Common Attack Pattern Enumeration and Classification

Differences between Schema 1.0 and 2.0

Listing every individual small change to the schema would take far too long so the following outlines the major changes to the schema that are included in this version.

• Universal changes across the all areas of the CAPEC schema.
• String fields that were meant to capture complex textual data have been converted from simple strings to a new Structured_Text_Type that will enable structured text data including titles, paragraphing, code snippets, and image references.
• All elements that can have multiple entries are now encapsulated in plural container elements for consistency.
• The schema root element has been changed from Common_Attack_Pattern_Enumeration to a more encompassing Attack_Pattern_Catalog with attributes to capture Name, Version and Date. This will help us to better manage the ongoing growth and maturation of CAPEC.
• Two completely new concepts were added to the schema to support enhanced description of the attack patterns targeted at additional use cases for the CAPEC content: Attack_Surfaces and Observables.
• Attack_Surfaces – The Target_Attack_Surface element was added as an introductory attempt to capture and communicate the nature of the target attack surface that a given attack pattern focuses on. This can enable better granularity within patterns by allowing different pattern sub-elements to reference the areas of the attack surface that are relevant to them. It can also enable better modularity and reuse of attack patterns during architectural risk analysis. It is very well understood that this first cut at an attack surface structure is limited and in need of expansion/enhancement. It is expected that this structure will gain more breadth and refinement over time. This first cut is aimed primarily at supporting the addition of network attack patterns to the CAPEC content.

• Observables – The Observable element was added as a first step toward integrating CAPEC's top-down view of patterns of attack with the bottom-up view of the security operations and incident response community. The objective is to enable tagging of certain CAPEC sub-elements (e.g., Attack_Step, Attack_Step_Technique, Outcome, Security_Control) with objective data signatures that would be observable through various operational sensors when that event occurs or that property is present. The integration of these two domains along their common axis of focus ("Attack") has great potential to benefit both communities.

• Several new high-level object types were added to the CAPEC catalog in addition to Attack_Patterns.
• Views – The View object has been created to allow the capture and presentation of multiple different perspectives on the CAPEC content and its inter-relationships. These View objects are very similar to those in the Common Weakness Enumeration (CWE™).
• Categories – The Category object has been created to act as a collection of attack patterns sharing a common attribute, such as CAPEC-172 Time and State Attacks or CAPEC-212 Functionality Misuse. These Category objects are very similar to those in CWE.
• Compound Elements – The Compound_Element object has been created to capture and reference patterns of attack that are known by a given name in the industry but, in actuality, consist of a combination of multiple attack patterns executed in a sequential or non-sequential manner. Sequentially executed attack patterns are captured as Chains while non-sequentially executed patterns are captured as Composites. The Compound_Element object and it Chains and Composites flavors are very similar to the Compound_Element object in CWE.
• Two new global abstraction object types were added to the CAPEC catalog to enable more effective and efficient reuse of common content across patterns: Common_Attack_Steps and Common_Attack_Surfaces.
• Common Attack Steps were added to capture the content of attack steps that are shared in their basic form across numerous attack patterns. By abstracting them out, we can simplify the management of that content in one location as well as reduce redundancy and the overall size of the CAPEC content files.
• Common Attack Surfaces were added to abstract out and capture specific common attack surfaces that are likely to be targeted by multiple attack patterns. Like Common Attack Steps, by abstracting them out, we can simplify the management of that content in one location as well as reduce redundancy and the overall size of the CAPEC content files.

• A wide range of improvements and additions were made to the Attack_Patterns portions of the CAPEC schema. These changes include:
• New Pattern_Completeness attribute value (Hook) to capture named attack patterns that do not yet have basic description information to make them stubs. All top-level Attack_Pattern sub-elements are now optional to support pattern Hooks.
• New Status attribute (values = Deprecated, Incomplete, Draft, Usable, or Stable) to communicate the level of maturity that the creation/authoring of a particular pattern or other high-level object is at.
• All major elements in Attack Execution Flows and Target_Attack_Surfaces now have IDs assigned (in a much simpler integer format than the previous alphanumeric ones). These consistent IDs yield the ability to reference various individual execution threads through a given attack pattern or to reference individual items along those threads. This is a key capability for improving the usefulness of CAPEC as a test case enumeration tool and as a capability reference in attack tool comparison and evaluation.
• Attack_Step was broken into a choice between Common_Attack_Step or Custom_Attack_Step to enable the efficiencies yielded by Common_Attack_Steps described above. Common_Attack_Step allows reference to the ID of a globally defined Common_Attack_Step and then provides pattern-specific overrides for the field values in the common attack step definition for specializing it for local flavor.
• Attack_Step now allows specifying Observables (described above) for that Attack_Step
• Attack_Step_Technique now allow referencing of leveraged attack patterns and relevant attack surface elements (can reference various elements of the attack surface defined within the pattern), as well as specifying Observables (described above) for that technique
• Indicator now allows referencing relevant attack surface elements.
• Outcome now allows referencing relevant attack surface elements as well as specifying Observables (described above) for that Outcome.
• Security_Control now allows referencing relevant attack surface elements as well as specifying Observables (described above) for that Security_Control.
• New element Alternate_Terms added to capture other names this attack pattern may be known as.
• Example-Instance now has a References sub-element to enable capturing of references for that Example-Instance.
• Attack_Skill_or_Knowledge_Required is now structured into two sub-elements, Skill_or_Knowledge_Level (Low, Medium or High) and Skill_or_Knowledge_Type (Structured_Text_Type) rather than one simple text string in order to enable more structured content manipulation.
• Related_Attack_Pattern is now of the universal Relationship_Type (shared with Views, Categories and Compound_Elements) that captures CAPEC inter-object relationships in a consistent manner.

• The redundant Context_Description field has been removed and all content integrated into the Technical_Context element.
• The Reference element has been restructured into a much more comprehensive and descriptive structure.

• A new Other_Notes element was added to provide any additional notes or comments that cannot be captured using other elements. New elements might be defined in the future to contain this information.
• A new Maintenance_Notes element was added to contain significant maintenance tasks within this entry that still need to be addressed, such as clarifying the concepts involved or improving relationships. It should be filled out in any entry that is still undergoing significant review by the CAPEC Team.
• The Source element was converted into a much more comprehensive Content_History element to better track the change history of this entry.