On the Integration of Course of Action Playbooks into Shareable Cyber Threat Intelligence

Motivated by the introduction of CACAO, the first open standard that harmonizes the way we document courses of action in a machine-readable format for interoperability, and the benefits for cybersecurity operations derived from utilizing, and coupling and sharing course of action playbooks with cyber threat intelligence, we introduce a uniform metadata template that supports the management and integration of course of action playbooks into knowledge representation and knowledge management systems. We demonstrate the applicability of our approach through two use-case implementations where the proposed playbook metadata template is utilized to introduce and integrate course of action playbooks, such as CACAO, into the MISP threat intelligence platform and the OASIS Threat Actor Context ontology.



There are no comments yet.


page 4

page 5


Threat Actor Type Inference and Characterization within Cyber Threat Intelligence

As the cyber threat landscape is constantly becoming increasingly comple...

Extracting Features From Process Variants in Case Management

Case Management supports knowledge workers in performing knowledge-inten...

Evidential Cyber Threat Hunting

A formal cyber reasoning framework for automating the threat hunting pro...

Intelligence-based Cybersecurity Awareness Training- an Exploratory Project

Cybersecurity training should be adaptable to evolving the cyber threat ...

Non-repudiable provenance for clinical decision support systems

Provenance templates are now a recognised methodology for the constructi...

Taxonomy driven indicator scoring in MISP threat intelligence platforms

IT security community is recently facing a change of trend from closed t...
This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.

I Introduction

To respond effectively and in a timely manner to cybersecurity events and incidents, defenders create and utilize security playbooks, also known as course of action playbooks. Security playbooks document processes and procedures that can guide, coordinate, and speed up security operations and incident response, ensure organizational policy and regulatory framework compliance, or purely automate security functions.

CACAO is a security playbook standard developed by the OASIS Collaborative Automated Course of Action Operations Technical Committee (CACAO TC) [1]. CACAO defines a playbook schema and a taxonomy that standardize the way we create, document, and share course of action workflows [2]. A standard, machine-readable playbook schema like CACAO allows sharing playbooks across organizational boundaries and technological solutions seamlessly. Prior to CACAO, creating executable security playbooks relied on proprietary technologies that prevented their programmatic cross-utilization and sharing, also making it hard for users to compare generic playbooks and understand which offer the best models to leverage.

Cyber threat intelligence is evidence-based knowledge about adversaries and their operations. It increases defenders’ threat situational awareness, supports decision making, and drives their proactive, active (i.e., active defense), and retroactive postures against threats. A course of action is a set of specific actions that could be taken to prevent or respond to an attack [3]. Available structured cyber threat intelligence representation and sharing standards and threat intelligence platforms provide textual course of action descriptions that are far away from being able to be directly machine operationalized. With the introduction of CACAO, defenders can propel the contextuality and actionability of cyber threat intelligence by populating and sharing logically structured machine-readable course of action playbooks.

In support of programmatically managing and sharing course of action playbooks, this paper introduces a standard metadata template to assist their integration into cyber-threat-intelligence-focused knowledge representation and knowledge management systems. We demonstrate the feasibility and the benefits derived from our standard templating approach by providing two use-case implementations. We show how security playbooks, such as CACAO, are integrated, managed, and shared using the MISP threat intelligence knowledge management, analysis, and sharing platform [4][5] and a cyber threat intelligence ontology known as the Threat Actor Context ontology (TAC ontology) [6][7].

The rest of the paper is organized in the following way. Section II introduces the CACAO security playbook standard. Section III presents our proposed metadata template, which functions as a contextual integration layer between security playbooks and knowledge management systems. Sections IV and V provide an overview of the MISP threat intelligence platform and the TAC ontology and discuss how our metadata template was utilized to introduce functionality for collecting, organizing, managing, and sharing security playbooks. Section VI concludes the paper.

Ii CACAO Security Playbooks

Security playbooks are a fundamental component of Integrated Adaptive Cyberspace Defense (IACD) [8], guiding systems, subsystems, and human agents on how to interoperate to execute a course of action. Figure 1 illustrates an abstract preventative playbook.

Fig. 1: Preventative security playbook (IoC handling).

A CACAO (Collaborative Automated Course of Action Operations) playbook is a workflow for security orchestration and automation represented in JavaScript Object Notation (JSON) that contains a set of steps to perform based on a logical process, similar to how Business Process Model and Notation (BPMN) defines a playbook for business processes. CACAO leveraged the design patterns of BPMN to introduce a cybersecurity-specific JSON schema.

The execution of a CACAO playbook may be triggered by an automated or manual event or observation or based on temporal aspects (e.g., on a regular basis or periodically).

