


The objective of the Common Attack Pattern Enumeration and Classification (CAPEC™) effort is to provide a publicly available catalog of common attack patterns classified in an intuitive manner, along with a comprehensive schema for describing related attacks and sharing information about them.


Building cyber-enabled capabilities with an adequate level of security assurance becomes more and more challenging every day as the size, complexity, and tempo of missions increase and the number and skill level of adversaries continue to grow. These factors exacerbate the challenge of building secure cyber-enabled capabilities, as engineers must ensure that they are protected against every potential vulnerability. Yet, to attack a cyber-enabled capability, adversaries often have to find and exploit only a single exposed vulnerability. To identify and mitigate relevant vulnerabilities, the community needs more than just good engineering and analytical practices, a solid grasp of security features, and a powerful set of tools. All of these things are necessary but not sufficient.

To be effective, the community needs to think outside of the box and to have a firm grasp of the adversary's perspective and the approaches used to exploit cyber-enabled capabilities. An appropriate defense can only be established once you know how it will be attacked.


"Attack Patterns" are descriptions of the common elements and techniques used in attacks against vulnerable cyber-enabled capabilities. Attack patterns define the challenges that an adversary may face and how they go about solving them. They derive from the concept of design patterns applied in a destructive rather than constructive context and are generated from in-depth analysis of specific real-world exploit examples.

Each attack pattern captures knowledge about how specific parts of an attack are designed and executed, providing the adversary's perspective on the problem and the solution, and gives guidance on ways to mitigate the attack's effectiveness. Attack patterns help those trying to defend against attacks better understand the specific elements of an attack and how to stop them from succeeding.

The attack patterns within CAPEC focus on common individually contained challenges and the solutions to those challenges. They define general elements of an attack that are seen over and over in the attacks on today's cyber-enabled capabilities.

Some Well-Known Attack Patterns:

CAPEC was established by the U.S. Department of Homeland Security as part of the Software Assurance (SwA) strategic initiative of the Office of Cybersecurity and Communications (CS&C). Initially released in 2007, the CAPEC List continues to evolve with public participation and contributions to form a standard mechanism for identifying, collecting, refining, and sharing attack patterns among the cybersecurity community.


For an experienced security engineer, the value of an attack pattern is not that it presents a new idea, but that it helps communicate a common idea to others. If you and a colleague both know what clickjacking is, then you can communicate a lot by saying: "This attack leverages clickjacking."

This information, when captured in such a formalized way, can bring considerable value to security considerations for cyber-enabled capabilities through all phases of the development lifecycle and other security-related activities, including:

  • Requirements Gathering – Identification of relevant security requirements, misuse and abuse cases.
  • Architecture and Design – Provide context for architectural risk analysis and guidance for security architecture.
  • Implementation and Development – Prioritize and guide review activities.
  • Testing and Quality Assurance – Provide context for appropriate risk-based and penetration testing.
  • System Operation – Leverage lessons learned from security incidents into preventative guidance.
  • Policy and Standard Generation – Guide the identification of appropriate prescriptive organizational policies and standards.

Of course, attack patterns are not the only useful tool for building secure cyber-enabled capabilities. Many other tools, such as misuse/abuse cases, security requirements, threat models, knowledge of common weaknesses and vulnerabilities, and attack trees, can help. Attack patterns play a unique role amid this larger architecture of security knowledge and techniques.


The Use & Citations of CAPEC page lists numerous documents and resources that currently use or cite CAPEC in the areas of academia, government, industry, policy, reference, and standards.

Members of the information security community including developers, testers, educators, and others are invited to participate in this growing community effort by joining our CAPEC Community Email Discussion List.

Feedback Requested

To discuss the CAPEC effort in general or the impacts and opportunities noted above, please send a message to the CAPEC Community Discussion List, or email us directly at capec@mitre.org.

Page Last Updated or Reviewed: August 01, 2017