The first draft of CAPEC (Common Attack Pattern Enumeration and Classification) is now live. It is a list of common attack patterns (some of which appear in Hoglund and McGraw's book). Where CWE and CVE give insight into weaknesses, the goal of the attack patterns is to examine those weaknesses from an attacker's point of view.
Attacks are classified as:
Abuse of Functionality
Spoofing
Probabilistic Techniques
Exploitation of Authentication
Resource Depletion
Exploitation of Privilege/Trust
Injection (Injecting Control Plane content through the Data Plane)
Data Structure Attacks
Data Leakage Attacks
Resource Manipulation
Time and State Attacks
Further, each attack pattern has a description, attack prerequisites, probing techniques, related CWE/CVE entries, and some countermeasures. I contributed to several patterns, and I think CAPEC is taking a step in the right direction by mapping out at least some of the known attacks. For example, from Choosing a Message/Channel Identifier on a Public/Multicast Channel:
Attack Execution Flow
1. Determine the nature of messages being transported as well as the identifiers to be used as part of the attack
2. If required, authenticate to the distribution channel
3. If any particular client's information is available through the transport means simply by selecting a particular identifier, an attacker can simply provide that particular identifier.
4. Attackers with client access connecting to output channels could change their channel identifier and see someone else's (perhaps more privileged) data.
...
Example Instance: A certain B2B interface on a large application codes for messages passed over an MQSeries queue, on a single "Partners" channel. Messages on that channel code for their client destination based on a partner_ID field, held by each message. That field is a simple integer. Attackers having access to that channel, perhaps a particularly nosey partner, can simply choose to store messages of another partner's ID and read them as they desire. Note that authentication does not prevent a partner from leveraging this attack on other partners. It simply disallows Attackers without partner status from conducting this attack.
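The point of that example instance is that authentication alone is not a countermeasure: once a partner is on the shared channel, nothing ties the partner_ID it asks for to the identity it authenticated with. The following is an added illustration, not code from CAPEC or from this post, of a toy shared queue in the weak shape described above beside a hardened version that derives the identifier from the authenticated session and logs any mismatch as a detection signal. The partner names, secrets and messages are constructed for the example.

```python
"""Added example (not CAPEC's or the post's own code): a toy shared 'Partners'
channel showing why a client-chosen partner identifier leaks other partners'
data even after authentication, and how binding the identifier to the
authenticated identity closes the gap. All names, secrets and messages are
constructed for illustration."""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Message:
    partner_id: int   # destination field, as in the CAPEC example instance
    body: str


@dataclass
class Session:
    partner_id: int
    authenticated: bool = False


@dataclass
class SharedChannel:
    """Single channel carrying messages addressed to every partner."""
    messages: List[Message] = field(default_factory=list)
    audit_log: List[str] = field(default_factory=list)

    # Weak design: any authenticated partner may name any partner_id.
    def read_by_requested_id(self, session: Session, requested_id: int) -> List[str]:
        if not session.authenticated:
            raise PermissionError("authenticate first")
        # Authentication passed, but the selector is attacker-controlled.
        return [m.body for m in self.messages if m.partner_id == requested_id]

    # Hardened design: the identifier is taken from the authenticated identity,
    # and a request naming a different identifier is denied and logged.
    def read_bound_to_session(self, session: Session, requested_id: int) -> List[str]:
        if not session.authenticated:
            raise PermissionError("authenticate first")
        if requested_id != session.partner_id:
            self.audit_log.append(
                f"partner {session.partner_id} requested id {requested_id}: denied"
            )
            raise PermissionError("identifier does not match authenticated partner")
        return [m.body for m in self.messages if m.partner_id == session.partner_id]


def authenticate(partner_id: int, secret: str, directory: Dict[int, str]) -> Session:
    """Constructed credential check standing in for the broker's real authentication."""
    session = Session(partner_id)
    session.authenticated = directory.get(partner_id) == secret
    return session


def demo():
    """Run one legitimate partner against both designs and return what each yields."""
    directory = {1: "alpha-secret", 2: "bravo-secret"}   # constructed credentials
    channel = SharedChannel()
    channel.messages += [
        Message(1, "invoice for partner 1"),
        Message(2, "price list for partner 2"),
    ]
    partner_one = authenticate(1, "alpha-secret", directory)   # legitimately partner 1

    # Weak design: partner 1 simply names partner 2's identifier and reads its data.
    leaked = channel.read_by_requested_id(partner_one, 2)

    # Hardened design: the same request is refused and recorded.
    try:
        channel.read_bound_to_session(partner_one, 2)
        blocked = False
    except PermissionError:
        blocked = True

    # Hardened design still serves the partner its own messages.
    own = channel.read_bound_to_session(partner_one, 1)
    return leaked, blocked, own, list(channel.audit_log)


if __name__ == "__main__":
    leaked, blocked, own, log = demo()
    print("weak design leaked:", leaked)
    print("hardened design blocked cross-partner read:", blocked)
    print("hardened design own messages:", own)
    print("audit log:", log)
```

The hardened reader never consults the requested identifier to select data; it only compares it against the session and treats a mismatch as something worth alerting on, which is the countermeasure the pattern's text points at when it notes that authentication by itself does not stop one partner from reading another's messages.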
Whereas CWE, CVE, et al. show some valuable info about known weaknesses, it's always a good idea to look at things from an attack point of view as well.