Ties to Existing Standards

MMDEF | CybOX | CPE | CVE | STIX

As illustrated below, MAEC makes use of several information security data standards to most accurately characterize malware:

MAEC's relationship with other information security standards

The standards noted above are increasingly being adopted by vendors and forming the basis for security management and measurement activities across wide groups of industry and government. Use of these standards is facilitating the ability of adopting organizations to use automation for assessing, managing, and improving the security posture of their enterprise security information infrastructures while also fostering effective security process coordination across their organization.

Additional information about each of these standards, and their relationships to MAEC, are provided below.

Back to top

Malware Metadata Exchange Format (MMDEF)

MMDEF is being developed by the Institute of Electrical and Electronics Engineers's (IEEE) Industry Connections Security Group (ICSG). The development of the original schema was led primarily by a group of anti-virus (AV) product vendors for the purpose of developing some way to augment shared malware samples with additional metadata. As such, it permits the characterization of some static features like hashes and file names, along with some basic behavioral features.

MAEC uses one major component from the MMDEF schema. In particular, it uses the fieldDataEntry type for capturing information about malware prevalence in the wild.

Back to top

Cyber Observables eXpression (CybOX™)

The CybOX Language is a U.S. Department of Homeland Security–led effort of the office of Cybersecurity and Communications that provides a structured language for the specification, capture, characterization, and communication of events or stateful properties that are observable in the operational domain.

MAEC uses components of the CybOX Language for characterizing cyber observables associated with malware. In particular, MAEC makes use of CybOX's Object and Action types (which are extended in MAEC's MalwareActionType type) to characterize malware-related system artifacts and low-level behaviors, respectively. See the CybOX Web site and the MAEC Specification document for additional information.

Back to top

Common Platform Enumeration (CPE)

CPE is a U.S. National Institute for Standards and Technology (NIST)-managed standard that provides a standard machine-readable format for encoding names of IT products and platforms

For a standardized description of the software and hardware platforms targeted by malware, MAEC (via CybOX) makes use of the respective CPE entry associated with the platforms, permitting tool-based identification of potential victim machines by IT administrators. Linking to CPE also allows organizations to assess the threat that a malware instance poses based on the platforms that it targets.

MAEC also leverages CPE to describe the software platforms used in the analysis of a malware instance. In particular, it is used to identify the virtual-machine (VM) hypervisor that may be used to host VMs for static or dynamic malware analysis, along with the software installed on the host machines (virtual or physical) themselves.

Back to top

Common Vulnerabilities and Exposures (CVE®)

CVE is a dictionary of common names (i.e., CVE Identifiers) for publicly known information security vulnerabilities and exposures. CVE is a MITRE-led effort sponsored by the office of Cybersecurity and Communications at the U.S. Department of Homeland Security.

By referencing the CVE entry associated with a particular vulnerability exploited by a malware instance, MAEC allows users to determine the nature of the vulnerability being exploited by the malware and allows CVE-Compatible tools to perform patch management and vulnerability assessment and remediation. Likewise, MAEC's link to CVE substantiates vulnerability-based threats by providing a concrete example of their exploitation via malware, which permits the prioritization of software vulnerability patching and associated threat assessment efforts.

Back to top

Structure Threat Information eXpression (STIX™)

The STIX Language is a U.S. Department of Homeland Security–led effort of the office of Cybersecurity and Communications to characterize a rich set of cyber threat information in a standardized and structured manner. STIX can describe malware using MAEC characterizations through use of a MAEC schema extension for the STIX TTP schema.

Back to top

Page Last Updated: January 02, 2014