Silvio Tanzarella
Developing the Context Discovery Actuator Profile for OpenC2 language.
Supervisor: Fulvio Valenza. Politecnico di Torino, Master's degree course in Computer Engineering (Ingegneria Informatica), 2024
License: Creative Commons Attribution Non-commercial No Derivatives.
Abstract:
The OpenC2 language standard provides a unified syntax and structure for sending instructions to security tools from different vendors that otherwise cannot talk to each other in a common language. In this way, OpenC2 reduces the dependency on custom integrations and allows organizations to build flexible, scalable, and vendor-agnostic security frameworks. The openc2lib library implements the language described in the OpenC2 normative specifications and can be extended with new encoders and transfer protocols. The library is therefore suitable for creating custom OpenC2 stacks with minimal effort, allowing the Producer to efficiently send commands to a Consumer and receive responses. The library can also be extended with new Actuator Profiles, which define the semantic constraints and language extensions for specific cyber-defence functions. The main contribution of this work is the development of a new Actuator Profile for the OpenC2 language, called Context Discovery (CTXD). If the Consumers implement the CTXD Actuator Profile, the Producer can identify security functions and interactions among different services within a network. To achieve this, the architecture of the CTXD was defined, and a data model was introduced to represent the information gathered by this profile. New data types, absent from the original OpenC2 specifications, were created and implemented within the library to support the profile's functions. Additionally, conformance clauses were added to regulate the profile's behaviour and to standardize its usage. A use case was then implemented in which a Producer asks each Consumer for the security functions it provides and its connections to other Consumers. This approach generated a complete map of the network, providing the Producer with full visibility into the entire system.
The key achievement is that the Producer only needs to know how to connect to the first Consumer and, starting from the data collected, can obtain the information needed to connect to the other Consumers linked with the first one. The discovery process results in a directed graph where nodes represent services and edges indicate the connections between them. In the final part of the thesis, tests were conducted to verify the correct behaviour of the new Actuator Profile. The ability of the CTXD to detect changes when failures happen in the system was also evaluated. Semantic tests were implemented to ensure the correctness of the newly introduced data types.
Supervisors: Fulvio Valenza
Academic year: 2024/25
Publication type: Electronic
Number of pages: 82
Degree course: Master's degree course in Computer Engineering (Ingegneria Informatica)
Degree class: New system > Master's degree > LM-32 - Computer Engineering
Collaborating companies: Not specified
URI: http://webthesis.biblio.polito.it/id/eprint/33926