Wilford Pagac



OpenC2 Orchestration vs the Cyber Kill Chain

What is cyber security orchestration and why do you need it? First of all, it pertains to operational cyber security. Applying cyber security during system and software development is another topic altogether (google DevSecOps for pointers). Data networks are growing in every way you can imagine: size, power, value, capability, and hence complexity. The growth is exponential, and it makes securing a network very challenging. Major networks contain a huge number of network security elements, each with many features that must be configured properly at all times to ensure the system is working right. We know how hard this is from the number of security breaches reported in the media (did you get free credit monitoring from Target?), and this has been going on for decades. It is not that the security equipment is bad; it is that people cannot operate it with the speed (how fast a person can change or update a security system) and accuracy (an error-free configuration) needed to run it in an orchestrated fashion across an entire network, as a strong cyber security defense requires. Advanced cyber defense depends on the ability to maneuver a network (yes, move the network in cyberspace), and orchestration lets you do that.

Software Engineering has addressed the problem of system deployment complexity by using Infrastructure as Code (IaC) practices. This creates repeatable processes, which are fundamental to all fields of engineering. These processes increase the speed and accuracy of deployments and manage all network elements in a system. IaC runs at machine speed and has enabled great technology like Continuous Integration/Continuous Development. How do you apply these concepts to cyber security? **This is where orchestration and OpenC2 come in.** (C2 means Command and Control.)


Orchestration: the planning or coordination of the elements of a situation to produce a desired effect

All network elements must work together to create the most secure environment. Because these elements come from multiple vendors and use different communication protocols, an overarching and open standard is needed. OpenC2 (www.openc2.org) provides the open standard software developers need to create interfaces that transform OpenC2 messages into the proprietary formats used by existing security systems. When building a new system, you can skip the adapter and just use an OpenC2 interface! I will not go into “why open standards?” since you use the Internet and already know that open standards create value, speed innovation, and enable huge economies of scale.


Can you: _Update_ the IP addresses in a subnet in real time? _Deny_ a network flow by blocking a port? _Redirect_ a flow elsewhere? _Start_ a new network using a cluster of Docker containers? _Restart_ your services to remove corruption? _Restore_ a container to its original state? The terms in italics are just a few OpenC2 commands. They can be used to maneuver the network from one state to another, like maneuvering a military unit on a battlefield. Your security equipment must implement the commands with the meaning you expect. An OpenC2 interface to a Software Defined Network (SDN) manager will support network maneuver. If there are components outside the control of the SDN, you can add additional OpenC2 interfaces for them. This requires flexibility, another place OpenC2 shines.

The Kill Chain

Regarding cyber threats, every part of the kill chain could have its own post. Below are some threats from the MITRE ATT&CK Matrix for Enterprise (https://attack.mitre.org/matrices/enterprise/), each with proactive or reactive OpenC2 actions that could mitigate it when combined with an underlying system that implements the actions.

  • Initial Access — _Contain_ and _Scan_ before putting new hardware online
  • External Remote Services — _Update_ ports on the fly between sessions
  • Persistence — _Restart_ or _Restore_ containers to remove persistent threats
  • Exploitation for Defensive Evasion — _Update_ your software and firmware
  • Service Discovery — _Stop_ or _Deny_ unneeded services
  • Lateral Tool Transfer — _Redirect_ flows for inspection; don’t just trust

If you want to learn more about the cyber kill chain you are defending against, the ATT&CK Matrix is the place to start. Then start reading Black Hat presentations for an extra dash of paranoia. The scope and depth of the cyber kill chain give very tangible reasons to orchestrate your defenses with OpenC2.

How OpenC2 Works

There is a very simple and familiar analogy for OpenC2 commands: English sentence structure. Commands are composed of a **Subject, Verb, and Object**, just like a sentence. In OpenC2 terms, it goes like this:

The Actuator is the subject. It performs an Action, which is the verb. The Target is the object the action is performed on.

A single software orchestrator can be the producer for many commands and can (should!) talk to multiple different consumers (security units that can be appliances or software or anything in between). You select an action and the target, and then put them in a command message that is sent to the consumer. The consumer uses one of its actuators to perform the action on the target. An OpenC2 consumer will likely have multiple actuators, and each will have one or more profiles describing the action-target pairs (commands) that the actuator can perform. Got all that? Time for a picture.
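To make the producer/consumer/actuator/profile vocabulary concrete, here is an added example (not code from the OpenC2 project or from this post) of a tiny consumer that dispatches commands such as the _Deny_ and _Restart_ actions listed earlier. The command and response shapes follow the OpenC2 Language Specification v1.0; the command values are constructed sample data, `slpf` is the real stateless-packet-filter profile name, and `x-ctr` is a hypothetical container profile.

```python
import json
from typing import Callable, Dict, Tuple

# Constructed sample commands (action / target / args / actuator / command_id
# fields as in the OpenC2 Language Specification v1.0; values are made up).
DENY_PORT = {"action": "deny",
             "target": {"ipv4_connection": {"dst_addr": "10.0.0.0/8", "dst_port": 23, "protocol": "tcp"}},
             "args": {"response_requested": "complete"}, "actuator": {"slpf": {}}, "command_id": "cmd-0001"}
RESTART_CTR = {"action": "restart", "target": {"device": {"hostname": "web-07"}},
               "actuator": {"x-ctr": {}}, "command_id": "cmd-0002"}   # x-ctr: hypothetical profile
UNKNOWN = {"action": "detonate", "target": {"file": {"name": "sample.bin"}}, "command_id": "cmd-0003"}

Handler = Callable[[dict, dict], dict]

class Actuator:
    """One actuator: its profile name plus the (action, target-type) pairs it implements."""
    def __init__(self, profile: str, handlers: Dict[Tuple[str, str], Handler]):
        self.profile, self.handlers = profile, handlers

def slpf_deny(target: dict, args: dict) -> dict:
    # "Deny a network flow by blocking a port": the actuator would push this rule to a packet filter.
    c = target["ipv4_connection"]
    return {"rule": f"drop {c['protocol']} to {c['dst_addr']}:{c['dst_port']}"}

def container_restart(target: dict, args: dict) -> dict:
    # "Restart containers to remove persistent threats": the actuator would restart the named host.
    return {"restarted": target["device"]["hostname"]}

class Consumer:
    """Holds several actuators; picks the one whose profile covers the command's action/target pair."""
    def __init__(self, actuators):
        self.actuators = {a.profile: a for a in actuators}

    def handle(self, cmd: dict) -> dict:
        if "action" not in cmd or "target" not in cmd:
            return {"status": 400, "status_text": "missing action or target"}
        action, (ttype, _) = cmd["action"], next(iter(cmd["target"].items()))
        # An explicit actuator field narrows the search; otherwise any actuator may match.
        wanted = list(cmd.get("actuator", {})) or list(self.actuators)
        for profile in wanted:
            act = self.actuators.get(profile)
            if act and (action, ttype) in act.handlers:
                results = act.handlers[(action, ttype)](cmd["target"], cmd.get("args", {}))
                return {"status": 200, "status_text": "OK", "results": results}
        return {"status": 501, "status_text": f"{action}/{ttype} not implemented"}

    def handle_message(self, message: str) -> dict:
        return self.handle(json.loads(message))   # wire form is JSON text

CONSUMER = Consumer([Actuator("slpf", {("deny", "ipv4_connection"): slpf_deny}),
                     Actuator("x-ctr", {("restart", "device"): container_restart})])

if __name__ == "__main__":
    for c in (DENY_PORT, RESTART_CTR, UNKNOWN):
        print(json.dumps(CONSUMER.handle(c)))
```

A real consumer would additionally answer `query features` so the producer can discover which profiles and action/target pairs each actuator supports before sending commands.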

[Figure: OpenC2 terminology mapping to simplified orchestration architecture]
