Common Attack Pattern Enumeration and Classification
A Community Resource for Identifying and Understanding Attacks
CAPEC User Summit Transcript - “Community Discussion: Future Vision for the CAPEC Program”
Alec J. Summers, CAPEC/CWE Program
Session 6 - Community Discussion: Future Vision for the CAPEC Program
(0:00) Speaker: Rich Piazza (Summit Host)
OK, this is our last session and it's basically a community discussion, as we advertised. We want opinions on what a future version of the CAPEC program should be. We've discussed a lot of different things in these past five sessions about what's in CAPEC, what we're looking to improve upon, and what we're looking to expand, and Alec is going to talk about that, and hopefully we'll have a good discussion after he presents his slides. Alec, take it away.
(0:40) Speaker: Alec J. Summers (Session Moderator)
As we start, I do want to say that it's been a long day of wonderful things that we have heard so far, and I do hope that we can get some more feedback as we go through these things, 'cause at the end of the day this is sort of a wrap-up. That's my intent with this: talking a little bit about where the program was, some of our intent around what we're doing now, and perhaps reflecting on some of the things that we heard as well.
As we wrap for the day, just to capture your final thoughts and feedback if you haven't been able to share, I do encourage everybody to reach out. We have a lot of people online that haven't spoken yet, so if you're able to put something in the chat or just raise your hand or otherwise, I look forward to it. It's really serendipitous to have Bob lead into my session, because I wanted to start by talking about the origin of CAPEC, which is actually very similar to the CWE timeline. They were offshoots of the CVE program, which predated both of them by a certain number of years, but in looking back at its purpose – and funny enough, I should say I have a little note in my calendar that we're coming up on the 15th anniversary of CAPEC to the month… I think coming up next week or so… – but in terms of the idea behind it, just as with CVE and CWE, the idea was formalizing attack patterns in a way that provides a common language to contribute to the development and maintenance of cyber-enabled capabilities. With CWE, we have a common understanding of how we can define weaknesses – or the mistakes that are made, at the time at least, by a software developer or architect – and now we are enumerating weaknesses that are made in the hardware design stage. Similarly, we can have an established common language for the attack patterns that can help the industry as a whole. We're all trying to make sure we're all speaking the same language as we try and address the challenging problems that we face.
If you look back at the history of the program that's still up on the website with regards to where it started, I put a list here that came directly from that, which talks about the use cases. As I mentioned before, and there's been something in the chat about the user experience working group, we're really looking at the different use cases where CAPEC is being used by the community. We have heard from many in that working group that aligned to some of these things that we had at the origin of the program. But just looking at the list, from training and defining requirements, design, threat modeling, verification, etc., is really where we started.
I think we can go to the next slide 2.
(3:53) Speaker: Alec J. Summers
And from there, what we're seeing is that since 2007 we went from CAPEC version one to the upcoming version 3.7, which carried over a number of changes, not only growing the corpus of information related to various attacks but expanding the schema so we had some new elements – as Steve Christey Coley described earlier today regarding the different elements and values within CAPEC entries – and we talked about the prioritization of how important those are for different user personas and their user scenarios.
In addition, we also expanded into new domains of attack patterns. The rise of mobile came pretty soon after the launch of CAPEC, and that was something we covered, and things like physical security, supply chain, and social engineering were new topics for CAPEC that we started to enumerate in a common language of attack patterns.
And since then, we've also seen broadening support across other information corpora. We've made great strides on the CWE mapping front as well as with other information corpora that you may be familiar with, like ATT&CK, and we continue to update them fairly frequently. There's new information all the time, and the team is working to do that to provide value for our various users, such that they can connect to the other information they need in an actionable manner.
(5:31) Speaker: Alec J. Summers
Today we heard a tremendous number of great stories and use cases, and also tremendous benefit from hearing from some great thought leaders behind a number of domains. In the area of education, I thought it was fascinating to hear from our esteemed colleagues over in academia talking about how CAPEC can be used to teach secure software development. We heard about the challenges in the penetration testing community and how information within CAPEC can be leveraged to keep track not only of different ways of doing penetration testing, but also of capturing data and performing those processes in a formalized way depending on the context of what you're looking at. We also heard from some thought leaders behind hardware security about how CAPEC provides value there and how there's more to come, and then, most recently, we heard from Bob about supply chain.
