If you take a look at the long list of breaches that make front-page news, you may think that a single framework can do a decent job of explaining the mechanisms. But that is not the case – some of the largest most famous breaches or vulnerabilities were web application related like the Equifax breach, Yahoo, First American, Facebook, and more. We can thank these breaches for endless credit monitoring – thanks folks! When we talked about MITRE ATT&CK, we discussed a very popular methodology that focused greatly on network and endpoint attacks. Web and application attack patters are missing, though, so how do we discuss a web or application threat? CAPEC helps us understand those web attack patterns and defend against them!

The CAPEC Origin Story

The US Department of Homeland Security and MITRE established the Common Attack Pattern Enumeration and Classification (CAPEC). There goal in doing so was to create a comprehensive catalog of common attack patterns or techniques used by adversaries in web and application focused cyberattacks. Fast forward to now, and CAPEC is now an open and collaborative effort. Now the cybersecurity community – including security researchers, analysts, and organizations – maintain and expand it. This collective input helps keep CAPEC up-to-date and relevant in the face of evolving cyber threats.

In some ways CAPEC is like ATT&CK but focuses specifically on web and application threats. It breaks down how attackers exploit vulnerabilities, gain unauthorized access, steal data, disrupt systems, or achieve other malicious goals. Because of its web and application focus, CAPEC plays well with other cybersecurity standards and frameworks, such as the Common Weakness Enumeration (CWE) and the Common Vulnerability Enumeration (CVE) as shown below. Tackling these together, you get solid understanding of the relationships between attack patterns, vulnerabilities, and weaknesses. If you and your team are wrestling with application security, this approach is for you!

Illustration of how the CVE, CWE, and CAPEC projects all can work together to outline web attack patterns and improve defenses for websites and applications.
The CAPEC Model’s Relationship with CWE and CVE Projects

What makes CAPEC so helpful?

CAPEC describes how an attacker overcomes challenges in exploiting known weaknesses – pretty cool stuff! For that reason, it’s like having an operator’s manual – it documents each attack pattern with detailed information. These include a description, prerequisites, typical attack scenarios, and related countermeasures. CAPEC even organizes and classifies attack patterns into a hierarchical structure. This classification system helps Blue and Red Team-ers alike navigate and prioritize threats based on their characteristics and potential impact. The end goal is to make it easier for you and your organization to understand, analyze, and defend against various threats.

How Do We Use CAPEC?

CAPEC assists both red team and blue team folks alike. A Red Teamer, for instance, may prefer the the “Mechanisms of Attack” view, which outlines the different realms of security that are exposed to them. By burrowing in this way, they quickly emulate an attacker who is executing their playbook. In the example below, we see how a tester quickly dives down to uncover CAPEC Web Attack Patterns for manipulating data in an application using path traversal techniques.

CAPEC's Mechanisms of Attack view, which is very useful for attackers or testers.
CAPEC’s tailor-made Mechanisms of Attack view for the offense!

Defenders think differently, rooted in their job role and responsibilities. CAPEC covers that with the “Domains of Attack” view, which groups together similar attack methods based on the discipline. As an example, developers focus on Software and some aspects of Supply Chain, while SecOps primarily focuses their activity in policing Communications.

CAPEC's Domains of Attack, which is very well aligned with Web or Applicaiton defenders and developers.
CAPEC’s Domains of Attack view outlines attack patterns for the defense

Where’s the Attack Pattern Beef?

Every CAPEC Attack pattern includes a plethora of data sorted by the sections show below:

Every CAPEC Attack Pattern record includes multiple fields, grouped in Description, Likelihood of Attack, Typical Severity, Relationships, Execution Flow, Prerequisites, Skills Required, Resources Required, Consequences, Mitigations, Example Instances, Related Weaknesses, and more.
Every CAPEC Attack Pattern includes these fields, making it easy to serve a variety of stakeholders in web security.

When it comes to the parts most interesting for Red Teamers, the sections for “Prerequisites”, “Skills Required”, “Resources Required” are all table stakes, but the “Execution Flow” section of each pattern is golden. Pen testers and red teamers can see exactly how to carry these out. Detection folks also learn from these, as the insight as to how adversaries probe and exploit the attack surface will inspire new analytics.

This is a snapshot of the XSS execution flow from the CAPEC website.
CAPEC described Cross Site Scripting in some gory detail here – what a great resource! (https://capec.mitre.org/data/definitions/63.html)

For GRC folks and management, the “Likelihood of Attack” and “Typical Severity” sections beg to be mapped to the Risk Management program, and the “Consequences” section further justifies those ratings. For the blue teamers who have to actually act and mitigate, the Mitigations section is a great step. Sometimes security folks take these actions, but usually security folks guide implementation by the developers themselves.

Consequences and Mitigations in a CAPEC Attack Pattern are useful for defenders of many types.
Consequences and Mitigations are gold for the defenders!

Pros, Cons and Who Uses CAPEC?

What are the pros of CAPEC? It reads more like a cookbook than any other framework or methodology. This makes it a must see in my book! Furthermore, it’s detailed and comprehensive, providing a common language for discussing and analyzing attacks. It is a fantastic learning resource for bug bounty folks too. In addition, it’s continuously updated, so it provides timely material to help train stakeholders.

Cons? First, it can be overwhelming due to its depth, so operationalizing all of that can be overwhelming without expert help. Second, how many companies do you know that ONLY have a web app? No network, no endpoints, no email? My point is that organizations will have other threats that exceed CAPEC’s scope. You’d most likely combine CAPEC with other modeling tools to provide a well-rounded threat picture.

We should see most web developers, web application penetration testers, and application architects paying attention to CAPEC. OWASP‘s own approach is a good start, but CAPEC is really well organized, covers more ground in more detail, and better blends with the CWE and CVE efforts. For customers using MITRE ATT&CK, it really compliments that well. It certainly provides an abundance of awesome insight, and we’ll discuss it more in future posts!