UNCLASSIFIED
Open Command and Control (OpenC2) Language Mapping for SDN Control
Version 0.9 21 April 2016
Randall Sharo <randall.sharo@navy.mil>
TABLE OF CONTENTS
1 INTRODUCTION ..... 4
2 SDN LANGUAGE BINDING FOR OPENC2 ..... 8
  2.1 OVERVIEW ..... 8
  2.2 ACTUATOR VOCABULARY EXTENSIONS ..... 8
  2.3 ACTIONS ..... 9
    2.3.1 SCAN ..... 11 (2.3.1.1 OpenC2 Definition ..... 11; 2.3.1.2 SDN Binding ..... 11)
    2.3.2 LOCATE ..... 13 (2.3.2.1 OpenC2 Definition ..... 13; 2.3.2.2 SDN Binding ..... 13)
    2.3.3 QUERY ..... 15 (2.3.3.1 OpenC2 Definition ..... 15; 2.3.3.2 SDN Binding ..... 15)
    2.3.4 GET ..... 17 (2.3.4.1 OpenC2 Definition ..... 17; 2.3.4.2 SDN Binding ..... 17)
    2.3.5 DENY ..... 19 (2.3.5.1 OpenC2 Definition ..... 19; 2.3.5.2 SDN Binding ..... 19)
    2.3.6 ALLOW ..... 21 (2.3.6.1 OpenC2 Definition ..... 21; 2.3.6.2 SDN Binding ..... 21)
    2.3.7 STOP ..... 23 (2.3.7.1 OpenC2 Definition ..... 23; 2.3.7.2 SDN Binding ..... 23)
    2.3.8 SET ..... 25 (2.3.8.1 OpenC2 Definition ..... 25; 2.3.8.2 SDN Binding ..... 25)
    2.3.9 MOVE ..... 26 (2.3.9.1 OpenC2 Definition ..... 26; 2.3.9.2 SDN Binding ..... 26)
    2.3.10 REDIRECT ..... 28 (2.3.10.1 OpenC2 Definition ..... 28; 2.3.10.2 SDN Binding ..... 28)
    2.3.11 THROTTLE ..... 30 (2.3.11.1 OpenC2 Definition ..... 30; 2.3.11.2 SDN Binding ..... 30)
    2.3.12 SUBSTITUTE ..... 31 (2.3.12.1 OpenC2 Definition ..... 31; 2.3.12.2 SDN Binding ..... 31)
    2.3.13 COPY ..... 33 (2.3.13.1 OpenC2 Definition ..... 33; 2.3.13.2 SDN Binding ..... 33)
    2.3.14 MITIGATE ..... 34 (2.3.14.1 OpenC2 Definition ..... 34; 2.3.14.2 SDN Binding ..... 34)
  2.4 RESPONSE ..... 36 (2.4.1 OpenC2 Definition ..... 36; 2.4.2 SDN Binding ..... 36)
  2.5 SPECIFIER VOCABULARY EXTENSIONS ..... 37
3 EXAMPLE USE CASES ..... 39
  3.1 STOP ABUSE OF MAC ADDRESS 00:DE:AD:BE:EF:00 ..... 39
  3.2 PREVENT UNPRIVILEGED USER FROM ACCESSING ADMIN NETWORK ..... 39
4 WORKS CITED ..... 41
5 APPENDIX A: OPENC2 SDN XML SCHEMA ..... 42
List of Tables
Table 2-1. SDN Actuator Classes ..... 8
Table 2-2. Summary of Action Definitions for SDN Actuator ..... 9
Table 2-3. Supported Targets: SCAN ..... 11
Table 2-4. Example Usage of SCAN ..... 12
Table 2-5. Supported Targets: LOCATE ..... 13
Table 2-6. Example Usage of LOCATE ..... 13
Table 2-7. Supported Targets: QUERY ..... 15
Table 2-8. Example Usage of QUERY ..... 15
Table 2-9. Supported Targets: GET ..... 17
Table 2-10. Example Usage of GET ..... 17
Table 2-11. Supported Targets: DENY ..... 19
Table 2-12. Example Usage of DENY ..... 19
Table 2-13. Supported Targets: ALLOW ..... 21
Table 2-14. Example Usage of ALLOW ..... 21
Table 2-15. Supported Targets: STOP ..... 23
Table 2-16. Example Usage of STOP ..... 23
Table 2-17. Supported Targets: SET ..... 25
Table 2-18. Example Usage of SET ..... 25
Table 2-19. Supported Targets: MOVE ..... 26
Table 2-20. Example Usage of MOVE ..... 26
Table 2-21. Supported Targets: REDIRECT ..... 28
Table 2-22. Example Usage of REDIRECT ..... 28
Table 2-23. Supported Targets: THROTTLE ..... 30
Table 2-24. Example Usage of THROTTLE ..... 30
Table 2-25. Supported Targets: SUBSTITUTE ..... 31
Table 2-26. Example Usage of SUBSTITUTE ..... 31
Table 2-27. Supported Targets: COPY ..... 33
Table 2-28. Example Usage of COPY ..... 33
Table 2-29. Supported Targets: MITIGATE ..... 34
Table 2-30. Example Usage of MITIGATE ..... 34
Table 2-31. Example Usage of RESPONSE ..... 36
Table 2-32. OpenC2 Targets Supported by SDN Actuator ..... 37
1 INTRODUCTION
Software-defined Networking (SDN) is a new approach to networking that has the potential to enable ongoing network innovation and enable the network as a programmable, pluggable component of the larger cloud infrastructure. Key aspects of SDN include separation of data and control planes; a uniform vendor-agnostic interface, such as OpenFlow, between control and data planes; a logically centralized control plane, realized using a network OS, that constructs and presents a logical map of the entire network to services or network control applications on top; and slicing and virtualization of the underlying network. With SDN, a researcher, network administrator, or third party can introduce a new capability by writing a software program that simply manipulates the logical map of a slice of the network. (Kobayashi, 2013)
But, with great power comes great responsibility. SDN applications have the ability to shape and control network traffic in ways unanticipated by existing network security architectures. Through microsegmentation, small subnetworks may be formed that violate the assumptions of existing network sensors and Intrusion Detection Systems. Implementing security in an SDN environment requires not only knowledge of what the SDN control plane is doing, but a means to orchestrate the control plane itself.
This paper outlines a command set that integrates SDN controller functionality with the Open Command and Control (OpenC2) language and command set (OpenC2 Consortium, 2016). Through this command set, cyber security orchestrators may gain visibility into the SDN’s decisions and gain control over security-related outcomes.
A Software Defined Network (SDN) consists of three primary elements (Figure 1):
Datapaths - Physical or virtual forwarding elements that provide programmable bridging, tagging, and/or routing capabilities. Datapaths are controlled via a standardized interface, called the “Southbound API”.
Controllers - Software applications that control datapaths via the Southbound API. Controllers provide the building blocks for basic network functionality and in some cases comprise an autonomous network control infrastructure. Controllers that are able to receive command and control from external sources implement a “Northbound API”.
Applications - Higher-level applications or services that direct the actions of Controllers. Applications may exist to support new or custom protocols, to orchestrate the actions of multiple controllers, or to provide health and status monitoring capabilities.
Figure 1. SDN APIs (diagram: Applications; Northbound API; Controllers; Southbound API; Physical/Virtual Switches, a.k.a. “datapaths”)
This common architecture for SDNs lends well to orchestration. Figure 2 shows how an OpenC2 Agent can simultaneously function as an SDN Application, bridging between the Active Cyber Defense and Software Defined Networking domains.
Figure 2. SDN Integration via OpenC2 (diagram: Orchestration and other actuators attached to the OpenC2 Message Fabric; the OpenC2 SDN Agent on that fabric drives Controllers via the Northbound API, which in turn drive Physical/Virtual Switches via the Southbound API)
Since SDN controllers manage physical and virtual switches in the same manner, it is also possible to project security provisions into Virtualized Networks (VNs) when those VNs are implemented via SDN. In this paper we describe a set of extensions necessary for OpenC2-enabled systems to orchestrate Tenant Networks (TNs) – physical or virtual network segments administered via SDN technologies.
Unlike a VLAN or overlay network, there may not be any tag or label added to a packet to identify its association with a particular network; a controller is free to associate MAC addresses, port identifiers, or VLAN tags together to form a common network per its configuration commands. This property makes tenant networks more difficult to characterize without being able to access the internals of the SDN controller. It also makes it difficult to assign a specific name or number to a tenant. To overcome this problem, this paper allows the SDN controller to identify its own names for each tenant network. Orchestrators will repeat tenant network names back to controllers as part of their action messages, requiring only that each controller assign a unique identifier to each tenant network.
Figure 3. Virtual Tenant Network (VTN) over SDN (NEC, 2013)
With this architecture, an OpenC2 SDN Agent is able to participate in OpenC2 workflow processing, transforming actions into a format suitable for a given controller implementation. The details of network management are not directly exposed to the orchestrator, but the agent does have the capacity to detect events within the SDN and report them across the fabric.
Where possible we try not to embrace any one specific SDN standard, for as of this writing there are many competing alternatives (OpenFlow, P4, SNMP-based schemes, NETCONF-based schemes, and OVSDB to name a few). Instead, we define a query-command structure where protocol-specific identifiers are first returned to the orchestrator via queries, then those same identifiers are repeated to the controllers as command targets.
2 SDN LANGUAGE BINDING FOR OPENC2
2.1 Overview
The OpenC2 Language Specification (OpenC2 Consortium, 2016) describes a vocabulary by which network elements may be commanded and controlled. While this language was originally specified with relatively static networks such as building infrastructure or datacenters in mind, the language itself is very extensible by design. In this section we describe a set of extensions that enable visibility and control of network behavior within an SDN.
2.2 Actuator Vocabulary Extensions
Due to the unique nature of how an SDN may interpret actions, we recommend creation of new actuator classes, as shown in Table 2-1. An SDN controller is not precisely a sensor, firewall, router, or IDS, but it may have capabilities in common with any or all of those pre-defined actuator types. By defining unique actuator classes, we can ensure that SDN-specific behavior is unambiguously defined when compared to other actuator classes.
Table 2-1. SDN Actuator Classes
| Name | Specifier Type | Description |
|---|---|---|
| network.sdn | cybox:URIObjectType | Specifies that one or more Software Defined Networking controllers should act on the message. A specifier may be provided to uniquely identify an SDN controller. A URI is sufficient when all controllers have unique REST Northbound APIs. Example: “https://mycontroller.mydomain.gov:8081/” |
2.3 Actions
Table 2-2 summarizes the behavior of OpenC2 actions when applied to an SDN actuator. Subsequent sections provide further example usages for each action.
Table 2-2. Summary of Action Definitions for SDN Actuator

| Action | Definition for the SDN actuator |
|---|---|
| ACTIONS THAT GATHER AND CONVEY INFORMATION | |
| SCAN | Systematically search a network segment for devices and services reachable via a specified address and protocol. |
| LOCATE | The LOCATE action requests the network location (controller+dataport) of a network device or service. |
| QUERY | Requests known information about a specified network device or service. |
| REPORT | Reserved for future implementation. |
| GET | Retrieves configuration information for the actuator, controller, or datapath. |
| NOTIFY | Reserved for future implementation. |
| ACTIONS THAT CONTROL PERMISSIONS | |
| DENY | Blocks a targeted flow of packets from traversing the network. |
| CONTAIN | Reserved for future implementation. |
| ALLOW | Allows a targeted flow of packets to traverse the network. |
| ACTIONS THAT CONTROL ACTIVITIES/DEVICES | |
| START | Reserved for future implementation. |
| STOP | Removes the effect of a MOVE, REDIRECT, THROTTLE, SUBSTITUTE, COPY, or MITIGATE action. |
| RESTART | Reserved for future implementation. |
| PAUSE | Reserved for future implementation. |
| RESUME | Reserved for future implementation. |
| SET | Change configuration information for the actuator, targeted controller, or targeted datapath. |
| UPDATE | Reserved for future implementation. |
| MOVE | Relocates a network device or service to an alternate tenant network or VLAN. Affects all traffic to/from designated target. |
| REDIRECT | Redirects network traffic to an alternate route, tenant network, VLAN, or Dataport. Affects traffic unidirectionally. |
| DELETE | Removes targeted entries from a firewall rule list or Access Control List. |
| SNAPSHOT | Reserved for future implementation. |
| DETONATE | Reserved for future implementation. |
| RESTORE | Reserved for future implementation. |
| SAVE | Reserved for future implementation. |
| MODIFY | Reserved for future implementation. |
| THROTTLE | The THROTTLE action limits the maximum allocated bandwidth for a class of network traffic. |
| DELAY | Reserved for future implementation. |
| SUBSTITUTE | Applies Address Translation to the targeted network traffic. Address translation can be applied upon SDN domain ingress, egress, or both. |
| COPY | Clones targeted network traffic to a secondary tenant network, VLAN, or Dataport. |
| SYNC | Reserved for future implementation. |
| SENSOR RELATED ACTION | |
| DISTILL | Reserved for future implementation. |
| AUGMENT | Reserved for future implementation. |
| EFFECTS-BASED ACTION | |
| INVESTIGATE | Reserved for future implementation. |
| MITIGATE | Activate controller-specific mitigations for the specified Threat Source and Threat Type. |
| REMEDIATE | Reserved for future implementation. |
2.3.1 SCAN
2.3.1.1 OpenC2 Definition
The SCAN action is the systematic examination of some aspect of the entity or its environment in order to obtain information. This action can be used to command the characterization of an environment (e.g., perform network, port, or vulnerability scanning) or to look for a specific occurrence of an object (e.g., file, IP, process). SCAN commands are distinct from the QUERY in that SCAN implies an analytic while a QUERY implies a routine retrieval of data.
2.3.1.2 SDN Binding
Systematically search a network segment for devices and services reachable via a specified address and protocol. Network segments will be searched for devices responding to packets with a specified address, protocol, and (optional) port number. The SCAN action does not immediately return the location of the target: a subsequent LOCATE or QUERY action may be sent to retrieve the results of the scan.
The SCAN action applies to the following TARGET types and specifiers.
Table 2-3. Supported Targets: SCAN
| Target Type | Description | Target Specifier |
|---|---|---|
| cybox:Address | The Address object describes a VLAN or tenant network to be scanned. | cybox:AddressObjectType: VLAN_Name, VLAN_Number |
The SCAN action accepts the following modifiers.
| Modifier | Type | Description |
|---|---|---|
| method | enumeration: arp, ping, tcpsyn, udpprobe | Optional. Describes the scanning technique to use. |
| search | cybox:SocketAddressObjectType | Required. Describes the network address and/or port number to find. |
| on-device | sdn:DataportType | Optional. Narrows a scan to a specific datapath or dataport. |
| report-to | cybox:URIObjectType | Optional. Where to report scan completion or errors (if any). |
The following table lists potential applications of the SCAN command to identify network devices reachable from an SDN actuator.
Table 2-4. Example Usage of SCAN
| # | Description | Action | Target | Target Specifier | Actuator | Actuator Specifier | Modifier |
|---|---|---|---|---|---|---|---|
| 1 | Scan the network for IP address 1.1.1.1 | SCAN | cybox:Address | (none) | network.sdn | (none) | search = 1.1.1.1 |
| 2 | Scan an SDN island for web servers (TCP port 80) | SCAN | cybox:Address | (none) | network.sdn | https://my.controller.gov/ | search = tcp destination port: 80 |
| 3 | Scan a datapath for IP address 2.2.2.2 using ARP | SCAN | cybox:Address | (none) | network.sdn | | search = 2.2.2.2, on-device = dpid:10:20:30:40:50:60:70:80, method = arp |
| 4 | Scan VLAN 7 for IP address 3.3.3.3 using ICMP Echo requests | SCAN | cybox:Address | VLAN_Number: 7 | network.sdn | (optional) | search = 3.3.3.3, method = ping |
| 5 | Scan Tenant Network ‘devteam’ for devices that react to packet delivery on UDP port 1000 | SCAN | cybox:Address | VLAN_Name: ‘devteam’ | network.sdn | (optional) | search = tcp destination port 1000, method = udpprobe |
2.3.2 LOCATE
2.3.2.1 OpenC2 Definition
The LOCATE action is used to find an object either physically, logically, functionally, or by organization. This action is used, for example, to enable one to tell where in the system an event or trigger occurred, confirm that an asset is appropriately deployed, or ascertain details regarding a rogue device.
2.3.2.2 SDN Binding
The LOCATE action requests the SDN actuator to report the topological location of a device within the SDN. The actuator will not actively query the targeted device, but rather will report any information passively collected to date. Reported location will include identity of master controller, datapath identifier, and dataport identifier.
Table 2-5. Supported Targets: LOCATE
| Target Type | Description | Target Specifier |
|---|---|---|
| cybox:Address | The Address object is intended to specify a cyber address. | cybox:AddressObjectType: Address Value, VLAN Name, VLAN Number |
The LOCATE action accepts the following modifiers.
| Modifier | Type | Description |
|---|---|---|
| report-to | cybox:URIObjectType | Required. Identifies where to send the target’s location. |
| on-device | sdn:DataportType | Optional. Only locate address usage on the specified datapath or dataport. |
The following examples describe how a LOCATE action may be used to find devices within an SDN.
Table 2-6. Example Usage of LOCATE
| # | Description | Action | Target | Target Specifier | Actuator | Actuator Specifier | Modifier |
|---|---|---|---|---|---|---|---|
| 1 | Get network location of an IP address | LOCATE | cybox:Address | 12.34.56.78 | network.sdn | (optional) | report-to = requestor-address |
| 2 | Find if a MAC address has been seen on a particular datapath | LOCATE | cybox:Address | mac 04:00:00:00:00:01 | network.sdn | (optional) | report-to = requestor-address, on-device = dpid:11:22:33:44:55:66:77:88 |
| 3 | Find if a MAC address has been seen on VLAN 12 | LOCATE | cybox:Address | mac 06:08:0a:0c:10:20, vlan_number 12 | network.sdn | (optional) | report-to = requestor-address |
2.3.3 QUERY
2.3.3.1 OpenC2 Definition
The QUERY action initiates a single request for information. QUERY, like SCAN, is used to find out more information about the system or its environment. In the case of QUERY, however, it is an isolated or specific information request, rather than a broadly scoped scan or on-going check. QUERY tends to be a simple retrieval of a value for a specific parameter, while SCAN implies a more thorough examination and identification of anomalies (relative to a known good state). The response to a query is typically (but not necessarily) conveyed within the command and control channel.
2.3.3.2 SDN Binding
A QUERY action requests known information about a specified network device or service.
Table 2-7. Supported Targets: QUERY
| Target Type | Description | Target Specifier |
|---|---|---|
| openc2:Data | The actuator will report the targeted (custom) data field. | openc2:DataObjectType |
The QUERY action accepts the following modifiers.
| Modifier | Type | Description |
|---|---|---|
| on-device | sdn:DatapathType | Optional. Narrows the query to return results for a specific datapath. |
| report-to | cybox:URIObjectType | Required. Identifies where to send the target’s location. |
The following examples describe how a QUERY action may be used within an SDN.
Table 2-8. Example Usage of QUERY
| # | Description | Action | Target | Target Specifier | Actuator | Actuator Specifier | Modifier |
|---|---|---|---|---|---|---|---|
| 1 | List all active layer-2 links within the SDN | QUERY | openc2:Data | ‘links’ | network.sdn | (optional) | report-to = requestor-address |
| 2 | Get controller master/slave status | QUERY | openc2:Data | ‘role’ | network.sdn | (optional) | report-to = requestor-address |
| 3 | Get all known information about a device | QUERY | openc2:Data | ‘device’: mac: 04:04:04:04:04:04 | network.sdn | (optional) | report-to = requestor-address |
| 4 | Get flow table from a single datapath | QUERY | openc2:Data | ‘flows’ | network.sdn | (optional) | report-to = requestor-address, on-device = dpid:10:20:30:40:50:60:70:80 |
| 5 | Get a list of all previously-scheduled activities | QUERY | openc2:Data | ‘ActivityList’ | network.sdn | | report-to = requestor-address |
| 6 | Get a list of all devices attached to datapath 1 | QUERY | openc2:Data | ‘devices’ | network.sdn | | report-to = requestor-address, on-device = dpid:00:00:00:00:00:01 |
2.3.4 GET
2.3.4.1 OpenC2 Definition
The GET action tasks an entity to retrieve a specific object. The location of the object can be designated in the specifier of the TARGET. The entity typically (but not necessarily) retrieves the object outside of the command and control channel.
2.3.4.2 SDN Binding
Retrieves configuration information for the actuator, controller, or datapath. Unlike QUERY, which retrieves runtime information about the network under control, GET is used to retrieve parameters used to configure the actuator’s software implementation.
Table 2-9. Supported Targets: GET
Target Type: openc2:Data
Target Specifier: openc2:DataObjectType
Description: The actuator will report the targeted (custom) data field.
The GET action accepts the following modifiers.
Modifier Type Description
report-to cybox:URIObjectType Required. Identifies where to send the targeted data or error status
The following examples describe how a GET action may be used within an SDN.
Table 2-10. Example Usage of GET
1. Get the SDN Actuator’s master configuration data
   ACTION: GET
   TARGET: openc2:Data; TARGET-SPECIFIER: (none)
   ACTUATOR: network.sdn; ACTUATOR-SPECIFIER: (optional)
   MODIFIER: report-to = requestor-address
2. Get the master configuration file for a specific controller
   ACTION: GET
   TARGET: openc2:Data; TARGET-SPECIFIER: (none)
   ACTUATOR: network.sdn; ACTUATOR-SPECIFIER: https://192.168.1.1:8080/
   MODIFIER: report-to = requestor-address
3. Get SDN configuration information for a single datapath
   ACTION: GET
   TARGET: openc2:Data; TARGET-SPECIFIER: ‘dpid:11:22:33:44:55:66:77:88’
   ACTUATOR: network.sdn; ACTUATOR-SPECIFIER: (optional)
   MODIFIER: report-to = requestor-address
4. Get a list of software modules installed in
   ACTION: GET
   TARGET: openc2:Data; TARGET-SPECIFIER: ‘modules_installed’
   ACTUATOR: network.sdn; ACTUATOR-SPECIFIER: https://192.168.1.1:8080/
   MODIFIER: report-to = requestor-address
2.3.5 DENY
2.3.5.1 OpenC2 Definition
The DENY action is used to prevent a certain event or action from completion, such as preventing a flow from reaching a destination (e.g., block) or preventing access. DENY is a superset of current terms such as BLOCK (network perimeter devices) and DENY (user, access to system, access to files).
2.3.5.2 SDN Binding
Blocks a targeted flow of packets from traversing the network.
Table 2-11. Supported Targets: DENY
Target Type: sdn:Flow
Target Specifier: sdn:FlowType
Description: Identifies protocol fields of traffic to deny. Flow can specify source addresses, destination addresses, or both.
The DENY action accepts the following modifiers.
Modifier Type Description
on-device sdn:DataportType Optional. Identifies a datapath and optional port where targeted traffic will be denied.
priority integer Optional. Assigns a relative priority to this rule compared to other ALLOW or DENY rules.
report-to cybox:URIObjectType Optional. Where to report errors (if any).
The following examples describe how a DENY action may be used within an SDN.
Table 2-12. Example Usage of DENY
1. Deny access to IP Address 12.34.56.78
   ACTION: DENY
   TARGET: sdn:Flow; TARGET-SPECIFIER: Destination IP: 12.34.56.78
   ACTUATOR: network.sdn; ACTUATOR-SPECIFIER: (optional)
2. Deny access to VLAN 12 from (trunked) Ethernet dataport 2
   ACTION: DENY
   TARGET: sdn:Flow; TARGET-SPECIFIER: Destination Vlan_Number = 12
   ACTUATOR: network.sdn; ACTUATOR-SPECIFIER: (optional)
   MODIFIER: on-device = dpid: 11:22:33:44:55:66:77:88, dataport=2
3. Deny access to 12.34.56.78 port 80
   ACTION: DENY
   TARGET: sdn:Flow; TARGET-SPECIFIER: Destination IP: 12.34.56.78, port: 80
   ACTUATOR: network.sdn; ACTUATOR-SPECIFIER: (optional)
4. Deny access to 10.10.10.10 from tenant network ‘localcloud’
   ACTION: DENY
   TARGET: sdn:Flow; TARGET-SPECIFIER: Source VLAN_Name: ‘localcloud’, Destination IP: 10.10.10.10
   ACTUATOR: network.sdn; ACTUATOR-SPECIFIER: (optional)
5. Deny access to 10.10.10.10 from vlan 12
   ACTION: DENY
   TARGET: sdn:Flow; TARGET-SPECIFIER: Source VLAN_Number: 12, Destination IP: 10.10.10.10
   ACTUATOR: network.sdn; ACTUATOR-SPECIFIER: (optional)
2.3.6 ALLOW
2.3.6.1 OpenC2 Definition
The ALLOW action permits the access to or execution of something. An ALLOW action is typically associated with something that was previously denied (e.g., block, quarantine).
2.3.6.2 SDN Binding
Allows a targeted flow of packets to traverse the network.
Table 2-13. Supported Targets: ALLOW
Target Type: sdn:Flow
Target Specifier: sdn:FlowType
Description: Identifies protocol fields of traffic to allow. Can include source addresses, destination addresses, or both.
The ALLOW action accepts the following modifiers.
Modifier Type Description
on-device sdn:DataportType Optional. Identifies a datapath and optional dataport where targeted traffic was denied.
priority integer Optional. Assigns a relative priority to this rule compared to other ALLOW or DENY rules.
report-to cybox:URIObjectType Optional. Where to report errors (if any).
The following examples describe how an ALLOW action may be used within an SDN.
Table 2-14. Example Usage of ALLOW
1. Remove restrictions on traffic destined to IP Address 12.34.56.78
   ACTION: ALLOW
   TARGET: sdn:Flow; TARGET-SPECIFIER: Destination: 12.34.56.78
   ACTUATOR: network.sdn; ACTUATOR-SPECIFIER: (optional)
2. Remove restrictions on sessions from 11.0.0.0/24 to 12.34.56.78:80
   ACTION: ALLOW
   TARGET: sdn:Flow; TARGET-SPECIFIER: Source: 11.0.0.0/24, Destination: 12.34.56.78:80, tcp
   ACTUATOR: network.sdn; ACTUATOR-SPECIFIER: (optional)
3. Remove restrictions on packets sourced from MAC 00:00:00:00:00:01
   ACTION: ALLOW
   TARGET: sdn:Flow; TARGET-SPECIFIER: Source Mac: 00:00:00:00:00:01
   ACTUATOR: network.sdn; ACTUATOR-SPECIFIER: (optional)
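The DENY and ALLOW bindings above both carry a priority modifier that ranks a rule against other ALLOW or DENY rules, but the document does not spell out how overlapping rules resolve. The following is an added example, not code from the OpenC2 SDN mapping document: it represents rules with the sdn:Flow fields used in Tables 2-12 and 2-14 and evaluates a packet against them. The tie-break and default are assumptions made for the example (highest priority wins, DENY wins a tie, a packet matching no rule is forwarded); the rule set and packets are constructed.

```python
"""Resolving overlapping ALLOW and DENY rules by the `priority` modifier.

Added example; this is not code from the OpenC2 SDN mapping document.
Rules carry the sdn:Flow fields used in Tables 2-12 and 2-14 (source and
destination address, VLAN, transport protocol, port). Assumptions that the
document does not state: the highest priority wins, DENY wins a tie, and a
packet that matches no rule is forwarded (default ALLOW).
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class FlowRule:
    action: str            # "ALLOW" or "DENY"
    match: dict            # sdn:Flow fields, e.g. {"dst_ip": "12.34.56.78"}
    priority: int = 0      # the `priority` modifier; higher wins (assumption)
    activity_id: str = ""  # qname an actuator would hand back in its RESPONSE


def _field_matches(name, wanted, packet):
    actual = packet.get(name)
    if actual is None:
        return False
    if name in ("src_ip", "dst_ip"):
        # Address fields may be single hosts or CIDR prefixes such as 11.0.0.0/24.
        return ipaddress.ip_address(actual) in ipaddress.ip_network(wanted, strict=False)
    if isinstance(wanted, str):
        return str(actual).lower() == wanted.lower()  # MACs, VLAN names, protocol
    return actual == wanted  # VLAN numbers, ports


def flow_matches(match, packet):
    """True when every field of the sdn:Flow match is satisfied by the packet."""
    return all(_field_matches(k, v, packet) for k, v in match.items())


def decide(rules, packet, default="ALLOW"):
    """Return (action, winning_rule); winning_rule is None when nothing matched."""
    winner = None
    for rule in rules:
        if not flow_matches(rule.match, packet):
            continue
        if winner is None or rule.priority > winner.priority or (
            rule.priority == winner.priority and rule.action == "DENY"
        ):
            winner = rule
    return (winner.action, winner) if winner else (default, None)


# Constructed rule set modelled on Table 2-12 rows 1 and 5 and Table 2-14 row 2.
RULES = [
    FlowRule("DENY", {"dst_ip": "12.34.56.78"}, priority=10, activity_id="firewall_rule:1"),
    FlowRule("DENY", {"vlan_number": 12, "dst_ip": "10.10.10.10"}, priority=10,
             activity_id="firewall_rule:2"),
    FlowRule("ALLOW", {"src_ip": "11.0.0.0/24", "dst_ip": "12.34.56.78",
                       "proto": "tcp", "dst_port": 80}, priority=20,
             activity_id="firewall_rule:3"),
]

# Constructed packet headers.
WEB_FROM_PARTNER = {"src_ip": "11.0.0.7", "dst_ip": "12.34.56.78", "proto": "tcp", "dst_port": 80}
SSH_FROM_PARTNER = {"src_ip": "11.0.0.7", "dst_ip": "12.34.56.78", "proto": "tcp", "dst_port": 22}
VLAN12_TO_SERVER = {"src_ip": "10.0.0.5", "dst_ip": "10.10.10.10", "vlan_number": 12}
VLAN13_TO_SERVER = {"src_ip": "10.0.0.5", "dst_ip": "10.10.10.10", "vlan_number": 13}

if __name__ == "__main__":
    for pkt in (WEB_FROM_PARTNER, SSH_FROM_PARTNER, VLAN12_TO_SERVER, VLAN13_TO_SERVER):
        action, rule = decide(RULES, pkt)
        print(action, rule.activity_id if rule else "(no matching rule)", pkt)
```

The ALLOW at priority 20 punches a hole for port 80 through the broader DENY at priority 10, which is the "remove restrictions" case Table 2-14 describes; any other port to that destination still hits the DENY. Whether an actuator should default-allow or default-deny unmatched traffic is a deployment decision the document leaves to the implementer.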
2.3.7 STOP
2.3.7.1 OpenC2 Definition
The STOP action halts a system or ends an activity. The STOP OpenC2 action is used to convey commonly used actions such as shutdown, kill, and terminate. The STOP action has nuances and options associated with it that are ACTUATOR specific. In the case where more than one type of STOP action is applicable for a particular target and actuator, the default implementation of STOP will be a graceful shutdown. Action modifiers are used to indicate immediate or atypical STOP actions.
2.3.7.2 SDN Binding
Removes the effect of a MOVE, REDIRECT, THROTTLE, SUBSTITUTE, COPY, or MITIGATE action.
Table 2-15. Supported Targets: STOP
Target Type: ActivityId
Target Specifier: xs:QName
Description: An activity identifier specifying a previous MOVE, REDIRECT, THROTTLE, SUBSTITUTE, COPY, or MITIGATE action. The identifier may be known from a previous action’s RESPONSE message or from a QUERY of running activities.
The STOP action accepts the following modifiers.
Modifier Type Description
delay time Optional. Time to wait before performing the action.
report-to cybox:URIObjectType Optional. Where to report success or failure.
The following examples describe how a STOP action may be used within an SDN.
Table 2-16. Example Usage of STOP
1. Stop a previously-scheduled MITIGATE activity
   ACTION: STOP
   TARGET: openc2:ActivityId; TARGET-SPECIFIER: SDN:MITIGATE-1212-3434-5656
   ACTUATOR: network.sdn; ACTUATOR-SPECIFIER: (optional)
2.3.8 SET
2.3.8.1 OpenC2 Definition
The SET action changes a value, configuration, or state of a managed entity within an IT system. Typically this action is specified by a configuration item such as a sensor setting or privilege level and the command will have specifiers. SET commands are intended for specific individual changes to the entity and the parameters are communicated in the C2 channel.
2.3.8.2 SDN Binding
Change configuration information for the actuator, targeted controller, or targeted datapath.
Table 2-17. Supported Targets: SET
Target Type: openc2:Data
Target Specifier: openc2:DataObjectType
Description: The actuator will change the targeted (custom) data field.
The SET action accepts the following modifiers.
Modifier Type Description
value openc2:Data Required. The value to assign to the targeted data field.
report-to cybox:URIObjectType Optional. Identifies where to send any error message caused by the SET action.
The following examples describe how a SET action may be used within an SDN.
Table 2-18. Example Usage of SET
1. Reload the SDN Actuator’s master configuration
   ACTION: SET
   TARGET: openc2:Data; TARGET-SPECIFIER: (none)
   ACTUATOR: network.sdn; ACTUATOR-SPECIFIER: (optional)
   MODIFIER: value = List of Key-value pairs, report-to = requestor-address
2. Reload the configuration for a specific controller
   ACTION: SET
   TARGET: openc2:Data; TARGET-SPECIFIER: (none)
   ACTUATOR: network.sdn; ACTUATOR-SPECIFIER: https://192.168.1.1:8080/
   MODIFIER: value = List of Key-value pairs, report-to = requestor-address
3. Set a specific configuration parameter
   ACTION: SET
   TARGET: openc2:Data; TARGET-SPECIFIER: ‘property_name’
   ACTUATOR: network.sdn; ACTUATOR-SPECIFIER: https://192.168.1.1:8080/
   MODIFIER: value = property_value
2.3.9 MOVE
2.3.9.1 OpenC2 Definition
The MOVE action changes the location of a file, subnet, network, or process. MOVE is distinct from CONTAIN in that CONTAIN implies a desired effect of isolation and MOVE supports the more general case.
2.3.9.2 SDN Binding
Relocates a network device or service to an alternate tenant network or VLAN. Affects all traffic to/from the designated target.
Table 2-19. Supported Targets: MOVE
Target Type: sdn:dataport
Target Specifier: sdn:DataportType
Description: A Layer 2 port to be relocated to an alternate VLAN or tenant network.
The MOVE action accepts the following modifiers.
Modifier Type Description
move-to cybox:AddressObjectType Required. Device or service will be moved to this VLAN or tenant network. Moving a dataport to VLAN_Number zero makes it a trunk port.
report-to cybox:URIObjectType Optional. Identifies where to send any error message caused by the action.
The following examples describe how a MOVE action may be used within an SDN.
Table 2-20. Example Usage of MOVE
1. Move dataport 10 to tenant network ‘quarantine’
   ACTION: MOVE
   TARGET: sdn:dataport; TARGET-SPECIFIER: Dpid=22:33:44:55:22:33:44:55, dataport=10
   ACTUATOR: network.sdn; ACTUATOR-SPECIFIER: (optional)
   MODIFIER: move-to = vlan_name: ‘quarantine’
2. Make dataports 32-34 access ports for vlan 11
   ACTION: MOVE
   TARGET: sdn:dataport; TARGET-SPECIFIER: Dpid=22:33:44:55:22:33:44:55, dataport=32,33,34
   ACTUATOR: network.sdn; ACTUATOR-SPECIFIER: (optional)
   MODIFIER: move-to = vlan_number: 11
3. Make dataport 35 a trunk port (i.e. vlan 0)
   ACTION: MOVE
   TARGET: sdn:dataport; TARGET-SPECIFIER: Dpid=22:33:44:55:22:33:44:55, dataport=35
   ACTUATOR: network.sdn; ACTUATOR-SPECIFIER: (optional)
   MODIFIER: move-to = vlan_number: 0
2.3.10 REDIRECT
2.3.10.1 OpenC2 Definition
The REDIRECT action changes the flow of traffic to a particular destination other than its original intended destination. The REDIRECT action includes the case of bypassing an intermediate point. REDIRECT is distinct from MOVE in that it encompasses the entire flow rather than a single instance, item or object. MOVE supports the more atomic case.
2.3.10.2 SDN Binding
Redirects network traffic to an alternate route, tenant network, VLAN, or Dataport. Affects traffic unidirectionally.
Table 2-21. Supported Targets: REDIRECT
Target Type: sdn:Flow
Target Specifier: sdn:FlowType
Description: Describes the set of packets that will be redirected.
The REDIRECT action accepts the following modifiers.
Modifier Type Description
to-device Sdn:DataportType Required. Targeted traffic will be redirected to the specified dataport. Redirection to “null” cancels any pre-existing redirection.
report-to cybox:URIObjectType Optional. Identifies where to send any error message caused by the action.
The following examples describe how a REDIRECT action may be used within an SDN.
Table 2-22. Example Usage of REDIRECT
1. Redirect all 10.0.0.0/8 traffic to a designated dataport
   ACTION: REDIRECT
   TARGET: sdn:Flow; TARGET-SPECIFIER: Destination: 10.0.0.0/8
   ACTUATOR: network.sdn; ACTUATOR-SPECIFIER: (optional)
   MODIFIER: to-device = dpid: 22:22:22:22:22:22:22:22:22:22, dataport: 7
2. Cancel redirection on MAC address 00:de:ad:be:ef
   ACTION: REDIRECT
   TARGET: sdn:Flow; TARGET-SPECIFIER: Source mac: 00:de:ad:be:ef
   ACTUATOR: network.sdn; ACTUATOR-SPECIFIER: (optional)
   MODIFIER: to-device = null
2.3.11 DELETE
2.3.11.1 OpenC2 Definition
The DELETE action removes data and files.
2.3.11.2 SDN Binding
Deletes specified firewall rules or Access Control List (ACL) entries from the SDN controller’s tables. The action identifies the entry to be deleted via an actuator-specific ActivityId, obtainable as part of the RESPONSE to an ALLOW, DENY, or QUERY action.
Table 2-23. Supported Targets: DELETE
Target Type: ActivityId
Target Specifier: xs:QName
Description: Identifies a firewall rule or ACL entry to be deleted. May take the form of any (actuator-specific) qualified name.
The DELETE action accepts the following modifiers.
Modifier Type Description
report-to cybox:URIObjectType Optional. Identifies where to send any error message caused by the action.
The following examples describe how a DELETE action may be used within an SDN.
Table 2-24. Example Usage of DELETE
1. Attempt to delete a firewall rule and report the success/failure via HTTPS
   ACTION: DELETE
   TARGET: ActivityId; TARGET-SPECIFIER: firewall_rule:deca1234
   ACTUATOR: network.sdn; ACTUATOR-SPECIFIER: (optional)
   MODIFIER: report-to = https://12.34.56.78:8081/result?xid=12
2. Attempt to delete an ACL entry, where the controller supports descriptive ActivityId’s
   ACTION: DELETE
   TARGET: ActivityId; TARGET-SPECIFIER: acl:10.0.0.0/8
   ACTUATOR: network.sdn; ACTUATOR-SPECIFIER: (optional)
2.3.12 THROTTLE
2.3.12.1 OpenC2 Definition
The THROTTLE action adjusts the throughput of an entire data flow to a different rate.
2.3.12.2 SDN Binding
The THROTTLE action limits the maximum allocated bandwidth for a class of network traffic.
Table 2-25. Supported Targets: THROTTLE
Target Type: sdn:Flow
Target Specifier: sdn:FlowType
Description: The packet flow to be throttled.
The THROTTLE action accepts the following modifiers.
Modifier Type Description
max-pps integer Required. Max allowed packets-per-second
report-to cybox:URIObjectType Optional. Identifies where to send any error message caused by the action.
The following examples describe how a THROTTLE action may be used within an SDN.
Table 2-26. Example Usage of THROTTLE
1. Throttle HTTP traffic to 11.11.11.11
   ACTION: THROTTLE
   TARGET: sdn:FlowType; TARGET-SPECIFIER: Tcp, destination = 11.11.11.11:80
   ACTUATOR: network.sdn; ACTUATOR-SPECIFIER: (optional)
   MODIFIER: max-pps = 100000
2. Throttle all traffic to MAC address 00:00:00:00:00:01
   ACTION: THROTTLE
   TARGET: sdn:FlowType; TARGET-SPECIFIER: Destination MAC = 00:00:00:00:00:01
   ACTUATOR: network.sdn; ACTUATOR-SPECIFIER: (optional)
   MODIFIER: max-pps = 1000000
2.3.13 SUBSTITUTE
2.3.13.1 OpenC2 Definition
The SUBSTITUTE action replaces all or part of the data, content or payload in the least detectable manner. SUBSTITUTE is used in cases where an attack is to be impeded or thwarted in an undetectable manner.
2.3.13.2 SDN Binding
Applies Address Translation to the targeted network traffic. Address translation can be applied upon SDN domain ingress or egress. Traffic will be routed through the SDN based on replacement address(es).
Table 2-27. Supported Targets: SUBSTITUTE
Target Type: sdn:Flow
Target Specifier: sdn:FlowType
Description: Describes the packets that will be remapped.
The SUBSTITUTE action accepts the following modifiers.
Modifier Type Description
replacement sdn:FlowType Required. The field(s) that will be substituted in packets.
when Enumeration: ingress, egress Optional. Specifies whether translation is applied when the packet enters the SDN domain (prior to routing), or upon leaving the SDN (after routing). If unspecified, then ingress is the default.
report-to cybox:URIObjectType Optional. Identifies where to send any error message caused by the action.
The following examples describe how a SUBSTITUTE action may be used within an SDN.
Table 2-28. Example Usage of SUBSTITUTE
1. Replace destination address 11.1.1.1 with 12.2.2.2
   ACTION: SUBSTITUTE
   TARGET: sdn:Flow; TARGET-SPECIFIER: Destination = 11.1.1.1
   ACTUATOR: network.sdn; ACTUATOR-SPECIFIER: (optional)
   MODIFIER: replacement = 12.2.2.2
2. Replace TCP endpoint 11.1.1.1:80 with 12.2.2.2:8080
   ACTION: SUBSTITUTE
   TARGET: sdn:Flow; TARGET-SPECIFIER: Tcp, destination = 11.1.1.1, port = 80
   ACTUATOR: network.sdn; ACTUATOR-SPECIFIER: (optional)
   MODIFIER: replacement = tcp, destination = 12.2.2.2, port = 8080
3. Replace destination MAC 00:11:11:11:11:11 with 00:22:22:22:22:22
   ACTION: SUBSTITUTE
   TARGET: sdn:Flow; TARGET-SPECIFIER: MAC = 00:11:11:11:11:11
   ACTUATOR: network.sdn; ACTUATOR-SPECIFIER: (optional)
   MODIFIER: replacement = mac: 00:22:22:22:22:22
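The `when` modifier decides whether translation happens before or after routing, and the binding says traffic is routed on the replacement address when translation is applied at ingress (the default). The following added example, which is not code from the document, makes that visible: a constructed longest-prefix routing table, the match/replacement pairs from Table 2-28 rows 1 and 2, and a function that applies one SUBSTITUTE at either point. Field names (dst_ip, dst_port, proto) and the helper names are assumptions made for the example.

```python
"""Ingress vs egress translation for the SUBSTITUTE action.

Added example; not code from the document. It shows why the `when`
modifier matters: with ingress (the default) the replacement address is
what gets routed, with egress routing sees the original address and the
packet is rewritten as it leaves. The routing table, the packet fields and
the helper names are constructed for illustration.
"""
import ipaddress

# Constructed routing table: (destination prefix, egress dataport).
ROUTES = [
    ("11.0.0.0/8", 1),
    ("12.0.0.0/8", 2),
    ("0.0.0.0/0", 9),
]


def route_lookup(dst_ip, routes=ROUTES):
    """Longest-prefix match of dst_ip against the table; returns a dataport."""
    best = None
    addr = ipaddress.ip_address(dst_ip)
    for prefix, port in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, port)
    return best[1]


def flow_matches(match, packet):
    """Every field of the sdn:Flow match must equal the packet's field."""
    return all(str(packet.get(k, "")).lower() == str(v).lower() for k, v in match.items())


def substitute(packet, match, replacement, when="ingress", routes=ROUTES):
    """Apply one SUBSTITUTE action to one packet.

    Returns (egress dataport, packet as it leaves the SDN domain).
    `match` is the target sdn:Flow, `replacement` the fields to rewrite.
    """
    if when not in ("ingress", "egress"):
        raise ValueError("when must be 'ingress' or 'egress'")
    out = dict(packet)
    hit = flow_matches(match, out)
    if hit and when == "ingress":
        out.update(replacement)  # rewrite first, then route on the new address
    port = route_lookup(out["dst_ip"], routes)
    if hit and when == "egress":
        out.update(replacement)  # route on the original, rewrite on the way out
    return port, out


# Table 2-28 rows 1 and 2, written as match/replacement pairs.
ROW1_MATCH, ROW1_REPL = {"dst_ip": "11.1.1.1"}, {"dst_ip": "12.2.2.2"}
ROW2_MATCH = {"proto": "tcp", "dst_ip": "11.1.1.1", "dst_port": 80}
ROW2_REPL = {"dst_ip": "12.2.2.2", "dst_port": 8080}

# Constructed packet headers.
HTTP_TO_OLD = {"src_ip": "10.0.0.9", "dst_ip": "11.1.1.1", "proto": "tcp", "dst_port": 80}
SSH_TO_OLD = {"src_ip": "10.0.0.9", "dst_ip": "11.1.1.1", "proto": "tcp", "dst_port": 22}

if __name__ == "__main__":
    for when in ("ingress", "egress"):
        print(when, substitute(HTTP_TO_OLD, ROW1_MATCH, ROW1_REPL, when))
    print("row 2, non-matching port:", substitute(SSH_TO_OLD, ROW2_MATCH, ROW2_REPL))
```

With ingress translation the packet for 11.1.1.1 leaves on dataport 2 (the 12.0.0.0/8 route) carrying 12.2.2.2; with egress translation it still follows the 11.0.0.0/8 route to dataport 1 and is rewritten only as it exits. An operator choosing `when` therefore also chooses which path the substituted traffic takes.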
2.3.14 COPY
2.3.14.1 OpenC2 Definition
The COPY action duplicates a file or data flow.
2.3.14.2 SDN Binding
Clones targeted network traffic to a secondary tenant network, VLAN, or Dataport.
Table 2-29. Supported Targets: COPY
Target Type: sdn:Flow
Target Specifier: sdn:FlowType
Description: Describes the flow of packets to be cloned.
The COPY action accepts the following modifiers.
Modifier Type Description
to-device sdn:DataportType Required. The dataport where cloned traffic should be sent.
report-to cybox:URIObjectType Optional. Identifies where to send any error message caused by the action.
The following examples describe how a COPY action may be used within an SDN.
Table 2-30. Example Usage of COPY
1. Clone all traffic sourced from 00:0b:ad:00:0b:ad to dataport 12
   ACTION: COPY
   TARGET: sdn:Flow; TARGET-SPECIFIER: Source MAC = 00:0b:ad:00:0b:ad
   ACTUATOR: network.sdn; ACTUATOR-SPECIFIER: (optional)
   MODIFIER: to-device = dpid:12:34:56:78:9a:bc:de:f0, dataport:12
2. Clone all web traffic to dataport 11
   ACTION: COPY
   TARGET: sdn:Flow; TARGET-SPECIFIER: LIST[(tcp destination port 80), (tcp source port 80)]
   ACTUATOR: network.sdn; ACTUATOR-SPECIFIER: (optional)
   MODIFIER: to-device = dpid:22:22:22:22:22:22:22:22, dataport:11
2.3.15 MITIGATE
2.3.15.1 OpenC2 Definition
The MITIGATE action tasks the recipient enclave to circumvent the problem without necessarily eliminating the vulnerability or attack point. Mitigate implies that the impacts to the enclave’s operations should be minimized while addressing the issue. Examples of actions resulting from a received MITIGATE OpenC2 command could include denying a URL or process, scanning, redirecting traffic to a honeypot, or moving.
2.3.15.2 SDN Binding
Activate controller-specific mitigations for the specified Threat Source and Threat Type. Each SDN actuator may have its own technology (or suite of technologies) that mitigates a given threat type.
Table 2-31. Supported Targets: MITIGATE
Target Type: cybox:Address
Target Specifier: cybox:AddressObjectType
Description: Describes the traffic source that has unwanted behavior.
The MITIGATE action accepts the following modifiers.
Modifier Type Description
threat-type Enumeration: passive-capture, active-scan, spoof, mitm, dos, all Optional. Describes the unwanted activity taking place at the specified device/address. If unspecified, defaults to ‘all’.
on-device Sdn:DataportType Optional. Identifies the dataport where unwanted network behavior is entering the domain.
report-to cybox:URIObjectType Optional. Identifies where to send any error message caused by the action.
The following examples describe how a MITIGATE action may be used within an SDN.
Table 2-32. Example Usage of MITIGATE
1. Mitigate a router that may be exfiltrating data
   ACTION: MITIGATE
   TARGET: cybox:Address; TARGET-SPECIFIER: 12.34.56.78
   ACTUATOR: network.sdn; ACTUATOR-SPECIFIER: (optional)
   MODIFIER: threat-type = passive-capture
2. Mitigate ARP spoofing coming from dataport 10 (match all MAC addresses)
   ACTION: MITIGATE
   TARGET: cybox:Address; TARGET-SPECIFIER: MAC value: 00:00:00:00:00:00, mask: 00:00:00:00:00:00
   ACTUATOR: network.sdn; ACTUATOR-SPECIFIER: (optional)
   MODIFIER: threat-type = spoof, on-device = dpid:11:11:11:11:11:11:11:11, dataport:10
3. Mitigate man-in-the-middle attacks involving a device with MAC address 00:00:00:00:00:01
   ACTION: MITIGATE
   TARGET: cybox:Address; TARGET-SPECIFIER: Mac: 00:00:00:00:00:01
   ACTUATOR: network.sdn; ACTUATOR-SPECIFIER: (optional)
   MODIFIER: threat-type = mitm
4. Mitigate denial of service attacks entering the network at dataport 20
   ACTION: MITIGATE
   TARGET: cybox:Address; TARGET-SPECIFIER: 12.34.56.0/24
   ACTUATOR: network.sdn; ACTUATOR-SPECIFIER: (optional)
   MODIFIER: threat-type = dos, on-device = dpid:11:11:11:11:11:11:11:11, dataport:10
5. Mitigate port scans coming from IP address 11.11.11.11
   ACTION: MITIGATE
   TARGET: cybox:Address; TARGET-SPECIFIER: 11.11.11.11
   ACTUATOR: network.sdn; ACTUATOR-SPECIFIER: (optional)
   MODIFIER: threat-type = active-scan
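Sections 2.3.3 through 2.3.15 each state which target type an action accepts and which modifiers are required or optional, and two modifiers (`when`, `threat-type`) carry documented defaults. An actuator should reject a command that violates those tables before it touches the controller. The following is an added example, not code from the document or any OpenC2 implementation: it encodes the modifier tables above as data and checks a command against them. The dict shape of a command, the name `check_command`, and the treatment of STOP's target as either "ActivityId" (Table 2-15) or "openc2:ActivityId" (Table 2-16) are assumptions for illustration; the sample commands are constructed from the example tables.

```python
"""Checks an OpenC2 SDN command against the action/modifier tables of section 2.3.

Added example; not part of the document. A command is a plain dict:
{"action": "DENY", "actuator": "network.sdn",
 "target": {"type": "sdn:Flow", "specifier": {...}}, "modifiers": {...}}.
That shape is an assumption for illustration, not the document's wire format.
"""

# action -> (accepted target types, {modifier name: required?}), from the tables.
ACTION_TABLE = {
    "QUERY":      ({"openc2:Data"},   {"report-to": True, "on-device": False}),
    "GET":        ({"openc2:Data"},   {"report-to": True}),
    "DENY":       ({"sdn:Flow"},      {"on-device": False, "priority": False, "report-to": False}),
    "ALLOW":      ({"sdn:Flow"},      {"on-device": False, "priority": False, "report-to": False}),
    "STOP":       ({"ActivityId", "openc2:ActivityId"}, {"delay": False, "report-to": False}),
    "SET":        ({"openc2:Data"},   {"value": True, "report-to": False}),
    "MOVE":       ({"sdn:dataport"},  {"move-to": True, "report-to": False}),
    "REDIRECT":   ({"sdn:Flow"},      {"to-device": True, "report-to": False}),
    "DELETE":     ({"ActivityId"},    {"report-to": False}),
    "THROTTLE":   ({"sdn:Flow"},      {"max-pps": True, "report-to": False}),
    "SUBSTITUTE": ({"sdn:Flow"},      {"replacement": True, "when": False, "report-to": False}),
    "COPY":       ({"sdn:Flow"},      {"to-device": True, "report-to": False}),
    "MITIGATE":   ({"cybox:Address"}, {"threat-type": False, "on-device": False, "report-to": False}),
}

ENUMS = {
    "when": {"ingress", "egress"},
    "threat-type": {"passive-capture", "active-scan", "spoof", "mitm", "dos", "all"},
}
DEFAULTS = {"when": "ingress", "threat-type": "all"}  # defaults the tables state
INTEGER_MODIFIERS = {"priority", "max-pps"}           # priority is unsignedInt in the schema


def check_command(cmd):
    """Return a list of problems; an empty list means the command passes.

    Documented defaults for `when` and `threat-type` are filled in place.
    """
    problems = []
    action = cmd.get("action")
    if action not in ACTION_TABLE:
        return [f"unknown or unsupported action {action!r}"]
    targets, modifiers = ACTION_TABLE[action]
    if cmd.get("actuator") != "network.sdn":
        problems.append("actuator type must be network.sdn")
    ttype = (cmd.get("target") or {}).get("type")
    if ttype not in targets:
        problems.append(f"{action} does not accept target type {ttype!r}")
    given = cmd.setdefault("modifiers", {})
    for name, required in modifiers.items():
        if required and name not in given:
            problems.append(f"{action} requires modifier {name!r}")
    for name, value in given.items():
        if name not in modifiers:
            problems.append(f"{action} does not accept modifier {name!r}")
            continue
        if name in ENUMS and value not in ENUMS[name]:
            problems.append(f"{name} must be one of {sorted(ENUMS[name])}")
        if name in INTEGER_MODIFIERS and (
            isinstance(value, bool) or not isinstance(value, int) or value < 0
        ):
            problems.append(f"{name} must be a non-negative integer")
    for name, default in DEFAULTS.items():
        if name in modifiers and name not in given:
            given[name] = default
    return problems


# Constructed commands modelled on the section 2.3 example tables.
QUERY_NO_REPORT = {"action": "QUERY", "actuator": "network.sdn",
                   "target": {"type": "openc2:Data", "specifier": "links"}}
DENY_BAD_PRIORITY = {"action": "DENY", "actuator": "network.sdn",
                     "target": {"type": "sdn:Flow", "specifier": {"dst_ip": "12.34.56.78", "dst_port": 80}},
                     "modifiers": {"priority": -1}}
SUBSTITUTE_DEFAULT_WHEN = {"action": "SUBSTITUTE", "actuator": "network.sdn",
                           "target": {"type": "sdn:Flow", "specifier": {"dst_ip": "11.1.1.1"}},
                           "modifiers": {"replacement": {"dst_ip": "12.2.2.2"}}}
MITIGATE_BAD_TYPE = {"action": "MITIGATE", "actuator": "network.sdn",
                     "target": {"type": "cybox:Address", "specifier": "11.11.11.11"},
                     "modifiers": {"threat-type": "bogus"}}
THROTTLE_OK = {"action": "THROTTLE", "actuator": "network.sdn",
               "target": {"type": "sdn:Flow", "specifier": {"proto": "tcp", "dst_ip": "11.11.11.11", "dst_port": 80}},
               "modifiers": {"max-pps": 100000}}

if __name__ == "__main__":
    for cmd in (QUERY_NO_REPORT, DENY_BAD_PRIORITY, SUBSTITUTE_DEFAULT_WHEN, MITIGATE_BAD_TYPE, THROTTLE_OK):
        print(cmd["action"], check_command(cmd) or "ok", cmd["modifiers"])
```

Keeping the tables as data rather than as a chain of `if` statements means a change to one action's binding is a one-line edit, and the same table can drive both the actuator's input validation and an orchestrator's message builder.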
2.4 Response
2.4.1 OpenC2 Definition
RESPONSE is used to provide any data requested as a result of an action. RESPONSE can be used to signal the acknowledgement of an action, provide the status of an action along with additional information related to the requested action, or signal the completion of the action. The recipient of the RESPONSE can be the original requester of the action or another recipient (or recipients) designated in the modifier of the action.
2.4.2 SDN Binding
SDN actuators require no changes to the Response message structure as specified. Acknowledgements will, however, generally include a command reference ID, or “ActivityId”, in the form of a qname. These ActivityId values can be passed back to the SDN actuator in a STOP action to undo previous actions.
Table 2-33. Example Usage of RESPONSE
Acknowledge the receipt of an action
   ACTION: Response; TYPE: data.status
   VALUE: status = received action, OpenC2 command, or command reference ID
Signal completion of an action
   ACTION: Response; TYPE: data.status
   VALUE: status = completed action, OpenC2 command, or command reference ID
Provide the status of an action
   ACTION: Response; TYPE: data.status
   VALUE: status = current status, OpenC2 command, or command reference ID
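The binding in 2.4.2 and the STOP binding in 2.3.7.2 together describe a small lifecycle: a reversible action is acknowledged with an ActivityId qname, that qname can later be handed back in a STOP, and a QUERY for ‘ActivityList’ (Table 2-8, row 5) lists what is still in effect. The following added example, which is not code from the document or from any OpenC2 actuator, models that lifecycle in memory. The qname format "sdn:<ACTION>-<n>", the dict shapes of commands and responses, and the class and function names are assumptions for illustration; the STOP `delay` modifier is not modelled.

```python
"""ActivityId handling: RESPONSE messages and undo via STOP.

Added example; not code from the document. It models the part of
section 2.4 that says acknowledgements carry an ActivityId qname which a
later STOP can hand back. Assumed for illustration: the qname format
"sdn:<ACTION>-<n>", the dict shape of commands and responses, and that
state lives in memory (a real actuator would program the controller).
The STOP `delay` modifier is not modelled.
"""
import itertools

# Actions whose effect a STOP can remove (section 2.3.7.2).
REVERSIBLE = {"MOVE", "REDIRECT", "THROTTLE", "SUBSTITUTE", "COPY", "MITIGATE"}


class SdnActuator:
    def __init__(self):
        self._seq = itertools.count(1)
        self.activities = {}  # ActivityId -> the command that created it

    @staticmethod
    def _response(status, command, activity_id=None, detail=None):
        # Shape follows Table 2-33: a status plus the command it refers to.
        resp = {"ACTION": "Response", "TYPE": "data.status",
                "status": status, "command": command}
        if activity_id is not None:
            resp["ActivityId"] = activity_id
        if detail is not None:
            resp["detail"] = detail
        return resp

    def handle(self, command):
        """Process one command and return the RESPONSE the requester gets."""
        action = command.get("action")
        if action in REVERSIBLE:
            activity_id = f"sdn:{action}-{next(self._seq)}"
            self.activities[activity_id] = command
            return self._response("completed", command, activity_id)
        if action == "STOP":
            activity_id = command.get("target_specifier")
            if activity_id not in self.activities:
                return self._response("error", command, activity_id,
                                      detail="unknown ActivityId")
            del self.activities[activity_id]  # undo the earlier action
            return self._response("completed", command, activity_id)
        if action == "QUERY" and command.get("target_specifier") == "ActivityList":
            resp = self._response("completed", command)
            resp["ActivityList"] = sorted(self.activities)  # Table 2-34 ActivityList
            return resp
        return self._response("error", command, detail=f"unsupported action {action!r}")


def demo():
    """Constructed sequence: two actions, list them, undo one, try to undo it again."""
    actuator = SdnActuator()
    mitigate = {"action": "MITIGATE", "target": "cybox:Address",
                "target_specifier": "12.34.56.78", "modifiers": {"threat-type": "dos"}}
    redirect = {"action": "REDIRECT", "target": "sdn:Flow",
                "target_specifier": {"dst_ip": "10.0.0.0/8"},
                "modifiers": {"to-device": {"datapath": "dpid:22-22-22-22-22-22-22-22", "port": 7}}}
    r1 = actuator.handle(mitigate)
    r2 = actuator.handle(redirect)
    listing = actuator.handle({"action": "QUERY", "target": "openc2:Data",
                               "target_specifier": "ActivityList"})
    stop = actuator.handle({"action": "STOP", "target": "ActivityId",
                            "target_specifier": r1["ActivityId"]})
    stop_again = actuator.handle({"action": "STOP", "target": "ActivityId",
                                  "target_specifier": r1["ActivityId"]})
    return actuator, r1, r2, listing, stop, stop_again


if __name__ == "__main__":
    _, r1, r2, listing, stop, stop_again = demo()
    for r in (r1, r2, listing, stop, stop_again):
        print(r["status"], r.get("ActivityId"), r.get("ActivityList"), r.get("detail"))
```

The second STOP fails with an error status rather than silently succeeding, which is what an orchestrator needs in order to notice a lost or duplicated command; the ActivityList query gives it a way to reconcile its view of running activities with the actuator's.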
2.5 Specifier Vocabulary Extensions
This section describes specifier types as used by an SDN actuator.
Table 2-34. OpenC2 Targets Supported by SDN Actuator
cybox:Address
   Description: The Address object is intended to specify a network address or regular expression. The Address type may be used to specify addresses in Layer 2 or Layer 3, possibly including a VLAN or tenant network identifier.
   JSON Example: { "Address_Value" : "10.0.1.0/24", "category": "ipv4-net" }
cybox:SocketAddress
   Description: The SocketAddress object is used when a Layer 4 port number and protocol identifier may (optionally) be provided along with a cybox:Address object.
   JSON Example: { "IP_Address" : {…}, "Port" : {…} }
cybox:Network_Connection
   Description: The Network_Connection object is intended to represent a single network connection. An SDN Actuator may expect a Network_Connection when working with both source and destination SocketAddress elements simultaneously.
   JSON Example: { "Source_Socket_Address" : {…}, "Destination_Socket_Address" : {…} }
sdn:DatapathType
   Description: A unique control-plane identifier for a single SDN datapath. For OpenFlow SDNs, the unique identifier may be an 8-octet datapath identifier qualified by the namespace “dpid”.
   JSON Example: "dpid:00-01-02-03-04-05-06-07"
sdn:DataportIdentifierType
   Description: Identifies a physical or logical port on an SDN-capable datapath. Will typically be an integer or descriptive name (e.g. “1”, “28”, “LOCAL”, “CONTROLLER”, “TABLE”).
   JSON Example: "CONTROLLER"
sdn:DataportType
   Description: One or more dataports on a specific datapath. Consists of a DatapathType element paired with an optional list of DataportIdentifierType. If the DataportIdentifierType list is omitted, it is interpreted as “all” ports on the datapath.
   JSON Example: { "datapath": "dpid:00-01-02-03-04-05-06-07", "port" : 12 }
sdn:Flow
   Description: A cybox:NetworkConnectionObjectType that includes (optional) Layer 2 address and protocol fields. An SDN Actuator may expect an sdn:Flow when operating on combinations of Layer 2, Layer 3, and Layer 4 protocol fields simultaneously.
   JSON Example: { "Layer2_Protocol" : "Ethernet", "Source_Layer2_Address" : {…}, "Destination_Layer2_Address" : {…}, "Source_Socket_Address" : {…}, "Destination_Socket_Address" : {…} }
ActivityId
   Description: Uniquely identifies an activity currently being executed by the actuator. May be an actuator implementation-specific qualified name of the form [namespace]:[identifier].
   JSON Example: "firewall_rule:12"
ActivityList
   Description: A list of ActivityId objects. May be used in cases where several ActivityId objects match a QUERY, for example.
   JSON Example: [ "firewall_rule:12", "firewall_rule:13" ]
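Table 2-34 defines the specifier shapes an SDN actuator receives, and an actuator that parses them loosely will accept a truncated datapath id or a malformed ActivityId and then act on the wrong thing. The following added example, which is not code from the document, parses the table's types from the JSON shapes shown and rejects malformed values. Choices the table leaves open and that are assumed here: datapath octets may be separated by "-" (as in the table) or ":" (as in the section 2.3 examples), exactly 8 octets are required, and the cybox:Address categories handled are ipv4-addr, ipv4-net and mac; the function names and the `rejects` helper are assumptions for the example.

```python
"""Parsers for the specifier types in Table 2-34.

Added example; not code from the document. The functions accept the JSON
shapes the table shows and reject malformed values. Choices the table
leaves open and that are assumed here: datapath octets may be separated
by "-" (as in the table) or ":" (as in the section 2.3 examples); exactly
8 octets are required; the cybox:Address categories handled are
ipv4-addr, ipv4-net and mac.
"""
import ipaddress
import re

NAMED_PORTS = {"LOCAL", "CONTROLLER", "TABLE"}  # names listed for DataportIdentifierType


def parse_datapath(value):
    """'dpid:00-01-02-03-04-05-06-07' -> tuple of 8 octet ints."""
    if not isinstance(value, str) or not value.startswith("dpid:"):
        raise ValueError(f"datapath must be qualified by the dpid namespace: {value!r}")
    octets = re.split(r"[-:]", value[len("dpid:"):])
    if len(octets) != 8 or not all(re.fullmatch(r"[0-9A-Fa-f]{2}", o) for o in octets):
        raise ValueError(f"datapath identifier must be 8 hex octets: {value!r}")
    return tuple(int(o, 16) for o in octets)


def parse_dataport_id(value):
    """A port number, a numeric string, or one of the descriptive names."""
    if isinstance(value, bool):
        raise ValueError("port must be an integer or a name")
    if isinstance(value, int) and value >= 0:
        return value
    if isinstance(value, str):
        if value.isdigit():
            return int(value)
        if value.upper() in NAMED_PORTS:
            return value.upper()
    raise ValueError(f"unrecognised dataport identifier: {value!r}")


def parse_dataport(obj):
    """sdn:DataportType: a datapath plus an optional port or list of ports.

    An omitted port means every port on the datapath ("all").
    """
    datapath = parse_datapath(obj.get("datapath"))
    if "port" not in obj:
        return {"datapath": datapath, "ports": "all"}
    ports = obj["port"] if isinstance(obj["port"], list) else [obj["port"]]
    return {"datapath": datapath, "ports": [parse_dataport_id(p) for p in ports]}


def parse_activity_id(value):
    """'[namespace]:[identifier]' -> (namespace, identifier)."""
    if not isinstance(value, str) or ":" not in value:
        raise ValueError(f"ActivityId must be a qualified name: {value!r}")
    namespace, identifier = value.split(":", 1)  # identifiers may themselves contain ':' or '/'
    if not re.fullmatch(r"[A-Za-z_][\w.-]*", namespace) or not identifier:
        raise ValueError(f"ActivityId must be a qualified name: {value!r}")
    return namespace, identifier


def parse_activity_list(values):
    if not isinstance(values, list):
        raise ValueError("ActivityList must be a list of ActivityId values")
    return [parse_activity_id(v) for v in values]


def parse_address(obj):
    """cybox:Address as {"Address_Value": ..., "category": ...} -> a typed value."""
    value, category = obj.get("Address_Value"), obj.get("category")
    if category == "ipv4-addr":
        return ipaddress.IPv4Address(value)
    if category == "ipv4-net":
        return ipaddress.IPv4Network(value, strict=False)
    if category == "mac":
        if not re.fullmatch(r"([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}", value or ""):
            raise ValueError(f"not a MAC address: {value!r}")
        return value.lower()
    raise ValueError(f"unsupported address category: {category!r}")


def rejects(fn, value):
    """True if fn raises ValueError on value (used to demonstrate the checks)."""
    try:
        fn(value)
    except ValueError:
        return True
    return False
```

Splitting an ActivityId on the first colon only is deliberate: Table 2-24's "acl:10.0.0.0/8" has a namespace of "acl" and an identifier that is a prefix, so the identifier side is kept opaque.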
3 EXAMPLE USE CASES
3.1 Stop Abuse of MAC Address 00:de:ad:be:ef:00
In this scenario, an upper-tier enclave has detected suspicious traffic using source MAC address 00:de:ad:be:ef:00. This traffic may represent lateral movement of a malware package or may be an attempt at beaconing. The upper tier seeks to notify lower tiers of the potential threat. Lower tiers seek to analyze and contain the unwanted traffic until they know how to remediate the source.
Upper tier sense-making is unable to identify a legitimate source for traffic being observed with source MAC address 00:de:ad:be:ef:00. Upper tier wants lower tiers (enclaves) to mitigate this unexplained traffic source:
o MITIGATE(type = cybox:Address, target-specifier = Source MAC: 00:de:ad:be:ef:00, ThreatType = spoof)
Lower tier(s) receive the action and select a workflow. The selected workflow proceeds as follows:
o Block the unwanted traffic:
  DENY(type = cybox:Address, target-specifier = Source MAC: 00:de:ad:be:ef:00, where = vlan_name: ‘primary_network’)
o Look for locations where the packets have recently entered the network:
  LOCATE(type = cybox:Address, target-specifier = Source MAC: 00:de:ad:be:ef:00, report-to = <orchestrator>)
  Orchestrator receives network locations (list of datapaths, network ports) where the source is active.
o Divert subsequent unwanted activity to an analysis network:
  SUBSTITUTE(type=sdn:Flow, target-specifier = Source MAC: 00:de:ad:be:ef:00, vlan_name:’primary_network’, replacement = vlan_name: ‘offline_analysis’)
  Analysis takes place using traffic collections on the offline tenant network or VLAN.
o Information collected from the previous LOCATE action identifies unwanted activity on datapath XXXX dataport 4. Find all devices connected to datapath XXXX that may be the source:
  QUERY(type=openc2:Data, target-specifier = ‘devices’, on-device = dpid: XXXX, report-to = <orchestrator>)
  Orchestrator receives the list of devices that have communicated via datapath XXXX.
o Command Hawkeye-G or another actuator to SCAN and/or REMEDIATE potentially-infected devices connected to dataport 4.
3.2 Prevent unprivileged user from accessing admin network
In this scenario, traffic with an unauthorized IP address has been seen on a privileged (admin) network. The enclave must locate the device being exploited and prevent further intrusion.
Sense-making identifies traffic within the ‘admin’ network segment that appears to have been routed from the ‘user’ network domain. Traffic should not be routable from ‘user’ to ‘admin’. User IP space is 10.0.0.0/8, while admin IP space is 11.0.0.0/8.
Block the unwanted traffic:
o DENY(type = cybox:NetworkConnection, target-specifier = Source IP: 10.0.0.0/8, vlan_name: ‘admin’)
Look for locations where the packets have recently entered the ‘admin’ network:
o LOCATE(type = cybox:Address, target-specifier = Source IP: 10.0.0.0/8, where = vlan_name: ‘admin’, report-to = <orchestrator>)
o Orchestrator receives network locations (list of datapaths, network ports) where the source entered the ‘admin’ segment. Found point of ingress. User system 10.0.0.4 appears to be to blame.
Divert abusive traffic to a honeypot without taking the host system offline:
o REDIRECT(type=cybox:Network_Connection, target-specifier = Source IP: 10.0.0.4, Destination IP = 11.0.0.2, to-device = dpid:01-02-03-04-05-06-07-08,dataport:11)
4 WORKS CITED
[1] Kobayashi, M. (2013). Maturing of OpenFlow and Software-defined Networking. Retrieved March 7, 2016, from Stanford University Department of Computer Science: http://yuba.stanford.edu/~nickm/papers/OF-Deployments-comnet2013.pdf
[2] NEC. (2013, June). NEC Contribution to OpenDaylight: Virtual Tenant Network (VTN). Retrieved March 11, 2016, from https://wiki.opendaylight.org/images/0/0e/NEC_VTN_Model_0606.pdf
[3] OpenC2 Consortium. (2016). Open Command and Control (OpenC2) Language Description Document, v0.6f.
[4]
5 APPENDIX A: OPENC2 SDN XML SCHEMA<?xml version="1.0" encoding="UTF-8"?><schema targetNamespace="http://www.openc2.org/sdn-action"
elementFormDefault="qualified" xmlns="http://www.w3.org/2001/XMLSchema"xmlns:tns="http://www.openc2.org/sdn-action" xmlns:cybox_custom="http://cybox.mitre.org/objects#CustomObject-1"xmlns:cybox_core="http://cybox.mitre.org/cybox-2" xmlns:Q1="http://cybox.mitre.org/objects#AddressObject-2"xmlns:Q2="http://cybox.mitre.org/objects#URIObject-2" xmlns:Q3="http://cybox.mitre.org/objects#NetworkConnectionObject-2"xmlns:Q4="http://cybox.mitre.org/common-2" xmlns:Q5="http://www.openc2.org/sdn-action"xmlns:Q6="http://cybox.mitre.org/objects#SocketAddressObject-1" xmlns:Q7="http://cybox.mitre.org/objects#NetworkConnectionObject-2">
<import schemaLocation="http://cybox.mitre.org/XMLSchema/objects/Socket_Address/1.1/Socket_Address_Object.xsd"namespace="http://cybox.mitre.org/objects#SocketAddressObject-1" />
<import schemaLocation="http://cybox.mitre.org/XMLSchema/common/2.1/cybox_common.xsd"namespace="http://cybox.mitre.org/common-2" />
<import schemaLocation="http://cybox.mitre.org/XMLSchema/objects/Network_Connection/2.1/Network_Connection_Object.xsd"namespace="http://cybox.mitre.org/objects#NetworkConnectionObject-2" />
<import schemaLocation="http://cybox.mitre.org/XMLSchema/objects/URI/2.1/URI_Object.xsd"namespace="http://cybox.mitre.org/objects#URIObject-2" />
<import schemaLocation="http://cybox.mitre.org/XMLSchema/objects/Address/2.1/Address_Object.xsd"namespace="http://cybox.mitre.org/objects#AddressObject-2" />
<import schemaLocation="http://cybox.mitre.org/XMLSchema/objects/Custom/1.1/Custom_Object.xsd"namespace="http://cybox.mitre.org/objects#CustomObject-1" />
<import schemaLocation="http://cybox.mitre.org/XMLSchema/core/2.1/cybox_core.xsd" namespace="http://cybox.mitre.org/cybox-2" />
<element name="SCAN" type="tns:ScanActionType" /><element name="LOCATE" type="tns:LocateActionType" /><element name="QUERY" type="tns:QueryActionType" /><element name="GET" type="tns:GetActionType" /><element name="DENY" type="tns:DenyActionType" /><element name="CONTAIN" type="tns:ContainActionType" /><element name="ALLOW" type="tns:AllowActionType" /><element name="STOP" type="tns:StopActionType" /><element name="SET" type="tns:SetActionType" /><element name="MOVE" type="tns:MoveActionType" /><element name="REDIRECT" type="tns:RedirectActionType" /><element name="THROTTLE" type="tns:ThrottleActionType" /><element name="SUBSTITUTE" type="tns:SubstituteActionType" /><element name="COPY" type="tns:CopyActionType" /><element name="MITIGATE" type="tns:MitigateActionType" />
<complexType name="OpenC2ActionType" abstract="true"><sequence>
<element name="target" type="tns:TargetType" maxOccurs="1"minOccurs="1" />
<element name="actuator" type="tns:SDNActuatorType"maxOccurs="1" minOccurs="0" />
</sequence></complexType>
<complexType name="SDNActuatorType"><sequence>
<element name="specifier" type="Q2:URIObjectType" maxOccurs="unbounded"minOccurs="0" />
45
UNCLASSIFIED
553
UNCLASSIFIED
    </sequence>
    <attribute name="type">
      <simpleType>
        <restriction base="string">
          <enumeration value="network.sdn" />
        </restriction>
      </simpleType>
    </attribute>
  </complexType>
  <complexType name="TargetType">
    <sequence>
      <element name="specifier" type="Q4:ObjectPropertiesType" maxOccurs="unbounded" minOccurs="0" />
    </sequence>
    <attribute name="type" type="string" />
  </complexType>
  <complexType name="ScanActionType">
    <complexContent>
      <extension base="tns:OpenC2ActionType">
        <sequence>
          <element name="method" maxOccurs="1" minOccurs="0">
            <simpleType>
              <restriction base="string">
                <enumeration value="arp" />
                <enumeration value="ping" />
                <enumeration value="tcpsyn" />
                <enumeration value="udpprobe" />
              </restriction>
            </simpleType>
          </element>
          <element name="search" type="Q6:SocketAddressObjectType" maxOccurs="1" minOccurs="1" />
          <element name="on-device" type="tns:DataportType" maxOccurs="1" minOccurs="0" />
          <element name="report-to" type="Q2:URIObjectType" maxOccurs="1" minOccurs="0" />
        </sequence>
      </extension>
    </complexContent>
  </complexType>
  <complexType name="LocateActionType">
    <complexContent>
      <extension base="tns:OpenC2ActionType">
        <sequence>
          <element name="report-to" type="Q2:URIObjectType" maxOccurs="1" minOccurs="1" />
          <element name="on-device" type="tns:DataportType" maxOccurs="1" minOccurs="0" />
        </sequence>
      </extension>
    </complexContent>
  </complexType>
  <complexType name="QueryActionType">
    <complexContent>
      <extension base="tns:OpenC2ActionType">
        <sequence>
          <element name="on-device" type="tns:DatapathType" maxOccurs="1" minOccurs="0" />
          <element name="report-to" type="Q2:URIObjectType" maxOccurs="1" minOccurs="1" />
        </sequence>
      </extension>
    </complexContent>
  </complexType>
  <complexType name="GetActionType">
    <complexContent>
      <extension base="tns:OpenC2ActionType">
        <sequence>
          <element name="report-to" type="Q2:URIObjectType" maxOccurs="1" minOccurs="1" />
        </sequence>
      </extension>
    </complexContent>
  </complexType>
  <complexType name="DenyActionType">
    <complexContent>
      <extension base="tns:OpenC2ActionType">
        <sequence>
          <element name="on-device" type="tns:DataportType" maxOccurs="1" minOccurs="0" />
          <element name="priority" type="unsignedInt" maxOccurs="1" minOccurs="0" />
          <element name="report-to" type="Q2:URIObjectType" maxOccurs="1" minOccurs="0" />
        </sequence>
      </extension>
    </complexContent>
  </complexType>
  <complexType name="ContainActionType">
    <complexContent>
      <extension base="tns:OpenC2ActionType">
        <sequence>
          <element name="where" type="Q1:AddressObjectType" maxOccurs="1" minOccurs="1" />
          <element name="report-to" type="Q2:URIObjectType" maxOccurs="1" minOccurs="0" />
        </sequence>
      </extension>
    </complexContent>
  </complexType>
  <complexType name="AllowActionType">
    <complexContent>
      <extension base="tns:OpenC2ActionType">
        <sequence>
          <element name="report-to" type="Q2:URIObjectType" maxOccurs="1" minOccurs="0" />
          <element name="on-device" type="tns:DataportType" maxOccurs="1" minOccurs="0" />
          <element name="priority" type="unsignedInt" maxOccurs="1" minOccurs="0" />
        </sequence>
      </extension>
    </complexContent>
  </complexType>
  <complexType name="StopActionType">
    <complexContent>
      <extension base="tns:OpenC2ActionType">
        <sequence>
          <element name="report-to" type="Q2:URIObjectType" maxOccurs="1" minOccurs="0" />
          <element name="delay" type="time" maxOccurs="1" minOccurs="0" />
        </sequence>
      </extension>
    </complexContent>
  </complexType>
  <complexType name="SetActionType">
    <complexContent>
      <extension base="tns:OpenC2ActionType">
        <sequence>
          <element name="value" type="Q4:ObjectPropertiesType" />
          <element name="report-to" type="Q2:URIObjectType" maxOccurs="1" minOccurs="0" />
        </sequence>
      </extension>
    </complexContent>
  </complexType>
  <complexType name="MoveActionType">
    <complexContent>
      <extension base="tns:OpenC2ActionType">
        <sequence>
          <element name="move-to" type="Q1:AddressObjectType" maxOccurs="1" minOccurs="1" />
          <element name="report-to" type="Q2:URIObjectType" maxOccurs="1" minOccurs="0" />
        </sequence>
      </extension>
    </complexContent>
  </complexType>
  <complexType name="RedirectActionType">
    <complexContent>
      <extension base="tns:OpenC2ActionType">
        <sequence>
          <element name="to-device" type="tns:DataportType" maxOccurs="1" minOccurs="1" />
          <element name="report-to" type="Q2:URIObjectType" maxOccurs="1" minOccurs="0" />
        </sequence>
      </extension>
    </complexContent>
  </complexType>
  <complexType name="ThrottleActionType">
    <complexContent>
      <extension base="tns:OpenC2ActionType">
        <sequence>
          <element name="max-pps" maxOccurs="1" minOccurs="1">
            <simpleType>
              <restriction base="int">
                <minInclusive value="1" />
              </restriction>
            </simpleType>
          </element>
          <element name="report-to" type="Q2:URIObjectType" maxOccurs="1" minOccurs="0" />
        </sequence>
      </extension>
    </complexContent>
  </complexType>
  <complexType name="SubstituteActionType">
    <complexContent>
      <extension base="tns:OpenC2ActionType">
        <sequence>
          <element name="replacement" maxOccurs="1" minOccurs="1" type="tns:FlowType" />
          <element name="when" maxOccurs="1" minOccurs="0">
            <simpleType>
              <restriction base="string">
                <enumeration value="ingress" />
                <enumeration value="egress" />
              </restriction>
            </simpleType>
          </element>
          <element name="report-to" type="Q2:URIObjectType" maxOccurs="1" minOccurs="0" />
        </sequence>
      </extension>
    </complexContent>
  </complexType>
  <complexType name="CopyActionType">
    <complexContent>
      <extension base="tns:OpenC2ActionType">
        <sequence>
          <element name="to-device" type="tns:DataportType" maxOccurs="1" minOccurs="1" />
          <element name="report-to" type="Q2:URIObjectType" maxOccurs="1" minOccurs="0" />
        </sequence>
      </extension>
    </complexContent>
  </complexType>
  <complexType name="MitigateActionType">
    <complexContent>
      <extension base="tns:OpenC2ActionType">
        <sequence>
          <element name="threat-type" maxOccurs="1" minOccurs="1">
            <simpleType>
              <restriction base="string">
                <enumeration value="passive-capture" />
                <enumeration value="active-scan" />
                <enumeration value="spoof" />
                <enumeration value="mitm" />
                <enumeration value="dos" />
                <enumeration value="all" />
              </restriction>
            </simpleType>
          </element>
          <element name="report-to" type="Q2:URIObjectType" maxOccurs="1" minOccurs="0" />
          <element name="on-device" type="tns:DataportType" maxOccurs="1" minOccurs="0" />
        </sequence>
      </extension>
    </complexContent>
  </complexType>
  <complexType name="DataportType">
    <complexContent>
      <extension base="Q4:ObjectPropertiesType">
        <sequence>
          <element name="datapath" type="tns:DatapathType" maxOccurs="1" minOccurs="1" />
          <element name="port" type="tns:DataportIdentifierType" maxOccurs="1" minOccurs="0" />
        </sequence>
      </extension>
    </complexContent>
  </complexType>
  <simpleType name="DatapathType">
    <restriction base="string">
      <pattern value="dpid:[0-9a-fA-F]{2}-[0-9a-fA-F]{2}-[0-9a-fA-F]{2}-[0-9a-fA-F]{2}-[0-9a-fA-F]{2}-[0-9a-fA-F]{2}-[0-9a-fA-F]{2}-[0-9a-fA-F]{2}|dpid:[0-9a-fA-F]{2}:[0-9a-fA-F]{2}:[0-9a-fA-F]{2}:[0-9a-fA-F]{2}:[0-9a-fA-F]{2}:[0-9a-fA-F]{2}:[0-9a-fA-F]{2}:[0-9a-fA-F]{2}" />
    </restriction>
  </simpleType>
  <simpleType name="DataportIdentifierType">
    <union memberTypes="tns:NamedDataportIdentifierType tns:NumericDataportIdentifierType" />
  </simpleType>
  <simpleType name="NamedDataportIdentifierType">
    <restriction base="string">
      <enumeration value="ALL" />
      <enumeration value="CONTROLLER" />
      <enumeration value="TABLE" />
      <enumeration value="IN_PORT" />
      <enumeration value="ANY" />
      <enumeration value="UNSET" />
      <enumeration value="LOCAL" />
      <enumeration value="NORMAL" />
      <enumeration value="FLOOD" />
      <enumeration value="all" />
      <enumeration value="controller" />
      <enumeration value="table" />
      <enumeration value="in_port" />
      <enumeration value="any" />
      <enumeration value="unset" />
      <enumeration value="local" />
      <enumeration value="normal" />
      <enumeration value="flood" />
    </restriction>
  </simpleType>
  <simpleType name="NumericDataportIdentifierType">
    <restriction base="unsignedInt">
      <minInclusive value="1" />
      <maxInclusive value="4294967040" />
    </restriction>
  </simpleType>
  <complexType name="FlowType">
    <complexContent>
      <extension base="Q3:NetworkConnectionObjectType">
        <sequence>
          <element name="Layer2_Protocol" maxOccurs="1" minOccurs="0">
            <simpleType>
              <restriction base="string">
                <enumeration value="Ethernet" />
              </restriction>
            </simpleType>
          </element>
          <element name="Source_Layer2_Address" type="Q1:AddressObjectType" maxOccurs="1" minOccurs="0" />
          <element name="Destination_Layer2_Address" type="Q1:AddressObjectType" maxOccurs="1" minOccurs="0" />
        </sequence>
      </extension>
    </complexContent>
  </complexType>
</schema>
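As an added illustration (not part of the specification or any reference implementation), the following Python checks the SDN-specific constraints the schema above places on an incoming action before a controller would act on it: the DatapathType pattern, the DataportIdentifierType union (named port or 1..4294967040) and the THROTTLE max-pps lower bound. The namespace URI and the sample commands are constructed placeholders, and element names are matched by local name so prefixed and unprefixed input both work.

```python
import re
import xml.etree.ElementTree as ET
# Mirrors the DatapathType restriction: "dpid:" plus eight hex bytes joined
# uniformly by '-' or by ':' (the schema pattern does not allow a mix).
HEX2 = r"[0-9a-fA-F]{2}"
DATAPATH_RE = re.compile(rf"dpid:{HEX2}(?:-{HEX2}){{7}}|dpid:{HEX2}(?::{HEX2}){{7}}")
# NamedDataportIdentifierType lists each name in upper and in lower case.
NAMED_PORTS = {"ALL", "CONTROLLER", "TABLE", "IN_PORT", "ANY", "UNSET",
               "LOCAL", "NORMAL", "FLOOD"}
PORT_MAX = 4294967040  # maxInclusive of NumericDataportIdentifierType
DEVICE_ELEMENTS = {"on-device", "to-device"}  # both are tns:DataportType

def local(tag):
    """Element name without its namespace, so prefixed and unprefixed input both work."""
    return tag.rsplit("}", 1)[-1]

def valid_datapath(value):
    return DATAPATH_RE.fullmatch(value) is not None

def valid_port(value):
    """DataportIdentifierType union: a named port or an integer in 1..PORT_MAX."""
    if value in NAMED_PORTS or value in {n.lower() for n in NAMED_PORTS}:
        return True
    return value.isdigit() and 1 <= int(value) <= PORT_MAX

def validate_action(xml_text):
    """Return the constraint violations found in one OpenC2 SDN action ([] if clean)."""
    root = ET.fromstring(xml_text)
    problems = []
    for dev in (e for e in root.iter() if local(e.tag) in DEVICE_ELEMENTS):
        fields = {local(c.tag): (c.text or "").strip() for c in dev}
        if "datapath" not in fields:  # datapath has minOccurs="1"
            problems.append(f"{local(dev.tag)}: datapath is required")
        elif not valid_datapath(fields["datapath"]):
            problems.append(f"{local(dev.tag)}: bad datapath {fields['datapath']!r}")
        if "port" in fields and not valid_port(fields["port"]):
            problems.append(f"{local(dev.tag)}: bad port {fields['port']!r}")
    if local(root.tag) == "THROTTLE":  # max-pps is an int with minInclusive 1
        pps = next((c for c in root if local(c.tag) == "max-pps"), None)
        text = (pps.text or "").strip() if pps is not None else ""
        if not (text.isdigit() and int(text) >= 1):
            problems.append(f"THROTTLE: max-pps must be an integer >= 1, got {text!r}")
    return problems

# Constructed sample commands; the xmlns value is a placeholder, not the spec's namespace.
GOOD_DENY = """<DENY xmlns="urn:example:openc2-sdn-placeholder"><target type="cybox:Address" />
  <actuator type="network.sdn" /><on-device><datapath>dpid:00:00:00:00:00:00:00:01</datapath>
  <port>FLOOD</port></on-device><priority>100</priority></DENY>"""
BAD_DENY = GOOD_DENY.replace("00:00:00:00:00:00:00:01", "00-00-00-00:00:00:00:01").replace("FLOOD", "0")
BAD_THROTTLE = '<THROTTLE><target type="cybox:Address" /><max-pps>0</max-pps></THROTTLE>'
```

`validate_action(GOOD_DENY)` returns an empty list, while the mixed-separator datapath and port 0 in `BAD_DENY` and the zero max-pps in `BAD_THROTTLE` are each reported.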
Recommended