Related Efforts

From enterprise
Jump to: navigation, search

CAPEC

Common Attack Pattern Enumeration and Classification (CAPEC™) is an effort to provide a publicly available catalog of common attack patterns classified in an intuitive manner, along with a comprehensive schema for describing related attacks and sharing information about those attacks. Understanding adversary behavior is increasingly important in cybersecurity. Two approaches exist for organizing knowledge about adversary behavior – CAPEC and ATT&CK, each focused on a specific set of use-cases. Please visit the CAPEC and ATT&CK Comparison page that explains the similarities, differences, and relationship between CAPEC and ATT&CK and the role of each in cybersecurity.

The ATT&CK and CAPEC efforts are collaborating to map related details between ATT&CK techniques and CAPEC attack patterns. CAPEC has incorporated an initial mapping of ATT&CK techniques in version 2.8[1] and related ATT&CK techniques have CAPEC ID references.

STIX

Structured Threat Information eXpression (STIX™) is a collaborative community-driven effort to define and develop a standardized language to represent cyber threat information. It does this in a structured fashion to support more effective cyber threat management processes and applications of automation.

STIX provides a common mechanism for addressing structured cyber threat information across and among a wide range of use cases improving consistency, efficiency, interoperability, and overall situational awareness. In addition, STIX provides a unifying architecture for tying together a diverse set of cyber threat information including:

  • Cyber Observables (e.g., a Registry key is created, network traffic occurs to specific IP addresses, email from a specific address is observed, etc.)
  • Indicators
  • Incidents
  • Adversary Tactics, Techniques, and Procedures (TTPs)(including attack patterns, malware, exploits, kill chains, tools, infrastructure, targeting, etc.)
  • Exploit Targets (e.g., vulnerabilities and weaknesses)
  • Courses of Action (e.g., incident response or vulnerability/weakness remedies)
  • Cyber Attack Campaigns
  • Cyber Threat Actors

ATT&CK Tactics and Techniques represent adversary TTPs at varying levels of abstraction. The STIX language TTP construct is designed to capture exactly this sort of information in a structured fashion that lets it be related to and integrated with a wide range of other relevant cyber threat information.

ATT&CK expressed in STIX 2.0 can be found on the MITRE Cyber Threat Intelligence GitHub repository: https://github.com/mitre/cti

MAEC

Malware Attribute Enumeration and Characterization (MAEC™) is a collaborative community-driven effort to define and develop a standardized language for sharing structured information about malware based upon attributes such as behaviors, artifacts, and attack patterns. The characterization of malware using abstract patterns offers a wide range of benefits over the usage of physical signatures. It allows for the accurate encoding of how malware operates and the specific actions that it performs. Such information can not only be used for malware detection but also for assessing the end-goal the malware is pursuing and the corresponding threat that it represents. Focusing on the attributes and behaviors of malware facilitates detection and analysis of emerging, sophisticated malware threats that circumvent the traditional signature-based and heuristic approaches. Characterizing malware in a standard way supports collaboration across organizations and the identification of common behavior, functionality, and code bases across instances of malware.

There exists alignment and overlap between some of the post-access techniques covered by ATT&CK and the capability and behavior abstractions that are part of MAEC’s standardized characterization of malware behavior. While ATT&CK takes a general approach, remaining agnostic to specific tools adversaries may use, there is still value in relating back to standardized methods of describing certain attributes of malware wherever applicable.

External Links

References