In this talk, as I wrap up, our reflection is just that, while there has been a tremendous amount of growth over time, looking back at where we started, some of the things that have been going on over the last few years, and also what we're hearing going on right now today, there is so much to do in terms of ensuring that what we are doing as a program is of value to the community. We heard many conversations about how certain things are valuable in terms of these different domains.
Specifically, as to the state that they are in now, we've also heard how we can better delineate between software, firmware, and hardware, and things like these that are capabilities: not only changing the content that we have or adding some sort of value there into how it's presented, but we also heard comments about different areas, looking at the values that are presented in the polling that we did, that say this area is really important to us.
That helps us think about how we want to make sure that we focus some of our team's efforts and focus our community engagements. I've been trying to answer as many as I can in the chat as they come, but there have also been many emails coming in throughout the day. We are always looking for more voices from the community to engage with us and help us modernize these programs such that they can bring value to the community. I encourage all of you on this call, if you haven't had a chance and you have interest, to please reach out in that way. I did want to just recap that.
We can go to the next slide.
(8:27) Speaker: Alec J. Summers
And as we reflect, I did want to just open this up if there's a little bit of energy left. I know it's been a long day, but we have many people on the call, and we have the chat if you're unwilling or unable to speak, to provide some comments.
I have a series of questions here that I just wanted to pose and really open up the conversation for all. I do realize it's been a long day for this, but as we look forward and reflect on what we've heard about where the program was, we heard a lot about what people are doing now in various domains. In your opinion, and there are probably a lot of opinions here, but I'll just say this question is very open-ended: What should the CAPEC program prioritize as it aims to modernize the program for its community user base?
This is something that I think there is no wrong answer for, because everybody here has an interest and has something in the game to provide value, because the community members that use CAPEC are those whom we are serving, and so on that front I will open it up to the community. I know there are chats, so hopefully someone on my team can jump in and point things out to me; I've got a lot of screens open. Shall we start with Joe?
(09:55) Speaker: Joe Jarzombek - Synopsys (Guest)
I was just saying it was a great session today, and we noticed that some of the priorities were talking about mitigations, and you also talked about the mapping between CAPEC and CWE. Certainly CWE represents the attack vectors. That's how the attacks take place, and so one of the first things we talked about was mitigating attacks. It's like, how about hardening the attack surface? So one of the priorities, when we talk about mitigations, should be "Fix that CWE." Mitigate it. That should be part of the going-in answer for every one of the CAPEC mitigations. Just keeping that in mind.
(11:07) Speaker: Rich Piazza
There is a comment in the chat by Murthi to provide more training material, especially bridging across hardware, firmware, and software, with security as a focused topic.
(11:20) Speaker: Alec J. Summers
That's fantastic, so yeah, thank you for that comment. I mean, it is something that I think we've heard before too, and this is a great point on which to reflect as we look forward.
We have done a little bit of guidance material, and sort of looking at it, if I correlate the similar terms guidance, training, and education, I think we have a lot of users, especially today… Susanna and Akond, who were able to join us… I think there's really an opportunity for our community to help us do this better. We've done a little bit. Just one anecdote: we have done some training material or guidance material over the last year. We released, back in February of last year I think, guidance material around mapping vulnerabilities, CVEs, to CWEs, and how to help people identify the root cause weaknesses associated with a CVE more directly. That effort I thought was really valuable, and we were already seeing evidence of it being really valuable, and the great thing about it was that it was done in collaboration with many organizations across the industry… and so I think that's an opportunity for us here too. It starts to make me connect things in my mind with regards to some of the conversations we have in the existing groups that I mentioned, that you've maybe heard about throughout the day: the hardware CWE special interest group is especially interested in some way of signifying, between weaknesses within CWE and CAPEC, which are firmware, hardware, or software, and how we can delineate them… and of course in the user experience working group that's a concern as well. So I love the comment. I think that's something we could certainly take with us from today, and we'll certainly reach out to whoever submitted it, and also to everybody else on the call, to help us with that. Especially, I might point to our experts in the academic field, who perhaps have something to offer there too, so thank you. Rich, anything else?
(13:22) Speaker: Rich Piazza
Yeah, Alec, I was just gonna mention that one of the things that we've been looking into, which is where we had the context with academia, is trying to develop something that we could give to universities for training and using CAPEC and CWE, etc.
That's something where, for the several people who attended the summit who are associated with a university, we'd love to contact you and discuss putting something together, sort of a joint thing that could be used all over in many universities.
