Home > News > News & Events - 2015 Archive  

News & Events

2015 Archive

Right-click and copy a URL to share an article. Send feedback about this page to capec@mitre.org.

CAPEC List Version 2.8 Now Available

December 7, 2015 | Share this article

CAPEC Version 2.8 has been posted on the CAPEC List page. A detailed report is available that lists specific changes between Version 2.7 and Version 2.8.

Major changes for Version 2.8 include adding the CAPEC-157: Sniffing Attacks, CAPEC-233: Privilege Escalation, and CAPEC-554: Functionality Bypass attack patterns; updating 53 attack patterns with enhanced information; updating two categories with enhanced information; removing four attack patterns; and removing three CAPEC-to-Common Weakness Enumeration (CWE™) mappings. There were no schema updates.

There are now 504 total attack patterns listed.

  • New Attack Patterns Added:
3
  • Existing Attack Patterns Updated:
53
  • Attack Patterns Deprecated:
4
  • Existing Categories Updated:
2
  • CAPEC-to-CWE Mapping Removed:
3

 

See the complete list of changes at https://capec.mitre.org/data/reports/diff_reports/v2.7_v2.8.html.

Comments are welcome on the CAPEC Research Email Discussion List. Future updates will be noted here and on the CAPEC Research list.

CAPEC/CWE/CWSS Mentioned in ITU's "Security in Telecommunications and Information Technology 2015"

December 7, 2015 | Share this article

Common Attack Pattern Enumeration and Classification (CAPEC™), Common Weakness Enumeration (CWE™), and Common Weakness Scoring System (CWSS™) are included in a September 2015 technical report entitled "Security in Telecommunications and Information Technology 2015" on the International Telecommunication Union (ITU) website. The main topic of the report is an "overview of issues and the deployment of existing ITU-T Recommendations for secure telecommunications."

CAPEC, CWE, and CWSS—as well as Common Vulnerabilities and Exposures (CVE) and Malware Attribute Enumeration and Characterization (MAEC™)—are mentioned in "Chapter 11 - Cybersecurity and incident response," as follows: Common Vulnerabilities and Exposures (CVE) is the main topic of section "11.1.2 Exchange of vulnerability information," CWE is the main topic of section "11.1.4 Exchange of weakness information," CWSS is the main topic of section "11.1.5 Weakness scoring," CAPEC is the main topic of section "11.1.5 Exchange of attack pattern information," and Malware Attribute Enumeration and Characterization (MAEC) is the main topic of section "11.1.7 Exchange of malware characteristics information".

The report is available for free at: http://www.itu.int/dms_pub/itu-t/opb/tut/T-TUT-SEC-2015-PDF-E.pdf.

Discussion Panel at "Industrial Internet West Coast Forum" Meeting on December 10

December 7, 2015 | Share this article

CAPEC/CWE Program Manager Robert A. Martin will participate on a discussion panel entitled "Beyond the Hype: Deploying the Industrial IoT in the Real World" at the Industrial Internet West Coast Forum in San Diego, California, USA on December 10, 2015.

"The Industrial Internet Consortium is a global not-for-profit, open membership organization formed to accelerate the development, adoption, and wide-spread use of interconnected machines and devices, intelligent analytics, and people at work. Founded by AT&T, Cisco, General Electric, IBM, and Intel in March 2014, the Industrial Internet Consortium catalyzes and coordinates the priorities and enabling technologies of the Industrial Internet."

Visit the CAPEC Calendar for information on this and other events.

CAPEC/CWE/CWSS Are Discussion Topics in Briefing at "Software and Supply Chain Assurance Working Group" Meeting on December 3

November 24, 2015 | Share this article

CAPEC/CWE Program Manager Robert A. Martin will present a briefing that discusses Common Attack Pattern Enumeration and Classification (CAPEC™), Common Weakness Enumeration (CWE™), Common Weakness Scoring System (CWSS™) and entitled "How Can We Better Use Scoring Systems (CVSS, CWSS, CWE 3.0)" at the Software and Supply Chain Assurance Winter Working Group 2015 meeting hosted at MITRE Corporation in McLean, Virginia, USA on December 3, 2015. The event itself runs December 1-3.

