schemas.v1.2.0.external.capec_2.7.ap_schema_v2.7.xsd Maven / Gradle / Ivy
Go to download
Show more of this group Show more artifacts with this name
Show all versions of stix Show documentation
Show all versions of stix Show documentation
The Java bindings for STIX v.1.2.0.2
This is the enumerated catalog of common attack
patterns.
A category is a collection of attack patterns
sharing a common attribute. The shared attribute may any
number of things.
The Compound_Element structure represents a
meaningful aggregation of several attack patterns.
Each View element represents a perspective with which one might look
at the attack patterns in CAPEC.
The View_Attributes structure is a collection of common
elements which might be shared by all Views.
The ID attribute provides a unique identifier for the entry.
It will be static for the lifetime of the entry. In the event that this
entry becomes deprecated, the ID will not be reused and a pointer will be
left in this entry to the replacement. This is required for all
Views.
The Name is a descriptive attribute used to give the reader an
idea of what perspective this view represents. All words in the name should
be capitalized except for articles and prepositions unless they begin or end
the name. Subsequent words in a hyphenated chain are also not capitalized.
This is required for all Views.
The Status attribute defines the status level for this view.
This field provides a description of this Category. Its
primary subelement is Description_Summary which is intended to serve as
a minimalistic description which provides the information necessary to
understand the primary focus of this entry. Additionally, it has the
subelement Extended_Description which is optional and is used to provide
further information pertaining to this attack pattern.
This description should be short and should
limit itself to describing the key points that define this
entry. Further explanation can be included in the extended
description element. This is required for all entries.
This element provides a place for details
important to the description of this entry to be included
that are not necessary to convey the fundamental concept
behind the entry. This is not required for all entries and
should only be included where appropriate.
Which specific weaknesses does this attack target and
leverage? Specific weaknesses (underlying issues that may cause
vulnerabilities) reference the industry-standard Common Weakness
Enumeration (CWE). This list should include not only those weaknesses
that are directly targeted by the attack but also those whose presence
can directly increase the likelihood of the attack succeeding or the
impact if it does succeed.
This field describes an individual related
weakness.
The CWE_ID is a field that exists
for all weaknesses enumerated in the Common
Weakness Enumeration (CWE). It is a unique value
that allows each weakness to be unambiguously
identified. The CWE_ID field for the attack
pattern contains the value of the CWE_ID for the
specific related weakness.
This field describes the nature of
the relationship between this weakness and the
attack pattern. Weaknesses that are specifically
targeted by the attack are of type “Targeted”.
Weaknesses which are not specifically targeted but
whose presence may increase the likelihood of the
attack succeeding or the impact of the attack if
it does succeed are of type
“Secondary”.
This field describes the conditions that must exist or the
functionality and characteristics that the target software must have or
behavior it must exhibit for an attack of this type to
succeed.
This field describes an individual attack
prerequisite.
This field describes the mechanism of attack used by this
pattern. This field can help define the applicable attack surface
required for this attack.
This field describes the mechanism of attack
used by this pattern. In order to assist in normalization
and classification, this field involves a selection from an
enumerated list of defined vectors which is currently
incomplete and will grow as new relevant vectors are
identified. This field can help define the applicable attack
surface required for this attack.
This field describes the level of skills or specific
knowledge required by an attacker to execute this type of attack.
This field describes the level of skill or
specific knowledge required by an attacker to execute this
type of attack.
This should be communicated on a
rough scale (Low, Medium, High). For example: •
Low - Basic computer familiarity • Low - Basic SQL
knowledge • Medium - Moderate scripting and shell
experience and ability to disassemble and
decompile • High - Expert knowledge of LINUX
kernel • High - Detailed knowledge of target
software development practices and business
context (former employee) • Etc.
This field provides contextual
detail for the skill or knowledge
level.
This field describes the resources (CPU cycles, IP
addresses, tools, etc.) required by an attacker to effectively execute
this type of attack.
What is the attacker trying to achieve by using this
attack? This is not the end business/mission goal of the attack within
the target context but rather the specific technical result desired that
could be leveraged to achieve the end business/mission objective. This
information is useful for aligning attack patterns to threat models and
for determining which attack patterns are relevant for a given
context.
What is the attacker trying to achieve by
using this attack? This is not the end business/mission goal
of the attack within the target context but rather the
specific technical result desired that could be leveraged to
achieve the end business/mission objective. In order to
assist in normalization and classification, this field
involves a selection from an enumerated list of defined
motivations/consequences which is currently incomplete and
will grow as new relevant possibilities are identified. This
information is useful for aligning attack patterns to threat
models and for determining which attack patterns are
relevant for a given context.
The Relationships structure contains one or more
Relationship elements, each of which identifies an association between
this structure, whether it is an Attack Pattern, Category, or
Compound_Element and another structure.
This structure houses one or more Relationship_Note
elements, which each contain details regarding the relationships between
CAPEC entries.
This element contains one or more Maintenance_Note
elements which each contain significant maintenance tasks within this
entry that still need to be addressed, such as clarifying the concepts
involved or improving relationships. It should be filled out in any
entry that is still undergoing significant review by the CAPEC
team.