(14:10) Speaker: Alec J. Summers
Yeah, absolutely, I think there's certainly an opportunity for that.
One of the things that we are also looking at, and we would be remiss not to mention, is a request for feedback here at this session on user experience. As I mentioned, we have a user experience working group that meets regularly; we'd love to have anybody join. It's a very open forum and an opportunity to talk about various things related to these programs, but as far as those on the call today, what do you think are some of the most important things to improve or change, or even to add, in the CAPEC user experience? ... This is intended to be very open-ended, so there is no wrong answer to any of these questions, as I said. I'm curious specifically, though, about everybody on the call who potentially uses ... CAPEC, or perhaps has been exploring it throughout the day and hearing different things. What are some possibilities, as we modernize these programs, to really focus on improving or changing or adding to the user experience? Any thoughts there?
(16:05) Speaker: Rich Piazza
OK, one of the things that came up in the chat was maybe a discussion about the 'consumability' of the data in CWE, CAPEC, and all of these things that we're doing, if you wanted to discuss that.
(16:21) Speaker: Alec J. Summers
Yeah, absolutely, yes, so the format. I remember, it might have been you, Rich, I answered that question with regards to the sort of back-end structure of things, and one thing the CWE/CAPEC Board does, as one of its responsibilities, is to adjudicate and elect the opening of various working groups with respect to the program topic areas… and one of the things that we've been hearing about from the community is the potential value that could be made if we were to develop a REST API.
And how that information could be much easier to engage with in some regards, especially for certain users. This is something that is actively being discussed right now in terms of setting up a group to work with us to do that. So I do encourage any of you that might be interested in participating, at least on that type of project in relation to the CAPEC user experience and how a REST API might be of particular interest to you, to certainly reach out to us on that. But I can say at this time that, yes, that is in our plans, and hopefully that work will be starting in the near future.
(17:52) Speaker: Rich Piazza
Yeah, there's a comment by Jim in the chat which I think you'd like to expand upon: "suggest tools and interfaces that map to users and uses, how cybersecurity workforce framework roles use CAPEC, CWE, and ATT&CK," and the way I read that is, you want sort of a joint interface to address all of these things at the same time, which is something that we've talked about.
(18:29) Speaker: Alec J. Summers
Ah, what, one information corpus to rule them all, is that the idea? Yeah, absolutely. I think one thing that we've certainly heard is that question in terms of the different projects and how they relate. The low-hanging fruit, although it does take a considerable amount of resources to do, is a mapping effort, right, across these different things, and that's sort of the first-case usability value-add for those that are perhaps really familiar with, say, a CWE but not necessarily its related CAPEC attack pattern, or vice versa, or CAPEC and ATT&CK and how they relate; that didn't apply in the early days of the program. I think people like Joe and Bob might be remembering the site, and I think the site still exists, the idea of incorporating all of these information corpora into something called "Making Security Measurable" and having a site that you could go to to have these things connected in that way.
I think, looking forward, there's the opportunity to perhaps better align these things visually and interactively. Perhaps information could be presented away from the current format of the sites themselves in a more fluid, engaging way, and perhaps that's one way, at least if I can remember what was asked in the question, to address Jim's point with regards to the cyber workforce and how to use these different things. Training and guidance on how to use these to their best effect is something that we could work on with the community, building on what we've heard today as well, in terms of some of these domains and how CAPEC is already being used accordingly right there. There's always more here; I hope I answered that question.
(20:17) Speaker: Steve Christey Coley - CAPEC/CWE Program
Can I add on to that? 'Cause for those of you who aren't aware of this cybersecurity workforce framework, it's something that came out of NIST that does try to do a bunch of different things. But part of it is that it tries to identify and standardize the kinds of roles and jobs that people would have within the cybersecurity industry, things like forensic analyst with certain kinds of skills, things like reverse engineering, and so on.
So one of the ways that I interpret some of that question is, and I think it's an interesting question, it's an interesting proposal: there are certain roles and certain tasks within the NICE framework, and people who are looking at those particular roles or need to build those skills should probably be knowledgeable about CAPEC and others of these kinds of efforts, if not also potentially really use them as part of their own education. One thing that this does is that it ties in pretty heavily to how the US government is trying to hire, or trying to think about what kinds of roles and what kinds of careers they need to build for new cybersecurity people. So my take on that is that it sounds like a really interesting idea, to be able to tie in more closely to raise awareness of these efforts, but then also to help those kinds of people who are trying to move up in their cybersecurity careers and match what US government organizations' needs are.
