1、 International Telecommunication Union ITU-T X.1544TELECOMMUNICATION STANDARDIZATION SECTOR OF ITU (04/2013) SERIES X: DATA NETWORKS, OPEN SYSTEM COMMUNICATIONS AND SECURITY Cybersecurity information exchange Event/incident/heuristics exchange Common attack pattern enumeration and classification Rec
2、ommendation ITU-T X.1544 ITU-T X-SERIES RECOMMENDATIONS DATA NETWORKS, OPEN SYSTEM COMMUNICATIONS AND SECURITY PUBLIC DATA NETWORKS X.1X.199 OPEN SYSTEMS INTERCONNECTION X.200X.299 INTERWORKING BETWEEN NETWORKS X.300X.399 MESSAGE HANDLING SYSTEMS X.400X.499 DIRECTORY X.500X.599 OSI NETWORKING AND SY
3、STEM ASPECTS X.600X.699 OSI MANAGEMENT X.700X.799 SECURITY X.800X.849 OSI APPLICATIONS X.850X.899 OPEN DISTRIBUTED PROCESSING X.900X.999 INFORMATION AND NETWORK SECURITY General security aspects X.1000X.1029 Network security X.1030X.1049 Security management X.1050X.1069 Telebiometrics X.1080X.1099 S
4、ECURE APPLICATIONS AND SERVICES Multicast security X.1100X.1109 Home network security X.1110X.1119 Mobile security X.1120X.1139 Web security X.1140X.1149 Security protocols X.1150X.1159 Peer-to-peer security X.1160X.1169 Networked ID security X.1170X.1179 IPTV security X.1180X.1199 CYBERSPACE SECURI
5、TY Cybersecurity X.1200X.1229 Countering spam X.1230X.1249 Identity management X.1250X.1279 SECURE APPLICATIONS AND SERVICES Emergency communications X.1300X.1309 Ubiquitous sensor network security X.1310X.1339 CYBERSECURITY INFORMATION EXCHANGE Overview of cybersecurity X.1500X.1519 Vulnerability/s
6、tate exchange X.1520X.1539 Event/incident/heuristics exchange X.1540X.1549Exchange of policies X.1550X.1559 Heuristics and information request X.1560X.1569 Identification and discovery X.1570X.1579 Assured exchange X.1580X.1589 For further details, please refer to the list of ITU-T Recommendations.
7、Rec. ITU-T X.1544 (04/2013) i Recommendation ITU-T X.1544 Common attack pattern enumeration and classification Summary Recommendation ITU-T X.1544 is an XML/XSD-based specification for the identification, description, and enumeration of attack patterns. Attack patterns are a powerful mechanism to ca
8、pture and communicate the attackers perspective. They are descriptions of common methods for exploiting software. They derive from the concept of design patterns applied in a destructive rather than constructive context and are generated from in-depth analysis of specific real-world exploit examples
9、. The objective of the common attack pattern enumeration and classification (CAPEC) is to provide a publicly available catalogue of attack patterns along with a comprehensive schema and classification taxonomy. History Edition Recommendation Approval Study Group 1.0 ITU-T X.1544 2013-04-26 17 ii Rec
10、. ITU-T X.1544 (04/2013) FOREWORD The International Telecommunication Union (ITU) is the United Nations specialized agency in the field of telecommunications, information and communication technologies (ICTs). The ITU Telecommunication Standardization Sector (ITU-T) is a permanent organ of ITU. ITU-
11、T is responsible for studying technical, operating and tariff questions and issuing Recommendations on them with a view to standardizing telecommunications on a worldwide basis. The World Telecommunication Standardization Assembly (WTSA), which meets every four years, establishes the topics for stud
12、y by the ITU-T study groups which, in turn, produce Recommendations on these topics. The approval of ITU-T Recommendations is covered by the procedure laid down in WTSA Resolution 1. In some areas of information technology which fall within ITU-Ts purview, the necessary standards are prepared on a c
13、ollaborative basis with ISO and IEC. NOTE In this Recommendation, the expression “Administration“ is used for conciseness to indicate both a telecommunication administration and a recognized operating agency. Compliance with this Recommendation is voluntary. However, the Recommendation may contain c
14、ertain mandatory provisions (to ensure, e.g., interoperability or applicability) and compliance with the Recommendation is achieved when all of these mandatory provisions are met. The words “shall“ or some other obligatory language such as “must“ and the negative equivalents are used to express requ
15、irements. The use of such words does not suggest that compliance with the Recommendation is required of any party. INTELLECTUAL PROPERTY RIGHTS ITU draws attention to the possibility that the practice or implementation of this Recommendation may involve the use of a claimed Intellectual Property Rig
16、ht. ITU takes no position concerning the evidence, validity or applicability of claimed Intellectual Property Rights, whether asserted by ITU members or others outside of the Recommendation development process. As of the date of approval of this Recommendation, ITU had not received notice of intelle
17、ctual property, protected by patents, which may be required to implement this Recommendation. However, implementers are cautioned that this may not represent the latest information and are therefore strongly urged to consult the TSB patent database at http:/www.itu.int/ITU-T/ipr/. ITU 2013 All right
18、s reserved. No part of this publication may be reproduced, by any means whatsoever, without the prior written permission of ITU. Rec. ITU-T X.1544 (04/2013) iii Table of Contents Page 1 Scope 1 2 References. 1 3 Definitions 1 3.1 Terms defined elsewhere 1 3.2 Terms defined in this Recommendation . 1
19、 4 Abbreviations and acronyms 2 5 Conventions 2 6 High-level requirements . 2 7 Accuracy . 4 8 Documentation 4 9 CAPEC version usage 4 10 Revocation of CAPEC compatibility . 5 11 Review authority . 5 Annex A Type-specific requirements . 7 A.2 Tool requirements . 7 A.3 Security service requirements .
