Understanding the Relationship between CWE and CAPEC Through Two Scenarios

Edwin Covert
7 min read · Dec 6, 2021


Photo by Markus Spiske from Pexels

Organizations must protect the confidentiality, integrity, and availability of their information and data. Confidentiality protects the data from exposure to individuals or entities who should not view it; it means “preserving authorized restrictions on information access and disclosure” (Stallings & Brown, 2020, p. 25). To protect confidentiality, organizations can implement various controls. Experts define controls as “measures to minimize, mitigate, and respond to the intentional and unintentional threat to protect organisational information technology resources” (Onumo et al., 2021, p. 5).

This article will discuss potential controls to address breaches in confidentiality within two specific scenarios. The first scenario is network traffic discovered to be unencrypted going to and from a web server. The second involves emails leaving an organization in an unencrypted state. This article will review each scenario through the lens of threats to an organization and discuss potential technical controls that organization could enact to address any weaknesses in their cybersecurity posture.

The Scenarios

Unencrypted Web Traffic

In the first scenario, an organization that does not protect the confidentiality of its web traffic unintentionally exposes that traffic to outside parties. For example, if a user buys something from Amazon.com, anyone watching that network segment can see all the user’s activities because the confidentiality of the network traffic is lacking. This means the user’s credit card information, their shipping and billing address, their email address, what they bought, and how much they bought is freely available to anyone with the technical know-how to monitor that traffic.

Unencrypted Email Traffic

In the second scenario, the same lack of confidentiality exists. The difference between this scenario and the first one is the application that the organization uses. Here, the organization is emailing information internally and to external parties. The risk remains the same: the network exposes sensitive employee data; proprietary information the organization requires for running its business becomes available; or personal information shared from work computers is at risk to those with the knowledge to tap the network. In each scenario, the ability to capture network traffic is not a technical challenge, as Orlando (2005) points out. The tools to execute this work are freely available on the Internet and have existed for many years.

Understanding the Threats the Scenarios Present

The MITRE Corporation is a federally funded research and development company that researches cybersecurity issues for the US government and makes its work publicly available to all practitioners. It developed three tools that can illuminate the specific weaknesses of unencrypted traffic that threat actors seek to exploit. The first tool is the Common Vulnerability Enumeration (CVE) process, part of the National Vulnerability Database (NVD). The second is the Common Weakness Enumeration (CWE) dataset. The third is the Common Attack Pattern Enumeration and Classification (CAPEC) dataset. Figure 1 shows the relationship between these three tools.

Figure 1

Relationship between CVE, CWE, and CAPEC

Note. Adapted from “Tracing CAPEC attack patterns from CVE vulnerability information using natural language processing technique” by Kanakogi et al., 2021, https://doi.org/10.24251/hicss.2021.841. Copyright 2021 by Kanakogi et al.

This article will not address the first tool (CVE) and its relationship to the scenarios, as there are no vulnerabilities with CVE identifiers presented.

CWE and Weaknesses Associated with the Scenarios

The CWE dataset describes potential vulnerabilities in a common text format, according to Hariyanti et al. (2021). Citing MITRE (2019), Hariyanti et al. (2021) state the CWE “is a list of information security vulnerabilities that commonly appear in software, providing a common language for discussing, finding and dealing with software security vulnerabilities that can appear in code, design or system architecture” (p. 3). CWE covers both software and hardware weaknesses and gives cybersecurity practitioners and software developers a common way of discussing weaknesses, so that they can address any potential weaknesses before the software or hardware becomes operational (MITRE, 2021e).

MITRE identifies a specific weakness that applies to each scenario above: cleartext transmission of sensitive information (CWE-319) for scenario one and missing encryption of sensitive data (CWE-311) for scenario two. CWE-319 occurs when “software transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors” (MITRE, 2021d, para. 1). MITRE (2021d) describes the consequence of this weakness as “[a]nyone can read the information by gaining access to the channel being used for communication” (para. 6). This is exactly the set of consequences described in scenario one. MITRE (2021d) also lists the likelihood of threat actors exploiting this weakness as high.

CWE-311 occurs when “[t]he software does not encrypt sensitive or critical information before storage or transmission” (MITRE, 2021c, para. 1). In scenario two, threat actors exploit this weakness to access the application traffic on the network and eavesdrop on the communications. Again, this describes the situation in scenario two exactly, and again MITRE (2021c) lists the likelihood of threat actors exploiting this weakness as high.

CAPEC and Attack Patterns Associated with the Scenarios

According to MITRE (2019), CAPEC “provides a publicly available catalog of common attack patterns that helps users understand how adversaries exploit weaknesses in applications and other cyber-enabled capabilities” (para. 1). Attack patterns are collections of attributes and tactics used by threat actors to exploit the weaknesses listed in CWEs; CAPEC can help practitioners understand the specific techniques or tactics a threat actor will use to exploit a weakness and thus prevent a successful attack (Kanakogi et al., 2021).

For the scenarios described, CAPEC has at least two entries: sniffing attacks (CAPEC-157) and adversary in the middle (CAPEC-94). Each applies equally to both scenarios. In CAPEC-157, the threat actor only observes the communication (by reading or hearing it) and does not seek to alter the communication stream (MITRE, 2021a). In CAPEC-94, the threat actor goes a step further by attempting to surreptitiously change the content of the data stream between the sender and the intended recipient (MITRE, 2021b). There are other CAPEC entries related to CWE-319 and CWE-311, but space considerations prevent their discussion.
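The two scenarios and the CWE/CAPEC entries above can be turned into a simple defender-side check. The following is an added example, not code from the article or from MITRE: it takes constructed samples of the first bytes each side of a connection sent (standing in for what a capture tool would show), decides whether the flow is cleartext, and tags cleartext flows with the CWE the article maps each scenario to and the two CAPEC entries the article says apply to both. The record layout, the field names treated as sensitive, and the flow samples are all this example's own assumptions.

```python
"""Classify sampled connections as cleartext or encrypted and map them to CWE/CAPEC.

Added example; not the article's or MITRE's code. Input records are
constructed (dst_port, client_bytes, server_bytes) tuples, not real traffic.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# CAPEC entries the article associates with both scenarios.
CAPEC_FOR_CLEARTEXT = ("CAPEC-157", "CAPEC-94")
HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"DELETE ", b"HEAD ", b"OPTIONS ", b"PATCH ")
# Form fields treated as sensitive for this example (an assumption, not a standard list).
SENSITIVE_FIELDS = (b"card", b"cvv", b"password", b"addr", b"email")

# Constructed samples: (dst_port, first bytes from client, first bytes from server)
SAMPLE_FLOWS: List[Tuple[int, bytes, bytes]] = [
    # scenario one: checkout over plain HTTP
    (80, b"POST /checkout HTTP/1.1\r\nHost: shop.example\r\n\r\n"
         b"card=4111111111111111&addr=1+Main+St", b"HTTP/1.1 200 OK\r\n"),
    # scenario one remediated: TLS ClientHello (record type 0x16, version 0x03xx)
    (443, b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03", b"\x16\x03\x03\x00\x5a\x02"),
    # scenario two: SMTP envelope sent although the server offered STARTTLS
    (25, b"EHLO mail.example\r\nMAIL FROM:<hr@example>\r\nRCPT TO:<payroll@partner.example>\r\n"
         b"DATA\r\nSubject: salaries\r\n",
         b"220 mx.partner.example ESMTP\r\n250-mx.partner.example\r\n250-STARTTLS\r\n250 OK\r\n"),
    # scenario two remediated: STARTTLS issued first, then a TLS record
    (25, b"EHLO mail.example\r\nSTARTTLS\r\n\x16\x03\x01\x00\xa2",
         b"220 mx ESMTP\r\n250-STARTTLS\r\n220 Go ahead\r\n"),
]


@dataclass
class Finding:
    dst_port: int
    protocol: str            # "tls", "http", "smtp" or "unknown"
    cleartext: bool
    cwe: Optional[str]       # CWE the article maps the scenario to, if cleartext
    capec: Tuple[str, ...]   # attack patterns that apply to a cleartext flow
    detail: str


def is_tls_record(data: bytes) -> bool:
    """A TLS handshake record starts with content type 0x16 and major version 0x03."""
    return len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03


def classify_flow(dst_port: int, client: bytes, server: bytes) -> Finding:
    if is_tls_record(client):
        return Finding(dst_port, "tls", False, None, (), "TLS handshake at start of flow")
    if client.startswith(HTTP_METHODS):
        fields = [f.decode() for f in SENSITIVE_FIELDS if f + b"=" in client]
        detail = "plain HTTP" + (" carrying fields: " + ", ".join(fields) if fields else "")
        return Finding(dst_port, "http", True, "CWE-319", CAPEC_FOR_CLEARTEXT, detail)
    upper = client.upper()
    if upper.startswith((b"EHLO", b"HELO")):
        starttls_at, mail_at = upper.find(b"STARTTLS"), upper.find(b"MAIL FROM")
        if starttls_at != -1 and (mail_at == -1 or starttls_at < mail_at):
            # Everything after the STARTTLS line must be a TLS handshake.
            rest = client[starttls_at:].split(b"\r\n", 1)
            if len(rest) == 2 and is_tls_record(rest[1]):
                return Finding(dst_port, "smtp", False, None, (), "STARTTLS negotiated before envelope")
            return Finding(dst_port, "smtp", True, "CWE-311", CAPEC_FOR_CLEARTEXT,
                           "STARTTLS sent but no TLS handshake followed")
        offered = b"250-STARTTLS" in server.upper() or b"250 STARTTLS" in server.upper()
        detail = "MAIL FROM sent without STARTTLS" + (" although the server offered it" if offered else "")
        return Finding(dst_port, "smtp", True, "CWE-311", CAPEC_FOR_CLEARTEXT, detail)
    return Finding(dst_port, "unknown", False, None, (), "protocol not recognised")


def report(flows: List[Tuple[int, bytes, bytes]] = SAMPLE_FLOWS) -> List[Finding]:
    """Classify every sampled flow."""
    return [classify_flow(*flow) for flow in flows]


def exposures(flows: List[Tuple[int, bytes, bytes]] = SAMPLE_FLOWS) -> List[Finding]:
    """Only the cleartext flows, i.e. the ones that need remediation."""
    return [f for f in report(flows) if f.cleartext]


if __name__ == "__main__":
    for f in report():
        print(f"port {f.dst_port:<4} {f.protocol:<7} cleartext={f.cleartext!s:<5} {f.cwe or '-':<8} {f.detail}")
```

The classifier only looks at the opening bytes of each side, which is enough to separate a TLS handshake from an HTTP request or an SMTP envelope; a real deployment would feed it from a capture tool and extend the sensitive-field list to the organisation's own data types.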

Remediating the Weaknesses

For both CWEs listed, the common remedy is encryption to protect the confidentiality of the data. Stallings and Brown (2020) describe encryption as fundamental to ensuring data confidentiality. Which encryption scheme to deploy depends on the scenario, however. For scenario one, MITRE (2021d) recommends implementing a secure connection across the entire session as the remediation for CWE-319. One method of doing this for web traffic is the transport layer security (TLS) protocol (the current version is 1.3). TLS is an application protocol that creates an authenticated and encrypted connection between two endpoints via a ‘handshake and record’ set of sub-protocols (Rescorla, 2018). Fortunately, most major web server vendors provide easy-to-follow guides for setting up TLS on a web server (Stewart et al., 2021; Apache, 2021).

For scenario two, MITRE (2021c) recommends using approved and analyzed encryption algorithms, specifically those allowed under the current version of Federal Information Processing Standard 140 (FIPS 140), currently version 3. Encryption compliant with FIPS 140 means US government and cryptographic experts have reviewed it and determined that it has a secure design and implementation and that its cryptographic modules operate as intended (National Institute of Standards and Technology, 2019).

Conclusion

In the two scenarios above, the likelihood of threat actors exploiting poor configurations to access or change sensitive communication data is high. Threat actors possess known attack methods, described in CAPEC format, for exploiting these weaknesses enumerated in the CWE. An organization with these flaws needs to deploy technical controls, such as encryption, to protect the confidentiality of its data. Encryption is the proper technical control for both scenarios.

References

Apache. (2021). SSL/TLS strong encryption: How-to. Apache HTTP Server Version 2.4. Retrieved December 3, 2021, from https://httpd.apache.org/docs/2.4/ssl/ssl_howto.html.

Hariyanti, E., Djunaidy, A., & Siahaan, D. (2021). Information security vulnerability prediction based on business process model using machine learning approach. Computers & Security, 110, 102422. https://doi.org/10.1016/j.cose.2021.102422.

Kanakogi, K., Washizaki, H., Fukazawa, Y., Ogata, S., Okubo, T., Kato, T., Kanuka, H., Hazeyama, A., & Yoshioka, N. (2021). Tracing CAPEC attack patterns from CVE vulnerability information using natural language processing technique. Proceedings of the 54th Hawaii International Conference on System Sciences, 6996–7004. https://doi.org/10.24251/hicss.2021.841.

MITRE. (2019, April 4). Common attack pattern enumeration and classification. CAPEC. Retrieved December 3, 2021, from https://capec.mitre.org/about/index.html.

MITRE. (2021a). CAPEC-157: sniffing attacks. CAPEC. Retrieved December 3, 2021, from https://capec.mitre.org/data/definitions/157.html.

MITRE. (2021b). CAPEC-94: adversary in the middle. CAPEC. Retrieved December 3, 2021, from https://capec.mitre.org/data/definitions/94.html.

MITRE. (2021c). CWE-311: missing encryption of sensitive data. CWE. Retrieved December 3, 2021, from http://cwe.mitre.org/data/definitions/311.html.

MITRE. (2021d). CWE-319: cleartext transmission of sensitive information. CWE. Retrieved December 3, 2021, from http://cwe.mitre.org/data/definitions/319.html.

MITRE. (2021e). Common weakness enumeration. CWE. Retrieved December 3, 2021, from http://cwe.mitre.org/about/index.html.

National Institute of Standards and Technology. (2019). Security requirements for cryptographic modules (FIPS 140-3). Retrieved December 3, 2021, from https://doi.org/10.6028/NIST.FIPS.140-3.

National Institute of Standards and Technology. (2020). Security and privacy controls for information systems and organizations (SP 800-53 Rev. 5). Retrieved November 16, 2021, from https://doi.org/10.6028/NIST.SP.800-53r5.

Onumo, A., Ullah-Awan, I., & Cullen, A. (2021). Assessing the moderating effect of security technologies on employees’ compliance with cybersecurity control procedures. ACM Transactions on Management Information Systems, 12(2), 1–29. https://doi.org/10.1145/3424282.

Orlando, N. (2005). Simple traffic analysis with Ethereal. SANS. Retrieved December 3, 2021, from https://sansorg.egnyte.com/dl/IaitLP67eh.

Rescorla, E. (2018, August). RFC 8446: The transport layer security (TLS) protocol version 1.3. IETF. Retrieved December 3, 2021, from https://datatracker.ietf.org/doc/rfc8446/.

Stallings, W., & Brown, L. (2020). Computer security: principles and practice (4th ed.). Pearson India Education Services Pvt Ltd.

Stewart, M., Czechowski, A., & Eby, D. (2021, November 24). Enable TLS 1.2 on servers — Configuration Manager. Microsoft Docs. Retrieved December 3, 2021, from https://docs.microsoft.com/en-us/mem/configmgr/core/plan-design/security/enable-tls-1-2-server.