This structure contains one or more Background_Detail
elements, each of which holds information regarding the entry or any
technologies that are related to it, where the background information is
not related to the nature of the entry itself. It should be filled out
where appropriate.
This element contains background information
regarding the entry or any technologies that are related to
it, where the background information is not related to the
nature of the category itself. It should be filled out where
appropriate.
This element contains one or more Note elements, each of
which provide any additional notes or comments that cannot be captured
using other elements. New elements might be defined in the future to
contain this information. It should be filled out where needed.
This element contains one or more Alternate_Term elements,
each of which contains other names used to describe this attack
pattern.
This structure contains one or more Research gap elements,
each of which identifies potential opportunities for the vulnerability
research community to conduct further exploration of issues related to
this attack pattern. It is intended to highlight parts of CAPEC that
have not received sufficient attention from researchers. This should be
filled out where appropriate for attack patterns and
categories.
The References element contains one or more Reference
elements, each of which provide further reading and insight into this
attack pattern.
This element is used to keep track of the author of the
attack pattern entry and anyone who has made modifications to the
content. This provides a means of contacting the authors and modifiers
for clarifying ambiguities, merging overlapping contributions, etc. This
should be filled out for all entries.
This attribute provides a unique identifier for the entry. It
will be static for the lifetime of the entry. In the event that this entry
becomes deprecated, the ID will not be reused and a pointer will be left in
this entry to the replacement. This is required for all
Categories.
The Name is a descriptive name used to give the reader an idea
of what the commonality is amongst the children of this category. All words
in the name should be capitalized except for articles and prepositions
unless they begin or end the name. Subsequent words in a hyphenated chain
are also not capitalized. This is required for all
Categories.
The Status attribute defines the status level for this
category.
This element is an individual attack pattern.
This field provides a description of this Structure,
whether it is an Attack Pattern, Category or Compound Element. Its
primary subelement is Description_Summary which is intended to serve as
a minimalistic description which provides the information necessary to
understand the primary focus of this entry. Additionally, it has the
subelement Extended_Description which is optional and is used to provide
further information pertaining to this attack pattern.
This description should be short and should
limit itself to describing the key points that define this
entry. Further explanation can be included in the extended
description element. This is required for all entries.
This element provides a place for details
important to the description of this entry to be included
that are not necessary to convey the fundamental concept
behind the entry. This is not required for all entries and
should only be included where appropriate.
The Relationships structure contains one or more
Relationship elements, each of which identifies an association between
this structure, whether it is an Attack Pattern, Category, or
Compound_Element and another structure.
This structure houses one or more Relationship_Note
elements, which each contain details regarding the relationships between
CAPEC entries.
This element contains one or more Maintenance_Note
elements which each contain significant maintenance tasks within this
entry that still need to be addressed, such as clarifying the concepts
involved or improving relationships. It should be filled out in any
entry that is still undergoing significant review by the CAPEC
team.
This structure contains one or more Background_Detail
elements, each of which holds information regarding the entry or any
technologies that are related to it, where the background information is
not related to the nature of the entry itself. It should be filled out
where appropriate.
This element contains background information
regarding the entry or any technologies that are related to
it, where the background information is not related to the
nature of the attack pattern itself. It should be filled out
where appropriate.
This element contains one or more Note elements, each of
which provide any additional notes or comments that cannot be captured
using other elements. New elements might be defined in the future to
contain this information. It should be filled out where needed.
This element contains one or more Alternate_Term elements,
each of which contains other names used to describe this attack
pattern.
This structure contains one or more Research gap elements,
each of which identifies potential opportunities for the vulnerability
research community to conduct further exploration of issues related to
this attack pattern. It is intended to highlight parts of CAPEC that
have not received sufficient attention from researchers. This should be
filled out where appropriate for attack patterns and
categories.
The References element contains one or more Reference
elements, each of which provide further reading and insight into this
attack pattern.
This element is used to keep track of the author of the
attack pattern entry and anyone who has made modifications to the
content. This provides a means of contacting the authors and modifiers
for clarifying ambiguities, merging overlapping contributions, etc. This
should be filled out for all entries.
This attribute provides a unique identifier for the entry. It
will be static for the lifetime of the entry. In the event that this entry
becomes deprecated, the ID will not be reused and a pointer will be left in
this entry to the replacement. This is required for all
Compound_Elements.
The Name is a descriptive name used to give the reader an idea
of the meaning behind the compound attack pattern structure. All words in
the name should be capitalized except for articles and prepositions unless
they begin or end the name. Subsequent words in a hyphenated chain are also
not capitalized. This is required for all Compound_Elements.
The Abstraction defines the abstraction level for this attack
pattern. The abstraction levels for Compound_Elements and Attack Patterns
are the same. For example, if the Compound_Element is a chain, and all
elements of the chain are Meta level, then the Compound_Element Abstraction
attribute is Meta. This is required for all
Compound_Elements.
The Structure attribute defines the structural nature of this
compound element - that is, composed of other attack patterns concurrently,
as in a composite, or consecutively, as in a chain.
The Status attribute defines the status level for this
compound element.