"Co-sponsored by organizations within the Department of Homeland Security (DHS), Department of Defense (DoD), National Institute of Standards and Technology (NIST), and the General Services Administration (GSA), SSCA events meet quarterly with the SSCA Forums meeting on a semi-annual basis in spring and fall and the SSCA Working Groups (meeting in between Forums) in the summer and winter. These events bring together stakeholders responsible for protecting the Nation's key information technologies—most of which are enabled and controlled by software and influenced by the supply chain."

Visit the CAPEC Calendar for information on this and other events.

CAPEC/CWE Are Discussion Topics at 2 Recent Industry Events

November 24, 2015 | Share this article

Common Attack Pattern Enumeration and Classification (CAPEC™) and Common Weakness Enumeration (CWE™) were discussion topics at two cyber security industry events in October:

On October 27, 2015, CAPEC/CWE Program Manager Robert A. Martin presented two briefings that discussed CAPEC and CWE entitled "Prioritizing Security Vulnerabilities and Focused Testing" and "Capturing and Communicating Assurance" at the MISRA & Security Best Practices – PRQA Fall Seminar in Dearborn, Michigan, USA.

On October 19, 2015, CAPEC/CWE Program Manager Robert A. Martin presented a briefing that discussed CAPEC and CWE entitled "Prioritizing Security Vulnerabilities and Gaining Assurance" at the Open Group Enabling Boundaryless Information Flow conference in Edinburgh, UK on October 19, 2015.

Visit the CAPEC Calendar for information on this and other events.

CAPEC List Version 2.7 Now Available

November 10, 2015 | Share this article

CAPEC Version 2.7 has been posted on the CAPEC List page. A detailed report is available that lists specific changes between Version 2.6 and Version 2.7.

The most significant change for Version 2.7 is the addition of a View that covers standard attack patterns that target direct exploitation of mobile devices, "CAPEC-553: Mobile Device Patterns." Nearly half of the 51 new attack patterns added in this release are for the new mobile view, with more under development and coming soon. Finally, the majority of the 76 updated attack patterns and 12 updated categories noted below were to add information for the mobile view. The CAPEC Schema was also updated to Version 2.7.1 for the addition of the mobile view.

There are now 505 total attack patterns listed.

Changes for the new version release include the following:

  • New Attack Patterns Added:
51
  • Existing Attack Patterns Updated:
76
  • Attack Patterns Deprecated:
7
  • Existing Categories Updated:
12
  • Categories Deprecated:
1
  • New "Mobile" View Added:
1
  • Existing Views Updated:
2
  • CAPEC-to-CWE Mapping Added:
12
  • CAPEC-to-CWE Mapping Removed:
8
  • Schema Updates:
Updated to v2.7.1

See the complete list of changes at http://capec.mitre.org/data/reports/diff_reports/v2.6_v2.7.html.

Comments are welcome on the CAPEC Research Email Discussion List. Future updates will be noted here and on the CAPEC Research list.

CAPEC part of Attack Graph presentation at GraphConnect San Francisco

October 2015 | Share this article

MITRE's Steven Noel presented "Building a Big Data Architecture for Attack Graphs" at GraphConnect San Francisco, describing how graph technology can help prevent and simulate cyber attacks. CAPEC and other attack knowledge sources were described and how these and situational information about vulnerabilities, logs, and intrusions can be used to help organizations relate these information streams into understanding and action.

CAPEC/CWE Are Discussion Topics in Briefing at "Open Group Enabling Boundaryless Information Flow" Conference on October 19

October 16, 2015 | Share this article

CAPEC/CWE Program Manager Robert A. Martin will present a briefing that discusses Common Attack Pattern Enumeration and Classification (CAPEC™) and Common Weakness Enumeration (CWE™) entitled "Prioritizing Security Vulnerabilities and Gaining Assurance" at the Open Group Enabling Boundaryless Information Flow conference in Edinburgh, UK on October 19, 2015.

