Celebrating the 15th anniversary of CAPEC™

CWE Program
Mar 23, 2022


CAPEC is not a piece of cake…

March 2022 is the 15th anniversary of Common Attack Pattern Enumeration and Classification (CAPEC™). On this important milestone, we thought we would reflect on the development of the project and on plans for the future, in collaboration with the CAPEC community.

The idea of a software design pattern had been around for quite some time [1] when security researchers realized it could also be used to describe cyber-attacks [2]. With support from DHS, Cigital (later part of Synopsys) and MITRE created the “Common Attack Pattern Enumeration and Classification (CAPEC)” in 2006 as a corpus of “attack patterns” — design patterns for attackers. At the time, Common Weakness Enumeration (CWE™) was already in development, and CAPEC initially focused on how attackers exploit CWEs to enable attacks. This type of information is valuable to the community because it helps organizations better manage cyber risk and avoid or mitigate the kinds of mistakes and attacks that put enterprises at risk. CAPEC 1.0 was released 15 years ago this month and contained 91 attack patterns. CAPEC and CWE were part of the MITRE/DHS establishment of various corpuses under the umbrella concept of “Making Security Measurable”.

In 2010, CAPEC’s scope extended beyond software with the inclusion of attack patterns across three additional domains — social engineering, physical security, and supply chain. These entries were often less tied to the traditional exploitation of a CWE, since CWE at the time still covered only software-related weaknesses. In collaboration with community stakeholders across academia, government, and industry, CAPEC grew to 450 entries.

From the beginning, CAPEC has engaged its user community to find ways of increasing its value and utility. The CAPEC team has worked with the OWASP, WASC, and MITRE ATT&CK teams over the years to integrate information and expand coverage. CAPEC grew to be recognized as a vital corpus of cyber security information. ITU recommended CAPEC in 2013 [3], and ISO included CAPEC in a technical report in 2015 [4]. Adam Shostack, who developed STRIDE at Microsoft, wrote in his seminal book “Threat Modeling: Designing for Security” [5]: “The impressive size and scope of CAPEC may … make it easier to use for someone who’s just getting started in security, where specificity helps to identify attacks.”

Many individuals have been responsible for the concept and the development of CAPEC over the years. It is difficult to name them all, but we would like to especially mention and thank the following people: Gary McGraw, Sean Barnum, Bob Martin, Joe Jarzombek, Mark Loveless, Drew Buttner, Eric Dalci, Romain Gaucher, Tom Stracener, Pravir Chandra and Rich Struse.

As of February 2022, when CAPEC version 3.7 was released, there are 546 attack patterns in the corpus. Looking forward, CAPEC hopes to continue improving and modernizing the program through direct engagement with community stakeholders in several key areas:

  • Supply chain domain
  • Better integration with CWE (especially with its expansion into the hardware domain)
  • User experience (e.g., a more dynamic website, a REST API)
  • A lesson plan using CWE/CAPEC for use in university curricula
  • Entry completeness and quality throughout the corpus

These are challenging tasks that require community input and contributions, and there are many ways for you to get involved. Consider joining the CWE/CAPEC User Experience Working Group or one of the other community groups mentioned on the landing page of the CWE and CAPEC sites. Other working groups and special interest groups are in the works, including one related to the REST API.

We invite you to be a part of the future of CWE/CAPEC!

A big thanks from the community to Rich Piazza as the primary author of this blog and the CAPEC lead for letting the community know what is going on.

References

[1] E. Gamma, R. Helm, R. Johnson and J. Vlissides, Design Patterns: Elements of Reusable Object-Oriented Software, Addison-Wesley, 1995.

[2] G. McGraw, Software Security: Building Security In, Addison-Wesley, 2006.

[3] ITU-T Recommendation, https://www.itu.int/ITU-T/recommendations/rec.aspx?rec=11753

[4] ISO technical report, https://www.iso.org/standard/68837.html

[5] A. Shostack, Threat Modeling: Designing for Security, John Wiley & Sons, 2014.
