Skip to content

Proposal: Refactor Capabilities

Ivan Kirillov edited this page Sep 30, 2015 · 23 revisions

Status: CLOSED
Comment Period Closes: September 24th, 2015
Affects Backwards Compatibility: Yes

Background Information

Capturing the capabilities possessed by a malware instance is one of the key components of MAEC (along with actions and behaviors). However, we feel that there are some issues around the current model of Capabilities (as of MAEC v4.1), including an arbitrary and likely unnecessary distinction between Capabilities and Strategic and Tactical Objectives. Accordingly, we feel that the model around Capabilities and its corresponding implementation in the MAEC schema should be refactored to address this and other issues.

Related Proposals

This proposal is related to the following proposed changes to the schema: https://github.com/MAECProject/schemas/wiki/Proposal:-Make-Actions,-Behaviors,-and-Capabilities-Top-Level-Entities https://github.com/MAECProject/schemas/wiki/Proposal:-Deprecate-MAEC-Bundle-(as-a-concept-and-output-format) https://github.com/MAECProject/schemas/wiki/Proposal:-Refactor-Behaviors https://github.com/MAECProject/schemas/wiki/Proposal:-Make-Relationships-Top-Level-Entities

Proposal

The core of this proposal revolves around how we think about malware capabilities and behaviors, and therefore we break this discussion down into two components: the data model itself, and the schema implementation that goes along with it.

Data Model

In MAEC v4.1, we had the following associated entities:

  1. Capabilities
  2. Capability Strategic Objectives
  3. Capability Tactical Objectives
  4. Behaviors

The notion was that a Capability corresponds to a high-level ability that a malware instance possesses. Examples include anti-detection, command and control, and privilege escalation. Strategic Objectives and Tactical Objectives then serve to more granularly capture the details of each Capability. Simply put, a Capability can have one or more Strategic Objectives that it attempts to carry out, and accordingly a Strategic Objective can have one or more Tactical Objectives in the same manner. For example, let's say that for the Data Exfiltration Capability a malware instance could have a Strategic Objective of “Stage Data for Exfiltration,” which in turn could have a Tactical Objective of “Move Data to Staging Server.

On the other hand, a Behavior corresponds to the specific purpose behind a particular snippet of code, as executed by a malware instance. Examples include keylogging, detecting a virtual machine, and installing a backdoor. In relation to Capabilities, the notion was that a Capability could have one or more Behaviors that serve as its implementations in a malware instance (i.e. how the malware instance carries out the Capability); the same was true for both Strategic and Tactical Objectives.

While this sort of breakdown made sense on paper, after the release of MAEC v4.1 we realized that Objectives and Behaviors served almost identical purposes, and accordingly that Objectives could subsume Behaviors, which was contradictory to their intent. After some deliberation, we came to the conclusion that Objectives are simply unnecessary and that what we had previously defined as Objectives in our vocabularies should for the most part be recast as Behaviors (especially because almost all tended to have some verb in their name, e.g. "move, test, detect", etc.).

Thus, after some further thinking along what the Capabilities data model should encompass, we came to the following conclusions:

  • A Capability corresponds to a high-level ability that a malware instance possesses. Some Capabilities are intentionally more abstract than others (e.g., "persistence" versus "continuous execution"), in order to more generally serve as a label for identifying the particular abilities possessed by a malware instance.
  • Capabilities have two primary purposes:
    • Specifying, at a high level, the abilities of a malware instance.
    • As organizational structures for the creation of a taxonomy of malware behaviors.
  • A Capability can have one more Behaviors that represent its implementation in a Malware Instance.
  • Accordingly, all existing Tactical Objectives should be recast as Behaviors; most Strategic Objectives, with a few exceptions (explained below), should be recast as Behaviors as well.
    • Certain existing Strategic Objectives (e.g., "anti-vm") that are at a high enough level of abstraction compared to others (e.g., "patch operating system files") should be recast as more abstract Capabilities.
  • Strategic and Tactical Objectives should be deprecated.
Schema Implementation

There are two primary changes with regards to the implementation of Capabilities in the MAEC schema, based on the associated data model changes discussed above:

  • Strategic and Tactical Objectives are deprecated, and no longer included.
  • Additional, less abstract Capabilities, are now included in the default Capabilities vocabulary.