At a high level, a CACAO playbook (Figure 2) comprises metadata and workflow steps that integrate logic to control the commands to be performed, a set of commands to perform, targets that receive, process and execute the commands, data markings that specify the playbook’s handling and sharing requirements, and extensions that allow to granularly introduce additional functionality. Furthermore, for integrity and authenticity, CACAO playbooks can be digitally signed. The signature design supports both including the signature in the playbook itself and storing or releasing it separately as a detached signature.

CACAO playbooks can support multiple functions of cyberspace defense, such as threat hunting, detection, investigation, prevention, mitigation, remediation, or attack emulation.

CACAO playbooks, among other command types, can encapsulate OpenC2 [9, 10], Sigma [11], and Kestrel [12] commands to support interoperability at the actuator level, making the playbooks require minimal modifications to map to an organization’s own environment.

Fig. 2: Architecture and components of a CACAO security playbook.

Iii A Common Metadata Template for Integrating Course of Action Playbooks into Shareable Cyber Threat Intelligence

To integrate security playbooks into structured and shareable cyber threat intelligence, create managed security playbook knowledge bases, and manage security playbooks programmatically based on a set of meaningful attributes, we proposed a metadata template (Table I) that provides different technological solutions with a uniform approach. Producers and consumers of security playbooks can utilize the metadata template to contextually enrich their playbooks with additional machine-processable information as they make them available into their knowledge representation frameworks and knowledge management systems. An up-to-date version of the metadata template is available online111https://github.com/Vasileios-Mavroeidis/coa-playbook-metadata.

The metadata available in CACAO playbooks have greatly influenced the development of the metadata template presented in this paper. Consequently, the metadata of a CACAO playbook can map directly to the metadata of the proposed template.

The proposed metadata template is not restricted to encapsulating only machine-readable and automated courses of action. Similarly, it can provide other playbook representation types with metadata, making them programmatically available and manageable, such as a document describing a robust non-automated course of action or a playbook graph (model), like the one provided in Figure 1.

Element Description

A value that uniquely identifies the playbook.

The time at which the playbook was originally created.

The time that this particular version of the playbook was last modified.

A boolean that identifies if the playbook creator deems that this playbook is no longer valid.

The entity that created this playbook. It can be, for example, a natural person or an organization. It may be represented using an id that identifies the creator.

The time from which the playbook is considered valid and the steps that it contains can be executed.

The time at which this playbook should no longer be considered a valid playbook to be executed.

An explanation, details, and more context about what this playbook does and tries to accomplish.

An optional set of terms, labels, or tags associated with this playbook (e.g., aliases of adversary groups or malware family/variant/name that this playbook is related to).

From 0 to 100, an integer representing the impact the playbook has on the organization. A value of 0 means specifically undefined. Values range from 1, the lowest impact, to a value of 100, the highest. For example, a purely investigative playbook that is non-invasive would have a low impact value of 1. In contrast, a playbook that performs changes such as adding rules into a firewall would have a higher impact value.

From 0 to 100, an integer representing the seriousness of the conditions that this playbook addresses. A value of 0 means specifically undefined. Values range from 1, the lowest severity, to a value of 100, the highest.

From 0 to 100, an integer representing the priority of this playbook relative to other defined playbooks. A value of 0 means specifically undefined. Values range from 1, the highest priority, to a value of 100, the lowest.

The type of organization that the playbook is intended for. This can be an industry sector.

The security-related functions the playbook addresses. A playbook may account for multiple types (e.g., detection and investigation). [’Notification’, ’Detection’, ’Investigation’, ’Prevention’, ’Mitigation’, ’Remediation’, ’Attack’]

The standard the playbook conforms to (e.g., CACAO).

The playbook’s level of abstraction. [’Template’, ’Executable’]

The whole playbook in its native format (e.g., CACAO JSON). Security playbook producers and consumers use this property to share and retrieve playbooks.

The whole playbook encoded in base64. Security playbook producers and consumers of playbooks use this property to share and retrieve playbooks.
TABLE I: Metadata Template for Security Playbook Management

Iv Use Case: Introducing Security Playbooks in MISP Threat Intelligence Platform

Allowing one organization’s detection to become another’s prevention via intelligence sharing is a powerful paradigm that can advance the overall security of organizations [13]. Emerging cybersecurity-focused knowledge management systems, otherwise known as Threat Intelligence Platforms (TIPs), equip defenders with the ability to collect, store, process, analyze, and share actionable information and intelligence in meaningful times.