Description and globally unique ID for a kind of environment or
context that is required. Used in Attack Steps, Indicators of Susceptibility,
and Security Controls, etc.
Segment the attack steps into the various
phases of attack. One of three phases "Explore,"
"Experiment," or "Exploit." Each phase should appear at most
once, and attack steps should be grouped by what kind of
activities the attacker is carrying out. The exploration and
experimentation phases may or may not occur during a
particular attack, because the attacker may already know
exactly how to exploit a system.
One of three phases "Explore,"
"Experiment," or "Exploit." Each phase should appear
at most once, and attack steps should be grouped by
what kind of activities the attacker is carrying
out.
Brief description of an
individual action step in carrying out the
attack
"Explore," "Experiment," or "Exploit."
A particular technique that may accomplish this attack step.
This field contains a brief description of the attack step
technique.
References the defined environments where this attack step
technique is applicable.
The View_Attributes structure is a collection of common elements which
might be shared by all Views.
The View_Structure element describes how this view is being
constructed. Valid values are: Implicit Slice = a slice based on a filter
criteria; Explicit Slice = a slice based on arbitrary membership, as defined
by specific relationships between entries; Graph = a bounded graphical slice
based on ChildOf relationships.
The View_Objective element describes the perspective from
which this View is constructed.
The View_Audience element provides a reference to the targeted
audiences or groups for this view.
The Audience element provides a reference to the
target audience or group for this view.
The Stakeholder element specifies what
types of members of the CAPEC community might be
interested in this view.
The Stakeholder_Description el
provides some text describing what properties of
this View this particular Stakeholder might find
useful.
The Relationships structure contains one or more Relationship
elements, each of which identifies an association between this structure,
whether it is a Attack Pattern, Category, or Compound_Element and another
structure.
This structure houses one or more Relationship_Note elements,
which each contain details regarding the relationships between CAPEC
entries.
This element contains one or more Maintenance_Note elements
which each contain significant maintenance tasks within this entry that
still need to be addressed, such as clarifying the concepts involved or
improving relationships. It should be filled out in any entry that is still
undergoing significant review by the CAPEC team.
This element contains one or more Note elements, each of which
provide any additional notes or comments that cannot be captured using other
elements. New elements might be defined in the future to contain this
information. It should be filled out where needed.
This element contains one or more Alternate_Term elements,
each of which contains other names used to describe this attack pattern.
This structure contains one or more Research gap elements,
each of which identifies potential opportunities for the vulnerability
research community to conduct further exploration of issues related to this
attack pattern. It is intended to highlight parts of CAPEC that have not
received sufficient attention from researchers. This should be filled out
where appropriate for attack patterns and categories.
The References element contains one or more Reference
elements, each of which provide further reading and insight into this view.
This should be filled out when the view is based on sources or projects that
are external to the CAPEC project.
The View_Filter element holds an XSL query for identifying
which elements are members of an implicit slice. This should only be present
for implicit slices.
This element is used to keep track of the author of the attack
pattern entry and anyone who has made modifications to the content. This
provides a means of contacting the authors and modifiers for clarifying
ambiguities, merging overlapping contributions, etc. This should be filled
out for all entries.
The Relationships structure contains one or more Relationship
elements, each of which identifies an association between this structure, whether it
is a Attack Pattern, Category, or Compound_Element and another
structure.
Each Relationship identifies an association between this
structure, whether it is an Attack Pattern, Category, or
Compound_Element and another structure. The relationship also identifies
the views under which the relationship is applicable.
This element contains a list of the individual Views to which
this relationship pertains.
Specifies the unique ID of the individual view
element to which this relationship pertains. This ID must
correspond to a View.
The ordinal attribute is used to
determine if this relationship is the primary
ChildOf relationship for this entry for a given
Relationship_View_ID element.. This attribute can
only have the value "Primary" and should only be
included for the primary parent/child
relationship.
This element contains a list of the individual Chains this
relationship pertains to.
This element specifies the unique ID of an
individual chain element this relationship pertains
to.
The Relationship_Target_Form element defines the form of the
target of this relationship, such as Category, Attack Pattern, View or
Compound_Element.
The Relationship_Nature element defines the nature of the
relationship between this element and the target element, such as ChildOf,
HasMember or Requires to name a few.
This Relationship_Nature denotes the specified
entry as a top level member of this View. This value for
Relationship_Nature can only be used in Views. The complementary
relationship is MemberOf.
This Relationship_Nature denotes membership of
this entry in the top level of the View specified in
Relationship_Target_ID. The complementary relationship is
HasMember.
This Relationship_Nature denotes a specified entry
as a parent of this entry. In general, this means that the
parent will be a higher level representation of this entry from
the perspective of the View provided in Relationship_View_ID.
The complementary relationship is ParentOf.
This Relationship_Nature denotes a specified entry
as a child of this entry. In general, this means that the child
will be a lower level representation of this entry from the
perspective of the View provided in Relationship_View_ID. The
complementary relationship is ChildOf.
This Relationship_Nature denotes a specified entry
as having some similarity with this entry which does not fit any
of the other Relationship_Nature values. In this case, a
Relationship_Note should also be provided explaining the
connection. The complementary relationship is itself
(PeerOf).
