Common Attack Pattern Enumeration and Classification
A Community Resource for Identifying and Understanding Attacks
New to CAPEC?
Common Attack Pattern Enumerations and Classifications (CAPEC™) can be overwhelming to someone new to cyber-attack patterns. This document offers some tips on how to familiarize yourself with what CAPEC has to offer, before more fully exploring this extensive knowledge base.
While learning about CAPEC, some terms may be new or misunderstood if you are unfamiliar with the corpus. As you are reading, consider referencing the glossary of terms used in CAPEC.
What is a CAPEC attack pattern?
First, we should describe what an attack pattern is. A good summary can be found here. CAPEC entries are related to Common Weakness Enumeration (CWE™) and Common Vulnerabilities and Exposures (CVE®). The differences between Adversarial Tactics, Techniques & Common Knowledge (ATT&CK™), another related corpus, and CAPEC are discussed here.
Attack patterns are based on software design patterns (see Design Patterns: Elements of Reusable Object-Oriented Software> by Gamma, Helm, Johnson, Vlissides), which are common paradigms for solving common software design issues. In this context, attack patterns are design patterns for attackers.
As seen in the above figure, a CAPEC attack pattern is typically a method of leveraging a CWE to execute an attack. For this reason, most CAPEC entries contain an “execution flow” — step-by-step instructions for an adversary to explore for potential targets, experiment with their assets and defensive mechanisms, if any, and then to carry out the exploit. An example of an execution flow is below.
Example Attack Pattern
Let’s look at a CAPEC entry for the well-known attack pattern — “Using Unpublished Interfaces” — and see how the various properties are useful for understanding attack patterns in general.
First, look here to see the entry in full. In the upper left corner, under the Attack Pattern ID, select the “Complete” option from the Presentation Filter menu. Now, let’s look at the entry in detail.
Each CAPEC is associated with a numerical ID. The actual number does not encode any special information, except to indicate when it was added to the corpus. All entries also have a title and a description. A description is a summary of what the attack pattern is about.
The weakness(es) that the attack pattern is exploiting are listed in the “Related Weaknesses” section.
Notice that the mapping between CAPEC entries and CWE weaknesses is not necessarily a one-to-one relationship. The attack pattern could need to exploit all the listed weaknesses, a subset, or just one. Often there are various weaknesses, each of which alone could be used to enable the exploit.
Next, the “Execution Flow” gives full instructions on how to perform the attack.
Execution flows generally have three phases:
Notice that the execution flow is not just how to perform the attack, but how to determine if the target is vulnerable.
The consequences of a successful attack using this pattern are listed in the “Consequences” section.
An important thing to note is that CAPEC entries are not based on the consequences of an attack, but on how to exploit a weakness to cause the consequence. For instance, there is no CAPEC entry for Denial of Service (DoS). There are many attack patterns that can be used to cause a DoS, but it is a consequence of the attack, not a pattern to use to cause the consequence.
Real world examples (actual or theoretical) are often helpful to understand how an attack pattern can be used. Here is an example of “Example Instances” from this CAPEC.
CAPEC entries are presented using views, which are pre-defined arrangements of all the CAPEC entries.
Two such views are important:
The “Mechanisms of Attack” view, which can be used to focus on CAPEC entries that can be used to attack different realms of cyber security.
The “Domains of Attack” view, which groups together similar attack methods.
Note that both views as pictured are only the highest level of a hierarchy of CAPEC entries. On the website, clicking on the “+” will open up the next level in that subtree.
There are 4 levels of abstraction in the hierarchies.
Definitions of these levels can be found in the glossary of terms.
The hierarchy is four levels deep. Standard level entries are children of Meta level entries, etc. The principle behind the hierarchy in CAPEC is less formal and more just a way to organize similar attack patterns. The general idea is for a child to be a refinement of a parent, but this is not always possible. Since all CAPECs must appear within the hierarchy, it is often the case that we have to do a “best fit” when determining where it belongs.
Additionally, the children of a parent CAPEC should not be thought of as being the only possible attack patterns related to the parent. New techniques for cyber-attacks are constantly being developed by attackers, so CAPEC will always be evolving.
Navigating the CAPEC Website
Now that you have an appreciation of the key fields contained within a CAPEC entry, we will cover how to peruse the site to find the CAPECs you are interested in exploring. There are two main ways to find in what you are interested.
Keyword Search Method
CAPEC has a search feature available on the homepage of the CAPEC website, as shown below.
You can search for any keywords, or known IDs, or even a general term. The in-site search form will find all matching pages to that term on the CAPEC website.
Let’s say you are interested in learning more about SQL Injection. Here is the process you could follow to get to that information using the search feature.
Searching for “sql injection” returns the following:
Searches are not always this successful. Let's say you were interested in different kind of attack patterns related to REST APIs.
Searching for “REST” returns the following:
Notice that some of the results were not related to REST APIs. Adding other keywords to the query (e.g., API) could streamline the results.
The search query facility will sometimes return more than one page of results. It is often worthwhile to view at least the second page. For instance, the above query also returned the following on the second page, which might also be of interest.
Above we mentioned that the different organization of CAPEC entries is provided using views. The area of your interest can be focused on by traversing one of these views.
Let’s say you are interested in Social Engineering attack patterns. Use the “Domains of Attack” view to list the CAPECs related to this domain.
Often as part of a social engineering attack, the URL used in the attack looks similar to the actual URL that one might feel comfortable clicking on. The Meta-level CAPEC “Resource Location Spoofing” contains the sub-hierarchy of attack patterns related to this type of attack.
Another way to use the view is to see related attack patterns to the one you have been exploring. This is done by navigating the tree one level at a time. For instance, CAPEC-66 (SQL Injection) is related via its parent to many different types of injection attacks in which you may be interested.
Clicking on “Command Injection” will show you the Meta-level attack pattern, which has relationships to other injection attack patterns.
Still Have Questions?
Please don’t hesitate to contact us with any additional questions or comments.
More information is available — Please select a different filter.