Common Attack Pattern Enumeration and Classification
A Community Resource for Identifying and Understanding Attacks
Summary of Use Cases
There are twenty-six known use cases applicable to software organizations, supply chain markets, project teams, and security teams. These can be grouped into eight categories. The table below provides a summary, while the following list contains a more detailed description of each use case.
This page illustrates how most of these use cases are actively employed by the community. The variety of these use cases suggests CAPEC’s potential value across the entire Software Development Lifecycle (SDLC).
CAPEC Use Cases
Description of CAPEC Use Cases
The following sections describe the twenty-six use cases to illustrate the landscape of possibilities for leveraging CAPEC’s attack patterns.
[UC-1] Security Test Case Identification and Construction
Summary: CAPEC assists testers in constructing systematic, real-world attack scenarios to evaluate the risks to a system and its resiliency against coordinated attacks.
Context: CAPEC can help application testers understand how attackers are likely to misuse and abuse an application, so they can determine its resiliency to different types of attacks. CAPEC entries therefore serve as design patterns for writing test cases, and can be used by QA professionals as well as penetration testers.
[UC-2] Red Teaming Template Creation
Summary: Attack Patterns, with their intrinsic CAPEC mapping to specific threat capabilities and motivations, provide an excellent resource for defining penetration testing templates for red teams seeking to emulate specific threats.
[UC-3] Incident Response and Threat Analysis
Summary: The process of analyzing current threats and responding to ongoing incidents requires a wealth of information to understand how best to mitigate the issues and stop the adversary. Two pieces of information that can be useful are the underlying types of code weaknesses that are being exploited and the pattern of attack that is being leveraged. By knowing the weaknesses, responders can search for similar potential issues in other applications that the adversary may also be targeting. Knowledge of the attack patterns enables responders to better align mitigation strategies to better stop the specific type of threat.
Context: For example, US-CERT would like to include a CWE and CAPEC identifier within every incident report to enable each incident to be linked back to a richer information source.
[UC-4] Compliance Analysis
Summary: CAPEC offers a useful resource to support measuring compliance with industry standards and guidelines.
Context: CAPEC could be mapped to existing security regulations in the same way that companies have mapped CWE to standards and regulations. CAPEC may provide a more streamlined path to achieving regulatory compliance, as well as to compliance testing.
[UC-5] Malware Behavior Analysis
Summary: CAPEC can be useful in describing the behavior of malicious code: by mapping the specific attacks the code carries out to CAPEC entries, an analyst obtains a behavioral profile of the malware.
Context: CAPEC is thought to provide a means for analyzing malware by providing an attack-level conceptual framework that could be used to describe the behavioral characteristics of the malware.
[UC-6] Threat Characterization and Attribution
Summary: Attack Patterns, through their CAPEC mapping to specific threat capabilities, motivations and behaviors, can provide assistance in characterizing and eventually supporting attribution of threats from observed attack instances.
[UC-7] Software Security Trend Analysis
Summary: Trend analysis is performed to determine which software weaknesses and attacks occur most often. Performing trend analysis relies on having common terms for the weaknesses and attack patterns to be tracked. CWE and CAPEC provide these terms.
Context: For example, multiple major software vendors (e.g., Red Hat) annotate their own bug reports with CWE identifiers, so they can identify their own frequently-occurring mistakes and adjust their development or testing processes accordingly. NIST’s NVD classifies each CVE entry based on its related CWE identifier, which enables ecosystem-wide trend analysis.
[UC-8] Attack Risk Mitigation/Remediation Guidance
Summary: CAPEC attack patterns, through their defined Solutions and Mitigations, provide an excellent resource to support identification of relevant mitigations and remediations for weaknesses uncovered through successful relevant attacks.
[UC-9] Correlating Findings between Attack Simulation and Real-World Operational Monitoring
Summary: CAPEC offers a unique bridge for correlating the findings from White-Box and Black-Box Web Application scanning solutions which simulate attacks and the findings of operational monitoring tools such as web application firewalls which capture real-world actual attack instances for purpose of correlating results across different defensive technologies.
Context: Allowing web application scanner (WAS) technologies to map their findings to web application firewall (WAF) technologies. Because of the benefits of interoperability between WAS and WAF technologies, some vendors are partnering with complementary technologies. CAPEC can facilitate this interoperability via attack-to-weakness mappings that enhance cross-product reporting. Web application scanners can show which CWE weaknesses their technology detects and helps remediate, and WAF technologies can show which CAPEC entries were detected and which weaknesses those attacks typically exploit. This linkage assists in correlating the results from the two technologies in operation.
[UC-10] Correlating Findings between Static Analysis and Penetration Testing
Summary: CAPEC attack patterns, through their mapping to targeted and relevant weaknesses, provide a useful mechanism to assist in correlating the findings of static analysis which typically report observed weaknesses and penetration testing which typically reports successful vectors of attack.
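The correlation described in UC-9 and UC-10 is, mechanically, a join through the CAPEC-to-CWE "Related Weaknesses" mapping. The following example is added here and is not CAPEC's or any vendor's code: it joins constructed scanner findings (keyed by CWE) with constructed WAF detections (keyed by CAPEC) per endpoint, using a hand-coded subset of the mapping; a real engine would load the full mapping from the CAPEC download files (assumption) and the same function serves static-analysis versus penetration-test correlation.

```python
"""Correlate weakness-centric findings (CWE) with attack-centric detections (CAPEC)
through a CAPEC -> CWE mapping, as described for WAS/WAF (UC-9) and SAST/pentest (UC-10)."""
from collections import defaultdict

# Constructed subset of the CAPEC "Related Weaknesses" mapping (assumption: verify these
# three entries against the current CAPEC catalog before relying on them in production).
CAPEC_TO_CWE = {
    "CAPEC-66": {"CWE-89"},   # SQL Injection
    "CAPEC-63": {"CWE-79"},   # Cross-Site Scripting
    "CAPEC-126": {"CWE-22"},  # Path Traversal
}

# Constructed sample data: scanner report rows (endpoint, CWE) and WAF log rows (endpoint, CAPEC).
SCANNER_FINDINGS = [("/search", "CWE-89"), ("/profile", "CWE-79"), ("/download", "CWE-22")]
WAF_EVENTS = [("/search", "CAPEC-66"), ("/search", "CAPEC-63"), ("/login", "CAPEC-66")]


def correlate(scanner_findings, waf_events, mapping=CAPEC_TO_CWE):
    """Join per-endpoint weakness findings with attack detections via the CAPEC -> CWE mapping.

    Returns three lists:
      confirmed     (endpoint, capec, cwe): attack observed against a weakness the scanner reported
      attacked_only (endpoint, capec):      attack observed, no matching weakness known (WAF-only signal)
      weak_only     (endpoint, cwe):        weakness reported, no matching attack pattern seen yet
    """
    found = defaultdict(set)      # endpoint -> {CWE}
    for endpoint, cwe in scanner_findings:
        found[endpoint].add(cwe)
    attacked = defaultdict(set)   # endpoint -> {CAPEC}
    for endpoint, capec in waf_events:
        attacked[endpoint].add(capec)

    confirmed, attacked_only, weak_only = [], [], []
    matched = defaultdict(set)    # endpoint -> CWEs already explained by an observed attack
    for endpoint, capecs in attacked.items():
        for capec in sorted(capecs):
            # Unknown CAPEC IDs map to the empty set and fall through to attacked_only.
            hits = mapping.get(capec, set()) & found.get(endpoint, set())
            if hits:
                for cwe in sorted(hits):
                    confirmed.append((endpoint, capec, cwe))
                    matched[endpoint].add(cwe)
            else:
                attacked_only.append((endpoint, capec))
    for endpoint, cwes in found.items():
        for cwe in sorted(cwes - matched[endpoint]):
            weak_only.append((endpoint, cwe))
    return confirmed, attacked_only, weak_only


if __name__ == "__main__":
    for label, rows in zip(("confirmed", "attacked_only", "weak_only"),
                           correlate(SCANNER_FINDINGS, WAF_EVENTS)):
        print(label, rows)
```

The "confirmed" bucket is where a WAF alert lines up with a scanner-reported weakness on the same endpoint, which is the cross-product evidence UC-9 aims for; the other two buckets show each tool's findings that the other has not yet corroborated.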
[UC-11] Event Auditing
Summary: CAPEC provides audit-trail linkage between firewall, IDS, web logging, and host IPS technologies by supplying a common attack dictionary against which events can be mapped and correlated.
Context: Tie attack patterns to the observable behaviors that firewalls, network IDS/IPS, and host IDS see. Annotating each CAPEC pattern, and its exploratory, experimentation, and exploitation phases, with how those steps would appear in the various sensors gives security information management (SIM) capabilities a set of templates against which to compare what they "see", so that attacks can be identified more quickly and with more confidence.
[UC-12] Threat Modeling
Summary: CAPEC attack patterns, through their mapping to both threat characteristics and targeted weakness contexts, provide an excellent resource for mapping relevant threats and their likely actions against the specific attack surface of the software as part of a threat modeling activity. This helps to place threat information in an objective and actionable context.
[UC-13] Security Control Selection
Summary: CAPEC attack patterns, through their defined Solutions and Mitigations, provide an excellent resource to support security control selection during the proactive security engineering activities of the requirements and architecture phases of the lifecycle.
Context: CAPEC allows an analyst/designer/architect to think about how their system or application will be attacked and thus possibly how they could change the design/architecture to limit or eliminate some of the weaknesses the attack patterns would leverage to carry out their attack. This use also applies to early phase SDLC planning where security controls are being designed into product requirements.
[UC-14] Analyze and Capture Security Requirements (Abuse Cases)
Summary: Attack Patterns, with their CAPEC descriptions and characterizing context elements, offer excellent abuse case templates for conducting security requirements analysis.
[UC-15] Evaluating Static and Dynamic Analysis Tools
Summary: Static and dynamic analysis tools are often selected based on their coverage of software weaknesses and attack patterns. CWE and CAPEC provide a basis for understanding tool coverage and how tools compare to each other because they provide a comprehensive list of standardized software weaknesses and attack patterns that tools might identify, as well as providing standard IDs so that different tools can be compared more effectively and efficiently. CWE lists the weaknesses that a static analysis tool might cover, while CAPEC provides the list of attack patterns that a dynamic analysis tool might test for.
Context: For example, CWE is currently used in the National Institute of Standards and Technology’s (NIST) Software Assurance Metrics And Tool Evaluation (SAMATE) project for understanding tool capabilities. Each individual “test case” is labeled with its associated CWE identifier.
[UC-16] Tool/Service Characterization and Selection
Summary: CAPEC offers an objective referential resource to allow security analysis tool/service vendors to characterize their coverage and capabilities in order to support effective selection by the user.
Context: CAPEC compatibility mappings for black-box, white-box, fuzzing, and other assessment tools/services would indicate which CAPEC patterns are present in a tool's testing libraries, and which types of CAPEC attack patterns could originate from the vulnerabilities it discovers.
[UC-17] Determination of Assessment Techniques
Summary: Different software assessment techniques (e.g., fuzz-testing, attack surface analysis, code reviews, pen testing teams, design review) are effective at detecting different issues. By enabling a shared understanding of the types of issues that each technique is able to identify, CWE and CAPEC support the selection of various assessment techniques that best serve assessment goals.
Context: For example, in 2014, the Institute for Defense Analyses used CWE identifiers in a detailed report to National Security Agency’s (NSA) Center for Assured Software (CAS) that linked a large number of software vulnerability mitigation techniques with the CWE identifiers associated with those techniques. These findings can be used by software development project managers to identify and prioritize mitigation efforts to ensure that they mitigate the broadest range of weaknesses and attacks possible.
[UC-18] Manual and Automated Software Assessments
Summary: CWE and CAPEC provide a standardized way to identify and remediate software weaknesses prior to the deployment of software, thereby preventing the materialization of exploitable vulnerabilities in operational environments. Once assessment techniques are selected, CWE and CAPEC provide the foundation for constructing test cases, assessing software against the test cases, discovering weaknesses, and identifying remediation steps.
Context: For example, a team assessing a new software product uses CWE and CAPEC to know what specific issues to look for, and how to correlate that knowledge with the results of any tools being used to assist the assessment.
[UC-19] Enhanced Reporting
Summary: CAPEC offers an objective referential resource to allow operational security tool vendors to map which attacks their various security mechanisms prevent and improve the quality of descriptive information provided to the user.
Context: CAPEC could be used by security technologies as a repository of information that can be used to enhance report data and analysis.
Many security tool vendors feel that it is desirable to have a link from a CVE to a CAPEC, a bridge if you will. This eases creation of summary diagrams about attack types, distributions, and other supporting material that add immense value to their existing reporting schemes.
[UC-20] Advisories & Alerts
Summary: CAPEC attack patterns offer a wealth of attack-centric contextual information that can add depth and enhanced detail to corporate advisories and security alerts.
[UC-21] Communication of Results/Research to Support Action
Summary: The results of software assessments must be communicated to development teams and risk managers so that appropriate changes can be made to the code base and residual risk can be effectively managed. CWE and CAPEC facilitate this communication by providing standardized lists of software weaknesses and the methods to exploit those weaknesses such that two or more people know they are talking about the same thing and also have an ID number to reference. Without standardization, individuals are forced to engage in non-standard descriptive terms that generate rework and misunderstanding.
Context: For example, NIST and other members of the Forum of Incident Response and Security Teams (FIRST) Vulnerability Reporting and Data eXchange (VRDX) Special Interest Group (SIG) are investigating ways to share vulnerability information across different global regions and teams who speak different languages. Standard identification schemes such as CWE and CAPEC provide a language-independent way to reference such issues.
[UC-22] Security Awareness Training
Summary: CAPEC offers an excellent resource for communicating the attacker’s perspective and attack concepts for use within security training across a wide range of topics and a wide range of potential audiences, both internal and external.
[UC-23] Training Software Developers, Testers, Buyers, and Managers
Summary: Software is a key functional element of almost every aspect of IT systems, businesses, and the economy. Software developers at any level of experience require resources that provide a basis for understanding exploitable weaknesses and the methods to exploit them. CWE and CAPEC provide a standardized knowledge base for this understanding, enabling the development of courses, certification criteria, and validating the scope and range of knowledge present in the software security workforce.
Context: For example, organizations getting started in software assurance will use the CWE/SANS Top 25 list, the related CWE entries, and their links to associated CAPECs to establish a curriculum and educate new staff about the weaknesses they are trying to avoid in their developed code.
[UC-24] Prioritize Weakness Analysis by Attack Relevance
Summary: Attack Patterns, through their mapping to targeted and relevant weaknesses, provide a useful mechanism to assist in prioritizing weakness analysis activities based on which types of attacks have been determined to be most relevant for the security context of the software under analysis.
[UC-25] Plan and Prioritize Secure Code Review
Summary: Attack Patterns, when prioritized against the context of a given software application, can provide assistance, through their CAPEC mapping to targeted and relevant weaknesses, in planning and prioritizing secure code review efforts against that application.
[UC-26] Prioritize Penetration Testing by Weakness Relevance
Summary: Attack Patterns, through their mapping to targeted and relevant weaknesses, provide a useful mechanism to assist in prioritizing penetration testing activities based on which weaknesses have been determined to be most relevant for the desired security properties of the software under analysis.