This Relationship_Nature denotes a
Compound_Element of Compound_Element_Structure="Composite". All
entries that a Composite Requires must exist simultaneously in
order for the Compound_Element to exist. The complementary
relationship is RequiredBy.
This Relationship_Nature denotes an entry that is
required in order for the Compound_Element specified in
Relationship_Target_ID to exist. The complementary relationship
is Requires.
This Relationship_Nature denotes the starting
point in this chain as the entry specified by
Relationship_Target_ID. This Relationship_Nature can only be
used for Compound_Elements with
Compound_Element_Structure="Chain". For named chains, the
complementary relationship is StartsChain.
This Relationship_Nature denotes this entry as the
starting point in the chain specified in Relationship_Target_ID.
For named chains, the complementary relationship is
StartsWith.
This Relationship_Nature denotes a chain where
this entry can precede the entry specified by
Relationship_Target_ID in a sequential fashion. It is important
to note that not all CanPrecede relationships are captured in a
Compound_Element chain, only the most common for now. The
complementary relationship is CanFollow.
This Relationship_Nature denotes a chain where
this entry can follow the entry specified by
Relationship_Target_ID in a sequential fashion. It is important
to note that not all CanFollow relationships are captured in a
Compound_Element chain, only the most common for now. The
complementary relationship is CanPrecede.
This Relationship_Nature denotes an entry that, in
the proper environment and context, can also be perceived as the
entry specified by Relationship_Target_ID. This relationship is
not necessarily reciprocal.
The Relationship_Target_ID specifies the unique ID of the
target element of the relationship.
This structure houses one or more Relationship_Note elements, which
each contain details regarding the relationships between CAPEC entries.
This element contains a note regarding the relationships
between CAPEC entries.
This element contains one or more Maintenance_Note elements which each
contain significant maintenance tasks within this entry that still need to be
addressed, such as clarifying the concepts involved or improving relationships. It
should be filled out in any entry that is still undergoing significant review by the
CAPEC team.
This element describes a significant maintenance task
within this entry that still need to be addressed, such as clarifying
the concepts involved or improving relationships. It should be filled
out in any entry that is still undergoing significant review by the
CAPEC team.
This element contains one or more Note elements, each of which provide
any additional notes or comments that cannot be captured using other elements. New
elements might be defined in the future to contain this information. It should be
filled out where needed.
This element contains any additional notes or comments
that cannot be captured using other elements. New elements might be
defined in the future to contain this information. It should be filled
out where needed.
This element contains one or more Alternate_Term elements, each of
which contains other names used to describe this attack pattern.
This element contains alternate terms by which this attack
pattern may be known and a description to explain the context in which
the term may be relevant. This is not required for all entries and
should only be included where appropriate.
This element contains the actual term for the
Alternate_Term element. Each term should follow the same
conventions as the entry Name attribute.
This element provides context to each
Alternate_Term by which this attack pattern may be
known.
This structure contains one or more Research gap elements, each of
which identifies potential opportunities for the attack research community to
conduct further exploration of issues related to this attack pattern. It is intended
to highlight parts of CAPEC that have not received sufficient attention from
researchers. This should be filled out where appropriate for attack patterns and
categories.
This element identifies potential opportunities for the
vulnerability research community to conduct further exploration of
issues related to this attack pattern. It is intended to highlight parts
of CAPEC that have not received sufficient attention from researchers.
This should be filled out where appropriate for attack patterns and
categories.
This element is used to keep track of the author of the attack pattern
entry and anyone who has made modifications to the content. This provides a means of
contacting the authors and modifiers for clarifying ambiguities, merging overlapping
contributions, etc. This should be filled out for all entries.
This structure contains one or more Submission
elements.
This element houses the subelements which
identify the submitter and the submitter's comments related
to this entry. This element has a single attribute,
Submission_Source, which provides a general idea of how the
initial information for this entry was obtained, whether
internal to the CAPEC team, external, donated,
etc.
This element should contain the
name of the author for this entry.
This element should identify the
author's organization.
This element should provide the
date on which this content was authored in
YYYY-MM-DD format.
This element provides the author
with a place to store any comments regarding the
content of this attack pattern entry, such as
assumptions made, reasons for omitting elements,
contact information, pending questions,
etc.
This attribute identifies how the
initial information for this entry was obtained.
This structure contains one or more Contribution
elements.
This element houses the subelements which
identify the contributor and contributor's comments related
to this entry. This element has a single attribute,
Contribution_Mode, which indicates whether the contribution
was part of feedback given to the CAPEC team or actual
content that was donated.
This element should contain the
name of the author for this entry.
This element should identify the
author's organization.
This element should provide the
date on which this content was authored in
YYYY-MM-DD format.
This element provides the author
with a place to store any comments regarding the
content of this attack patterns entry, such as
assumptions made, reasons for omitting elements,
contact information, pending questions,
etc.
This attribute indicates whether the
contribution was part of feedback given to the CAPEC
team or actual content that was
donated.
This structure contains one or more Modification
elements.
This element houses the subelements which
identify the modifier and modifier's comments related to
this entry. A new Modification element should exist for each
modification of the entry content. This element has a single
attribute, Modification_Source, which indicates whether this
modification was made by a CAPEC team member or an external
party.
