Use Cases

At its highest level, MAEC is a domain-specific language for non-signature-based malware characterization. Because MAEC provides a common vocabulary and grammar for the malware domain, most of its use cases are motivated by the unambiguous and accurate communication of malware attributes that MAEC enables. To illustrate this in more detail, we provide high-level use cases in four general areas: malware analysis, cyber threat analysis, intrusion detection, and incident management.

Malware Analysis

As shown in the illustration, MAEC will typically be used to encode the data gathered from malware analysis. In such a scenario, a malware instance is analyzed, automatically or manually, using either dynamic or static methods. The results are then captured using the MAEC schema, and either a single MAEC Package (containing one or more MAEC Bundles) or one or more standalone MAEC Bundles are generated to communicate the analysis results.

[Illustration: Use Cases]

The analysis of malware using static and dynamic/behavioral methods is critical for understanding the malware's inner workings. Information obtained from such analyses can be used for malware detection, mitigation, the development of countermeasures, and as a means of triage for determining whether further analysis is necessary.

In terms of static analysis, MAEC can be used to capture the particular details that are extracted from a malware instance. Details can range from the static attributes of a malware instance binary, such as information on the packers that the instance was packed with, to interesting code snippets obtained from the manual reverse engineering of the instance binary code.

With regard to dynamic analysis, MAEC can be used to capture details of the particular behaviors exhibited by executing the malicious binary or code. This can be done at multiple levels of abstraction, starting with the lowest level (which is most commonly captured as some form of native system API call) and extending to higher levels describing a particular unit of malicious functionality, such as keylogging or vulnerability exploitation.

For both static and dynamic analysis, MAEC can capture information on each analysis as a separate item, including the particular findings of the analysis, information on any tools that were used, and other associated data such as the details of the analysis environment. As such, MAEC permits all of the analyses for a malware instance to be described in a standard fashion and captured in a single document, the MAEC Package.

Please see the MAEC Language Specification on the Documents page for details on how MAEC can also be used for visualization, to capture data for storage in analysis-oriented repositories, and as a means for standardizing tool output.


Cyber Threat Analysis

Current malware reporting, while useful for determining the general type and nature of a malware instance, is inherently ambiguous due to the lack of a common structure and vocabulary. Likewise, it often excludes key malware attributes that may be useful for mitigation and detection purposes, such as the specific vulnerability being exploited. Clearly, the current value of malware reporting to end-users is significantly degraded without an encompassing, common format.

For successful cyber threat analysis, detailed analysis information about the malware instances must be obtained. For example, triage procedures may reveal information such as spear-phishing email headers or URLs to malicious websites, while in-depth malware analysis may uncover command and control domain names and IP addresses. Although today's malware reporting may include such details, there is usually no standardization between reports, and reports do not typically reference relevant standards (e.g., Common Vulnerabilities and Exposures (CVE®)). As a result, IT administrators and others charged with protecting systems from cyber threats may find it difficult to judge the true threat that malware represents. Capturing this information in MAEC, however, makes a threat more readily understood and evaluated, because the information will be consistent across analysts and incidents. Furthermore, MAEC's standardized encoding of the Behaviors exhibited by a malware instance and MAEC's future support of high-level Mechanisms will allow for the accurate discernment of the threat that the malware poses to an organization and its infrastructure.

Please see the MAEC Language Specification on the Documents page for details on MAEC's relationship to other security efforts (e.g., Structured Threat Information Expression (STIX™)), as well as ways that MAEC can be leveraged to create malware threat scoring systems and for purposes of attribution.


Intrusion Detection

Effective intrusion detection is central to keeping networks safe from malicious actors. Using MAEC to characterize malware based on its attributes provides actionable information for malware detection and assessment: more specifically, low-level Objects and Actions and mid-level Behaviors enable malware detection.

Unlike a physical signature, a single MAEC characterization, represented by a MAEC Bundle or MAEC Package, can provide data that can be used to detect multiple malware instances. Because there are a finite number of ways of implementing a particular software behavior (for instance, keylogging), particularly at the assembly level, there is likely to be an intersection of such attributes between multiple malware instances. Therefore, the MAEC characterization of a single malware instance, including behavior-based indicators for detecting the presence of the malware, can permit an intrusion detection system to detect malware families and even otherwise unrelated malware that shares certain attributes with the malware instance.

MAEC characterization data can also be used as host-based checks via translation into the Open Vulnerability and Assessment Language (OVAL®) or Open Indicators of Compromise (OpenIOC) formats.
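As an added illustration (not code from the MAEC project, and not the MAEC schema itself), the following Python models the levels of abstraction described under Malware Analysis (low-level Actions on Objects, mid-level Behaviors, Bundles grouped into a Package) and then applies the Intrusion Detection idea above: an observed instance is related to a characterized one when their Behavior sets intersect. The Behavior rules, sample identifiers and traces are constructed for this example.

```python
from dataclasses import dataclass, field
@dataclass(frozen=True)
class Action:  # lowest level: one API-call-like event on an Object
    name: str  # observed API call (real Windows API names used as illustration)
    obj: str   # the Object it touched (constructed sample values)

# Mid-level Behaviors, each defined by the Action names that realise it.
# Illustrative rules for this example, not MAEC's own vocabulary.
BEHAVIOR_RULES = {
    "keylogging": {"SetWindowsHookEx", "GetAsyncKeyState"},
    "persistence": {"RegSetValueEx"},
    "c2_beacon": {"InternetOpenUrl", "InternetReadFile"},
}

@dataclass
class Bundle:  # one analysis (static or dynamic) of an instance
    analysis_type: str
    tool: str
    actions: list = field(default_factory=list)

    def behaviors(self) -> set:
        seen = {a.name for a in self.actions}
        return {b for b, needed in BEHAVIOR_RULES.items() if needed <= seen}

@dataclass
class Package:  # all analyses of a single malware instance
    subject: str
    bundles: list = field(default_factory=list)

    def behaviors(self) -> set:
        return set().union(*(b.behaviors() for b in self.bundles))

def shared_behaviors(known: Package, observed: Package) -> set:
    """Behaviors an observed instance has in common with a characterized one."""
    return known.behaviors() & observed.behaviors()

def detects(known: Package, observed: Package, min_shared: int = 1) -> bool:
    """Flag the observed instance when at least min_shared Behaviors overlap."""
    return len(shared_behaviors(known, observed)) >= min_shared
# Constructed traces (not real samples): A is the characterized instance,
# B reuses A's keylogging technique, C only contacts an update server.
def _trace(subject, calls):
    return Package(subject, [Bundle("dynamic", "sandbox-x", [Action(n, o) for n, o in calls])])

KNOWN = _trace("sample-A", [("SetWindowsHookEx", "WH_KEYBOARD_LL"), ("GetAsyncKeyState", "keyboard"),
                            ("WriteFile", r"C:\Users\victim\keys.log"), ("RegSetValueEx", r"HKCU\...\Run\updater")])
VARIANT = _trace("sample-B", [("SetWindowsHookEx", "WH_KEYBOARD_LL"), ("GetAsyncKeyState", "keyboard"),
                              ("InternetOpenUrl", "http://c2.example/beacon"), ("InternetReadFile", "http://c2.example/beacon")])
UNRELATED = _trace("sample-C", [("InternetOpenUrl", "http://updates.example"), ("InternetReadFile", "http://updates.example")])
```

Running `shared_behaviors(KNOWN, VARIANT)` yields `{"keylogging"}`, so sample B is flagged from sample A's characterization even though the two differ in every other Action, while sample C shares nothing and is not flagged.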


Incident Management

When a cyber incident occurs, a defending organization must coordinate its response among a team of analysts and decision makers. In some cases, the organization may solicit help from Computer Security Incident Response Teams (CSIRTs), law enforcement, Internet Service Providers (ISPs), or product vendors. Regardless of the underlying threat, when numerous people or parties are involved, even within the same organization, effective incident management is extremely important. As we discuss further in the MAEC Language Specification on the Documents page, a uniform malware reporting format, standardized malware repositories, and the ability to verify remediation procedures, all based on the MAEC data model, greatly enhance incident management efforts.


Page Last Updated: April 18, 2014