MISP (Malware Information Sharing Platform) [4]

is an open-source threat intelligence platform that has undergone considerable development and increased functionality since 2011. Organizations use MISP to exchange cyber threat intelligence among trusted groups so that they can stay threat-informed and support their decision-making processes.

The fundamental building block of MISP is a structured core format for representing threat information and ensuring interoperability between MISP instances and other threat intelligence platforms that utilize it [14]. One component of the core format is the ability to create objects that serve as a contextual bond between a list of attributes. The main purpose of an object is to represent complex structures that could not be described by single attributes. Each object is created using an object template and carries the metadata of the template used for its creation within.

The existing MISP course of action object (Table II) is used to describe in a textual form a measure taken to prevent or respond to an attack.

Object attribute Description

The estimated cost of applying the course of action. [’High’, ’Medium’, ’Low’, ’None’, ’Unknown’]

description A description of the course of action.
efficacy The estimated efficacy of applying the course of action. [’High’, ’Medium’, ’Low’, ’None’, ’Unknown’]
impact The estimated impact of applying the course of action. [’High’, ’Medium’, ’Low’, ’None’, ’Unknown’]
name The name used to identify the course of action.
objective The objective of the course of action.
stage The stage of the threat management lifecycle that the course of action is applicable to. [’Remedy’, ’Response’, ’Further Analysis Required’]
type The type of the course of action. [’Perimeter Blocking’, ’Internal Blocking’, ’Redirection’, ’Redirection (Honey Pot)’, ’Hardening’, ’Patching’, ’Eradication’, ’Rebuilding’, ’Training’, ’Monitoring’, ’Physical Access Restrictions’, ’Logical Access Restrictions’, ’Public Disclosure’, ’Diplomatic Actions’, ’Policy Actions’, ’Other’]
TABLE II: MISP Course of Action Object Template

Based on the common metadata template presented in Table I (Section III) in support of programmatically managing and sharing course of action playbooks, this research work introduced a conforming MISP security playbook object template that is the basis for creating shareable MISP security playbook objects. The security playbook object is a wrapper that encapsulates and makes available and shareable among MISP instances course of action orchestration workflows, such as CACAO security playbooks. A MISP security playbook object can make use of semantic relationships and link to other objects to improve the context around a playbook, such as the attack pattern a playbook mitigates. An example is illustrated in Figure 3. The MISP security playbook object template is available at the official MISP GitHub repository222https://github.com/MISP/misp-objects/blob/main/objects/security-playbook/definition.json.

Fig. 3: Example illustration of MISP security playbook object.

V Use Case: Introducing Security Playbooks in Threat Actor Context Ontology

Developed by the OASIS Threat Actor Context Technical Committee (TAC TC), the TAC ontology is an open-source modular knowledge representation framework that captures the rich context around adversaries into a structured machine-readable format.

The core outline of the TAC ontology that defines the primary concepts, their relationships, and other semantics around the context of adversaries (in Web Ontology Language - OWL) is based on the STIX 2.1 standard, a model and a language to represent and exchange cyber threat intelligence (in JSON). The TAC ontology can operate as a knowledge management system that, based on its underlying representation schema, can be used to conduct intelligence analysis, fuse, store and share information, and perform logic-based information inference using a reasoner.

The framework’s flexibility permits introducing and extending the existing core ontology with additional concepts and relationships, providing defenders with more extensive and integrated machine-readable cyber threat intelligence coverage and capability based on their organizations’ needs. This also enhances the usability of STIX 2.1 by providing a bridge to other representations which can altogether harmonize with the TAC ontology. For example, in [2], the authors utilized a threat actor typology to characterize adversaries and, based on the adversaries defining characteristics, automatically infer their type (e.g., government cyberwarrior, cybercriminal). The ontology introduced in [2] demonstrates how their representation schema for threat actors could supplement or replace the threat actor concept/representation of the core TAC ontology as it is represented by the STIX 2.1 standard.

The TAC ontology is fundamentally based on the STIX 2.1 standard and thus includes the concept of course of action. According to the STIX 2.1 specification, the object supports basic use cases, like sharing prose courses of action, and does not support the ability to represent automated courses of action or contain properties to represent metadata about courses of action (Table III). As annotated in the specification, future STIX 2 releases will introduce these capabilities.

Property Name

The value of this property MUST be course-of-action.

A name used to identify the Course of Action.

A description that provides more details and context about the Course of Action, potentially including its purpose and its key characteristics.

action (reserved)
RESERVED – To capture structured/automated courses of action.