This element should contain the
name of the person modifying this entry.
This element should contain the
modifier's organization.
This element should contain the
date of the modifications.
This element provides the modifier
with a place to store any comments regarding the
content of this attack pattern entry, such as
assumptions made, reasons for omitting elements,
contact information, pending questions,
etc.
This attribute identifies how
significant the modification is to the attack
pattern with regard to the meaning and
interpretation of the pattern. If a modification has
a value of Critical, then the meaning of the entry
or how it might be interpreted has changed and
requires attention from anyone previously dependent
on the attack pattern.
This attribute indicates whether this
modification was created by a CAPEC team member or
provided by an external party.
This structure contains one or more Previous_Entry_Name
elements, each of which describes a previous name that was used for this
entry. This should be filled out whenever a substantive name change
occurs.
This element identifies a name that was
previously used for this entry.
This lists the date on which
this name was changed to something else.
Typically, this date will be closely aligned with
new releases of CAPEC.
Block is a Structured_Text element consisting of one of
Text_Title, Text, Code_Example_Language, or Code followed by another
Block element. Structured_Text elements help define whitespace and text
segments.
Presentation Element: This element is used to
definebold-faced title for a subsequent block of text.
Presentation Element: This element is used to define a
paragraph of text.
Presentation Element: This element is used to identify the
programming language being used in the following block of
Code
Presentation Element: This element is used to define a
line of code.
Presentation Element: This element is used to define a
comment in code.
Presentation Element: This element is used to define an
image.
Presentation Element: This element is used to
define an image.
This element provides the location
of the image file.
This element provides a title for
the image.
Block is a Structured_Text element consisting of one of Text_Title,
Text, Code_Example_Language, or Code followed by another Block element.
Structured_Text elements help define whitespace and text segments.
Block is a Structured_Text element consisting of one of
Text_Title,Text, Code_Example_Language, or Code followed by another
Block element. Structured_Text elements help define whitespace and text
segments.
This attribute identifies the nature of the content
containedwithin the Block.
The References_List_Type contains one or more Reference elements, each
of which provide further reading and insight into the item. This should be filled
out as appropriate.
Each Reference subelement should provide a single source from
which more information and deeper insight can be obtained, such as a
research paper or an excerpt from a publication. Multiple Reference
subelements can exist. The sole attribute of this element is the id. The id
is optional and translates to a preceding footnote below the context notes
if the author of the entry wants to cite a reference. Not all subelements
need to be completed, since some are designed for web references and others
are designed for book references. The fields Reference_Author and
Reference_Title should be filled out for all references if possible.
Reference_Section and Reference_Date can be included for either book
references or online references. Reference_Edition, Reference_Publication,
Reference_Publisher, and Reference_PubDate are intended for book references,
however they can be included where appropriate for other types of
references. Reference_Link is intended for web references, however it can be
included for book references as well if applicable.
This element identifies an individual author of the material
being referenced. It is not required, but may be repeated sequentially in
order to identify multiple authors for a single piece of
material.
This element identifies the title of the material
beingreferenced. It is not required if the material does not have a
title.
This element is intended to provide a means of identifying the
exact location of the material inside of the publication source, such as the
relevant pages of a research paper, the appropriate chapters from a book,
etc. This is useful for both book references and internet
references.
This element identifies the edition of the material being
referenced in the event that multiple editions of the material exist. This
will usually only be useful for book references.
This element identifies the publication source of the
reference material, if one exists.
This element identifies the publisher of the reference
material, if one exists.
This element identifies the date when the reference was
included in the entry. This provides the reader with a time line for when
the material in the reference, usually the link, was valid. The date should
be of the format YYYY-MM-DD.
This field describes the date when the reference was published
YYYY.
This element should hold the URL for the material being
referenced, if one exists. This should always be used for web references,
and may optionally be used for book and other publication
references.
The Reference_ID is an optional value for the related Reference
entry identifier as a string. Only one Reference_ID element can exist for each
Reference element (ex: REF-1). However, References across CAPEC with the same ID
should only vary in small details. Text citing this reference should use the
local reference ID, as this ID is only for reference library related consistency
checking and maintenance.
The Local_Reference_ID is an optional value for the related Local
Reference entry identifier as a string. Only one Local_Reference_ID element can
exist for each Reference element (ex: R.78.1). Text citing this reference should
use the format [R.78.1].
This field contains a short descriptive title for the attack
step. It should be kept as short as possible but also clearly convey the
nature of the attack step being described.
This field contains a brief description of the attack
step.
This field captures various techniques that the
attacker can use to achieve the attack step’s goal. For example,
an attacker may use tools such as WebScarab and Tamper Data in
the experimentation phase of a SQL Injection attack pattern. The
techniques include references to environments, because not all
techniques work in all environments
These are indicators that the application may or
may not be susceptible to the given attack step (not necessarily
the pattern as a whole).
This field contains a brief
description of the indicator.
References the defined environments
where this indicator of susceptibility is
applicable.
This field contains a unique integer
identifier for the indicator.