Accordingly, this entails that the refactored CapabilityType, found in the MAEC Core (formerly MAEC Bundle) schema, should have the following fields:

Field Type Multiplicity Description
@id xs:QName 1 The required id field specifies a unique id for this Capability.
@reference xs:anyURI 0-1 The reference field specifies the URL of the corresponding entry in the MAEC Semantic MediaWiki for the Capability.
Name cyboxCommon:ControlledVocabularyStringType 1 The required Name field captures the name of the Capability. The default vocabulary for this field is the CapabilityNameVocab from the MAEC Default Vocabularies schema.
Description cyboxCommon:StructuredTextType 0-1 The Description field contains a basic textual description of the Capability.
Attribute maecCore:CapabilityAttributeType 0-N The Attribute field permits the capture of a single attribute of the Capability, as a key/value pair. More than one attribute can be specified via multiple occurrences of this field.
Behavior_Reference maecCore:BehaviorReferenceType 0-N The Behavior_Reference field captures a reference to a Behavior that serves as an implementation of the Capability.

The following existing types found in the MAEC Core (formerly MAEC Bundle) schema would be deprecated:

  • CapabilityObjectiveType
  • CapabilityObjectiveReferenceType

The following existing types found in the MAEC Core (formerly MAEC Bundle) schema will be renamed:

  • CapabilityPropertyType will be renamed to CapabilityAttributeType

The following vocabulary related changes will be made:

  • A new CapabilityNameVocab-1.0 will be created, along with a corresponding enumeration, the CapabilityNameEnum-1.0.
  • The existing MalwareCapabilityEnum-1.0 enumeration will be deprecated.
  • To correspond with the renaming of the 'Property' field to 'Attribute' in the CapabilityType, and to highlight its general nature (i.e. that it can also be used in Behaviors), the CommonCapabilityPropertiesVocab-1.0 and CommonCapabilityPropertiesVocab-1.0 will be renamed to CommonAttributesVocab-1.0 and CommonAttributesVocab-1.0, respectively.
  • The existing vocabularies around Strategic and Tactical Objectives will be deprecated, including the AntiCodeAnalysisStrategicObjectivesVocab-1.0, AntiCodeAnalysisTacticalObjectivesVocab-1.0, AntiDetectionStrategicObjectivesVocab-1.0, AntiDetectionTacticalObjectivesVocab-1.0, AntiRemovalStrategicObjectivesVocab-1.0, AntiRemovalTacticalObjectivesVocab-1.0, CapabilityObjectiveRelationshipTypeVocab-1.0, CommandandControlStrategicObjectivesVocab-1.0, CommandandControlTacticalObjectivesVocab-1.0, DataExfiltrationStrategicObjectivesVocab-1.0, DataExfiltrationTacticalObjectivesVocab-1.0, DestructionStrategicObjectivesVocab-1.0, DestructionTacticalObjectivesVocab-1.0, FraudStrategicObjectivesVocab-1.0, FraudTacticalObjectivesVocab-1.0, InfectionPropagationStrategicObjectivesVocab-1.0, InfectionPropagationTacticalObjectivesVocab-1.0, IntegrityViolationStrategicObjectivesVocab-1.0, IntegrityViolationTacticalObjectivesVocab-1.0, MachineAccessControlStrategicObjectivesVocab-1.0, MachineAccessControlTacticalObjectivesVocab-1.0, PersistenceStrategicObjectivesVocab-1.0, PersistenceTacticalObjectivesVocab-1.0, PrivilegeEscalationStrategicObjectivesVocab-1.0, PrivilegeEscalationTacticalObjectivesVocab-1.0, ProbingStrategicObjectivesVocab-1.0, ProbingTacticalObjectivesVocab-1.0, RemoteMachineManipulationStrategicObjectivesVocab-1.0, RemoteMachineManipulationTacticalObjectivesVocab-1.0, SecondaryOperationStrategicObjectivesVocab-1.0, SecondaryOperationTacticalObjectivesVocab-1.0, SecurityDegradationStrategicObjectivesVocab-1.0, SecurityDegradationTacticalObjectivesVocab-1.0, SpyingStrategicObjectivesVocab-1.0, SpyingTacticalObjectivesVocab-1.0.

The new CapabilityNameEnum-1.0 will have the following values, based on the entries in the MAEC Semantic MediaWiki:

Value Description
anti-behavioral analysis The 'anti-behavioral analysis' Capability indicates that the malware instance is able to prevent behavioral analysis or make it more difficult.
anti-code analysis The 'anti-code analysis' Capability indicates that the malware instance is able to prevent code analysis or make it more difficult.
anti-detection The 'anti-detection' Capability indicates that the malware instance is able to prevent itself and its components from being detected on a system.
anti-removal The 'anti-removal' Capability indicates that the malware instance is able to prevent itself and its components from being removed from a system.
availability violation The 'availability violation' Capability indicates that the malware instance is able to compromise the availability of a system or some aspect of the system.
command and control The 'command and control' (C2) Capability indicates that the malware instance is able to receive and/or execute remotely submitted commands.
data exfiltration The 'data exfiltration' Capability indicates that the malware instance is able to exfiltrate stolen data or perform tasks related to the exfiltration of stolen data.
data theft The 'data theft' Capability indicates that the malware instance is able to steal data from the system on which it executes. This includes data stored in some form, e.g. in a file, as well as data that may be entered into some application such as a web-browser.
destruction The 'destruction' Capability indicates that the malware instance is able to destroy some aspect of a system.
fraud The 'fraud' Capability indicates that the malware instance is able to defraud a user or a system.
infection/propagation The 'infection/propagation' Capability indicates that the malware instance is able to propagate through the infection of a machine or is able to infect a file after executing on a system. The malware instance may infect actively (e.g., gain access to a machine directly) or passively (e.g., send malicious email). This Capability does not encompass any aspects of the initial infection that is done independently of the malware instance itself.
integrity violation The 'integrity violation' Capability indicates that the malware instance is able to compromise the integrity of a system.
machine access/control The 'machine access/control' Capability indicates that the malware instance is able to access or control one or more remote machines and/or the machine on which it is executing.
persistence The 'persistence' Capability indicates that the malware instance is able to persist and remain on a system regardless of system events.
privilege escalation The 'privilege escalation' Capability indicates that the malware instance is able to elevate the privileges under which it executes.
probing The 'probing' Capability indicates that the malware instance is able to probe its host system or network environment; most often this is done to support other Capabilities and their Objectives.
secondary operation The 'secondary operation' Capability indicates that the malware instance is able to achieve secondary objectives in conjunction with or after achieving its primary objectives.
security degradation The 'security degradation' Capability indicates that the malware instance is able to bypass or disable security features and/or controls.
spying The 'spying' Capability indicates that the malware instance is able to capture information from a system related to user or system activity (e.g., from a system's peripheral devices).
OS security feature degradation The ‘OS security feature degradation’ Capability indicates that the malware instance is able to bypass or disable operating system (OS) security mechanisms.
access control degradation The ‘access control degradation’ Capability indicates that the malware instance is able to bypass or disable access control mechanisms designed to prevent unauthorized or unprivileged use or execution of applications or files.
anti-VM The 'anti-VM' Capability indicates that the malware instance is able to prevent virtual machine (VM) based behavioral analysis or make it more difficult.
anti-debugging The 'anti-debugging' Capability indicates that the malware instance is able to prevent itself from being debugged and/or from being run in a debugger or is able to make debugging more difficult.
anti-disassembly The 'anti-disassembly' Capability indicates that the malware instance is able to prevent itself from being disassembled or make disassembly more difficult.
anti-memory forensics The 'anti-memory forensics' Capability indicates that the malware instance is able to prevent or make memory forensics more difficult.
anti-sandbox The 'anti-sandbox' Capability specifies that the malware instance is able to prevent sandbox-based behavioral analysis or make it more difficult.
authentication credentials theft The 'authentication credentials theft' Capability indicates that the malware instance is able to steal authentication credentials.
clean traces of infection The 'clean traces of infection' Capability indicates that the malware instance is able to clean traces of its infection (e.g., file system artifacts) from a system.
compromise data availability The 'compromise data availability' Capability indicates that the malware instance is able to compromise the availability of data on the local system on which it is executing and/or one or more remote systems.
compromise system availability The 'compromise system availability' Capability indicates that the malware instance is able to compromise the availability of the local system on which it is executing and/or one or more remote systems.
continuous execution The 'continuous execution' Capability indicates that the malware instance is able to continue to execute on a system after significant system events, such as a system reboot.
data integrity violation The 'data integrity violation' Capability indicates that the malware instance is able to compromise the integrity of some data that resides on (e.g., in the case of files) or is received/transmitted (e.g., in the case of network traffic) by the system on which it is executing.
data obfuscation The 'data obfuscation' Capability indicates that the malware is able to obfuscate data that will be exfiltrated.
data staging The 'data staging' Capability indicates that the malware instance is able to gather, prepare, and stage data for exfiltration.
determine c2 server The 'determine c2 server' Capability indicates that the malware instance is able to identify one or more command and control (C2) servers with which to communicate..
email spam The 'email spam' Capability indicates that the malware instance is able to send spam email messages.
ensure compatibility The 'ensure compatibility' Capability indicates that the malware instance is able to manipulate or modify the system on which it executes to ensure that it is able to continue executing.
