Use Cases

Introduction

Typical MAEC Usage Scenario
At its highest level, MAEC is a domain-specific language for non-signature based malware characterization. Since languages serve to provide a vocabulary and grammar for the encoding and decoding of information, it follows that the majority of the six use cases for MAEC are motivated by the unambiguous and accurate communication of malware attributes that MAEC enables.

As shown in the illustration, MAEC will typically be utilized to encode the data garnered from malware analysis. In such a scenario, malware would be analyzed using some dynamic analysis/sandbox-based method. This information would then be classified using MAEC’s enumerations and schema, and a MAEC cluster would then be generated for use in analyzing or communicating the results.

While there are a number of ways that MAEC-encoded information can be utilized in some automated form, the majority of MAEC’s use cases are human-oriented. That is, while MAEC will provide a foundational basis and structure for use in characterizing malware, such characterizations will most often be interpreted and utilized by humans rather than by machines. The six use cases below illustrate this in more detail.

Uniform Malware Reporting Format

Current malware reporting, while useful for determining the general type and nature of a malware instance, is inherently ambiguous due to the lack of a common structure and vocabulary. Likewise, it often excludes key malware attributes that may be useful for mitigation and detection purposes, such as the specific vulnerability being exploited. Clearly, the current value of malware reporting to end-users is significantly degraded without an encompassing, common format.

The use of MAEC’s standardized vocabulary and grammar in malware reporting will facilitate the creation of a separate, uniform reporting format. Such a format will reduce confusion as to the nature of malware threats through the accurate and unambiguous communication of malware attributes, while also ensuring uniformity between reports composed by disparate authors and organizations.

Malware Detection

Characterizing malware based on its attributes with MAEC will permit the use of actionable information for malware assessment and detection. In this sense, low-level observables and mid-level behaviors will permit malware detection, while malware threat assessment can be carried out through MAEC’s link to relevant MSM standards.

In terms of detection, a single MAEC characterization, represented by a MAEC cluster, can provide data that can be used to detect multiple malware instances, unlike a physical signature, which matches only the instance it was derived from. As there are only a finite number of ways of accomplishing a single software behavior (for instance, malware insertion), particularly at the assembly level, it is statistically likely that such attributes will intersect between multiple malware instances. Therefore, the MAEC characterization of a single instance can permit the detection of malware families and even otherwise unrelated malware that has certain attributes in common with the instance.

Malware Threat Assessment

For IT administrators and others charged with protecting systems from cyber threats, one of the most useful aspects of malware reporting is data which details the specific threat that the malware represents. In particular, they are interested in details regarding the specific platforms, vulnerabilities, and weaknesses targeted by the malware. Such data, combined with information regarding the actions performed by the malware, would enable prioritization of malware assessment and change management efforts.

Although current malware reporting may include these useful characteristics, such information has no commonality between reports and does not link to other relevant standards, which makes it difficult to judge the true threat that malware represents.

MAEC’s linkage to OVAL, CPE, CVE, and CWE will provide system administrators with the necessary information for determining the specific vulnerabilities and weaknesses targeted by malware. Accordingly, MAEC’s encoding of mid-level behaviors and a high-level taxonomy will allow for the accurate discernment of the threat that a malware instance represents to their organization and infrastructure.

This linkage could also allow for the creation of a malware threat scoring system, similar to that of the Common Vulnerability Scoring System (CVSS) for software vulnerabilities. As described above, MAEC’s link to the relevant MSM standards as well as its characterization of mid and high-level malware features would provide the necessary data for accurately describing the attack vectors and payload of a malware instance. This data could then be used to score the potential impact of the malware based on pre-defined categories, such as payload type (e.g., data theft, bot-like behavior, etc.) and degree of entrenchment/propagation.

Malware Remediation

One of the current realities of cyber security is that detecting malware and preventing infection is not always possible, especially with new and targeted malware threats, which makes remediation of malware infections increasingly important. Unfortunately, most conventional AV tools and utilities are not capable of removing every trace of a detected malware instance. Thus, even if the explicitly malicious portions of an infection are cleaned from a system (which is not always the case), the remaining pieces may lead to false positives in future scans, thereby potentially leading to a misallocation of remediation resources. Likewise, an incomplete remediation could render the system unstable, as well as prone to future infection.

By providing the means for communicating the exact artifacts and low-level attributes associated with a malware instance, MAEC will permit greatly improved remediation of malware infections. Administrators could perform manual remediation based on the data contained in a MAEC cluster, or double-check the remediation performed by another tool by checking for the existence of the aforementioned artifacts.

Malware Analysis

The analysis of malware using static and dynamic/behavioral methods is becoming increasingly important for the purpose of understanding the inner workings of malware. Such information can be utilized for malware detection, mitigation, the development of countermeasures, and further analysis. However, the lack of a common vocabulary for analysis makes it difficult to compare and utilize the results of analyses performed by different people and tools.

The encompassing attribute enumerations provided by MAEC, containing all possible malware attributes capable of being characterized through malware analysis, will enable the convergence of malware analysis results upon a common vocabulary. Utilization of such a vocabulary for malware analysis should eliminate the confusion and ambiguity resulting from the use of multiple disparate vocabularies for analysis results.

Likewise, through its high-level taxonomy, MAEC will provide a way of guiding and helping the analysis process. By including an enumeration of the highest classes of malware behavior, MAEC will give analysts the ability to search for any attributes that correspond to these classes, as well as to easily classify previously discovered attributes.

MAEC clusters could also be utilized as a standard format for use in the creation of visualizations of malware behavior. Such visualizations would permit clear assessment of the low-level actions and mid-level behaviors performed by malware and facilitate natural comparison between two or more malware instances.

Malware Repository

Malware repositories oriented towards analysis often have very specific needs that require the use of a highly customized schema. This means that sharing or exporting data from a repository defined by such a schema would be very difficult without a standardized intermediate format for relating information about malware.

The disparity among the malware schemas currently in use by repositories (essentially, every security organization utilizes its own custom schema) means that no sharing of malware analysis information could take place, even if the desire were there to do so. As such, it is clear that the creation of a standardized intermediate structure for use in malware repositories is essential to the proliferation of malware data sharing among researchers.

MAEC’s schema could be used as a common intermediate format for mapping between the dissimilar schemas utilized in malware repositories. This would facilitate the sharing of analysis information stored in disparate repositories. Likewise, the usage of MAEC in malware repositories would permit improved data mining due to its structuring and labeling of malware attributes.

Objective Criteria for Tool Assessments

MAEC’s typing of malware based on discrete attributes can be utilized as objective criteria for the assessment of anti-malware tools. In this sense, a tool would be assessed on the basis of its support for detecting all of the attributes associated with a particular malware type. A tool that cannot detect certain MAEC-defined attributes associated with a particular malware type can miss any malware that contains such attributes, and therefore cannot objectively be defined as capable of detecting that type of malware.

Linking Malware Tools, Techniques, and Procedures

In cyber attack analysis, it is often useful to characterize the tools, techniques, and procedures used in the attack as being part of a set belonging to a particular attacker. When correlated across multiple attacks, such a connection can be helpful for the purposes of attribution.

Accordingly, with malware being one of the most prevalent tools used by attackers, it would be useful to characterize specific malware instances as belonging to the set of tools used by specific attackers. MAEC would provide this function: its standard vocabulary and grammar will permit the accurate identification of the malware attributes observed in previous attacks, and with the "attacker" defined as a metadata attribute, an accurate link can be constructed on the basis of previously observed and characterized malware.

Page Last Updated: January 19, 2011