graphically represent CACAO security playbooks. The results indicate that mapping CACAO and BPMN is attainable at an abstract level; however, conversion from one encoding to another introduces a degree of complexity due to the multiple ways CACAO constructs can be represented in BPMN and the extensions required in BPMN to fully support CACAO.
IEEE-CSR-DS4CS-Reviewing BPMN as a Modeling Notation for CACAO Security Playbooks.pdf
1. Reviewing BPMN as a Modeling Notation for CACAO Security Playbooks
Authors: Mateusz Zych, Vasileios Mavroeidis, Konstantinos Fysarakis, Manos Athanatos
Cyentific AS
Projects that supported this research:
2. Ph.D. Research Fellow Mateusz Zych
Cyentific AS
Present Status of Cybersecurity
● Increasing and more sophisticated cyber attacks
● Asynchronous time advantage between adversaries and defenders
● Defenders must prepare, coordinate, automate, document and share their response
methodologies
● EU: NIS Legislation (Network and Information Security)
● Collaborative Automated Course of Action Operations (CACAO)
2 of 13
3. Collaborative Automated Course of Action Operations (CACAO)
● Schema and taxonomy for cybersecurity playbooks
● Machine-readable
● Vendor-agnostic
● Maintained by the OASIS CACAO TC
● Early adoption
4. Problem Statement / The Need
● CACAO:
○ New OASIS standard (upcoming)
○ Early adoption
○ No tools
○ No modeling notation
○ Challenging to work with
5. Our Aim
● Examine the use of the BPMN modeling notation as a candidate to graphically represent CACAO playbooks
● Provide a high-level construct mapping between CACAO and BPMN.
6. Business Process Model and Notation (BPMN)
● Maintained by the Object Management Group (OMG)
● Published in 2011, ISO/IEC 19510 since 2013
● Mature
● Supports different levels of abstraction
● Rich set of graphical elements
● Wide range of tools and platforms
● Also used for cybersecurity purposes
8. Use case
[Figure: Template playbook in any format -> (Create) -> CACAO JSON -> (Translate) -> BPMN Visualization]
9. Use Case: Vulnerability Response Process (CISA)
[Figure: CISA template playbook -> CACAO JSON -> BPMN (+ BPMN XML)]
https://github.com/cyentific-rni/bpmn-cacao
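As an added example that is not part of the slides or of the cyentific-rni/bpmn-cacao repository, the following Python sketches the "Translate" step above for a constructed vulnerability-response playbook: it walks the CACAO workflow from workflow_start and emits BPMN XML. The construct mapping (start -> startEvent, action -> task, end -> endEvent, if-condition -> exclusiveGateway) is a simplified assumption of this example, not the paper's mapping table, and the playbook's step shape and all ids are constructed.

```python
import xml.etree.ElementTree as ET
from collections import Counter, deque

BPMN_NS = "http://www.omg.org/spec/BPMN/20100524/MODEL"

# Assumed simplified construct mapping for this example (not the paper's table):
# start -> startEvent, action -> task, end -> endEvent, if-condition -> exclusiveGateway.
STEP_TO_BPMN = {"start": "startEvent", "action": "task",
                "end": "endEvent", "if-condition": "exclusiveGateway"}

# Constructed minimal CACAO-2.0-style playbook (step shape assumed, not from the slides).
SAMPLE_PLAYBOOK = {
    "type": "playbook", "spec_version": "cacao-2.0", "id": "playbook--example",
    "workflow_start": "start--1",
    "workflow": {
        "start--1": {"type": "start", "on_completion": "action--1"},
        "action--1": {"type": "action", "name": "Triage vulnerability report", "on_completion": "if-condition--1"},
        "if-condition--1": {"type": "if-condition", "name": "Vulnerability confirmed?",
                            "on_true": "action--2", "on_false": "action--3"},
        "action--2": {"type": "action", "name": "Deploy patch", "on_completion": "end--1"},
        "action--3": {"type": "action", "name": "Close as not affected", "on_completion": "end--1"},
        "end--1": {"type": "end"},
    },
}

def cacao_to_bpmn(playbook: dict) -> str:
    """Emit one BPMN element per reachable step and one sequenceFlow per step link."""
    ET.register_namespace("bpmn", BPMN_NS)
    defs = ET.Element(f"{{{BPMN_NS}}}definitions", id="definitions-1")
    proc = ET.SubElement(defs, f"{{{BPMN_NS}}}process", id=playbook["id"], isExecutable="false")
    steps, flows, seen = playbook["workflow"], [], set()
    queue = deque([playbook["workflow_start"]])
    while queue:
        sid = queue.popleft()
        if sid in seen:               # a shared successor (e.g. the end step) is emitted once
            continue
        seen.add(sid)
        step = steps[sid]
        tag = STEP_TO_BPMN[step["type"]]   # KeyError: construct outside this mapping
        ET.SubElement(proc, f"{{{BPMN_NS}}}{tag}", id=sid, name=step.get("name", step["type"]))
        # Follow every outgoing link; if-condition branches become labeled flows.
        for key, label in (("on_completion", None), ("on_true", "true"), ("on_false", "false")):
            if key in step:
                flows.append((sid, step[key], label))
                queue.append(step[key])
    for i, (src, dst, label) in enumerate(flows, 1):
        ET.SubElement(proc, f"{{{BPMN_NS}}}sequenceFlow", id=f"flow--{i}",
                      sourceRef=src, targetRef=dst, **({"name": label} if label else {}))
    return ET.tostring(defs, encoding="unicode")

def bpmn_element_counts(bpmn_xml: str) -> dict:
    """Count element kinds inside the <process>, a quick check that nothing was lost."""
    return dict(Counter(child.tag.split("}")[1] for child in ET.fromstring(bpmn_xml)[0]))
```

Running `bpmn_element_counts(cacao_to_bpmn(SAMPLE_PLAYBOOK))` shows the two branches converging on a single endEvent, which is one of the places where the slides note that several BPMN encodings are possible.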
10. Limitations
● A 1-1 mapping is troublesome, but attainable
● Some CACAO constructs can be modeled in several ways in BPMN
● BPMN Sub-Processes solve a few problems but introduce complexity
● Users need to be restricted in how they model in order to utilize a 1-1 translator
11. Further Work
● One-to-one mapping (in progress)
● BPMN extensions to support all metadata (finishing)
● Translator: CACAO->BPMN and BPMN->CACAO
○ Lossless conversion
12. Conclusion
● Presented and analyzed the mapping
● Validated the feasibility of using BPMN to graphically represent CACAO
● Great value for defenders
○ Decreased time needed for working with and understanding CACAO playbooks
13. Thank you for your attention
Questions?
Get in touch!