environment awareness The 'environment awareness' Capability indicates that the malware instance can fingerprint or otherwise identify the environment in which it is executing, for the purpose of altering its behavior based on this environment.
file infection The 'file infection' Capability indicates that the malware instance is able to infect one or more files.
hide artifacts The 'hide artifacts' Behavior indicates that the malware instance is able to hide its artifacts, such as files and open ports.
hide executing code The 'hide executing code' Capability indicates that the malware instance is able to hide its executing code.
host configuration probing The 'host configuration probing' Capability indicates that the malware instance is able to probe the configuration of the host system on which it executes.
information gathering for improvement The 'information gathering for improvement' Capability indicates that the malware instance is able to gather information from its environment to make itself less likely to be detected.
input peripheral capture The 'input peripheral capture' Capability indicates that the malware instance is able to capture data from a system's input peripheral devices, such as a keyboard or mouse.
install other components The 'install other components' Capability indicates that the malware instance is able to install additional components. This encompasses the dropping/downloading of other malicious components such as libraries, other malware, and tools.
local machine control The 'local machine control' Capability indicates that the malware instance is able to control the machine on which it is executing.
network environment probing The 'network environment probing' Capability indicates that the malware instance is able to probe the properties of its network environment, e.g. to determine whether it funnels traffic through a proxy.
capture system output peripheral data The 'capture system output peripheral data' Behavior captures data sent to a system's output peripherals, such as a display.
physical entity destruction The 'physical entity destruction' Capability indicates that the malware instance is able to destroy physical entities.
prevent artifact access The 'prevent artifact access' Capability indicates that the malware instance is able to prevent its artifacts (e.g., files, registry keys, etc.) from being accessed.
prevent artifact deletion The 'prevent artifact deletion' Capability indicates that the malware instance is able to prevent its artifacts (e.g., files, registry keys, etc.) from being deleted.
consume system resources The 'consume system resources' Capability indicates that the malware instance is able to consume system resources for its own purposes, such as password cracking.
receive data from c2 server The 'receive data from c2 server' Capability indicates that the malware instance is able to receive some data from a command and control server.
remote machine access The 'remote machine access' Capability indicates that the malware instance is able to access one or more remote machines.
remote machine infection The 'remote machine infection' Capability indicates that the malware instance is able to self-propagate to a remote machine or infect a machine with malware that is different than itself.
security software degradation The 'security software degradation' Capability indicates that the malware instance is able to bypass or disable security programs running on a system, either by stopping them from executing or by making changes to their code or configuration parameters.
security software evasion The 'security software evasion' Capability indicates that the malware instance is able to evade security software (e.g., anti-virus tools).
self-modification The 'self-modification' Capability indicates that the malware instance is able to modify itself.
send data to c2 server The 'send data to c2 server' Capability indicates that the malware instance is able to send some data to a command and control server.
service provider security feature degradation The ‘service provider security feature degradation’ Capability indicates that the malware instance is able to bypass or disable mobile device service provider security features that would otherwise identify or notify users of its presence.
stored information theft The 'stored information theft' Capability indicates that the malware instance is able to steal information stored on a system (e.g., files).
system interface data capture The 'system interface data capture' Capability indicates that the malware instance is able to capture data from a system's logical or physical interfaces, such as from a network interface.
system operation integrity violation The 'system operational integrity violation' Capability indicates that the malware instance is able to compromise the operational integrity of the system on which it is executing and/or one or more remote systems, e.g., by causing them to operate beyond their set of specified operational parameters.
system re-infection The 'system re-infection' Capability indicates that the malware instance is able to re-infect a system after one or more of its components have been removed.
system state data capture The 'system state data capture' Capability indicates that the malware instance is able to capture information about a system's state (e.g., data currently in its RAM).
system update degradation The 'system update degradation' Capability indicates that the malware instance is able to disable the downloading and installation of system updates and patches.
user data theft The 'user data theft' Capability indicates that the malware instance is able to steal data associated with one or more users (e.g., browser history).
virtual entity destruction The 'virtual entity destruction' Capability indicates that the malware instance is able to destroy a virtual entity.

Example

Before this change - MAEC 4.1

<maecBundle:Capability id="example:capability-1" name="persistence">
    <maecBundle:Strategic_Objective id="example:objective-1">
        <maecBundle:Name xsi:type="maecVocabs:PersistenceStrategicObjectivesVocab-1.0">persist to continuously execute on system</maecBundle:Name>
    </maecBundle:Strategic_Objective>
</maecBundle:Capability>

After this change - MAEC 5.0

<maecCore:Capability id="example:capability-1">
  <maecCore:Name xsi:type="maecVocabs:CapabilityNameVocab-1.0">persistence</Name>
</maecCore:Capability>
<maecCore:Capability id="example:capability-2">
  <maecCore:Name xsi:type="maecVocabs:CapabilityNameVocab-1.0">continuous execution</Name>
</maecCore:Capability>

Impact

This change will not be backward compatible and is one of several revisions planned in new major version.

Requested Feedback

  1. Do the changes to the Capability data model with respect to deprecating Objectives in favor of Behaviors make sense?
  2. Do the values in the CapabilityNameEnum-1.0 make sense?
Clone this wiki locally