Home > News  

News & Events

Right-click and copy a URL to share an article. Send feedback about this page to capec@mitre.org.

CAPEC List Version 2.11 Now Available

August 4, 2017 | Share this article

CAPEC Version 2.11 has been posted on the CAPEC List page. A detailed report is available that lists specific changes between Version 2.10 and Version 2.11.

Major changes for Version 2.11 include adding three new attack patterns: CAPEC-630: TypoSquatting, CAPEC-631: SoundSquatting, and CAPEC-632: Homograph Attack via Homoglyphs. Also, the social engineering part of the tree was enhanced to improve relationships, patterns were updated to bring consistency to fields like Required Resources, and missing information was added throughout. In all, 138 patterns and categories were modified, and 5 patterns were deprecated. There were no schema updates.

There are now 512 total attack patterns listed.

Changes for the new version release include the following:

  • New Attack Patterns Added:
3
  • Existing Attack Patterns Updated:
138
  • Attack Patterns Deprecated:
5
  • Existing Categories Updated:
25
  • CAPEC-to-CWE Mapping Added:
3
  • CAPEC-to-CWE Mapping Removed:
7

See the complete list of changes at https://capec.mitre.org/data/reports/diff_reports/v2.10_v2.11.html.

Comments are welcome on the CAPEC Research Email Discussion List. Future updates will be noted here and on the CAPEC Research list.

CAPEC List Version 2.10 Now Available

May 1, 2017 | Share this article

CAPEC Version 2.10 has been posted on the CAPEC List page. A detailed report is available that lists specific changes between Version 2.9 and Version 2.10.

Major changes for Version 2.10 include adding fourteen new attack patterns: CAPEC-559: Orbital Jamming, CAPEC-582: Route Disabling, CAPEC-583: Disabling Network Hardware, CAPEC-584: BGP Route Disabling, CAPEC-585: DNS Domain Seizure, CAPEC-586: Object Injection, CAPEC-587: Cross Frame Scripting (XFS), CAPEC-588: DOM-Based XSS, CAPEC-589: DNS Blocking, CAPEC-590: IP Address Blocking, CAPEC-591: Reflected XSS, CAPEC-592: Stored XSS, CAPEC-593: Session Hijacking, and CAPEC-599: Terrestrial Jamming. Also, the cross-site scripting and obstruction areas were cleaned-up, and missing information was added throughout. In all, 90 patterns and categories were modified, and 7 patterns were deprecated. Other major changes include the addition of a CSV version of the CAPEC List, and an enhancement for navigating the list on the CAPEC website so that your chosen presentation filter is now saved in a cookie so the filter does not have to be continuously updated while you navigate the CAPEC List. There were no schema updates.

There are now 510 total attack patterns listed.

Changes for the new version release include the following:

  • New Attack Patterns Added:
14
  • Existing Attack Patterns Updated:
88
  • Attack Patterns Deprecated:
7
  • Existing Categories Updated:
3
  • CAPEC-to-CWE Mapping Added:
27
  • CAPEC-to-CWE Mapping Removed:
118

See the complete list of changes at https://capec.mitre.org/data/reports/diff_reports/v2.9_v2.10.html.

Comments are welcome on the CAPEC Research Email Discussion List. Future updates will be noted here and on the CAPEC Research list.

CAPEC Privacy Policy Updated

April 28, 2017 | Share this article

The CAPEC Privacy Policy was updated to notify users that cookies are now being used on the CAPEC website for the sole purpose of saving presentation filter selections so users do not have to continuously update the filter to navigate the CAPEC List.

CAPEC Is Main Topic of Article on IBM’s Security Intelligence Blog

March 27, 2017 | Share this article

CAPEC is the main topic of a March 27, 2017 article by Scott Craig entitled “CAPEC: Making Heads or Tails of Attack Patterns” on IBM’s Security Intelligence blog.

In the article, the author first explains what CAPEC is and the problem it solves, then states: “For the 2017 IBM X-Force Threat Intelligence Index, the X-Force team grouped methods of attack observed in 2016 according to the CAPEC standard. IBM X-Force Threat Research adopted the CAPEC standard for attack categorization because it was developed using methodologies similar to those used in other well-established naming conventions for security terms, such as Common Vulnerabilities and Exposure (CVE). Many IT security professionals are already aware of the CVE dictionary of common names for publicly known cybersecurity vulnerabilities.”