(22:07) Speaker: Alec J. Summers
You hit the nail on the head.
Thank you, Steve, I appreciate that; a great answer.
(22:09) Speaker: Rich Piazza
Yeah, we're getting a lot of comments and a lot of thumbs up for the API, and as you said, a working group is something we hope to set up soon, and we will send out information about that so you can join in, have your opinion shared with people, and try to have your ideas be part of the solution.
(22:37) Speaker: Alec J. Summers
Yeah, and I would like to call out one comment. … This is an interesting topic, because I know that within the CAPEC team, and I'm curious what maybe others on the call might think, there is an opportunity. While we mentioned we do have some supply chain coverage within CAPEC as it is, going back a long time, it's starting to be modernized as we go forward and there's certainly more to do.
Just as Bob so eloquently put it in the last session, one thing that might be interesting is to look at where CAPEC can be defined within that supply chain lifecycle at different stages.
It's similar to, but different from, the product development lifecycle, the software development lifecycle. There are certain elements in supply chain that are unique, and looking at how perhaps the CAPECs that exist, those that are being written and sort of planned out, and those that we are going to get to, where they all land in that way, and perhaps presenting them in such a way, would be valuable. I'm curious what some might think about that.
(23:50) Speaker: Robert A. Martin - MITRE (Guest)
Well, what I think of when you say those words is attack surface analysis. What is the supply chain? What are the flows, both physically and temporally? And then articulate where there could be weaknesses that could be attacked.
And that's where you focus the attack patterns.
(24:17) Speaker: Rich Piazza
Which I think, Bob, you did during some of your slides; you pointed out where some of the work…
(24:22) Speaker: Robert A. Martin
Yeah, now that was my hint.
(24:27) Speaker: Alec J. Summers
Yeah, we can go to the next slide.
We have another topic here, so maybe looking outside of usability and user interface. We did ask what other content domains are most important to you, which is sort of similar here, and I might ask or frame it differently. What is most important in terms of improving or expanding or adding? Is there a gap in an entire domain that we think we don't cover that we should? We talked about some that we potentially have an opportunity to grow and expand – of course, supply chain being one – but also those that perhaps, alternatively, we shouldn't necessarily focus on. I'm recalling the data that I looked at maybe a couple of hours ago with regards to what was important. I did notice that social engineering was pretty low on the list. So that's an interesting topic in and of itself.
Namely, because in the past we've talked about the relationship between CAPEC and CWE being such that CAPEC is exploiting an existing weakness, and then in CWE we don't enumerate, and we don't really have any plans to enumerate, the weaknesses associated with social engineering, as they start to get into neuroscience, perhaps, and psychology. That is sort of outside of the scope of CWE, as you can imagine. I'm open to hearing here specifically, around looking at the domains that we do cover and those that are important to you: how could they be improved, or how could they be expanded or added to?
So that's this question here. Any thoughts on that?
(26:05) Speaker: Joe Jarzombek - Synopsys (Guest)
We already kinda talked about cyber-physical systems.
And the notion of chained attacks, where you've got both hardware and software involved with it.
And you could even consider social engineering as part of that.
But that is something that no single domain is going to [solve]. So you have to bring it together under cyber-physical systems security, because we're really talking about where a cyber attack can have physical consequences. It's already in the news. It's going to be in the news a lot more, and this could become part of that solution space.
(26:42) Speaker: Alec J. Summers
Yeah, thanks for that. It also reminds me, I mentioned before, moments ago, these different groups that are being stood up. And one that has been approved and will be standing up very soon, for those of you on the call that might be interested, is that we are going to have an ongoing new special interest group focusing on ICS and OT systems. So be on the lookout for an invite to that… I believe it's called the ICS – it's an acronym title of extraordinary length – it's the ICS OT CWE SIG: the industrial control systems operational technology common weakness enumeration special interest group, but of course CAPEC is going to be just as relevant in there, and so within the title we thought, maybe a few acronyms too many. But yeah, that's a great point, and I just wanted to plug that too, because that's coming as well for those interested in that space.
How about the next slide.
I guess this is sort of similar to, but maybe a different way of thinking about, the usability of the CAPEC site. Any features, perhaps, in addition to the things we talked about with regards to domains and content and the experience in certain use cases, but the actual usability; any feedback would be most welcome here.
No wrong answers again. I know the API was one that we've gotten a lot of positive feedback around already, but anything else?