Ties to Existing Standards
Introduction
Where appropriate, MAEC will make use of Making Security Measurable standards to more accurately characterize malware, especially with regard to standardized reporting and assessment of threats and vulnerabilities.
"Making Security Measurable" is a collection of information security data standards developed by MITRE and others that are increasingly being adopted by vendors and forming the basis for security management and measurement activities across wide groups of industry and government. Use of these standards is facilitating the ability of adopting organizations to use automation for assessing, managing, and improving the security posture of their enterprise security information infrastructures while also fostering effective security process coordination across their organization. Refer to the Making Security Measurable Web site for additional information and to view the current collection.
MAEC’s Relationship with the MSM Standards
The specific Making Security Measurable standards that can be utilized by MAEC to more accurately characterize malware are included below.
Common Attack Pattern Enumeration and Classification (CAPEC)
MAEC will make use of CAPEC for describing the relevant attack patterns associated with the high-level malware taxonomy, such as those dealing with network reconnaissance, propagation, insertion, and command and control. MAEC’s usage of CAPEC will allow for such behaviors to be defined through an industry standard attack pattern enumeration, thus ensuring that the attacker’s perspective in implementing these behaviors is properly represented.
This association will also provide researchers with detailed information regarding the behavior's motivation (if included in the CAPEC entry). It is conceivable that such information could be utilized by researchers for determining the overarching intentions of the malware author (by abstracting multiple CAPECs and other malware behaviors), as well as by developers for creating software with improved security against malware.
Common Event Expression (CEE)
MAEC will use the ubiquitous event description language provided by CEE to describe logged events associated with malware activity. Such entries can be linked to specific malware behaviors and used to determine the presence of malware.
Common Weakness Enumeration (CWE)
If it is determined that a malware instance exploits a particular software weakness, MAEC will link to its corresponding CWE entry. This linkage will allow for the generation of statistics with regard to the most common types of weaknesses being exploited by malware, thereby highlighting the areas where better security-oriented coding practices need to be implemented. This linkage will also provide an attribute for correlation of malware when a specific CVE or CCE isn’t being targeted by the malware.
Common Vulnerabilities and Exposures (CVE®)
MAEC will link to the CVE entry associated with a particular vulnerability exploited by malware. This will allow users to determine the nature of the vulnerability being exploited by the malware, as well as for automated fix and patch assessment through CVE-Compatible tools. Likewise, MAEC’s link to CVE will substantiate vulnerability-based threats by providing a concrete example of their exploitation, which will permit the prioritization of software vulnerability patching and associated threat assessment efforts.
Common Platform Enumeration (CPE)
For a standardized description of the software and hardware platforms targeted by malware, MAEC will make use of the respective CPE entry associated with the platforms, permitting the tool-based identification of potential victim machines by IT administrators. Linking to CPE will also allow for assessment of the threat that a malware instance poses to organizational computing resources based on the platforms that it targets.
Common Configuration Enumeration (CCE)
The linkage of MAEC to the CCE will allow for the description of any of the vulnerabilities associated with malware that are not related to software flaws. This will allow for the host-based detection of specific configuration-related vulnerabilities exploited by malware, as well as the detection of general configuration issues that malware could potentially exploit. MAEC's link to CCE can also substantiate non-flaw-based vulnerability threats by providing a concrete example of their exploitation, which will permit the prioritization of configuration vulnerability patching and associated threat assessment efforts.
Open Vulnerability Assessment Language (OVAL®)
Certain low-level malware observables may represent attempts at software vulnerability exploitation, meaning that such entries can be linked to corresponding OVAL definitions (if one exists). Such a connection would allow for improved malware threat mitigation, by tying in the ability to easily check for the host-based existence of a vulnerability that is directly associated with a particular malware instance. Likewise, it can narrow down the potential malware variants capable of infecting a system by correlating the unpatched vulnerabilities present on a system with those linked to by MAEC characterizations.
OVAL can also be used to determine malware presence based on comparison of multiple scans. A common malware behavior is to patch the particular vulnerability used to exploit a system after successful infection; detection of such a "silently" patched vulnerability can therefore be used to establish the presence of malware.
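The two OVAL uses described above (narrowing candidate variants by a host's unpatched vulnerabilities, and spotting a "silently" patched vulnerability across scans), as an added example that is not MAEC's or MITRE's own code. All OVAL definition ids, family names and scan results are constructed placeholders; scan results use OVAL's "true"/"false" definition result strings.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class MalwareCharacterization:
    """Minimal stand-in for a MAEC characterization: the OVAL definitions
    its exploitation behaviors link to (constructed, not the MAEC schema)."""
    name: str
    oval_defs: frozenset

# Constructed sample characterizations with placeholder OVAL ids.
CHARACTERIZATIONS = [
    MalwareCharacterization("FamilyA", frozenset({"oval:example.local:def:101"})),
    MalwareCharacterization("FamilyB", frozenset({"oval:example.local:def:102",
                                                   "oval:example.local:def:103"})),
    MalwareCharacterization("FamilyC", frozenset({"oval:example.local:def:104"})),
]

def candidate_variants(scan, characterizations=CHARACTERIZATIONS):
    """Families whose linked vulnerabilities are ALL still unpatched on the host.
    `scan` maps OVAL definition id -> result ("true" = vulnerable)."""
    unpatched = {d for d, r in scan.items() if r == "true"}
    return sorted(c.name for c in characterizations if c.oval_defs <= unpatched)

def silently_patched(before, after, authorized_patches):
    """Definitions that flipped vulnerable -> not vulnerable between two scans
    with no matching entry in the change-management record."""
    return sorted(d for d, r in before.items()
                  if r == "true" and after.get(d) == "false"
                  and d not in authorized_patches)

def suspected_families(silent_defs, characterizations=CHARACTERIZATIONS):
    """Families whose linked exploit vulnerability was silently closed:
    a lead for host investigation, not proof of infection by itself."""
    silent = set(silent_defs)
    return sorted(c.name for c in characterizations if c.oval_defs & silent)

if __name__ == "__main__":
    # Constructed scans of one host a week apart; only def:104 was patched by IT.
    scan_day0 = {"oval:example.local:def:101": "true", "oval:example.local:def:102": "true",
                 "oval:example.local:def:103": "false", "oval:example.local:def:104": "true"}
    scan_day7 = {"oval:example.local:def:101": "false", "oval:example.local:def:102": "true",
                 "oval:example.local:def:103": "false", "oval:example.local:def:104": "false"}
    print("at risk on day 0:", candidate_variants(scan_day0))
    silent = silently_patched(scan_day0, scan_day7, {"oval:example.local:def:104"})
    print("silently patched:", silent, "-> investigate:", suspected_families(silent))
```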
Page Last Updated: August 09, 2010