Each indicator has a mandatory type
attribute that can be one of the values “Positive,”
“Negative,” or “Inconclusive.” For example, a positive
indicator of susceptibility to parameter tampering is
the existence of parameters in the URL. Although it does
not guarantee susceptibility, it indicates a cause for
further examination. A negative indicator for the
technique of privilege escalation is a lack of
credentials and user identifiers in an application.
Again, this is not a conclusive measure of resistance to
attack, but an indicator that the attack step technique
is unlikely to bear significant fruit. An inconclusive
indicator of susceptibility to dynamic code injection is
a page whose URL ends in .jsp, .asp, or .do but which
has no visible explicit parameters. Such URLs typically
indicate dynamic processing, but since no visible
parameters are passed, it is inconclusive whether
dynamic code could be injected into the
application.
This field captures possible outcomes for this
attack step.
This field contains a unique integer
identifier for the outcome.
An outcome has a mandatory type attribute
that can be one of the values “success,” “failure,” or
“inconclusive.” It indicates what results of executing
the attack step techniques should be considered
successes, which should be considered failures, and
which ones are inconclusive. Outcomes’ successes are
determined relative to the attacker’s point of view. It
is a success if the attack step got the attacker closer
to his goal of attacking the application. It is a
failure if the attacker got no closer to his
goal.
This field captures security controls for this
attack step that describe ways in which the attack step can be
detected, corrected, or prevented. These are presented from a
defender’s point of view, where the defender may be a developer,
tester, operations administrator, or other resource resisting
the attacker.
This field contains a unique integer
identifier for the security control.
Each security control has a mandatory type
attribute that can be one of the values “Detective,”
“Corrective,” or “Preventative.” Detective controls
detect an attacker’s activities in the attack step,
whether the activities are successful or not. Corrective
controls attempt to mitigate an attacker’s success by
responding to a successful outcome. They are not related
to or normalized against outcomes. Preventative controls
are those that make the attack step unlikely or
impossible to succeed.
This subelement identifies an individual consequence that may
result from this attack pattern.
This subelement describes the technical impacts that can
result from successful execution of this attack pattern.
This subelement provides additional commentary about this
consequence.
The Common_Consequence_ID stores the value for the related
Common_Consequence entry identifier as a string. Only one Common_Consequence_ID
element can exist for each Common_Consequence element (ex: CC-1). However,
Common_Consequences across CAPEC with the same ID should only vary in small
details.
This element represents a detailed description of an attack
pattern. Content may include a summary and a list of steps taken by the
attacker. USAGE: This element can be used to capture a range of descriptive
information. Comprehensive descriptions might include attack trees, exploit
graphs, etc., to more clearly elaborate this type of attack.
This element provides a summary description of the
attack that includes the attack target and sequence of steps.
This element lists the steps typically performed
by an attacker when executing the attack.
This element contains one or more alternative terms used to
identify the attack pattern.
This element characterizes the locations where an attacker
interacts with the target system.
An attack prerequisite is a condition that must exist in order
for an attack of this type to succeed.
This field describes an individual attack
prerequisite.
This element reflect the typical severity of an attack on a
scale of {Very Low, Low, Medium, High, Very High}. USAGE: This element is
used to capture an overall typical average value for this type of attack
with the understanding that it will not be completely accurate for all
attacks.
This element represents the typical likelihood that the attack
will succeed, and provides a likelihood estimate and an explanation that
qualifies the estimate. USAGE: This element is used to capture an overall
typical average value for this type of attack with the understanding that it
will not be completely accurate for all attacks.
This element reflect the likelihood of attack
success on a scale of {Very Low, Low, Medium, High, Very High},
in consideration of the attack prerequisites, targeted weakness,
attack surface, skills and resources required, as well as
effectiveness of likely implemented blocking solutions.
This element provides qualifications or
assumptions regarding the estimated likelihood.
This element represents a container of one or more methods of
attack. Method of attack is enumerated list of defined vectors that identify
the underlying mechanism(s) used in the attack.
Method of attack is enumerated list of defined
vectors that identify the underlying mechanism(s) used in the
attack. USAGE: This element is represented as an enumerated list
to facilitate normalization and classification of attack
patterns, and to help define the applicable attack surface
required for this attack.
This element represents a container of one or more example
instances. An example instance details an explanatory example or
demonstrative exploit instance of this attack, USAGE: This element is used
to to help the reader understand the nature, context and variability of the
attack in more practical and concrete terms.
This element represents an exploit description and
may also provide an external reference and/or a range of related
vulnerabilities.
This element describes in detail a
specific example or exploit instance of this attack
pattern. USAGE: This element is used to define the
context of an attack, targeted weaknesses or
vulnerabilities, the sequence of attack steps, and
the resulting impact of attack success or failure.
This element represents a container of
one or more instance related vulnerabilities. An
instance related vulnerability identifies
vulnerabilities targeted by this exploit instance of
the attack.
This element identifies specific
vulnerabilities targeted by this exploit instance
of the attack. USAGE: This element is used to
reference industry-standard identifiers such as
Common Vulnerabilities and Exposures (CVE) numbers
and/or US-CERT numbers.
