This document describes how to query and manipulate CAPEC data in this repository. Machine-readable CAPEC data is available in a JSON-based STIX 2.0 and STIX 2.1 formats. See Release Notes for any changes to the generation of the STIX CAPEC data.
STIX 2.x is just JSON and so should be very accessible from Python and other programming languages. If you are using Python, the python-stix2 library can help you work with the content as shown in the examples below.
First, we must describe how CAPEC objects and properties map to STIX 2.x objects and properties.
In CAPEC, the main object is the Attack Pattern. Most Attack Pattern also have Mitigations. There are other types of objects in CAPEC (e.g, Category, View, etc.), but these are not (currently) part of the repository.
The STIX types are found as literal strings assigned to the
property of the STIX JSON object. The STIX 2.x object called “Attack Pattern” corresponds to a CAPEC attack pattern. In STIX 2.x, there are objects called “Course(s) of Action” which can be used to describe CAPEC Mitigations.1
type
The following is a table mapping of CAPEC properties to STIX properties. Some of these properties are standard STIX properties, while others were custom-created for compatibility with CAPEC. These properties are accessed from STIX objects as JSON properties.
| CAPEC 3.6 Property | STIX Properties | STIX type |
| ————— | ————— | ————— |
Name |
| string |
Description | 1
name
| string
Extended_Definition | 1
description
| string
Abstraction | 1
x_capec_extended_definition
| enumeration(1
x_capec_abstraction
)
Alternate_Terms | 1
Meta, Standard, Detailed
| list(string)
Consequences | 1
x_capec_alternate_terms
| dictionary(enumeration(1
x_capec_consequences
), string)
Example_Instances | 1
High, Medium, Low
| list(string)
Execution_Flows | 1
x_capec_example_instances
| (XHTML) string
Likelihood_Of_Attack | 1
x_capec_execution_flows
| enumeration(1
x_capec_likelihood_of_attack
)
Notes | Other_Notes | 1
High, Medium, Low
| list(string)
Prerequisites | 1
x_capec_notes
| list(string)
Skills_Required | 1
x_capec_prerequisites
| dictionary(string, enumeration(1
x_capec_skills_required
))
Typical_Severity | 1
High, Medium, Low
| enumeration(1
x_capec_typical_severity
)
ID | 1
High, Medium, Low
| integer
Related_Weaknesses | 1
external_references[i].external_id where external_references[i].source_name == "capec"
| integer
References | 1
external_references[i].external_id where external_references[i].source_name == "cwe"
| 1
external_references[i].external_id where external_references[i].source_name == "reference_from_CAPEC"
Mitigation | 1
external-reference
| 1
relationship_type == "mitigates"
1
relationship
| CAPEC 3.6 Relationship | STIX Properties | STIX type |
| ————— | ————— | ————— |
parent_of |
| list(identifier)
child_of | 1
x_capec_parent_of_refs
| list(identifier)
can_precede | 1
x_capec_child_of_refs
| list(identifier)
can_follow | 1
x_capec_can_precede_refs
| list(identifier)
peer_of | 1
x_capec_can_follow_refs
| list(identifier)1
x_capec_peer_of_refs
CAPEC 3.6 properties not mapped (at this time): Indicators, Taxonomy_Mappings, Content_History
CAPEC 3.6 properties not appropriate to map: Status
In this section, we will describe how to query and manipulate CAPEC data that has been stored in a STIX 2.x repository. A Python library has been created for using and creating STIX 2.x data by the OASIS Technical Committee for Cyber Threat Intelligence, which develops the STIX standard. This library abstracts storage and transport details so that the same code can be used to interact with data locally on the filesystem or in memory, or remotely via TAXII. The source code, installation instructions, and basic documentation for the library can be found here. There is a more thorough API documentation as well.
To begin querying STIX 2.x data, you must first have a DataSource. For these examples, we will simply use a FileSystemSource. The CAPEC corpus must first be cloned or downloaded from GitHub.
Once the stix2 Python library is installed and the corpus is acquired, we need to open the DataStore for querying:
1
2
from stix2 import FileSystemSource
fs = FileSystemSource('./cti/capec')
When creating the DataSource, the keyword agrument
must be set to 1
allow_custom
. This is because the CAPEC data uses several custom properties which are not part of the STIX 2.x specification (1
True
, 1
x_capec_prerequisites
, etc).1
x_capec_example_instances
To perform a query, we must define a Filter. As of this writing, a filter must, at a minimum, specify object
’s or an object 1
id
. The following filter can be used to retrieve all CAPEC attack patterns:1
type
1
2
from stix2 import Filter
filt = Filter('type', '=', 'attack-pattern')
Once this filter is defined, you can pass it to the DataSource
function in order to actually query the data:1
query
1
attack_patterns = fs.query([filt])
Notice that the
function takes a list of filters. These filters are logically AND’d together during the query. As of this writing, 1
query
must be set to 1
allow_custom
in order to query CAPEC data. This is because the CAPEC data uses several custom properties which are not part of the STIX 2.0 specification (1
True
, 1
x_capec_prerequisites
, etc).1
x_capec_example_instances
For the remaining examples, these imports and the FileSystemStore initialization will be omitted.
In this example, the STIX 2.x type must be passed into the function. Here we query for the attack pattern with ID
(SQL Injection).1
66
1
2
3
4
5
6
7
8
9
def get_attack_pattern_by_capec_id(src, capec_id):
filt = [
Filter('type', '=', 'attack-pattern'),
Filter('external_references.external_id', '=', 'CAPEC-' + capec_id),
Filter('external_references.source_name', '=', 'capec'),
]
return src.query(filt)
get_attack_pattern_by_capec_id(fs, '66')
The mitigations for a technique are stored in objects separate from the technique. These objects are found through a
relationship.1
mitigates
1
2
3
4
5
6
7
8
def get_mitigations_by_attack_pattern(src, ap_stix_id):
relations = src.relationships(ap_stix_id, 'mitigates', target_only=True)
return src.query([
Filter('type', '=', 'course-of-action'),
Filter('id', 'in', [r.source_ref for r in relations])])
ap = get_attack_pattern_by_capec_id(fs, '66')[0]
get_mitigations_by_attack_pattern(fs, ap.id)
The STIX CAPEC data is generated by a python script named
. In this section the changes to the script for each new CAPEC release is listed.1
capec2stix
1
x_capec_extended_definition
property1
x_capec_child_of_refs
: contains a list of STIX ids of the Attack Pattern objects which the current object is a child of1
x_capec_parent_of_refs
: contains a list of STIX ids of the Attack Pattern objects which the current object is a parent of1
x_capec_can_precede_refs
: contains a list of STIX ids of the Attack Pattern objects which the current object can precede1
x_capec_can_follow_refs
: contains a list of STIX ids of the Attack Pattern objects which the current object can follow1
x_capec_peer_of_refs
: contains a list of STIX ids of the Attack Pattern objects which the current object is a peer of