Motivated by the introduction of CACAO, the first open standard that harmonizes the way we document course-of-action playbooks in a machine-readable format for interoperability, and by the benefits for cybersecurity operations derived from utilizing, coupling, and sharing security playbooks as part of cyber threat intelligence, we introduce a uniform metadata template that supports the management and integration of security playbooks into knowledge representation and knowledge management systems. To demonstrate the applicability of our approach, we provide two use-case implementations in which our uniform, non-proprietary metadata template is used to introduce security playbooks like CACAO into the MISP threat intelligence platform and the Threat Actor Context ontology.