MAEC Mechanisms Development


MAEC Mechanisms Development

Kirillov, Ivan A.
All,

I wanted to let you know that we've been busy working on the MAEC v4.1 update. The biggest change in this version will be the initial incorporation of Mechanisms:

Mechanisms represent the highest level abstraction of some particular group of goals or activities that malware may attempt to achieve. Accordingly, each Mechanism may have one or more corresponding Strategic Objectives, which represent the particular outcomes that may be desired in relation to the Mechanism. Each Strategic Objective may subsequently have one or more Tactical Objectives, which represent a more granular breakdown or variation of the parent objective. Tactical Objectives may be achieved with multiple means in malicious code, with each such implementation captured as a Behavior (currently captured in MAEC at an abstract level). Finally, Behaviors themselves can be achieved with one or more Actions (currently captured in MAEC at a detailed level), which represent the observable or discernible malware characteristics such as kernel API calls or particular snippets of machine code.

An example of a full Mechanism -> Action chain is:

Anti-Detection (Mechanism) -> Hide Malware Artifacts (Strategic Objective) -> Hide File System Artifacts (Tactical Objective) -> I/O Request Packet (IRP) filtering (Behavior) -> Hook nt!pIofCallDriver() function pointer (Action)

Thus, notionally, the discovered Actions for a particular malware instance may be mapped to some set of Behaviors. Accordingly, these Behaviors would be mapped to their parent Mechanisms, with the Strategic and Tactical objectives in between providing detailed insight into what the malware author(s) are trying to accomplish.

For MAEC v4.1, we envision that we'll implement the Mechanisms and their Objectives as a controlled vocabulary for tagging a malware instance in a Bundle, with a schema structure that can abstract one or more Behaviors (much like the current BehaviorType). Thus, this will allow for the specification of whether a malware instance incorporates a particular Mechanism, and if known, the particular Objective(s) of the Mechanism. Also, we plan on capturing this taxonomy in a dictionary-like view on the MAEC website.

Here's the current list of Mechanisms that we've put together:
-Infection
-Anti-Behavioral Analysis
-Anti-Source Code Analysis
-Anti-Removal
-Anti-Detection
-Persistence
-Security Degradation
-Data Theft
-Spying
-Annoyance
-Destruction
-Integrity Violation
-Availability Violation

This is still very much a rough first pass, so we welcome your feedback and comments. Are there any Mechanisms that you feel are missing? Does this sort of taxonomy make sense?

Also, we've captured our current representation of Mechanisms and their objectives in a mind map, which can be found on the MAEC Development Group on Handshake (let me know if you'd like access and I'd be happy to add you). It contains MUCH more detail than I've included here, so I encourage those interested to take a look. Some of the Mechanisms and their objectives could also use much more fleshing out, so we'd greatly appreciate any assistance in that regard.

I plan on sharing more regarding the Mechanism development and implementation in MAEC v4.1 in the near future as we continue to make progress.

Regards,
Ivan Kirillov
MAEC Project
The MITRE Corporation
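Ivan's chain and the Action-to-Mechanism roll-up he describes, as an added example (written for this page, not MAEC project code): the vocabulary is the Mechanism list from this thread, the first chain is the one in the post, and the remaining chains and the sample sandbox-style input are constructed placeholders; matching on exact Action names is an assumption.

```python
"""Roll discovered malware Actions up through Behaviors and Objectives to
MAEC Mechanisms. Added illustration for this thread, not MAEC project code."""
from collections import defaultdict
from dataclasses import dataclass

# Controlled vocabulary: the thirteen Mechanisms listed in the post plus the
# three Ivan adds later in the thread.
MECHANISMS = frozenset({
    "Infection", "Anti-Behavioral Analysis", "Anti-Source Code Analysis",
    "Anti-Removal", "Anti-Detection", "Persistence", "Security Degradation",
    "Data Theft", "Spying", "Annoyance", "Destruction", "Integrity Violation",
    "Availability Violation", "Command & Control", "Data Exfiltration",
    "Remote Machine Access",
})


@dataclass(frozen=True)
class Chain:
    """One full Mechanism -> Strategic -> Tactical -> Behavior -> Action path."""
    mechanism: str
    strategic_objective: str
    tactical_objective: str
    behavior: str
    action: str


# The first chain is the worked example from the post. The others are
# constructed placeholders (not MAEC taxonomy entries) so that one Behavior
# has two Actions and one Tactical Objective has two Behaviors.
TAXONOMY = (
    Chain("Anti-Detection", "Hide Malware Artifacts", "Hide File System Artifacts",
          "I/O Request Packet (IRP) filtering",
          "Hook nt!pIofCallDriver() function pointer"),
    Chain("Anti-Detection", "Hide Malware Artifacts", "Hide File System Artifacts",
          "I/O Request Packet (IRP) filtering",
          "Attach filter device object to file system stack"),  # constructed
    Chain("Anti-Detection", "Hide Malware Artifacts", "Hide File System Artifacts",
          "Directory enumeration filtering",                     # constructed
          "Hook directory enumeration API"),                     # constructed
    Chain("Persistence", "Survive Reboot", "Autostart with User Session",
          "Registry Run key entry",                              # constructed
          "Create value under HKCU Run key"),                    # constructed
)


def validate(chains=TAXONOMY):
    """Reject chains whose Mechanism is not in the controlled vocabulary, so a
    Bundle can only be tagged with terms the dictionary defines."""
    unknown = sorted({c.mechanism for c in chains} - MECHANISMS)
    if unknown:
        raise ValueError(f"Mechanism(s) outside controlled vocabulary: {unknown}")
    return True


def roll_up(observed_actions, chains=TAXONOMY):
    """Map observed Action names up the chain.

    Returns (mapping, unmapped): mapping is nested as
    {mechanism: {strategic: {tactical: {behavior: set(actions)}}}}, and
    unmapped lists the Actions no chain explains. Matching is on the exact
    Action name; an Action that serves several Behaviors counts for each.
    """
    validate(chains)
    by_action = defaultdict(list)
    for c in chains:
        by_action[c.action].append(c)
    mapping, unmapped = {}, set()
    for act in observed_actions:
        hits = by_action.get(act)
        if not hits:
            unmapped.add(act)
            continue
        for c in hits:
            (mapping.setdefault(c.mechanism, {})
                    .setdefault(c.strategic_objective, {})
                    .setdefault(c.tactical_objective, {})
                    .setdefault(c.behavior, set())
                    .add(act))
    return mapping, sorted(unmapped)


def bundle_tags(observed_actions, chains=TAXONOMY):
    """Tags of the form the post proposes for a Bundle: the Mechanism plus,
    where the chain is known, its Strategic and Tactical Objective."""
    mapping, _ = roll_up(observed_actions, chains)
    return sorted((mech, strat, tact)
                  for mech, strats in mapping.items()
                  for strat, tacts in strats.items()
                  for tact in tacts)


if __name__ == "__main__":
    # Constructed sandbox-style output: two Actions that map, one that does not.
    seen = ["Hook nt!pIofCallDriver() function pointer",
            "Create value under HKCU Run key",
            "Open outbound TCP connection"]
    for tag in bundle_tags(seen):
        print(" -> ".join(tag))
    print("unmapped:", roll_up(seen)[1])
```

Unmapped Actions are returned rather than dropped, since an Action no chain explains is exactly the gap the taxonomy still needs to fill.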

RE: MAEC Mechanisms Development

Palmer, Cliff A. (NE)
Ivan, I'd recommend that you consider including an element in the Mechanism for linking it to a Campaign Element in STIX. Perhaps this is obvious but it would be helpful to make it explicit.
Thanks
Cliff

-----Original Message-----
From: [hidden email] [mailto:[hidden email]] On Behalf Of Kirillov, Ivan A.
Sent: Wednesday, July 24, 2013 2:44 PM
To: maec-discussion-list Malware Attribute Enumeration Discussion
Subject: MAEC Mechanisms Development


RE: MAEC Mechanisms Development

Kirillov, Ivan A.
Good point Cliff - this could certainly be a useful linkage. However, since STIX subsumes MAEC, it may make more sense to have an element in a STIX Campaign that can point to a MAEC Mechanism rather than the other way around. I've added a tracker item on the STIX Schemas GitHub repository so that we consider this for future releases: https://github.com/STIXProject/schemas/issues/36

Regards,
Ivan

-----Original Message-----
From: [hidden email] [mailto:[hidden email]] On Behalf Of Palmer, Cliff A. (NE)
Sent: Wednesday, July 24, 2013 2:57 PM
To: maec-discussion-list Malware Attribute Enumeration Discussion
Subject: RE: MAEC Mechanisms Development


Re: MAEC Mechanisms Development

Eric Freyssinet
In reply to this post by Kirillov, Ivan A.
Hello Ivan,

To help you, here is the list compiled on botnets.fr of features of malware/botnets:

Best regards,

Eric Freyssinet

--
Eric Freyssinet
perso: [hidden email]
pro: [hidden email]
blog: http://blog.crimenumerique.fr/ - twitter: @ericfreyss

RE: MAEC Mechanisms Development

Kirillov, Ivan A.

Thanks Eric – this is great! If you don’t mind, I’d like to incorporate this data in our mind map, with appropriate references/credit of course.

Also, it looks like I missed a few Mechanisms in my original email. We also have:
-Command & Control
-Data Exfiltration
-Remote Machine Access

Regards,
Ivan

From: Eric Freyssinet [mailto:[hidden email]]
Sent: Wednesday, July 24, 2013 3:59 PM
To: Kirillov, Ivan A.
Cc: maec-discussion-list Malware Attribute Enumeration Discussion
Subject: Re: MAEC Mechanisms Development

 

Hello Ivan,

 

To help you, here is the list compiled on botnets.fr of features of malware/botnets:

 

Best regards,


Eric Freyssinet

On Wed, Jul 24, 2013 at 8:44 PM, Kirillov, Ivan A. <[hidden email]> wrote:

All,

I wanted to let you know that we've been busy working on the MAEC v4.1 update. The biggest change in this version will be the initial incorporation of Mechanisms:

Mechanisms represent the highest level abstraction of some particular group of goals or activities that malware may attempt to achieve. Accordingly, each Mechanism may have one or more corresponding Strategic Objectives, which represent the particular outcomes that may be desired in relation to the Mechanism. Each Strategic Objective may subsequently have one or more Tactical Objectives, which represent a more granular breakdown or variation of the parent objective. Tactical Objectives may be achieved with multiple means in malicious code, with each such implementation captured as a Behavior (currently captured in MAEC at an abstract level). Finally, Behaviors themselves can be achieved with one or more Actions (currently captured in MAEC at a detailed level), which represent the observable or discernible malware characteristics such as kernel API calls or particular snippets of machine code.

An example of a full Mechanism-> Action chain is:

Anti-Detection (Mechanism) -> Hide Malware Artifacts (Strategic Objective) -> Hide File System Artifacts (Tactical Objective) -> I/O Request Packet (IRP) filtering (Behavior) -> Hook nt!plofCallDriver() function pointer (Action)

Thus, notionally, the discovered Actions for a particular malware instance may be mapped to some set of Behaviors. Accordingly, these Behaviors would be mapped to their parent Mechanisms, with the Strategic and Tactical objectives in between providing detailed insight into what the malware author(s) are trying to accomplish.

For MAEC v4.1, we envision that we'll implement the Mechanisms and their Objectives as a controlled vocabulary for tagging a malware instance in a Bundle, with a schema structure that can abstract one or more Behaviors (much like the current BehaviorType). Thus, this will allow for the specification of whether a malware instance incorporates a particular Mechanism, and if known, the particular Objective(s) of the Mechanism. Also, we plan on capturing this taxonomy in a dictionary-like view on the MAEC website.

Here's the current list of Mechanisms that we've put together:
-Infection
-Anti-Behavioral Analysis
-Anti-Source Code Analysis
-Anti-Removal
-Anti-Detection
-Persistence
-Security Degradation
-Data Theft
-Spying
-Annoyance
-Destruction
-Integrity Violation
-Availability Violation

This is still very much a rough first pass, so we welcome your feedback and comments. Are there any Mechanisms that you feel are missing? Does this sort of taxonomy make sense?

Also, we've captured our current representation of Mechanisms and their objectives in a mind map, which can be found on the MAEC Development Group on Handshake (let me know if you'd like access and I'd be happy to add you). It contains MUCH more detail than I've included here, so I encourage those interested to take a look. Some of the Mechanisms and their objectives could also use much more fleshing out, so we'd greatly appreciate any assistance in that regard.

I plan on sharing more regarding the Mechanism development and implementation in MAEC v4.1 in the near future as we continue to make progress.

Regards,
Ivan Kirillov
MAEC Project
The MITRE Corporation



 

--
Eric Freyssinet
perso: [hidden email]
pro: [hidden email]
blog: http://blog.crimenumerique.fr/ - twitter: @ericfreyss

Reply | Threaded
Open this post in threaded view
|

Re: MAEC Mechanisms Development

Eric Freyssinet
No problem, everything on botnets.fr is for sharing and sourced.

On Wed, Jul 24, 2013 at 10:05 PM, Kirillov, Ivan A. <[hidden email]> wrote:


Re: MAEC Mechanisms Development

PAT MARONEY-2
In reply to this post by Kirillov, Ivan A.
Can you share your mind map directly as well?

Patrick Maroney
(609)841-5104


RE: MAEC Mechanisms Development

Kirillov, Ivan A.
In reply to this post by Kirillov, Ivan A.

Small update – we’ve moved the Mechanisms mind map to our new working documents repository on GitHub:

https://github.com/MAECProject/working-documents/blob/master/mind_maps/MAEC_Malware_Mechanisms.mm

We’ll be keeping this copy up to date with the latest changes and additions, so feel free to take a look if you’re interested in seeing its evolution.

Regards,
Ivan
