OpenC2 Orchestration vs the Cyber Kill Chain

Erich Izdepski
The Startup
9 min read · Jul 28, 2020


What is cyber security orchestration and why do you need it? First of all, it pertains to operational cyber security. Applying cyber security during system and software development is another topic altogether (Google DevSecOps for pointers). Data networks are growing every way you can imagine: size, power, value, capability, and hence, complexity. The growth is exponential, and it causes great challenges in securing a network. Major networks contain a huge number of network security elements, each with many features that must be configured properly at all times to ensure the system is working right. We know how hard this is because of the number of security breaches reported in the media (did you get free credit monitoring from Target?), and because this has been going on for decades. It is not that the security equipment is bad, but it is impossible to use at the speed (how fast a person can change or update a security system) and accuracy (an error-free configuration) needed to run in an orchestrated fashion across an entire network, as required to support a strong cyber security defense. Advanced cyber defense depends upon the ability to maneuver a network (yes, move the network in cyberspace), and orchestration lets you do that.

Software engineering has addressed the problem of system deployment complexity by using Infrastructure as Code (IaC) practices. This creates repeatable processes, which are fundamental to all fields of engineering. These processes increase the speed and accuracy of deployments and manage all network elements in a system. IaC runs at machine speed and has enabled great technology like Continuous Integration/Continuous Development. How do you apply these concepts to cyber security? This is where orchestration and OpenC2 come in. (C2 means Command and Control.)

Orchestration

the planning or coordination of the elements of a situation to produce a desired effect

All network elements must work together to create the most secure environment. Because these elements come from multiple vendors and use different communication protocols, an overarching and open standard is needed. OpenC2 (www.openc2.org) provides the open standard software developers need to create interfaces that transform OpenC2 messages into the proprietary formats needed by existing security systems. When making a new system, you can skip the adapter and just use an OpenC2 interface! I will not go into “why open standards?” since you use the Internet and already know that open standards create value, speed innovation, and enable huge economies of scale.

Maneuvering

Can you: Update the IP addresses in a subnet in real-time? Deny a network flow by blocking a port? Redirect a flow elsewhere? Start a new network using a cluster of Docker containers? Restart your services to remove corruption? Restore a container to its original state? The verbs that open these questions (update, deny, redirect, start, restart, restore) are just a few OpenC2 commands. They can be used to maneuver the network from one state to another, like maneuvering a military unit on a battlefield. Your security equipment must implement the commands with the meaning you expect. An OpenC2 interface to a Software Defined Network (SDN) manager will support network maneuver. If there are components outside the control of the SDN, you can add additional OpenC2 interfaces for them. This requires flexibility, another place OpenC2 shines.

The Kill Chain

Regarding cyber threats, every part of the kill chain could have its own post. Below are some threats from the MITRE ATT&CK Matrix for Enterprise (https://attack.mitre.org/matrices/enterprise/) and OpenC2 proactive and reactive actions that could be taken to mitigate the threat, when combined with an underlying system to implement the actions.

  • Initial Access — Contain and Scan before putting new hardware online
  • External Remote Services — Update ports on the fly between sessions
  • Persistence — Restart or Restore containers to remove persistent threats
  • Exploitation for Defensive Evasion — Update your software and firmware
  • Service Discovery — Stop or Deny unneeded services
  • Lateral Tool Transfer — Redirect flows for inspection; don’t just trust

If you want to learn more about the cyber kill chain that you are defending against, the ATT&CK Matrix is the place to start. Then start reading Blackhat presentations for an extra dash of paranoia. The scope and depth of the cyber kill chain show very tangible reasons to orchestrate your defenses with OpenC2.

How OpenC2 Works

There is a very simple and familiar analogy for OpenC2 commands: English sentence structure. Commands are composed of a Subject, Verb, and Object, just like a sentence. In OpenC2 terms, it goes like this:

Actuator is the subject. It performs an Action, which is the verb. The Target is the object the action is performed on.

A single software orchestrator can be the producer for many commands and can (should!) talk to multiple different consumers (security units that can be appliances or software or anything in between). You select an action and the target, and then put them in a command message that is sent to the consumer. The consumer uses one of its actuators to perform the action on the target. An OpenC2 consumer will likely have multiple actuators, and each will have one or more profiles describing the action-target pairs (commands) that the actuator can perform. Got all that? Time for a picture.

[Figure: Mapping between OpenC2 terminology and a simple high-level orchestration architecture]

OpenC2 uses JSON for commands. The simplest one is the query command, which all consumers must support.

    {
      "action": "query",
      "target": {
        "features": ["versions", "profiles", "pairs", "rate_limit"]
      }
    }

This command asks the consumer, “what can you do?” The consumer replies with JSON that describes the language versions it knows, the profiles it contains, the action-target pairs it can execute, and the commands per minute it can execute.
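The consumer side of that exchange, as an added example that is not code from the article or from the OpenC2 project: a handler that answers the query command and refuses any command outside its advertised action-target pairs. The profile contents, the rate limit, and the in-memory `RULES` table are constructed for illustration.

```python
import ipaddress
import json

# Constructed profile for a hypothetical packet-filter consumer.
PAIRS = {"query": ["features"], "deny": ["ipv4_net"], "allow": ["ipv4_net"]}
FEATURES = {"versions": ["1.0"], "profiles": ["slpf"],
            "pairs": PAIRS, "rate_limit": 30}
RULES = {}  # in-memory stand-in for the actuator's rule table


def handle_command(raw):
    """Validate one OpenC2 command (JSON text) and return the response body."""
    try:
        cmd = json.loads(raw)
        action, target = cmd["action"], cmd["target"]
        if not isinstance(action, str):
            raise TypeError("action must be a string")
        # A target names exactly one type, e.g. {"ipv4_net": "192.0.2.0/24"}.
        ((target_type, value),) = target.items()
    except (ValueError, KeyError, TypeError, AttributeError):
        return {"status": 400, "status_text": "malformed command"}

    # Refuse anything outside the advertised action-target pairs.
    if target_type not in PAIRS.get(action, []):
        return {"status": 501, "status_text": "unsupported action-target pair"}

    if action == "query":
        known = isinstance(value, list) and all(
            isinstance(f, str) and f in FEATURES for f in value)
        if not known:
            return {"status": 400, "status_text": "unknown feature requested"}
        response = {"status": 200}
        if value:  # an empty feature list is answered with the status alone
            response["results"] = {f: FEATURES[f] for f in value}
        return response

    # allow / deny: parse the network strictly before touching the rule table.
    try:
        if not isinstance(value, str):
            raise ValueError("ipv4_net must be a CIDR string")
        network = ipaddress.IPv4Network(value)  # rejects host bits and IPv6
    except ValueError:
        return {"status": 400, "status_text": "invalid ipv4_net"}
    RULES[str(network)] = action
    return {"status": 200}
```

Because the same `PAIRS` table drives both the query answer and the enforcement check, what the consumer advertises and what it will execute cannot drift apart.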

Orchestration Hierarchy

Protecting a large enterprise network, made up of many separate networks (autonomous systems, AS) distributed around the country or the globe, requires more than a single orchestrator. One approach to this scenario is to have an orchestrator in each AS. These systems still need to communicate with each other and be able to receive commands from a Security Operations Center (SOC). Keep in mind that they are still able to operate on their own and that being decentralized has advantages in case a cyber attack affects the ability of the SOC to send commands. The lower level orchestrators can collaborate as discussed below using OpenC2. For SOC commands, I see great advantages to using a pub/sub model. OpenC2 is working on the use of Message Queuing Telemetry Transport (MQTT; https://docs.oasis-open.org/mqtt/mqtt/v5.0/mqtt-v5.0.html) as a transport mechanism for OpenC2 messages. The orchestrator in a given AS would subscribe to channels matching the profiles of the security components in the AS it serves, effectively making the profile a filter on commands from the SOC. Think of a profile like a software interface, with its list of commands (functions). The details of how the commands are implemented are encapsulated in the security components in the AS. Overall, you can think of this like Object Oriented Security.

OpenC2 Security

You cannot just have anybody sending OpenC2 commands to your security infrastructure. HTTPS is the transport of the moment, with work on other transports (such as MQTT) in progress. Not only is HTTPS (TLS) used for encrypting commands and responses, but OpenC2 requires mutual authentication of producers and consumers through PKI (digital certificates).

  • Every producer needs a client digital certificate
  • Every consumer needs a server digital certificate

You can create and self-sign these for test and development, but as soon as you go to a plugfest or beyond, you will need to use a real Root Certificate Authority for obtaining the certificates, or your system will NOT talk to other ecosystem members, unless you provisioned your certificates into them (not recommended).
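One way to set up the two sides with Python's standard `ssl` module, as an added example that is not from the article or the OpenC2 specifications. It goes one step beyond the text by also checking the verified producer certificate against an allow-list; the file paths, the use of DNS subject alternative names as producer identity, and the sample names are assumptions.

```python
import ssl


def consumer_tls_context(cert_file, key_file, producer_ca_file):
    """Server-side context: the consumer presents its server certificate
    and refuses any producer that lacks a valid client certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(cert_file, key_file)
    ctx.load_verify_locations(cafile=producer_ca_file)
    ctx.verify_mode = ssl.CERT_REQUIRED  # handshake fails without a client cert
    return ctx


def producer_tls_context(cert_file, key_file, consumer_ca_file):
    """Client-side context: the producer verifies the consumer's certificate
    and hostname, and presents its own client certificate."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH,
                                     cafile=consumer_ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(cert_file, key_file)
    return ctx


def producer_names(peercert):
    """DNS names from the dict returned by SSLSocket.getpeercert()."""
    sans = (peercert or {}).get("subjectAltName", ())
    return {value for kind, value in sans if kind == "DNS"}


def is_authorized_producer(peercert, allowed_names):
    """A CA-signed certificate proves identity only; this decides whether
    that identity may send commands to this consumer (assumed policy)."""
    return bool(producer_names(peercert) & set(allowed_names))
```

On the consumer, call `is_authorized_producer(conn.getpeercert(), allowed)` on each accepted connection before parsing the command body.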

Benefits

Data Collection

You really need to create, own and extract value from all the data you can. OpenC2 can help. Do you know the security status of your network? All the software versions? Where certain equipment is physically? Know your current firewall rules on every firewall? Knowing what is going on in your network is very valuable. OpenC2 gives you the means to directly collect data with commands like scan, query, and locate. The other commands also provide data about what they did and whether it succeeded. If you know the command you issued and save the response, you can get a complete picture (but the commands do need to return complete information, not just the minimum for compliance). This leads to being able to model your network with a “digital twin”. This lets you do many things: calculate the cost and time of an upgrade or overhaul, audit firewall rules against what they should be, or audit a router. These last two are great for finding simple mistakes or unauthorized changes to your security posture.

Macros

OpenC2 standardizes communications between a Security Operations Center and the multitude of security elements in the enterprise, but that is NOT enough. Note the C2 Macro Storage and Search blocks in my simple architecture. Creating macros allows you to create automated and repeatable processes, which gives you speed and accuracy. To get real value from OpenC2, your orchestrator must be able to perform a series of operations (think of it like a macro), involving multiple consumers (the instruments in your orchestra) and targets. At the very least, you should be able to make a macro consisting of multiple actions available in the profiles supported by a single consumer.
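A macro runner along these lines, as an added example that is not the author's orchestrator: it queries each consumer for its pairs, refuses to start if any step is unsupported, runs the steps in order, and stops at the first failure while keeping the command/response log. The consumer names, the `send` callables standing in for the HTTPS transport, and the sample macro are constructed.

```python
QUERY_PAIRS = {"action": "query", "target": {"features": ["pairs"]}}

# Constructed macro: (consumer name, action, target) steps run in order.
CONTAIN_HOST = [
    ("fw", "deny", {"ipv4_net": "198.51.100.7/32"}),
    ("edr", "contain", {"device": {"device_id": "web-01"}}),
    ("edr", "scan", {"device": {"device_id": "web-01"}}),
]


def run_macro(steps, consumers):
    """Run a macro; return (completed, log).

    consumers maps a name to a send(command) -> response callable.
    No step is sent unless every step passes the preflight check.
    """
    pairs = {}
    for name in {step[0] for step in steps}:
        reply = consumers[name](QUERY_PAIRS)
        pairs[name] = reply.get("results", {}).get("pairs", {})
    for name, action, target in steps:
        (target_type,) = target  # exactly one target type per command
        if target_type not in pairs[name].get(action, []):
            raise ValueError(f"{name} does not advertise {action} {target_type}")
    log = []
    for name, action, target in steps:
        command = {"action": action, "target": target}
        response = consumers[name](command)
        log.append({"consumer": name, "command": command, "response": response})
        if not 200 <= response.get("status", 500) < 300:
            return False, log  # later steps assume this one succeeded
    return True, log


def fake_consumer(advertised, fail_on=None):
    """Constructed test double for a consumer reachable over HTTPS."""
    def send(command):
        if command["action"] == "query":
            return {"status": 200, "results": {"pairs": advertised}}
        if command["action"] == fail_on:
            return {"status": 500, "status_text": "actuator error"}
        return {"status": 200}
    return send
```

The returned log pairs every command with its response, which is the record the Data Collection section says you should be saving.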

Collaboration

Another important aspect of cyber defense is the ability to collaborate, especially in a large enterprise. Passing information about attacks and successful defenses can help others. OpenC2 has an investigate action defined as: “Task the recipient to aggregate and report information as it pertains to a security event or incident.” This creates the opportunity to create a collaboration function, and to close the loop on security problems others have seen. Use the information in this report to target other OpenC2 actions such as contain, deny, scan, or update, and you can see how a valuable system starts to emerge. For example, a report may indicate a threat from a certain malware. Your system can scan for the malware and then contain it. Another case would be a threat from a given IP address. The deny command can update firewall protection. A new threat on a given OS can be found and shared. The update command could be issued to perform security patching.

Best Value

OpenC2 allows you to secure your enterprise with a best of breed collection of security elements. For example, if you have a choice of two firewalls that both “speak” OpenC2, you can choose the one that has the best features for you, knowing your orchestrator will still be able to control it. This helps with price negotiations, too!

Running a Honeynet

This might be a little exotic, but fun all the same! OpenC2 has create, restore, start, stop, allow, and detonate commands. These commands could manage a Docker system (or Kubernetes), enabling a safe environment for accessing bad web sites or running malware tests.

Call To Action

If you have a security product, study the OpenC2 language specification, the HTTPS use requirements, and the profile for how to control a firewall.

Publish a profile for your product and write the OpenC2 actuator software that implements the functionality of the profile.

Go to a plugfest to test your product against others and make sure it is compliant with the specification.

Create OpenC2 interfaces to existing products (they don’t even have to be your own) that have open APIs. Publish the code and get famous!

Create an orchestrator product that interacts through OpenC2 to aid in cyber defense. It does not have to do the defending, per se; it just uses OpenC2 to delegate to the components handling defense.

Summary

I hope this has at least inspired you to take a look at OpenC2. There are many things I touched upon in this article, some very lightly, but the seeds are planted. I think an OpenC2-enabled security ecosystem is on its way, and that it will be full of opportunities. As for me, I am already writing software that uses OpenC2 to control a signals intelligence system and putting the technology into other proposals where it fits.

Further Reading

If you really want to dig in, have a look at the intersection of the OODA Loop, Army Theory of Maneuver (yes, the concepts map to offensive and defensive cyber), and cyber security. Just search Google for “ooda cyber maneuver.” It is not a simple topic with a single reference to read, so a search is the best route.

Featured Image

Anon. (Italian), Fortification study, after 1600. Pen and ink and coloured washes on paper with some fanciful additions by yours truly.


Erich Izdepski
The Startup

Software engineer and architect who’s built web, mobile and desktop apps in multiple industries over a span of more than 25 years. CTO @ BTS Software Solutions.