20、 8 A.4 Online capability requirements . 8 Annex B Media requirements . 10 B.3 Electronic documents (HTML, word processor, PDF, ASCII text, etc.) . 10 B.4 Graphical user interface 10 Bibliography. 11 iv Rec. ITU-T X.1544 (04/2013) Introduction The common attack pattern enumeration and classification
21、(CAPEC) Recommendation is an XML/XSD-based specification for the identification, description and enumeration of attack patterns. Attack patterns are a powerful mechanism to capture and communicate the attackers perspective. They are descriptions of common methods for exploiting software. They derive
22、 from the concept of design patterns applied in a destructive rather than constructive context and are generated from in-depth analysis of specific real-world exploit examples. The objective of CAPEC is to provide a publicly available catalogue of attack patterns along with a comprehensive schema an
23、d classification taxonomy. CAPEC enables: Standardizing the capture and description of attack patterns Collecting known attack patterns into an integrated enumeration that can be consistently and effectively leveraged by the community Classifying attack patterns so that users can easily identify the
24、 subset of the entire enumeration that is appropriate for their context Linking, through explicit references, the attack patterns and the common weakness enumerations (CWEs) that they are effective against. Recommendation ITU-T X.1544 has been developed bearing in mind the importance of maintaining,
25、 to the extent possible, technical compatibility with Requirements and Recommendation for CAPEC Compatibility, version 1.0, published by the MITRE Corporation, dated 30 August 2012 (https:/capec.mitre.org/compatible/requirements_v1.0.html). Rec. ITU-T X.1544 (04/2013) 1 Recommendation ITU-T X.1544 C
26、ommon attack pattern enumeration and classification 1 Scope This Recommendation provides for the structured exchange of publicly available attack patterns along with a comprehensive schema and classification taxonomy. 2 References The following ITU-T Recommendations and other references contain prov
27、isions which, through reference in this text, constitute provisions of this Recommendation. At the time of publication, the editions indicated were valid. All Recommendations and other references are subject to revision; users of this Recommendation are therefore encouraged to investigate the possib
28、ility of applying the most recent edition of the Recommendations and other references listed below. A list of the currently valid ITU-T Recommendations is regularly published. The reference to a document within this Recommendation does not give it, as a stand-alone document, the status of a Recommen
29、dation. ITU-T X.1500 Recommendation ITU-T X.1500 (2011), Overview of cybersecurity information exchange (CYBEX). 3 Definitions 3.1 Terms defined elsewhere This Recommendation uses the following terms defined elsewhere: 3.1.1 review authority b-ITU-T X.1520: An entity that performs a review. NOTE MIT
30、RE is the only review authority at this time. 3.1.2 vulnerability ITU-T X.1500: Any weakness in software that could be exploited to violate a system or the information it contains. 3.2 Terms defined in this Recommendation This Recommendation defines the following terms: 3.2.1 accuracy percentage: Th
31、e percentage of security elements in the review sample that reference the correct CAPEC identifiers. 3.2.2 attack instance: A specific detailed attack against an application or system targeting vulnerabilities or weaknesses in that system. 3.2.3 attack pattern: An abstraction of common approaches of
32、 attack observed in the wild against applications or systems (e.g., SQL injection, man-in-the-middle, session hijacking). NOTE A single attack pattern may potentially have many varying attack instances associable with it. 3.2.4 capability: An assessment tool, dynamic application security testing (DA
33、ST) tool, penetration testing tool, exploit framework tool, threat modelling tool, database, website, advisory, or service that provides information about attack instances and patterns. 3.2.5 map/mapping: The specification of relationships between attack pattern elements in a repository and the CAPE
34、C items that are related to those elements. 3.2.6 owner based on b-ITU-T X.1520: The custodian (real person or company) having responsibility for the capability (as defined in this Recommendation). 2 Rec. ITU-T X.1544 (04/2013) 3.2.7 repository: An implicit or explicit collection of attack pattern e
35、lements that supports a capability, e.g., a database of attack patterns, the set of attack instances in a DAST tool, or a website. 3.2.8 review: The process of determining whether a capability is CAPEC-compatible. 3.2.9 review version: The dated version of CAPEC that is being used for determining CA
36、PEC compatibility of a capability. 3.2.10 security element: A database record, assessment probe, attack instance, exploit, payload, etc., that is related to a specific attack pattern. 3.2.11 task: A tools probe, check, signature, etc., that performs some action that produces security information (i.
