Common Attack Pattern Enumeration and Classification (CAPEC™) is an effort to provide a publicly available catalog of common attack patterns classified in an intuitive manner, along with a comprehensive schema for describing related attacks and sharing information about those attacks. An attack pattern is an abstraction mechanism for helping describe how an attack against vulnerable cyber-enabled capabilities is executed. Derived from the concept of design patterns applied in a destructive rather than constructive context, each pattern defines a challenge that an adversary may face, provides a description of the common technique(s) used to meet the challenge, and presents recommended methods for mitigating an actual attack. Attack patterns provide meaningful categorization to cyber attacks as a way of informing designers, developers and operators how their cyber-enabled capabilities may be attacked and how to effectively defend against those attacks.
The techniques identified in ATT&CK entries represent attack patterns for adversary behaviors that are post-compromise (post exploit and adversary access). As such, there is a clear synergy between ATT&CK with its specialized post-compromise focus and CAPEC with its broad focus. The ATT&CK and CAPEC efforts are collaborating to capture the details of ATT&CK entries into CAPEC Registry attack patterns in order to codify ATT&CK content in a normalized fashion and to fill current CAPEC gaps in post-compromise behaviors. CAPEC has incorporated an initial mapping of ATT&CK techniques in version 2.8 and related ATT&CK techniques have CAPEC ID references.
Structured Threat Information eXpression (STIX™) is a collaborative community-driven effort to define and develop a standardized language to represent cyber threat information. It does this in a structured fashion to support more effective cyber threat management processes and applications of automation.
STIX provides a common mechanism for addressing structured cyber threat information across and among a wide range of use cases, improving consistency, efficiency, interoperability, and overall situational awareness. In addition, STIX provides a unifying architecture for tying together a diverse set of cyber threat information, including:
- Cyber Observables (e.g., a Registry key is created, network traffic occurs to specific IP addresses, email from a specific address is observed, etc.)
- Adversary Tactics, Techniques, and Procedures (TTPs) (including attack patterns, malware, exploits, kill chains, tools, infrastructure, targeting, etc.)
- Exploit Targets (e.g., vulnerabilities and weaknesses)
- Courses of Action (e.g., incident response or vulnerability/weakness remedies)
- Cyber Attack Campaigns
- Cyber Threat Actors
ATT&CK Tactics and Techniques represent adversary TTPs at varying levels of abstraction. The STIX language TTP construct is designed to capture exactly this sort of information in a structured fashion that lets it be related to and integrated with a wide range of other relevant cyber threat information. As such, ATT&CK is currently in the process of being translated into STIX format for easier use within the increasing number of products and technologies that utilize STIX.
Malware Attribute Enumeration and Characterization (MAEC™) is a collaborative community-driven effort to define and develop a standardized language for sharing structured information about malware based upon attributes such as behaviors, artifacts, and attack patterns. The characterization of malware using abstract patterns offers a wide range of benefits over the usage of physical signatures. It allows for the accurate encoding of how malware operates and the specific actions that it performs. Such information can not only be used for malware detection but also for assessing the end-goal the malware is pursuing and the corresponding threat that it represents. Focusing on the attributes and behaviors of malware facilitates detection and analysis of emerging, sophisticated malware threats that circumvent the traditional signature-based and heuristic approaches. Characterizing malware in a standard way supports collaboration across organizations and the identification of common behavior, functionality, and code bases across instances of malware.
There exists alignment and overlap between some of the post-access techniques covered by ATT&CK and the capability and behavior abstractions that are part of MAEC’s standardized characterization of malware behavior. While ATT&CK takes a general approach, remaining agnostic to specific tools adversaries may use, there is still value in relating back to standardized methods of describing certain attributes of malware wherever applicable.