Understanding how the adversary operates is essential to effective cyber security.
Common Attack Pattern Enumeration and Classification (CAPEC) helps by providing a comprehensive dictionary of known patterns of attack employed by adversaries to exploit known weaknesses in cyber-enabled capabilities.
It can be used by analysts, developers, testers, and educators to advance community understanding and enhance defenses.
The Common Attack Pattern Enumeration and Classification (CAPEC) is a comprehensive dictionary and classification taxonomy of known attacks that can be used by analysts, developers, testers, and educators to advance community understanding and enhance defenses.
"This attack exploits target software that constructs SQL statements based on user input. An attacker crafts input strings so that when the target software constructs SQL statements based on the input, the resulting SQL statement performs actions other than those the application intended..."
"An adversary attacks a target by providing input that causes an application to read beyond the boundary of a defined buffer. This typically occurs when a value influencing where to start or stop reading is set to reflect positions outside of the valid memory location of the buffer. This type of attack may result in exposure of sensitive information, a system crash, or arbitrary code execution."
Many security analysts report attack types using the consequence of the incident, the attack pattern, the name of the device being targeted or a name that was derived at the time and may be used again in the future. Given this inconsistency, a standardization for describing attack type patterns might help analysts report cybersecurity threats more accurately and consistently.
An existing standard that has recently been revised sets forth a common set of names for cyberattack patterns.
The Common Attack Pattern Enumeration and Classification (CAPEC) is maintained by the MITRE Corporation, a not-for-profit organization that operates research and development centers sponsored by the federal government.
CAPEC is a comprehensive dictionary and classification taxonomy of known attacks that can be used by analysts, developers, testers and educators to advance community understanding and enhance defenses.
The objective of the CAPEC effort is to create a publicly available catalog of common attack patterns classified in an intuitive manner, along with a comprehensive schema for describing related attacks and sharing information about them.
CAPEC uses graph views, which are basically hierarchical representations of attack patterns.
The top of the hierarchy is a set of categories (see Figure 1), under which there are meta-level patterns. These meta-level patterns are parents to standard patterns, which may then be parents to detailed patterns.
CAPEC version 2.9 currently provides two views on the CAPEC site: Mechanisms of Attack and Domains of Attack.
In the Mechanisms of Attack view, nine categories are shown at the top level, with a total of 503 attack patterns within the entire hierarchy.
Figure 1: Mechanisms of Attack Categories (Source: CAPEC)
Shown in Figure 2 is a partial listing of a few expanded branches of the Mechanism of Attack view hierarchy.
Note how the hierarchy follows this format: View -> Category -> Meta -> Standard -> Detailed.
Figure 2: CAPEC hierarchy example (Source: CAPEC)
Below are some examples of names analysts commonly use when reporting attack types that are not attack patterns:
Point-of-sale (POS) — targeted device type;
Internet of Things (IoT) — targeted device type;
Backdoor — Consequence or indicator, depending on how it’s detected;
Malicious documents (attachments) and links — attack vector;
Shellshock — specific malware or campaign;
Web — assuming anything using HTTP for an attack;
Remote code execution — consequence; and
Wi-Fi — attack vector.
Many in the security community, including the IBM X-Force team, have lumped some of these examples together in the past under the category of “attack type or pattern.” However, as shown above, these examples are not representative of an attack pattern. Some are consequences, such as DoS, while others describe the type of device that’s being targeted, such as an IoT device.
When looking up IDs on the CAPEC website, you will notice there’s a presentation filter option on the left side. It defaults to “Basic” and has an option labeled “Complete.” What is shown from either view is based on the data available and applies to the given entry. The headings noted below are from CAPEC-17.
Basic will show you:
Solutions and Mitigations, and
Related Attack Patterns.
Complete will show you everything that Basic has, plus:
Typical Likelihood of Exploit, Methods of Attack,
Attack Skills or Knowledge Required,
Solutions and Migrations,
Payload Activation Impact,
Related Attack Patterns,
References and Content History.