CAPEC Threat Modeling
What is CAPEC?
CAPEC stands for “The Common Attack Pattern Enumeration and Classification”. The National Institute of Standards and Technology describes it as “a comprehensive dictionary and classification taxonomy of known attacks that can be used by analysts, developers, testers, and educators to advance community understanding and enhance defenses”.
CAPEC provides a publicly available catalog of common attack patterns that helps users understand how adversaries exploit weaknesses in applications and other cyber-enabled capabilities.
Originally established by the U.S. Department of Homeland Security and released in 2007, the list keeps evolving through public participation and enterprise contributions, with a view to establishing a common way of identifying, collecting, refining, and sharing attack patterns across the cybersecurity community.
CAPEC in Threat Modeling
IriusRisk provides a threat modeling and risk management platform that includes the CAPEC library as a source of threats. As the architecture and its components are selected, the rules engine calculates which attack patterns from the CAPEC library apply and generates a threat model from them. The resulting model lists each threat (CAPEC), the potential weaknesses it exploits (CWE) and the countermeasures to apply.
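The component-to-threat mapping described above, as an added toy example (not IriusRisk's rules engine or library): a small rule set keyed on component type yields the applicable CAPEC patterns, each carrying the CWE weaknesses it exploits and its countermeasures, and a second function reports which threats remain unmitigated given the controls already implemented. The component types, rule contents and countermeasure names are constructed for illustration; the CAPEC and CWE identifiers are the real public ones.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Threat:
    capec_id: int            # CAPEC attack pattern identifier
    name: str
    cwe_ids: tuple           # CWE weaknesses the pattern exploits
    countermeasures: tuple   # controls that mitigate the pattern

# Constructed rule set: component type -> applicable CAPEC patterns (hypothetical, not IriusRisk's)
RULES = {
    "web-form": (
        Threat(66, "SQL Injection", (89,), ("parameterized queries", "input validation")),
        Threat(63, "Cross-Site Scripting (XSS)", (79,), ("output encoding", "Content-Security-Policy")),
    ),
    "login": (Threat(112, "Brute Force", (307,), ("rate limiting", "account lockout", "MFA")),),
    "file-download": (Threat(126, "Path Traversal", (22,), ("path canonicalization and allow-list",)),),
}

def build_threat_model(components):
    """components: list of (component_name, component_type).
    Returns (model, unknown) where model maps component name -> applicable threats
    and unknown lists components whose type has no rule (they need manual review)."""
    model, unknown = {}, []
    for name, ctype in components:
        if ctype not in RULES:
            unknown.append(name)
            continue
        model[name] = list(RULES[ctype])
    return model, unknown

def weaknesses_in_model(model):
    """Distinct CWE ids referenced anywhere in the model, sorted."""
    return sorted({cwe for threats in model.values() for t in threats for cwe in t.cwe_ids})

def unmitigated(model, implemented):
    """Map component -> CAPEC ids for which none of the listed countermeasures is implemented.
    A threat counts as mitigated as soon as one of its countermeasures is in place."""
    result = {}
    for name, threats in model.items():
        open_ids = [t.capec_id for t in threats if not set(t.countermeasures) & set(implemented)]
        if open_ids:
            result[name] = open_ids
    return result

if __name__ == "__main__":
    arch = [("checkout", "web-form"), ("signin", "login"), ("report", "file-download"), ("cache", "redis")]
    model, unknown = build_threat_model(arch)
    print(unmitigated(model, {"parameterized queries", "rate limiting"}), "unreviewed:", unknown)
```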
The comprehensiveness of the CAPEC library within IriusRisk also lets users search for the most relevant and current threats and take the remediation action the platform suggests, with full data flow diagramming and integration with other DevSecOps tools.