TABLE III: STIX 2.1 Course of Action Object Template (Specific Properties)

Based on the common metadata template presented in Table I (Section III) in support of programmatically managing and sharing course of action playbooks, this research work introduced a conforming ontological representation in OWL. The proposed ontology can be integrated with other ontologies such as the TAC ontology to improve the context around adversaries with relevant security playbooks or can be utilized standalone to create a searchable (based on the properties defined in Table I) knowledge base of security playbooks. The security playbook concept/ontology within the TAC ontology ”inherits” the semantic relationships of the course of action object as defined in STIX 2.1 (Figure 4). The ontology is maintained by the TAC TC333https://github.com/oasis-open/tac-ontology/blob/main/stix-semex/security-playbook/.

Fig. 4: Example illustration of TAC security playbook individual and its semantic relationships as specified on the STIX 2.1 standard.

Vi Conclusion

While cyberspace defense continuously becomes more automated and adaptive, the need for sharing automated courses of action across organizational boundaries becomes apparent. CACAO is the first open-source non-proprietary effort that standardizes the way we document executable course of action playbooks. This paper presented a common metadata template that supports the integration of course of action playbooks, such as CACAO or other more abstract or proprietary, into knowledge management systems like threat intelligence platforms and threat-intelligence-focused knowledge representation approaches.


The authors would like to thank Professor Audun Jøsang (University of Oslo), Jane Ginn (Cyber Threat Intelligence Network), and Allan Thomson (Chief Architect Threat Defense Avast) for providing feedback on the paper.


  • [1] OASIS, “Collaborative Automated Course of Action Operations (CACAO) Technical Committee,” Accessed: Oct. 2021. [Online]. Available: https://www.oasis-open.org/committees/cacao.
  • [2] B. Jordan and A. Thomson eds., “CACAO Security Playbooks Version 1.0,” OASIS, Committee Specification 02, June 2021.
  • [3] V. Mavroeidis and S. Bromander, “Cyber threat intelligence model: an evaluation of taxonomies, sharing standards, and ontologies within cyber threat intelligence,” in 2017 European Intelligence and Security Informatics Conference (EISIC).   IEEE, 2017, pp. 91–98.
  • [4] C. Wagner, A. Dulaunoy, G. Wagener, and A. Iklody, “Misp: The design and implementation of a collaborative threat intelligence sharing platform,” in Proceedings of the 2016 ACM on Workshop on Information Sharing and Collaborative Security, ser. WISCS ’16.   New York, NY, USA: Association for Computing Machinery, 2016, p. 49–56. [Online]. Available: https://doi.org/10.1145/2994539.2994542
  • [5] “MISP - Open Source Threat Intelligence Platform & Open Standards For Threat Information Sharing,” accessed: Oct. 2021. [Online]. Available: https://www.misp-project.org.
  • [6] OASIS, “Threat Actor Context (TAC) Technical Committee,” Accessed: Oct. 2021. [Online]. Available: https://www.oasis-open.org/committees/tac.
  • [7] OASIS Threat Actor Context Technical Committee, “Threat Actor Context Ontology,” Accessed: Oct. 2021. [Online]. Available: https://github.com/oasis-open/tac-ontology, 2021.
  • [8] B. K. Done, K. D. Willett, D. W. Viel, G. W. Tally, D. F. Sterne, and B. Benjamin, “Towards a Capability-Based Architecture for Cyberspace Defense,” 2016, Concept Paper Approved for Public Release, US Department of Homeland Security, US National Security Agency Information Assurance Directorate, and the Johns Hopkins University Applied Physics Laboratory, AOS-16-0099.
  • [9] V. Mavroeidis and J. Brule, “A nonproprietary language for the command and control of cyber defenses – openc2,” Computers & Security, vol. 97, 2020.
  • [10] OASIS, “Open Command and Control (OpenC2) Technical Committee,” accessed: Oct. 2021. [Online]. Available: https://www.oasis-open.org/committees/openc2.
  • [11] “SIGMA - Generic Signature Format for SIEM Systems,” Accessed: Oct. 2021. [Online]. Available: https://github.com/SigmaHQ/sigma.
  • [12] “Kestrel Threat Hunting Language,” Accessed: Oct. 2021. [Online]. Available: https://github.com/opencybersecurityalliance/kestrel-lang.
  • [13] C. Johnson, L. Badger, D. Waltermire, J. Snyder, C. Skorupka et al., “Guide to cyber threat information sharing,” NIST Special Publication 800-150, 2016.
  • [14] A. Dulaunoy and A. I. eds., “MISP Core Format,” draft-00, Sep. 2021, Accessed: Oct. 2021. [Online]. Available: https://www.misp-standard.org/rfc/misp-standard-core.html.