37、e., the security element). 3.2.12 tool: A software application or device that tests the security properties of an application or system through simulation, emulation or characterization of potential attacks against that system, e.g., an assessment tool, dynamic application security testing (DAST) to
38、ol, penetration testing tool, exploit framework tool, threat modelling tool. 3.2.13 user based on b-ITU-T X.1520: A consumer or potential consumer of the capability (as defined in this Recommendation). 3.2.14 weakness: A shortcoming or imperfection in the software code, design, architecture, or depl
39、oyment that could, at some point, become a vulnerability or could contribute to the introduction of other vulnerabilities. 4 Abbreviations and acronyms This Recommendation uses the following abbreviations and acronyms: CAPEC Common Attack Pattern Enumeration and Classification CCR Coverage Claim Rep
40、resentation CIA Confidentially, Integrity or Availability CWE Common Weakness Enumeration DAST Dynamic Application Security testing Tool GUI Graphical User Interface IDS Intrusion Detection System POC Point Of Contact 5 Conventions The keywords “required“, “shall“, “shall not“, “should“, “should not
41、“, “recommended“, “may“ and “optional“ in this Recommendation are interpreted in accordance with the ITU-T Authors Guide (available at http:/www.itu.int/oth/T0A0F000004/en). 6 High-level requirements The following items define the concepts, roles and responsibilities related to the proper use of CAP
42、EC identifiers to share data across separate security testing capabilities (tools, repositories and services) to allow these security testing capabilities to be used together, and to facilitate the comparison of security testing tools and services. Rec. ITU-T X.1544 (04/2013) 3 Prerequisites 6.1 The
43、 capability owner must be a valid legal entity, i.e., an organization or a specific individual, with a valid phone number, e-mail address and street mail address. 6.2 The capability must provide additional value or information beyond that which is provided in CAPEC itself (i.e., name, description, r
44、isks, references and associated weakness information). 6.3 The capability owner must provide the review authority with a technical point of contact who is qualified to answer questions related to the mapping accuracy and any CAPEC-related functionality of the capability. 6.4 The capability must be a
45、vailable to the public, or to a set of consumers, in a production or public version. 6.5 For CAPEC compatibility the capability owner must provide the review authority with a completed “CAPEC compatibility Requirements Evaluation Form“. 6.6 The capability owner must provide the review authority with
46、 free access to the repository so that the review authority can determine that the repository satisfies all associated mapping accuracy requirements. 6.7 The capability owner must allow the review authority to use the repository to identify any attack pattern that should be added to CAPEC. 6.8 The c
47、apability owner must agree to abide by all of the mandatory CAPEC compatibility requirements, which includes the mandatory requirements for the specific type of capability. Functionality 6.9 For CAPEC compatibility, the capability must allow users to locate security elements using CAPEC identifiers
48、(“CAPEC-Searchable“). 6.10 For CAPEC compatibility when the capability presents security elements to the user, it must allow the user to obtain the associated CAPEC identifiers (“CAPEC-Output“). 6.11 For CAPEC compatibility, the capabilitys mapping must accurately link security elements to the appro
49、priate CAPEC identifiers (“Mapping Accuracy“). 6.12 For CAPEC compatibility, the capabilitys documentation must adequately describe CAPEC, CAPEC compatibility and how the CAPEC-related functionality in the capability is used (“CAPEC-Documentation“). 6.13 For CAPEC compatibility, the capabilitys publicly available documentation must explicitly list the CAPEC identifiers that the capability owner considers the capability to cover as part of its functionality (“CAPEC-Coverage“). 6.14 For CAPEC compatibility, the ca