This element represents a container of one or more attacker
skill or knowledge required. Attacker skill or knowledge required describes
the level of skills or specific knowledge needed by an attacker to execute
this type of attack.
Attacker skill or knowledge required describes the
level of skills or specific knowledge needed by an attacker to
execute this type of attack.
This element reflects the level of
knowledge or skill required to execute this type of
attack on a scale of { Low, Medium, High }. USAGE:
This element is used to represent the level with
respect to a specified type of skill or knowledge,
e.g., low - basic SQL knowledge, high - expert
knowledge of LINUX kernel, etc.
This element details the skill or
knowledge required.
This element describes the resources (CPU cycles, IP
addresses, tools, etc.) required by an attacker to effectively execute this
type of attack.
This element represents a container of one or more probing
techniques. A probing technique describes a method used to probe and
reconnoiter a potential target to determine vulnerability and/or to prepare
for this type of attack.
A probing technique describes a method used to
probe and reconnoiter a potential target to determine
vulnerability and/or to prepare for this type of attack.
This element provides an explanatory
description of the probing technique.
This element specifies detailed cyber
observable patterns for potential detection of the
probing technique activity.
This element represents a container of one or more indicator
warning of attack. Indicator warning of attack describes activities, events,
conditions or behaviors that may indicate that an attack of this type is
imminent, in progress or has occurred.
Indicator warning of attack describes activities,
events, conditions or behaviors that may indicate that an attack
of this type is imminent, in progress or has occurred.
This element provides an explanatory
description of the indicator warning of attack.
This element specifies detailed cyber
observable patterns for potential detection of the
indicator warning of attack.
This element represents a container of one or more obfuscation
techniques. An obfuscation technique can be used to disguise the fact that
an attack of this type is imminent, in progress or has occurred.
An obfuscation technique can be used to disguise
the fact that an attack of this type is imminent, in progress or
has occurred.
This element provides an explanatory
description of the obfuscation technique.
This element specifies detailed cyber
observable patterns for potential detection of the
obfuscation technique.
This element represents a container of one or more solutions
or mitigations. A solution or mitigation describes actions or approaches to
prevent or mitigate the risk of this attack by improving the resilience of
the target system, reduce its attack surface or to reduce the impact of the
attack if it is successful.
A solution or mitigation describes actions or
approaches to prevent or mitigate the risk of this attack by
improving the resilience of the target system, reduce its attack
surface or to reduce the impact of the attack if it is
successful.
This element represents a container of one ore more attack
motivation consequences. Attack motivation consequence represents the
desired technical results that could be achieved/leveraged by this attack
pattern, represented as an enumerated list of defined adversary
motivations/consequences. USAGE: This element is used to identify specific
technical results that could be leveraged to achieve the adversary's
business or mission objective. This information is useful for aligning
attack patterns to threat models and for determining which attack patterns
are relevant for a given context.
Attack motivation consequence represents the
desired technical results that could be achieved/leveraged by
this attack pattern, represented as an enumerated list of
defined adversary motivations/consequences.
This element details the mechanism and format of an
input-driven attack of this type. Injection vectors take into account the
grammar of an attack, the syntax accepted by the system, the position of
various fields, and the ranges of data that are acceptable.
This element describes the code, configuration or other data
to be executed or otherwise activated as part of an injection-based attack
of this type.
This element describes the area within the target software
that is capable of executing or otherwise activating the payload of an
injection-based attack of this type. The activation zone is where the intent
of the attacker is put into action. The activation zone may be a command
interpreter, some active machine code in a buffer, a client browser, a
system API call, etc.
This element describes the impact that the activation of the
attack payload for an injection-based attack of this type would typically
have on the confidentiality, integrity or availability of the target
software.
This element provides an explanatory description
of the payload activation impact.
This element specifies detailed cyber observable
patterns for potential detection of the payload activation
impact.
This element represents a container of one or more related
weaknesses. Related weaknesses refer to software weaknesses potentially
targeted for exploit by this attack pattern. USAGE: This element is used to
reference industry standard Common Weakness Enumeration (CWE) data,
including weaknesses that are exploited by the attack as well as weaknesses
whose presence increases the likelihood or impact of the attack.
Related weaknesses refer to software weaknesses
potentially targeted for exploit by this attack pattern.
The element contains the Common
Weakness Enumeration (CWE) ID of the exploited
software weakness.
This element describes the nature of
the relationship between the attack pattern and the
software weakness, represented as the enumerated
list {Targeted, Secondary}. USAGE: This element is
used to indicate whether the weakness is targeted or
secondary. If the attack is designed to exploit the
weakness, then that weakness is Targeted. A
weaknesses whose presence may increase the
likelihood of the attack succeeding or the impact of
the attack if it does succeed is Secondary.
This element represents a container of one or more related
vulnerabilities. A related vulnerability refers to a specific instance
vulnerability targeted for exploit by this attack pattern. USAGE: This
element is used to identify specific vulnerabilities by their
industry-standard Common Vulnerabilities and Exposures (CVE) numbers and/or
US-CERT numbers. As vulnerabilities are much more specific and localized
than weaknesses, it is uncommon that an attack pattern would target a
specific vulnerability. This would most likely occur if the attack pattern
were targeting vulnerabilities in the underlying platform, framework, or
software library.
