Common Attack Pattern Enumeration and Classification
A Community Resource for Identifying and Understanding Attacks
This page describes how organizations are using CAPEC in their products and processes. Please email firstname.lastname@example.org to have your product information included on this page.
NOTE: This page is for informational purposes only. Inclusion on this page does not constitute an endorsement of these organizations or products by DHS, HSSEDI, or MITRE.
CAIRIS – an open-source design platform for putting attack patterns in context
CAIRIS (Computer Aided Integration of Requirements and Information Security) is a free, open source platform for building security and usability into your software. Maintained by researchers at Bournemouth University, CAIRIS is designed to facilitate collaboration between usability, security, and software engineers. As design data is added, CAIRIS can automatically generate different visual models of an emerging design that make sense of the security and usability implications of an emerging system.
CAIRIS supports the import of threat and vulnerability directories and comes with pre-packaged directories based on CAPEC and CWE. Because CAIRIS supports the chaining of risks to new threats and vulnerabilities afforded by these risks, it is possible to model kill-chains that contextualize knowledge from knowledge bases like CAPEC and ATT&CK.
For more information see https://cairis.org.
CybOnt uses CAPEC to inform its T-Box ontology
Cyber Ontology (CybOnt) performs ontology-based fusion for cyber threat behavior estimation to contribute to an operator's cyber Situational Awareness (SA) and Situational Understanding (SU). CybOnt uses CAPEC’s Attack Patterns and Steps to build a before-after and temporal-whole-part ontology that, when linked to Sensor Events and Observations and Features, is the basis for formulation of hypotheses and associated likelihood ratios. Computed inference links are visualized in a graph database tool. CAPEC’s Confidentiality, Integrity, and Availability (CIA) as well as Severity and Attack Phase (Explore, Experiment, and Exploit) are shown as alerts for high likelihood ratio hypotheses. Other CAPEC amplifying data for the selected Attack Pattern node can be shown in the side window.
For more information see http://www.silverbulletinc.com/demos2.htm.
IBM Security – Associating CAPEC attack patterns with real cyber-security incidents
For the 2018 IBM X-Force Threat Intelligence Index, the X-Force team grouped methods of attack observed in 2017 according to the CAPEC standard.
Using CAPEC helps analysts better recognize which attack patterns they most often see and then prioritize improvements to their security. Just knowing there have been a lot of distributed denial-of-service (DDoS) attacks, for example, doesn’t indicate how to best defend against them because this type of incident can occur as a consequence of different attack patterns. CAPEC associates consequences of an attack with many different known patterns of adversary behavior, providing more complete information to enhance defense coverage.
For more information see CAPEC: Making Heads or Tails of Attack Patterns.
IriusRisk uses CAPEC to generate a dynamic threat model
IriusRisk is a threat modeling and risk management platform which leverages the CAPEC attack pattern classification system. As the architecture and components are selected, the rules engine calculates which threats from the CAPEC library are applicable and generates a dynamic threat model from them.
The sheer comprehensiveness of the CAPEC library within IriusRisk also allows users to search for the most pertinent, relevant and current threats and take the remediation action suggested by the platform, with full flow diagramming and integration with other DevSecOps tools.
For more information see http://iriusrisk.com/.
Goal-based product security testing using CAPEC
Praetorian offers a product security testing methodology centered around the CAPEC framework.
"We use the consequences property associated with each attack pattern to identify and test the patterns that are most important to our clients. We have associated "features" to each attack pattern that highlight functionality or characteristics of a product that may indicate an increased likelihood for a particular attack pattern. These "features" are our proprietary value-added extension to the CAPEC data model. We can then tailor our security testing to prioritize the highest likelihood attack patterns and the attack patterns that contribute to a high-risk goal, while still getting coverage across the entire product. The CAPEC framework gives us a way to show our clients the most likely attack patterns based on their threat model and the features of their application, which we see as a significant improvement over most checklist-based methodologies for product security testing."
For more information see https://www.praetorian.com/product-security.
Synopsys Seeker identifies vulnerability trends against CAPEC and other compliance standards
Synopsys Seeker interactive application security testing (IAST) provides unparalleled visibility into web app security posture and identifies vulnerability trends against compliance standards (e.g., OWASP Top 10, PCI DSS, GDPR, CAPEC, and CWE Top 25). It enables security teams to identify and track sensitive data to ensure that it is handled securely and not stored in log files or databases with weak or no encryption. Detected vulnerabilities are automatically verified and validated in real time by its unique, patented engine. This helps eliminate security noise and enables both development and security teams to focus on the critical vulnerabilities that matter most.
With Seeker’s support of CAPEC, it provides teams with a view into the attack pattern and mechanism behind a specific type of attack. This allows more accurate and consistent reporting and prioritization of security work.
ThreatModeler leverages CAPEC within its Centralized Threat Library (CTL)
ThreatModeler utilizes CAPEC’s detailed knowledge base of threats and attack patterns in its Centralized Threat Library (CTL). Our platform gathers data from each threat available in the library and applies various security requirements so organizations can focus on the proper mitigation strategy. This organized, indexed, centralized repository of information keeps key stakeholders informed and updated on emerging threats and the status of security efforts throughout the organization.
For more information see https://www.threatmodeler.com.
Including CAPEC into a vulnerability intelligence database & feeds
vFeed, Inc.'s engine transforms big data into a correlated vulnerability and threat intelligence database and multi-format feeds. We are using CAPEC to enumerate the mitigations and workarounds in order to help our customers prioritize their patching process according to the attack patterns and methods. CAPEC also helps us align indirectly with the ATT&CK initiative and other categorizations to provide our customers full open-standards coverage.
For more information see https://vfeed.io/.