Common Attack Pattern Enumeration and Classification
A Community Resource for Identifying and Understanding Attacks
This page defines specific terms used throughout CAPEC. A shared understanding of these terms is important during discussions of attack patterns and their related weaknesses.
The terms are presented in an order such that each term builds on the ones before it:
A cyber-enabled capability is any software-enabled technology, whether traditional information technology (IT), communications systems, industrial control systems, avionics, vehicle control systems, Internet of Things (IoT), or something that comes into existence next week. It also includes interaction mechanisms such as Bluetooth, GPS, IR, Near Field Communication, and USB, since each of these is a path by which an attacker can influence the capability.
When considering attacks on cyber-enabled capabilities, we must address all aspects of those capabilities and how they are defined, designed, contracted for, produced, tested, acquired, delivered, maintained, serviced, and retired or disposed of. In addition, how they are used and interacted with, such as through physical buttons, switches, menu items, input fields, and keyboard/mouse input, must also be considered.
A weakness type is a specific type of mistake or condition that, if left unaddressed, could under the proper conditions contribute to a cyber-enabled capability being vulnerable to attack, allowing an adversary to make items function in unintended ways. The term applies throughout the development life cycle and covers mistakes made during design, coding, deployment, or other phases. Common Weakness Enumeration (CWE™) provides a formal list of known software-related weakness types.
A weakness is an actual instantiation of a given weakness type. A weakness exists in an application when there is a mistake in the architecture, design, coding, or deployment.
A negative technical impact is the specific effect of successfully violating a reasonable security policy for the cyber-enabled capability. Denial of service, execution of unauthorized code, and bypassing protection mechanisms are examples of negative technical impacts.
An exploit (noun) is an input or action designed to take advantage of a weakness (or multiple weaknesses) and achieve a negative technical impact. The existence (even if only theoretical) of an exploit is what makes a weakness a vulnerability.
A vulnerability is a weakness that can be directly used by an adversary (via an exploit) to get a cyber-enabled capability to function in an unintended manner. Typically this is the violation of a reasonable security policy for the cyber-enabled capability resulting in a negative technical impact. Although all vulnerabilities involve a weakness, not all weaknesses are vulnerabilities. Common Vulnerabilities and Exposures (CVE®) is a dictionary of common names for publicly known software-related vulnerabilities.
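The chain of terms above (weakness type, weakness, exploit, negative technical impact, vulnerability) can be made concrete with one small piece of code. The following is an added example, not part of the CAPEC glossary: a login check that is an instance of the weakness type CWE-89 (SQL injection), the input that exploits it, the resulting bypass of the password check, and the same function with the weakness removed. The user table, user name, and password are constructed sample data.

```python
import sqlite3


def _make_db():
    """Constructed sample data: an in-memory table standing in for the
    application's real user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn


def login_weak(conn, name, password):
    """A weakness: an instance of weakness type CWE-89.

    User input is concatenated into the SQL text, so the input can change the
    structure of the query rather than only its data. On its own this is only a
    weakness; it is a vulnerability because an exploit exists (EXPLOIT_INPUT
    below) that turns it into a negative technical impact.
    """
    query = (
        "SELECT COUNT(*) FROM users WHERE name = '" + name
        + "' AND password = '" + password + "'"
    )
    (count,) = conn.execute(query).fetchone()
    return count > 0


def login_fixed(conn, name, password):
    """The same check with the weakness removed: the query structure is fixed
    and both inputs are bound as parameters, so they are only ever data."""
    (count,) = conn.execute(
        "SELECT COUNT(*) FROM users WHERE name = ? AND password = ?",
        (name, password),
    ).fetchone()
    return count > 0


# Exploit (noun): an input designed to take advantage of the weakness. The
# closing quote ends the name literal and "--" comments out the password
# comparison, so the query no longer checks the password at all.
EXPLOIT_INPUT = "alice' --"


def demonstrate():
    """Run both versions against the exploit and against a legitimate login.
    Every value in the returned dict should be True."""
    conn = _make_db()
    return {
        # Negative technical impact: a protection mechanism (the password
        # check) is bypassed and the adversary is authenticated as alice.
        "weak_authenticates_without_password": login_weak(conn, EXPLOIT_INPUT, "wrong"),
        "weak_accepts_valid_login": login_weak(conn, "alice", "correct horse"),
        # With the weakness gone there is nothing for the exploit to use.
        "fixed_rejects_exploit": not login_fixed(conn, EXPLOIT_INPUT, "wrong"),
        "fixed_accepts_valid_login": login_fixed(conn, "alice", "correct horse"),
    }


if __name__ == "__main__":
    for check, ok in demonstrate().items():
        print(f"{check}: {ok}")
```

Note the distinction the glossary draws: `login_weak` contains a weakness whether or not anyone attacks it; it is a vulnerability because `EXPLOIT_INPUT` exists, and the bypassed password check is the negative technical impact. The fixed version removes the weakness rather than trying to block particular exploit strings.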
An attack (noun) is the use of one or more exploits by an adversary to take advantage of one or more weaknesses with the intent of achieving a negative technical impact. An attack includes the entire "Cyber Attack Lifecycle": reconnaissance, weaponize, deliver, exploit, control, execute, and maintain.
An attack pattern is an abstraction mechanism for describing how an attack against vulnerable cyber-enabled capabilities is executed. Each pattern defines a challenge that an adversary may face, describes the common technique(s) used to meet the challenge, and presents recommended methods for mitigating an actual attack. Attack patterns categorize attacks in a meaningful way, giving designers and developers a coherent way to learn how their cyber-enabled capabilities may be attacked and how to defend them effectively. Common Attack Pattern Enumeration and Classification (CAPEC™) provides a formal list of known attack patterns.
A threat (noun) is a potentially successful attack involving an adversary utilizing specific techniques and resources to take advantage of weaknesses within a targeted cyber-enabled capability or organization in an effort to achieve a negative technical impact.
A view in CAPEC represents a perspective with which one might look at the collection of attack patterns defined within CAPEC. There are three different types of views: graphs, explicit slices, and implicit slices.
A graph in CAPEC is a hierarchical representation of attack patterns based on a specific vantage point that a user may take. The hierarchy often starts with a category, followed by a meta attack pattern/standard attack pattern, and ends with a detailed attack pattern.
An explicit slice in CAPEC is a subset of attack patterns that are related through some external factor. For example, an explicit slice may represent mappings to an external grouping such as a Top-N list.
An implicit slice in CAPEC is a subset of attack patterns that are related through a specific attribute. For example, a slice may refer to all attack patterns in draft status, or all existing meta attack patterns.
A category in CAPEC is a collection of attack patterns based on some common characteristic. More specifically, it is an aggregation of attack patterns based on effect/intent (an aggregation based on actions or mechanisms would instead be a meta attack pattern). An aggregation based on effect/intent is not an actionable attack and as such is not a pattern of attack behavior. Rather, it is a grouping of patterns based on some common criteria.
A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of a related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.
A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.
A detailed level attack pattern in CAPEC provides low-level detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.
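The three kinds of view (graph, explicit slice, implicit slice) and the category / meta / standard / detailed hierarchy are easiest to see as operations over the catalog data. The following is an added example, not CAPEC's own tooling: a hand-built subset of entries modelled on the Mechanisms of Attack view, a graph traversal from a category down to detailed patterns, an implicit slice selected by an attribute of the entries, and an explicit slice driven by a hypothetical external Top-N list. The IDs and names are taken from the public CAPEC catalog as the editor recalls them, and the parent links are a simplification of the catalog's ChildOf/MemberOf relationships; check both against the live data before relying on them. `HYPOTHETICAL_TOP_N` is an assumed external list, not a real CAPEC view.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Entry:
    id: int
    name: str
    kind: str                       # "Category", "Meta", "Standard" or "Detailed"
    child_of: Optional[int] = None  # simplified single parent (ChildOf / MemberOf)


# Constructed sample subset modelled on the Mechanisms of Attack view.
# IDs/names follow the public catalog as recalled by the editor; verify them.
CATALOG: Dict[int, Entry] = {e.id: e for e in [
    Entry(152, "Inject Unexpected Items", "Category"),
    Entry(248, "Command Injection", "Meta", child_of=152),
    Entry(66, "SQL Injection", "Standard", child_of=248),
    Entry(7, "Blind SQL Injection", "Detailed", child_of=66),
    Entry(242, "Code Injection", "Meta", child_of=152),
    Entry(63, "Cross-Site Scripting (XSS)", "Standard", child_of=242),
    Entry(86, "XSS Through HTTP Headers", "Detailed", child_of=63),
]}


def graph_view(catalog: Dict[int, Entry], root_id: int) -> List[Tuple[int, int]]:
    """Graph: a hierarchical walk from a category through meta and standard
    patterns down to detailed ones. Returns (depth, id) pairs in depth-first
    order, children visited in ascending ID order."""
    def walk(parent: int, depth: int):
        for e in sorted(catalog.values(), key=lambda e: e.id):
            if e.child_of == parent:
                yield (depth, e.id)
                yield from walk(e.id, depth + 1)
    return [(0, root_id)] + list(walk(root_id, 1))


def implicit_slice(catalog: Dict[int, Entry], **attrs) -> List[int]:
    """Implicit slice: membership is defined by attributes of the entries
    themselves, e.g. kind="Meta" selects all meta attack patterns."""
    return sorted(e.id for e in catalog.values()
                  if all(getattr(e, k) == v for k, v in attrs.items()))


def explicit_slice(catalog: Dict[int, Entry], external: Dict[str, int]) -> List[int]:
    """Explicit slice: membership comes from an external grouping (a Top-N
    list mapped onto CAPEC IDs), not from anything inside the entries."""
    return sorted(i for i in external.values() if i in catalog)


def lineage(catalog: Dict[int, Entry], entry_id: int) -> List[str]:
    """Abstraction levels from the root category down to the given entry,
    showing how a detailed pattern specializes a standard one, which in turn
    specializes a meta pattern grouped under a category."""
    chain = []
    current: Optional[int] = entry_id
    while current is not None:
        e = catalog[current]
        chain.append(e.kind)
        current = e.child_of
    return list(reversed(chain))


# Assumed external list (hypothetical, not a CAPEC view) keyed by its own names.
HYPOTHETICAL_TOP_N = {"Injection": 66, "Cross-Site Scripting": 63}


if __name__ == "__main__":
    for depth, cid in graph_view(CATALOG, 152):
        e = CATALOG[cid]
        print("  " * depth + f"CAPEC-{cid} [{e.kind}] {e.name}")
    print("meta patterns:", implicit_slice(CATALOG, kind="Meta"))
    print("top-N slice:", explicit_slice(CATALOG, HYPOTHETICAL_TOP_N))
    print("lineage of CAPEC-7:", lineage(CATALOG, 7))
```

The three functions differ only in where the selection criterion lives: inside the hierarchy (`graph_view`), inside each entry's attributes (`implicit_slice`), or outside the catalog entirely (`explicit_slice`). `lineage` makes the category-to-detailed chain explicit; a category at the top is a grouping, and only the entries below it describe actionable attack behavior.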