This element represents a specific instance
vulnerability targeted for exploit by this attack pattern.
The element contains the Common
Vulnerabilities and Explosures (CVE) or US-CERT
number identifying the vulnerability.
This element contains a short textual
description of the specific related vulnerability
taken from the industry standard vulnerability
listing.
This element represents a container of one or more related
attack patterns. A related attack pattern refers to an attack pattern that
is dependent on or applied in conjunction with this attack pattern.
A related attack pattern refers to an attack
pattern that is dependent on or applied in conjunction with this
attack pattern.
This element represents a container of one or more relevant
security requirements. A relevant security requirement is a general security
requirement that is relevant to this type of attack.
A relevant security requirement is a general
security requirement that is relevant to this type of attack.
This element represents a container of one or more relevant
design patterns. Relevant design patterns include both recommended design
patterns, which increase the software's resistance or resilience to this
type of attack, and non-recommended design patterns, which could leave the
system especially susceptible to this type of attack.
This element represents a container of one or more
recommended design patterns. A recommended design pattern
increases the software's resistance or resilience to this type
of attack.
A design pattern that is likely to
increase the software’s resistance or resiliency to
this type of attack.
This element represents a container of one or more
non-recommended design patterns. A non-recommended design can
decrease a sofware's resistence or resilience to this type of
attack, leaving the system more susceptible.
A non-recommended design can decrease
a sofware's resistence or resilience to this type of
attack, leaving the system more susceptible.
This element represents a container of one or more relevant
security patterns. A relevant security pattern provides resistance or
resilience to this type of attack.
A relevant security pattern provides resistance or
resilience to this type of attack.
This element represents a container of one or more related
security principles. A principle is defined as a rule or standard for good
behavior. A related security principle is a security rule or practice that
impedes this attack pattern. USAGE: Usage defined in NIST SP 800-27A,
"Engineering Principles for Information Technology Security", Revision A.
A related security principle is a security rule or
practice that impedes this attack pattern.
This element represents a container of one or more related
guidelines. A related guideline represents a security guideline that is
relevant to identifying or mitigating this type of attack. USAGE: It would
be helpful to provide a usage reference. However links to security principle
and guideline documentation on the BSI site appear to be broken. NIST SP
800-27 uses the terms principle and guideline interchangeably.
A related guideline represents a security
guideline that is relevant to identifying or mitigating this
type of attack.
This element represents a container of one or more purposes.
Purpose refers to the intended purpose behind the attack pattern relative to
an enumerated list of attack objectives. USAGE: This element is used to
capture pattern composibility and assist with normalization and
classification of attack patterns within the CAPEC catalog.
Purpose refers to the intended purpose behind the
attack pattern relative to an enumerated list of attack
objectives. USAGE: This element is represented as an enumerated
list to facilitate normalization and classification of attack
patterns
This element characterizes the typical relative impact of this
pattern on the confidentiality, integrity, and availability of the targeted
software.
This element describes the typical impact of this
pattern on the confidentiality characteristics of the targeted
software and related data.
This element describes the typical impact of this
pattern on the integrity characteristics of the targeted
software and related data.
This element describes the typical impact of this
pattern on the availability characteristics of the targeted
software and related data.
This element characterizes the technical context where this
pattern is applicable.
This element represents a container of one or more
architectural paradigms in which this attack pattern is possible
and relevant. Architectural paradigm characterizes the target
using an enumerated list of paradigms utilized by the target.
Architectural paradigm characterizes
the target using an enumerated list of supported
paradigms in which this attack pattern is possible
and relevant. USAGE: This element is represented as
an enumerated list to facilitate normalization and
classification of attack patterns
This element represents a container of one or more
frameworks in which this attack pattern is possible and
relevant. Frameworks characterizes the target using an
enumerated list of frameworks utilized by the target.
Framework characterizes the target
using an enumerated list of supported frameworks in
which this attack pattern is possible and relevant.
USAGE: This element is represented as an enumerated
list to facilitate normalization and classification
of attack patterns
This element represents a container of one or more
platforms in which this attack pattern is possible and relevant.
Platforms characterizes the target using an enumerated list of
platforms utilized by the target.
Platform characterizes the target
using an enumerated list of supported platforms in
which this attack pattern is possible and relevant.
USAGE: This element is represented as an enumerated
list to facilitate normalization and classification
of attack patterns
This element represents a container of one or more
languages in which this attack pattern is possible and relevant.
Languages characterizes the target using an enumerated list of
languages utilized by the target.
Language characterizes the target
using an enumerated list of implementation languages
in which this attack pattern is possible and
relevant. USAGE: This element is represented as an
enumerated list to facilitate normalization and
classification of attack patterns
This element represents a container of one or more keywords.
Keyword correspond to text strings used to tag and search CAPEC catalog
data.
Keyword correspond to text strings used to tag and
search CAPEC catalog data.
This element represents a container of one or more references.
Reference represents a documentary resource used to develop the definition
of this attack pattern.
Reference represents a documentary resource used
to develop the definition of this attack pattern.
The Status attribute defines the status level for this view.