According to the conference website: "In this presentation we will describe how risk calculations that include the business impact of the various failures possible from exploiting different types of vulnerabilities in the common weakness enumeration (CWE) collection can be used to focus remediation and mitigation efforts for critical software in an organization. While security tools play a role in these activities, other architecture, design, and development activities and reviews can also provide valuable insights into the security posture of the organization's software capabilities. Having assurance that the mission will not be circumvented, undermined, or unnecessarily put at risk through attacks on any software that provides critical mission capabilities requires a shift in focus and integration of many types of assessment activities across the acquisition life cycle."

Visit the CAPEC Calendar for information on this and other events.

CAPEC/CWE Are Discussion Topics in Two Briefings at "MISRA Security Best Practices Seminar" on October 27

October 16, 2015 | Share this article

CAPEC/CWE Program Manager Robert A. Martin will present two briefings that discuss Common Attack Pattern Enumeration and Classification (CAPEC™) and Common Weakness Enumeration (CWE™) entitled "Prioritizing Security Vulnerabilities and Focused Testing" and "Capturing and Communicating Assurance" at the MISRA & Security Best Practices – PRQA Fall Seminar in Dearborn, Michigan, USA on October 27, 2015.

According to the conference website: "This session will disclose more about how the absence of a common measure for software weaknesses has limited the software industry's ability to access and remediate exploitable software flaws. Consequently, organizations such as CWE, CAPEC, [CWSS], [CWRAF] have provided consistent and structured mechanisms for prioritizing assurance efforts to deal with the most dangerous weaknesses to the system’s intended functions and capabilities first."

Visit the CAPEC Calendar for information on this and other events.

CAPEC Mentioned in Article about Cyber Threat Intelligence on LinkedIn Pulse

September 2, 2015 | Share this article

CAPEC is mentioned in a February 2, 2015 article entitled "Insights to Modern Cyber Threat Intelligence" on LinkedIn Pulse.

CAPEC is mentioned in a section entitled "What is a TTP?" — that is, tactics, techniques and procedures — as follows: "Defenders who map their vulnerability assessment results to [Common Vulnerabilities and Exposures (CVE)], [Common Weakness Enumeration (CWE)], and [Common Configurations Enumeration (CCE)]will have discovered that many of the CWE entries are already mapped to the Common Attack Pattern Enumeration and Classification (CAPEC) identification number. CAPEC is a dictionary of common attack patterns that have basic mappings back to specific common weaknesses. Leveraging these community efforts has helped many defending organizations mature in their understanding of TTPs at an accelerated rate."

The author continues: "It might help to think of CAPEC as a dictionary of Tactical Actions being taken by the Threat Actor. Phishing, Social Engineering, Dumpster Diving, SQL Injection, Website Defacement, etc. In my LinkedIn article, [Cyber Terrain: A model for increased understanding of cyber activity], I aligned common CAPEC attack patterns at different levels of cyber terrain to help provide greater understanding on leveraging CAPEC as TTPs."

Read the entire article at https://www.linkedin.com/pulse/insights-modern-cyber-threat-intelligence-shawn-riley.

MITRE Hosts "Software and Supply Chain Assurance Fall Forum 2015"

September 2, 2015 | Share this article

MITRE hosted the "Software and Supply Chain Assurance Fall Forum 2015" on August 31 – September 2, 2015 at MITRE Corporation in McLean, Virginia, USA. The event focused on mitigating hardware and software risks in the supply chain.

In addition, Common Attack Pattern Enumeration and Classification (CAPEC™) and Common Weakness Enumeration (CWE™) were the main topics of two briefings during the event: "CWE/CAPEC - Integrated Analysis/Reporting of Multiple Tools," and "CWE/CAPEC - Clarity & Conciseness in Due Diligence Relevant Communications."

Visit the CAPEC Calendar for information on this and other events.


More information is available — Please select a different filter.
Page Last Updated or Reviewed: August 01, 2017