Proposal: Refactor Capabilities
Status: CLOSED
Comment Period Closes: September 24th, 2015
Affects Backwards Compatibility: Yes
Capturing the capabilities possessed by a malware instance is one of the key components of MAEC (along with actions and behaviors). However, we feel that there are some issues around the current model of Capabilities (as of MAEC v4.1), including an arbitrary and likely unnecessary distinction between Capabilities and Strategic and Tactical Objectives. Accordingly, we feel that the model around Capabilities and its corresponding implementation in the MAEC schema should be refactored to address this and other issues.
This proposal is related to the following proposed changes to the schema:
- https://github.com/MAECProject/schemas/wiki/Proposal:-Make-Actions,-Behaviors,-and-Capabilities-Top-Level-Entities
- https://github.com/MAECProject/schemas/wiki/Proposal:-Deprecate-MAEC-Bundle-(as-a-concept-and-output-format)
- https://github.com/MAECProject/schemas/wiki/Proposal:-Refactor-Behaviors
- https://github.com/MAECProject/schemas/wiki/Proposal:-Make-Relationships-Top-Level-Entities
The core of this proposal revolves around how we think about malware capabilities and behaviors, and therefore we break this discussion down into two components: the data model itself, and the schema implementation that goes along with it.
In MAEC v4.1, we had the following associated entities:
- Capabilities
- Capability Strategic Objectives
- Capability Tactical Objectives
- Behaviors
The notion was that a Capability corresponds to a high-level ability that a malware instance possesses. Examples include anti-detection, command and control, and privilege escalation. Strategic Objectives and Tactical Objectives then serve to capture the details of each Capability more granularly. Simply put, a Capability can have one or more Strategic Objectives that it attempts to carry out, and a Strategic Objective can in turn have one or more Tactical Objectives in the same manner. For example, for the Data Exfiltration Capability a malware instance could have a Strategic Objective of "Stage Data for Exfiltration," which in turn could have a Tactical Objective of "Move Data to Staging Server."
On the other hand, a Behavior corresponds to the specific purpose behind a particular snippet of code, as executed by a malware instance. Examples include keylogging, detecting a virtual machine, and installing a backdoor. In relation to Capabilities, the notion was that a Capability could have one or more Behaviors that serve as its implementations in a malware instance (i.e. how the malware instance carries out the Capability); the same was true for both Strategic and Tactical Objectives.
While this sort of breakdown made sense on paper, after the release of MAEC v4.1 we realized that Objectives and Behaviors served almost identical purposes, and accordingly that Objectives could subsume Behaviors, which was contradictory to their intent. After some deliberation, we came to the conclusion that Objectives are simply unnecessary and that what we had previously defined as Objectives in our vocabularies should for the most part be recast as Behaviors (especially because almost all tended to have some verb in their name, e.g. "move, test, detect", etc.).
Thus, after some further thinking along what the Capabilities data model should encompass, we came to the following conclusions:
- A Capability corresponds to a high-level ability that a malware instance possesses. Some Capabilities are intentionally more abstract than others (e.g., "persistence" versus "continuous execution"), in order to more generally serve as a label for identifying the particular abilities possessed by a malware instance.
- Capabilities have two primary purposes:
- Specifying, at a high level, the abilities of a malware instance.
- As organizational structures for the creation of a taxonomy of malware behaviors.
- A Capability can have one or more Behaviors that represent its implementation in a Malware Instance.
- Accordingly, all existing Tactical Objectives should be recast as Behaviors; most Strategic Objectives, with a few exceptions (explained below), should be recast as Behaviors as well.
- Certain existing Strategic Objectives (e.g., "anti-vm") that are at a high enough level of abstraction compared to others (e.g., "patch operating system files") should be recast as more abstract Capabilities.
- Strategic and Tactical Objectives should be deprecated.
There are two primary changes with regards to the implementation of Capabilities in the MAEC schema, based on the associated data model changes discussed above:
- Strategic and Tactical Objectives are deprecated, and no longer included.
- Additional, less abstract Capabilities are now included in the default Capabilities vocabulary.
Accordingly, this entails that the refactored `CapabilityType`, found in the MAEC Core (formerly MAEC Bundle) schema, should have the following fields:
Field | Type | Multiplicity | Description |
---|---|---|---|
@id | xs:QName | 1 | The required id field specifies a unique id for this Capability. |
@reference | xs:anyURI | 0-1 | The reference field specifies the URL of the corresponding entry in the MAEC Semantic MediaWiki for the Capability. |
Name | cyboxCommon:ControlledVocabularyStringType | 1 | The required Name field captures the name of the Capability. The default vocabulary for this field is the CapabilityNameVocab from the MAEC Default Vocabularies schema. |
Description | cyboxCommon:StructuredTextType | 0-1 | The Description field contains a basic textual description of the Capability. |
Attribute | maecCore:CapabilityAttributeType | 0-N | The Attribute field permits the capture of a single attribute of the Capability, as a key/value pair. More than one attribute can be specified via multiple occurrences of this field. |
Behavior_Reference | maecCore:BehaviorReferenceType | 0-N | The Behavior_Reference field captures a reference to a Behavior that serves as an implementation of the Capability. |
The following existing types found in the MAEC Core (formerly MAEC Bundle) schema would be deprecated:
- `CapabilityObjectiveType`
- `CapabilityObjectiveReferenceType`
The following existing types found in the MAEC Core (formerly MAEC Bundle) schema will be renamed:
- `CapabilityPropertyType` will be renamed to `CapabilityAttributeType`
The following vocabulary-related changes will be made:
- A new `CapabilityNameVocab-1.0` will be created, along with a corresponding enumeration, the `CapabilityNameEnum-1.0`.
- The existing `MalwareCapabilityEnum-1.0` enumeration will be deprecated.
- To correspond with the renaming of the 'Property' field to 'Attribute' in the `CapabilityType`, and to highlight its general nature (i.e. that it can also be used in Behaviors), the `CommonCapabilityPropertiesVocab-1.0` will be renamed to `CommonAttributesVocab-1.0`, and its corresponding enumeration will be renamed to match.
- The existing vocabularies around Strategic and Tactical Objectives will be deprecated, including the `AntiCodeAnalysisStrategicObjectivesVocab-1.0`, `AntiCodeAnalysisTacticalObjectivesVocab-1.0`, `AntiDetectionStrategicObjectivesVocab-1.0`, `AntiDetectionTacticalObjectivesVocab-1.0`, `AntiRemovalStrategicObjectivesVocab-1.0`, `AntiRemovalTacticalObjectivesVocab-1.0`, `CapabilityObjectiveRelationshipTypeVocab-1.0`, `CommandandControlStrategicObjectivesVocab-1.0`, `CommandandControlTacticalObjectivesVocab-1.0`, `DataExfiltrationStrategicObjectivesVocab-1.0`, `DataExfiltrationTacticalObjectivesVocab-1.0`, `DestructionStrategicObjectivesVocab-1.0`, `DestructionTacticalObjectivesVocab-1.0`, `FraudStrategicObjectivesVocab-1.0`, `FraudTacticalObjectivesVocab-1.0`, `InfectionPropagationStrategicObjectivesVocab-1.0`, `InfectionPropagationTacticalObjectivesVocab-1.0`, `IntegrityViolationStrategicObjectivesVocab-1.0`, `IntegrityViolationTacticalObjectivesVocab-1.0`, `MachineAccessControlStrategicObjectivesVocab-1.0`, `MachineAccessControlTacticalObjectivesVocab-1.0`, `PersistenceStrategicObjectivesVocab-1.0`, `PersistenceTacticalObjectivesVocab-1.0`, `PrivilegeEscalationStrategicObjectivesVocab-1.0`, `PrivilegeEscalationTacticalObjectivesVocab-1.0`, `ProbingStrategicObjectivesVocab-1.0`, `ProbingTacticalObjectivesVocab-1.0`, `RemoteMachineManipulationStrategicObjectivesVocab-1.0`, `RemoteMachineManipulationTacticalObjectivesVocab-1.0`, `SecondaryOperationStrategicObjectivesVocab-1.0`, `SecondaryOperationTacticalObjectivesVocab-1.0`, `SecurityDegradationStrategicObjectivesVocab-1.0`, `SecurityDegradationTacticalObjectivesVocab-1.0`, `SpyingStrategicObjectivesVocab-1.0`, and `SpyingTacticalObjectivesVocab-1.0`.
- These vocabularies will be replaced with the new Behavior vocabularies; for more information see Proposal: Refactor Behaviors.
The new `CapabilityNameEnum-1.0` will have the following values, based on the entries in the MAEC Semantic MediaWiki:
Value | Description |
---|---|
anti-behavioral analysis | The 'anti-behavioral analysis' Capability indicates that the malware instance is able to prevent behavioral analysis or make it more difficult. |
anti-code analysis | The 'anti-code analysis' Capability indicates that the malware instance is able to prevent code analysis or make it more difficult. |
anti-detection | The 'anti-detection' Capability indicates that the malware instance is able to prevent itself and its components from being detected on a system. |
anti-removal | The 'anti-removal' Capability indicates that the malware instance is able to prevent itself and its components from being removed from a system. |
availability violation | The 'availability violation' Capability indicates that the malware instance is able to compromise the availability of a system or some aspect of the system. |
command and control | The 'command and control' (C2) Capability indicates that the malware instance is able to receive and/or execute remotely submitted commands. |
data exfiltration | The 'data exfiltration' Capability indicates that the malware instance is able to exfiltrate stolen data or perform tasks related to the exfiltration of stolen data. |
data theft | The 'data theft' Capability indicates that the malware instance is able to steal data from the system on which it executes. This includes data stored in some form, e.g. in a file, as well as data that may be entered into some application such as a web-browser. |
destruction | The 'destruction' Capability indicates that the malware instance is able to destroy some aspect of a system. |
fraud | The 'fraud' Capability indicates that the malware instance is able to defraud a user or a system. |
infection/propagation | The 'infection/propagation' Capability indicates that the malware instance is able to propagate through the infection of a machine or is able to infect a file after executing on a system. The malware instance may infect actively (e.g., gain access to a machine directly) or passively (e.g., send malicious email). This Capability does not encompass any aspects of the initial infection that is done independently of the malware instance itself. |
integrity violation | The 'integrity violation' Capability indicates that the malware instance is able to compromise the integrity of a system. |
machine access/control | The 'machine access/control' Capability indicates that the malware instance is able to access or control one or more remote machines and/or the machine on which it is executing. |
persistence | The 'persistence' Capability indicates that the malware instance is able to persist and remain on a system regardless of system events. |
privilege escalation | The 'privilege escalation' Capability indicates that the malware instance is able to elevate the privileges under which it executes. |
probing | The 'probing' Capability indicates that the malware instance is able to probe its host system or network environment; most often this is done to support other Capabilities and their Behaviors. |
secondary operation | The 'secondary operation' Capability indicates that the malware instance is able to achieve secondary objectives in conjunction with or after achieving its primary objectives. |
security degradation | The 'security degradation' Capability indicates that the malware instance is able to bypass or disable security features and/or controls. |
spying | The 'spying' Capability indicates that the malware instance is able to capture information from a system related to user or system activity (e.g., from a system's peripheral devices). |
OS security feature degradation | The 'OS security feature degradation' Capability indicates that the malware instance is able to bypass or disable operating system (OS) security mechanisms. |
access control degradation | The 'access control degradation' Capability indicates that the malware instance is able to bypass or disable access control mechanisms designed to prevent unauthorized or unprivileged use or execution of applications or files. |
anti-VM | The 'anti-VM' Capability indicates that the malware instance is able to prevent virtual machine (VM) based behavioral analysis or make it more difficult. |
anti-debugging | The 'anti-debugging' Capability indicates that the malware instance is able to prevent itself from being debugged and/or from being run in a debugger or is able to make debugging more difficult. |
anti-disassembly | The 'anti-disassembly' Capability indicates that the malware instance is able to prevent itself from being disassembled or make disassembly more difficult. |
anti-memory forensics | The 'anti-memory forensics' Capability indicates that the malware instance is able to prevent or make memory forensics more difficult. |
anti-sandbox | The 'anti-sandbox' Capability specifies that the malware instance is able to prevent sandbox-based behavioral analysis or make it more difficult. |
authentication credentials theft | The 'authentication credentials theft' Capability indicates that the malware instance is able to steal authentication credentials. |
clean traces of infection | The 'clean traces of infection' Capability indicates that the malware instance is able to clean traces of its infection (e.g., file system artifacts) from a system. |
compromise data availability | The 'compromise data availability' Capability indicates that the malware instance is able to compromise the availability of data on the local system on which it is executing and/or one or more remote systems. |
compromise system availability | The 'compromise system availability' Capability indicates that the malware instance is able to compromise the availability of the local system on which it is executing and/or one or more remote systems. |
continuous execution | The 'continuous execution' Capability indicates that the malware instance is able to continue to execute on a system after significant system events, such as a system reboot. |
data integrity violation | The 'data integrity violation' Capability indicates that the malware instance is able to compromise the integrity of some data that resides on (e.g., in the case of files) or is received/transmitted (e.g., in the case of network traffic) by the system on which it is executing. |
data obfuscation | The 'data obfuscation' Capability indicates that the malware instance is able to obfuscate data that will be exfiltrated. |
data staging | The 'data staging' Capability indicates that the malware instance is able to gather, prepare, and stage data for exfiltration. |
determine c2 server | The 'determine c2 server' Capability indicates that the malware instance is able to identify one or more command and control (C2) servers with which to communicate. |
email spam | The 'email spam' Capability indicates that the malware instance is able to send spam email messages. |
ensure compatibility | The 'ensure compatibility' Capability indicates that the malware instance is able to manipulate or modify the system on which it executes to ensure that it is able to continue executing. |
environment awareness | The 'environment awareness' Capability indicates that the malware instance can fingerprint or otherwise identify the environment in which it is executing, for the purpose of altering its behavior based on this environment. |
file infection | The 'file infection' Capability indicates that the malware instance is able to infect one or more files. |
hide artifacts | The 'hide artifacts' Capability indicates that the malware instance is able to hide its artifacts, such as files and open ports. |
hide executing code | The 'hide executing code' Capability indicates that the malware instance is able to hide its executing code. |
host configuration probing | The 'host configuration probing' Capability indicates that the malware instance is able to probe the configuration of the host system on which it executes. |
information gathering for improvement | The 'information gathering for improvement' Capability indicates that the malware instance is able to gather information from its environment to make itself less likely to be detected. |
input peripheral capture | The 'input peripheral capture' Capability indicates that the malware instance is able to capture data from a system's input peripheral devices, such as a keyboard or mouse. |
install other components | The 'install other components' Capability indicates that the malware instance is able to install additional components. This encompasses the dropping/downloading of other malicious components such as libraries, other malware, and tools. |
local machine control | The 'local machine control' Capability indicates that the malware instance is able to control the machine on which it is executing. |
network environment probing | The 'network environment probing' Capability indicates that the malware instance is able to probe the properties of its network environment, e.g. to determine whether it funnels traffic through a proxy. |
capture system output peripheral data | The 'capture system output peripheral data' Capability indicates that the malware instance is able to capture data sent to a system's output peripherals, such as a display. |
physical entity destruction | The 'physical entity destruction' Capability indicates that the malware instance is able to destroy physical entities. |
prevent artifact access | The 'prevent artifact access' Capability indicates that the malware instance is able to prevent its artifacts (e.g., files, registry keys, etc.) from being accessed. |
prevent artifact deletion | The 'prevent artifact deletion' Capability indicates that the malware instance is able to prevent its artifacts (e.g., files, registry keys, etc.) from being deleted. |
consume system resources | The 'consume system resources' Capability indicates that the malware instance is able to consume system resources for its own purposes, such as password cracking. |
receive data from c2 server | The 'receive data from c2 server' Capability indicates that the malware instance is able to receive some data from a command and control server. |
remote machine access | The 'remote machine access' Capability indicates that the malware instance is able to access one or more remote machines. |
remote machine infection | The 'remote machine infection' Capability indicates that the malware instance is able to self-propagate to a remote machine or infect a machine with malware that is different than itself. |
security software degradation | The 'security software degradation' Capability indicates that the malware instance is able to bypass or disable security programs running on a system, either by stopping them from executing or by making changes to their code or configuration parameters. |
security software evasion | The 'security software evasion' Capability indicates that the malware instance is able to evade security software (e.g., anti-virus tools). |
self-modification | The 'self-modification' Capability indicates that the malware instance is able to modify itself. |
send data to c2 server | The 'send data to c2 server' Capability indicates that the malware instance is able to send some data to a command and control server. |
service provider security feature degradation | The 'service provider security feature degradation' Capability indicates that the malware instance is able to bypass or disable mobile device service provider security features that would otherwise identify or notify users of its presence. |
stored information theft | The 'stored information theft' Capability indicates that the malware instance is able to steal information stored on a system (e.g., files). |
system interface data capture | The 'system interface data capture' Capability indicates that the malware instance is able to capture data from a system's logical or physical interfaces, such as from a network interface. |
system operation integrity violation | The 'system operation integrity violation' Capability indicates that the malware instance is able to compromise the operational integrity of the system on which it is executing and/or one or more remote systems, e.g., by causing them to operate beyond their set of specified operational parameters. |
system re-infection | The 'system re-infection' Capability indicates that the malware instance is able to re-infect a system after one or more of its components have been removed. |
system state data capture | The 'system state data capture' Capability indicates that the malware instance is able to capture information about a system's state (e.g., data currently in its RAM). |
system update degradation | The 'system update degradation' Capability indicates that the malware instance is able to disable the downloading and installation of system updates and patches. |
user data theft | The 'user data theft' Capability indicates that the malware instance is able to steal data associated with one or more users (e.g., browser history). |
virtual entity destruction | The 'virtual entity destruction' Capability indicates that the malware instance is able to destroy a virtual entity. |
Before this change - MAEC 4.1

```xml
<maecBundle:Capability id="example:capability-1" name="persistence">
  <maecBundle:Strategic_Objective id="example:objective-1">
    <maecBundle:Name xsi:type="maecVocabs:PersistenceStrategicObjectivesVocab-1.0">persist to continuously execute on system</maecBundle:Name>
  </maecBundle:Strategic_Objective>
</maecBundle:Capability>
```

After this change - MAEC 5.0

```xml
<maecCore:Capability id="example:capability-1">
  <maecCore:Name xsi:type="maecVocabs:CapabilityNameVocab-1.0">persistence</maecCore:Name>
</maecCore:Capability>
<maecCore:Capability id="example:capability-2">
  <maecCore:Name xsi:type="maecVocabs:CapabilityNameVocab-1.0">continuous execution</maecCore:Name>
</maecCore:Capability>
```
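The recasting described in the data model conclusions above (Tactical Objectives and most Strategic Objectives become Behaviors, a few abstract Strategic Objectives become Capabilities) and illustrated by the before/after fragments, written out as a small migration script. This is an added example, not code from the proposal or from the MAEC project. It assumes: the `maecCore` namespace URI (the proposal does not state one); that a 5.0 `Behavior` can be represented minimally as an id plus a `Name` (its real shape belongs to the Refactor Behaviors proposal); that `Behavior_Reference` keeps the 4.1 `behavior_idref` attribute; and a hand-maintained table of which Objectives are abstract enough to become Capabilities, seeded with the two examples the page gives. The sample 4.1 input is constructed from the page's own example and Objective wording.

```python
import xml.etree.ElementTree as ET

# maecBundle and maecVocabs are the MAEC 4.1 namespace URIs; the maecCore URI is
# an assumption, since the proposal does not state one.
NS = {
    "maecBundle": "http://maec.mitre.org/XMLSchema/maec-bundle-4",
    "maecCore": "http://maec.mitre.org/XMLSchema/maec-core-5",
    "maecVocabs": "http://maec.mitre.org/default_vocabularies-1",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

def q(prefix, local):
    """Clark-notation name ({uri}local), the form ElementTree works with."""
    return "{%s}%s" % (NS[prefix], local)

# Objectives abstract enough to be recast as Capabilities of their own (both
# taken from this page); every other Objective is recast as a Behavior. Which
# Objectives belong here is a judgement the proposal leaves to the reader.
OBJECTIVE_TO_CAPABILITY = {
    "persist to continuously execute on system": "continuous execution",
    "anti-vm": "anti-VM",
}

# Subset of CapabilityNameEnum-1.0 (table above), used as a sanity check.
CAPABILITY_NAME_ENUM = {
    "persistence", "continuous execution", "anti-VM", "anti-detection",
    "command and control", "data exfiltration", "data staging",
}

def new_capability(cap_id, name):
    """Build a 5.0 maecCore:Capability with its required id and Name fields."""
    if name not in CAPABILITY_NAME_ENUM:
        raise ValueError("not a CapabilityNameEnum-1.0 value: %r" % name)
    cap = ET.Element(q("maecCore", "Capability"), {"id": cap_id})
    name_el = ET.SubElement(cap, q("maecCore", "Name"))
    name_el.set(q("xsi", "type"), "maecVocabs:CapabilityNameVocab-1.0")
    name_el.text = name
    return cap

def migrate_capability(cap41, next_cap_no):
    """Split one 4.1 Capability into 5.0 Capabilities plus Behaviors.

    Behaviors become top-level maecCore:Behavior elements holding only id and
    Name (assumed minimal shape), referenced from the Capability through
    Behavior_Reference/@behavior_idref (4.1 attribute name, assumed retained).
    Returns (capabilities, behaviors, next_cap_no).
    """
    caps = [new_capability(cap41.get("id"), cap41.get("name"))]
    behaviors = []
    for tag in ("Strategic_Objective", "Tactical_Objective"):
        for obj in cap41.findall(q("maecBundle", tag)):
            obj_name = obj.find(q("maecBundle", "Name")).text.strip()
            if obj_name in OBJECTIVE_TO_CAPABILITY:
                caps.append(new_capability("example:capability-%d" % next_cap_no,
                                           OBJECTIVE_TO_CAPABILITY[obj_name]))
                next_cap_no += 1
            else:  # verb-phrase Objective: really a Behavior implementing the Capability
                beh_id = obj.get("id").replace("objective", "behavior")
                beh = ET.Element(q("maecCore", "Behavior"), {"id": beh_id})
                ET.SubElement(beh, q("maecCore", "Name")).text = obj_name
                behaviors.append(beh)
                ET.SubElement(caps[0], q("maecCore", "Behavior_Reference"),
                              {"behavior_idref": beh_id})
    return caps, behaviors, next_cap_no

def name_of(element):
    return element.find(q("maecCore", "Name")).text

def migrate(maec41_xml):
    """Migrate a 4.1 Capabilities list; returns (xml_text, cap_names, beh_names)."""
    old = ET.fromstring(maec41_xml).findall(q("maecBundle", "Capability"))
    out = ET.Element(q("maecCore", "Capabilities"))  # output container: assumed
    # xsi:type values are plain strings to ElementTree, so declare the vocab
    # prefix explicitly or the output is not namespace-well-formed.
    out.set("xmlns:maecVocabs", NS["maecVocabs"])
    all_caps, all_behs = [], []
    next_no = len(old) + 1  # continue the example:capability-N numbering
    for cap41 in old:
        caps, behs, next_no = migrate_capability(cap41, next_no)
        all_caps.extend(caps)
        all_behs.extend(behs)
    out.extend(all_caps + all_behs)
    return (ET.tostring(out, encoding="unicode"),
            [name_of(c) for c in all_caps], [name_of(b) for b in all_behs])

# Constructed sample input: the page's persistence example plus a data
# exfiltration Capability using the page's own Objective wording.
MAEC41_SAMPLE = """<maecBundle:Capabilities
  xmlns:maecBundle="http://maec.mitre.org/XMLSchema/maec-bundle-4"
  xmlns:maecVocabs="http://maec.mitre.org/default_vocabularies-1"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <maecBundle:Capability id="example:capability-1" name="persistence">
    <maecBundle:Strategic_Objective id="example:objective-1">
      <maecBundle:Name xsi:type="maecVocabs:PersistenceStrategicObjectivesVocab-1.0">persist to continuously execute on system</maecBundle:Name>
    </maecBundle:Strategic_Objective>
  </maecBundle:Capability>
  <maecBundle:Capability id="example:capability-2" name="data exfiltration">
    <maecBundle:Strategic_Objective id="example:objective-2">
      <maecBundle:Name>stage data for exfiltration</maecBundle:Name>
    </maecBundle:Strategic_Objective>
    <maecBundle:Tactical_Objective id="example:objective-3">
      <maecBundle:Name>move data to staging server</maecBundle:Name>
    </maecBundle:Tactical_Objective>
  </maecBundle:Capability>
</maecBundle:Capabilities>"""
```

Running `migrate(MAEC41_SAMPLE)` yields three Capabilities (persistence, continuous execution, data exfiltration) and two Behaviors, with the data exfiltration Capability carrying two `Behavior_Reference` children and no Objective element surviving. The `CAPABILITY_NAME_ENUM` check is the part worth keeping in a real migration: Objective names that are promoted to Capabilities must land on a value of the new enumeration, and a typo in the mapping table otherwise produces an instance that looks fine until schema validation.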
This change will not be backward compatible and is one of several revisions planned for the new major version.
- Do the changes to the Capability data model with respect to deprecating Objectives in favor of Behaviors make sense?
- Do the values in the `CapabilityNameEnum-1.0` make sense?