The author then provides an in-depth discussion of CAPEC including a section on the CAPEC hierarchy, explaining in detail what it is and how it benefits analysts: “Using CAPEC instead of other naming conventions should help analysts better recognize which attack patterns they most often see and then prioritize improvements to their security. Just knowing there have been a lot of distributed denial-of-service (DDoS) attacks, for example, doesn’t indicate how to best defend against them because this type of incident can occur as a consequence of different attack patterns.” The author also provides an overview of how CAPEC can help provide clarity in differentiating between consequences, device types, and attack vectors, and provides a real-world example of how this is utilized in the 2017 IBM X-Force Threat Intelligence Index.

The author concludes the article with a call for continued adoption of CAPEC, stating: “I expect to see more and more cybersecurity professionals adopting CAPEC for classifying and communicating about attacks in the near future.”

Read the complete article at https://securityintelligence.com/capec-making-heads-or-tails-of-attack-patterns/.

CAPEC List Version 2.9 Now Available

January 10, 2017 | Share this article

CAPEC Version 2.9 has been posted on the CAPEC List page. A detailed report is available that lists specific changes between Version 2.8 and Version 2.9.

Major changes for Version 2.9 include adding five new attack patterns: CAPEC-594: Traffic Injection, CAPEC-595: Connection Reset, CAPEC-596: TCP RST Injection, CAPEC-597: Absolute Path Traversal, and CAPEC-598: DNS Spoofing. Also, the Mechanisms of Attack view was cleaned-up by removing categories that were not mechanisms (but rather more like goals), removing circular relationships, and verifying consistency in the meta->standard->detailed relationship structure. In all, 78 patterns and categories were modified, and 13 patterns and categories were deprecated. There were no schema updates.

There are now 503 total attack patterns listed.

Changes for the new version release include the following:

  • New Attack Patterns Added:
5
  • Existing Attack Patterns Updated:
67
  • Attack Patterns Deprecated:
6
  • Existing Categories Updated:
15
  • Categories Deprecated:
7
  • CAPEC-to-CWE Mapping Added:
3
  • CAPEC-to-CWE Mapping Removed:
3

See the complete list of changes at https://capec.mitre.org/data/reports/diff_reports/v2.8_v2.9.html.

Comments are welcome on the CAPEC Research Email Discussion List. Future updates will be noted here and on the CAPEC Research list.

CAPEC Refreshes Website with Easier-to-Use Navigation Menus & Streamlined CAPEC List Page

January 09, 2017 | Share this article

We have updated the CAPEC website to streamline site navigation for an improved user experience. The main navigation menu is now located in an easy-to-access menu bar at the top of every page, with Section Contents menus for each section of the website just below the new main menu.

The main CAPEC List page has also been streamlined for ease-of-use into four main sections:

Navigate CAPEC – Offers two hierarchical representations, Mechanisms of Attack and Domains of Attack, to help you navigate the entire list according to your specific point of view.
External Mappings – Offers views used to represent mappings to external groupings such as a Top-N list, as well as to express subsets of entries that are related by some external factor.
Helpful Views – Offers additional helpful views based on a specific criteria and hope to provide insight for a certain domain or use case, such as a Comprehensive CAPEC Dictionary, Mobile Device Patterns, etc.
Release Downloads – Provides an archive of previous release versions of the core content downloads, schemas, schema documentation, and difference reports.

Please send any comments or concerns to capec@mitre.org.

CAPEC is part of the OWASP Cornucopia gamification

June 3, 2016 | Share this article

CAPEC is part of the Open Web Application Security Project (OWASP) Cornucopia gamification card game to assist software development teams identify security requirements in Agile, conventional and formal development processes. It is language, platform and technology agnostic and through the CAPEC mappings to the Cornucopia "attack suits" the Cornucopia card game links the attacks with requirements and verification techniques. With each card mapped to CAPEC software attack pattern IDs, which themselves are mapped to CWEs, the game also covers the CWE weakness IDs targeted. Each card is also mapped to the 36 primary security stories in the SAFECode "Security Stories and Security Tasks for Agile Development Environments", as well as to the OWASP SCP v2, ASVS v2 2014 and AppSensor (application attack detection and response) to help teams create their own security-related stories for use in Agile processes. The first card deck is an "Ecommerce Website Edition" with other decks, like mobile apps in the works.

CAPEC part of ISACA's Cybersecurity Fundamentals Glossary

January 2016 | Share this article

CAPEC is part of Information Systems Audit and Control Association's (ISACA's) Cybersecurity Fundamentals Glossary, provided as part of their Cybersecurity Nexus (CSX) offerings for cybersecurity professionals. CSX provides knowledge, tools, training and credentials for cybersecurity professionals. Additional information on CSX is available at https://cybersecurity.isaca.org.


More information is available — Please select a different filter.
Page Last Updated or Reviewed: August 04, 2017