
Proposal: Refactor Behaviors

Ivan Kirillov edited this page Sep 8, 2015 · 17 revisions

Status:
Comment Period Closes:
Affects Backwards Compatibility: Yes

Background Information

In MAEC, Behaviors serve to capture the purpose behind a particular snippet of code as executed by a malware instance, and therefore have an important role in accurately characterizing the operations of malware at a middle level of abstraction, between Capabilities and Actions. Up to this point, their implementation in MAEC has purposefully remained rather abstract while we iterated and worked on some of the other components such as Capabilities and Actions. However, we feel that it is now appropriate to work on refactoring Behaviors for cohesiveness with respect to the other MAEC components, especially in the wake of the proposed changes around Capabilities.

Related Proposals

This proposal is related to the following proposed changes to the schema:

  • https://github.com/MAECProject/schemas/wiki/Proposal:-Make-Actions,-Behaviors,-and-Capabilities-Top-Level-Entities
  • https://github.com/MAECProject/schemas/wiki/Proposal:-Deprecate-MAEC-Bundle-(as-a-concept-and-output-format)
  • https://github.com/MAECProject/schemas/wiki/Proposal:-Refactor-Capabilities

Proposal

There are two driving forces behind the changes to the implementation of Behaviors in the MAEC schema:

  • Based on the associated changes outlined in the proposal on refactoring Capabilities, the majority of existing Capability Objectives (from MAEC v4.1) will now be recast as Behaviors, necessitating a corresponding change to the BehaviorType and also the creation of new vocabularies around Behaviors.
  • Simplification: as one of the primary drivers of change in MAEC 5.0, we feel that the existing implementation of Behaviors can be simplified to coincide with related changes.

Accordingly, the refactored BehaviorType, found in the MAEC Core (formerly MAEC Bundle) schema, should have the following fields:

| Field | Type | Multiplicity | Description |
| --- | --- | --- | --- |
| @id | xs:QName | 1 | The required id field specifies a unique id for this Behavior. |
| Name | cyboxCommon:ControlledVocabularyStringType | 1 | The required Name field captures the name of the Behavior. The default vocabulary for this field is the BehaviorNameVocab from the MAEC Default Vocabularies schema. |
| Description | cyboxCommon:StructuredTextType | 0-1 | The Description field contains a basic textual description of the Behavior. |
| Property | maecCore:BehaviorPropertyType | 0-N | The Property field permits the capture of a single property of the Behavior, as a key/value pair. More than one property can be specified via multiple occurrences of this field. |
| Action_Reference | maecCore:BehavioralActionReferenceType | 0-N | The Action_Reference field specifies a reference to a single Action that serves as the underlying implementation of the Behavior. More than one such Action can be referenced via multiple occurrences of this field. |

Note that the new Property field replaces the previous Purpose field. The primary intent of the Purpose field was to identify any vulnerabilities exploited by the Behavior, which can now be stated as a property (see the example below).

The new BehaviorPropertyType is very similar to the CapabilityPropertyType and therefore should have the following fields:

| Field | Type | Multiplicity | Description |
| --- | --- | --- | --- |
| Name | cyboxCommon:ControlledVocabularyStringType | 0-1 | The Name field specifies the name of the Behavioral property being captured. The name can be either free-form text or a standardized value from a vocabulary included in the MAEC Default Vocabularies schema. The default vocabulary for this field is the BehaviorPropertyVocab from the MAEC Default Vocabularies schema. |
| Value | xs:string | 0-1 | The Value field specifies the value of the Behavioral property being captured. |
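As an added illustration (not part of the proposal or the MAEC schemas), the following Python checks a constructed MAEC 5.0 Behavior instance against the two field tables above, including the replacement of Purpose by a Property. The namespace URI, the Behavior name, the property name "vulnerability" and the CVE value are placeholders; the action_id attribute on Action_Reference is assumed from MAEC 4.x.

```python
import xml.etree.ElementTree as ET

# Namespace URI is a placeholder: the proposal only names the maecCore prefix.
NS = {"maecCore": "urn:example:maec-core"}

# Child elements of BehaviorType with the multiplicities from the proposal's
# field table: (min occurrences, max occurrences or None for unbounded).
BEHAVIOR_FIELDS = {
    "Name": (1, 1),
    "Description": (0, 1),
    "Property": (0, None),
    "Action_Reference": (0, None),
}
# BehaviorPropertyType: a key/value pair, each part optional.
PROPERTY_FIELDS = {"Name": (0, 1), "Value": (0, 1)}

def local_name(tag):
    """Strip the '{namespace}' prefix ElementTree puts on qualified tags."""
    return tag.split("}", 1)[-1]

def check_fields(element, fields, label):
    """Compare an element's children against a (min, max) multiplicity table."""
    problems, counts = [], {}
    for child in element:
        counts[local_name(child.tag)] = counts.get(local_name(child.tag), 0) + 1
    for name, (lo, hi) in fields.items():
        n = counts.pop(name, 0)
        if n < lo:
            problems.append(f"{label}/{name}: required, found {n}")
        if hi is not None and n > hi:
            problems.append(f"{label}/{name}: at most {hi} allowed, found {n}")
    # Anything left over is not a field of the proposed type (e.g. Purpose).
    problems.extend(f"{label}/{name}: not a field of this type" for name in counts)
    return problems

def check_behavior(xml_text):
    """Return violations of the proposed BehaviorType for one Behavior element."""
    behavior = ET.fromstring(xml_text)
    problems = [] if behavior.get("id") else ["Behavior/@id: required"]
    problems += check_fields(behavior, BEHAVIOR_FIELDS, "Behavior")
    for prop in behavior.findall("maecCore:Property", NS):
        problems += check_fields(prop, PROPERTY_FIELDS, "Behavior/Property")
    return problems

# Constructed MAEC 5.0 instance: the exploited vulnerability, formerly stated
# via the Purpose field, is now a Property. Name, property name and CVE are
# placeholders; action_id is assumed from the MAEC 4.x Action_Reference.
GOOD = """<maecCore:Behavior xmlns:maecCore="urn:example:maec-core" id="example:behavior-1">
  <maecCore:Name>example behavior name</maecCore:Name>
  <maecCore:Description>Constructed instance for the structural check.</maecCore:Description>
  <maecCore:Property>
    <maecCore:Name>vulnerability</maecCore:Name>
    <maecCore:Value>CVE-XXXX-XXXX</maecCore:Value>
  </maecCore:Property>
  <maecCore:Action_Reference action_id="example:action-1"/>
</maecCore:Behavior>"""

# Constructed pre-refactor shape: no @id, two Names, deprecated Purpose child.
BAD = """<maecCore:Behavior xmlns:maecCore="urn:example:maec-core">
  <maecCore:Name>first</maecCore:Name>
  <maecCore:Name>second</maecCore:Name>
  <maecCore:Purpose/>
</maecCore:Behavior>"""
```

Running `check_behavior(GOOD)` yields no problems, while `check_behavior(BAD)` reports the missing id, the second Name and the Purpose child that the refactored type no longer carries.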

Based on the above changes, the following types found in the MAEC Core (formerly MAEC Bundle) schema would be deprecated:

  • BehavioralActionType
  • BehavioralActionEquivalenceReferenceType
  • BehavioralActionsType
  • BehaviorPurposeType
  • ExploitType
  • CVEVulnerabilityType
  • PlatformListType

Additionally, the following existing types found in the MAEC Core (formerly MAEC Bundle) schema would be deprecated:

  • CapabilityObjectiveType
  • CapabilityObjectiveReferenceType

The following vocabulary-related changes will be made:

  • A new CapabilityNameVocab-1.0 will be created, along with a corresponding enumeration, the CapabilityNameEnum-1.0.
  • The existing MalwareCapabilityEnum-1.0 enumeration will be deprecated.
  • The existing vocabularies around Strategic and Tactical Objectives will be deprecated, including the AntiCodeAnalysisStrategicObjectivesVocab-1.0, AntiCodeAnalysisTacticalObjectivesVocab-1.0, AntiDetectionStrategicObjectivesVocab-1.0, AntiDetectionTacticalObjectivesVocab-1.0, AntiRemovalStrategicObjectivesVocab-1.0, AntiRemovalTacticalObjectivesVocab-1.0, CapabilityObjectiveRelationshipTypeVocab-1.0, CommandandControlStrategicObjectivesVocab-1.0, CommandandControlTacticalObjectivesVocab-1.0, DataExfiltrationStrategicObjectivesVocab-1.0, DataExfiltrationTacticalObjectivesVocab-1.0, DestructionStrategicObjectivesVocab-1.0, DestructionTacticalObjectivesVocab-1.0, FraudStrategicObjectivesVocab-1.0, FraudTacticalObjectivesVocab-1.0, InfectionPropagationStrategicObjectivesVocab-1.0, InfectionPropagationTacticalObjectivesVocab-1.0, IntegrityViolationStrategicObjectivesVocab-1.0, IntegrityViolationTacticalObjectivesVocab-1.0, MachineAccessControlStrategicObjectivesVocab-1.0, MachineAccessControlTacticalObjectivesVocab-1.0, PersistenceStrategicObjectivesVocab-1.0, PersistenceTacticalObjectivesVocab-1.0, PrivilegeEscalationStrategicObjectivesVocab-1.0, PrivilegeEscalationTacticalObjectivesVocab-1.0, ProbingStrategicObjectivesVocab-1.0, ProbingTacticalObjectivesVocab-1.0, RemoteMachineManipulationStrategicObjectivesVocab-1.0, RemoteMachineManipulationTacticalObjectivesVocab-1.0, SecondaryOperationStrategicObjectivesVocab-1.0, SecondaryOperationTacticalObjectivesVocab-1.0, SecurityDegradationStrategicObjectivesVocab-1.0, SecurityDegradationTacticalObjectivesVocab-1.0, SpyingStrategicObjectivesVocab-1.0, SpyingTacticalObjectivesVocab-1.0.

The new CapabilityNameEnum-1.0 will have the following values:

| Value | Description |
| --- | --- |
| anti-behavioral analysis | The 'anti-behavioral analysis' Capability indicates that the malware instance is able to prevent behavioral analysis or make it more difficult. |
| anti-code analysis | The 'anti-code analysis' Capability indicates that the malware instance is able to prevent code analysis or make it more difficult. |
| anti-detection | The 'anti-detection' Capability indicates that the malware instance is able to prevent itself and its components from being detected on a system. |
| anti-removal | The 'anti-removal' Capability indicates that the malware instance is able to prevent itself and its components from being removed from a system. |
| availability violation | The 'availability violation' Capability indicates that the malware instance is able to compromise the availability of a system or some aspect of the system. |
| command and control | The 'command and control' (C2) Capability indicates that the malware instance is able to receive and/or execute remotely submitted commands. |
| data exfiltration | The 'data exfiltration' Capability indicates that the malware instance is able to exfiltrate stolen data or perform tasks related to the exfiltration of stolen data. |
| data theft | The 'data theft' Capability indicates that the malware instance is able to steal data from the system on which it executes. This includes data stored in some form, e.g. in a file, as well as data that may be entered into some application such as a web browser. |
| destruction | The 'destruction' Capability indicates that the malware instance is able to destroy some aspect of a system. |
| fraud | The 'fraud' Capability indicates that the malware instance is able to defraud a user or a system. |
| infection/propagation | The 'infection/propagation' Capability indicates that the malware instance is able to propagate through the infection of a machine or is able to infect a file after executing on a system. The malware instance may infect actively (e.g., gain access to a machine directly) or passively (e.g., send malicious email). This Capability does not encompass any aspects of the initial infection that is done independently of the malware instance itself. |
| integrity violation | The 'integrity violation' Capability indicates that the malware instance is able to compromise the integrity of a system. |
| machine access/control | The 'machine access/control' Capability indicates that the malware instance is able to access or control one or more remote machines and/or the machine on which it is executing. |
| persistence | The 'persistence' Capability indicates that the malware instance is able to persist and remain on a system regardless of system events. |
| privilege escalation | The 'privilege escalation' Capability indicates that the malware instance is able to elevate the privileges under which it executes. |
| probing | The 'probing' Capability indicates that the malware instance is able to probe its host system or network environment; most often this is done to support other Capabilities and their Objectives. |
| secondary operation | The 'secondary operation' Capability indicates that the malware instance is able to achieve secondary objectives in conjunction with or after achieving its primary objectives. |
| security degradation | The 'security degradation' Capability indicates that the malware instance is able to bypass or disable security features and/or controls. |
| spying | The 'spying' Capability indicates that the malware instance is able to capture information from a system related to user or system activity (e.g., from a system's peripheral devices). |
| OS security feature degradation | The 'OS security feature degradation' Subcapability indicates that the malware instance is able to bypass or disable operating system (OS) security mechanisms. |
| access control degradation | The 'access control degradation' Subcapability indicates that the malware instance is able to bypass or disable access control mechanisms designed to prevent unauthorized or unprivileged use or execution of applications or files. |
| anti-VM | The 'anti-VM' Subcapability indicates that the malware instance is able to prevent virtual machine (VM) based behavioral analysis or make it more difficult. |
| anti-debugging | The 'anti-debugging' Subcapability indicates that the malware instance is able to prevent itself from being debugged and/or from being run in a debugger or is able to make debugging more difficult. |
| anti-disassembly | The 'anti-disassembly' Subcapability indicates that the malware instance is able to prevent itself from being disassembled or make disassembly more difficult. |
| anti-memory forensics | The 'anti-memory forensics' Subcapability indicates that the malware instance is able to prevent memory forensics or make it more difficult. |
| anti-sandbox | The 'anti-sandbox' Subcapability specifies that the malware instance is able to prevent sandbox-based behavioral analysis or make it more difficult. |
| authentication credentials theft | The 'authentication credentials theft' Subcapability indicates that the malware instance is able to steal authentication credentials. |
| clean traces of infection | The 'clean traces of infection' Subcapability indicates that the malware instance is able to clean traces of its infection (e.g., file system artifacts) from a system. |
| compromise data availability | The 'compromise data availability' Subcapability indicates that the malware instance is able to compromise the availability of data on the local system on which it is executing and/or one or more remote systems. |
| compromise system availability | The 'compromise system availability' Subcapability indicates that the malware instance is able to compromise the availability of the local system on which it is executing and/or one or more remote systems. |
| continuous execution | The 'continuous execution' Subcapability indicates that the malware instance is able to continue to execute on a system after significant system events, such as a system reboot. |
| data integrity violation | The 'data integrity violation' Subcapability indicates that the malware instance is able to compromise the integrity of some data that resides on (e.g., in the case of files) or is received/transmitted (e.g., in the case of network traffic) by the system on which it is executing. |
| data obfuscation | The 'data obfuscation' Subcapability indicates that the malware is able to obfuscate data that will be exfiltrated. |
| data staging | The 'data staging' Subcapability indicates that the malware instance is able to gather, prepare, and stage data for exfiltration. |
| determine c2 server | The 'determine c2 server' Subcapability indicates that the malware instance is able to identify one or more command and control (C2) servers with which to communicate. |
| email spam | The 'email spam' Subcapability indicates that the malware instance is able to send spam email messages. |
| ensure compatibility | The 'ensure compatibility' Subcapability indicates that the malware instance is able to manipulate or modify the system on which it executes to ensure that it is able to continue executing. |
| environment awareness | The 'environment awareness' Subcapability indicates that the malware instance can fingerprint or otherwise identify the environment in which it is executing, for the purpose of altering its behavior based on this environment. |
| file infection | The 'file infection' Subcapability indicates that the malware instance is able to infect one or more files. |
| hide artifacts | The 'hide artifacts' Behavior indicates that the malware instance is able to hide its artifacts, such as files and open ports. |
| hide executing code | The 'hide executing code' Subcapability indicates that the malware instance is able to hide its executing code. |
| host configuration probing | The 'host configuration probing' Subcapability indicates that the malware instance is able to probe the configuration of the host system on which it executes. |
| information gathering for improvement | The 'information gathering for improvement' Subcapability indicates that the malware instance is able to gather information from its environment to make itself less likely to be detected. |
| input peripheral capture | The 'input peripheral capture' Subcapability indicates that the malware instance is able to capture data from a system's input peripheral devices, such as a keyboard or mouse. |
| install other components | The 'install other components' Subcapability indicates that the malware instance is able to install additional components. This encompasses the dropping/downloading of other malicious components such as libraries, other malware, and tools. |
| local machine control | The 'local machine control' Subcapability indicates that the malware instance is able to control the machine on which it is executing. |
| network environment probing | The 'network environment probing' Subcapability indicates that the malware instance is able to probe the properties of its network environment, e.g. to determine whether it funnels traffic through a proxy. |
| capture system output peripheral data | The 'capture system output peripheral data' Behavior captures data sent to a system's output peripherals, such as a display. |
| physical entity destruction | The 'physical entity destruction' Subcapability indicates that the malware instance is able to destroy physical entities. |
| prevent artifact access | The 'prevent artifact access' Subcapability indicates that the malware instance is able to prevent its artifacts (e.g., files, registry keys, etc.) from being accessed. |
| prevent artifact deletion | The 'prevent artifact deletion' Subcapability indicates that the malware instance is able to prevent its artifacts (e.g., files, registry keys, etc.) from being deleted. |
| consume system resources | The 'consume system resources' Subcapability indicates that the malware instance is able to consume system resources for its own purposes, such as password cracking. |
| receive data from c2 server | The 'receive data from c2 server' Subcapability indicates that the malware instance is able to receive some data from a command and control server. |
| remote machine access | The 'remote machine access' Subcapability indicates that the malware instance is able to access one or more remote machines. |
| remote machine infection | The 'remote machine infection' Subcapability indicates that the malware instance is able to self-propagate to a remote machine or infect a machine with malware that is different from itself. |
| security software degradation | The 'security software degradation' Subcapability indicates that the malware instance is able to bypass or disable security programs running on a system, either by stopping them from executing or by making changes to their code or configuration parameters. |
| security software evasion | The 'security software evasion' Subcapability indicates that the malware instance is able to evade security software (e.g., anti-virus tools). |
| self-modification | The 'self-modification' Subcapability indicates that the malware instance is able to modify itself. |
| send data to c2 server | The 'send data to c2 server' Subcapability indicates that the malware instance is able to send some data to a command and control server. |
| service provider security feature degradation | The 'service provider security feature degradation' Subcapability indicates that the malware instance is able to bypass or disable mobile device service provider security features that would otherwise identify or notify users of its presence. |
| stored information theft | The 'stored information theft' Subcapability indicates that the malware instance is able to steal information stored on a system (e.g., files). |
| system interface data capture | The 'system interface data capture' Subcapability indicates that the malware instance is able to capture data from a system's logical or physical interfaces, such as from a network interface. |
| system operation integrity violation | The 'system operational integrity violation' Subcapability indicates that the malware instance is able to compromise the operational integrity of the system on which it is executing and/or one or more remote systems, e.g., by causing them to operate beyond their set of specified operational parameters. |
| system re-infection | The 'system re-infection' Subcapability indicates that the malware instance is able to re-infect a system after one or more of its components have been removed. |
| system state data capture | The 'system state data capture' Subcapability indicates that the malware instance is able to capture information about a system's state (e.g., data currently in its RAM). |
| system update degradation | The 'system update degradation' Subcapability indicates that the malware instance is able to disable the downloading and installation of system updates and patches. |
| user data theft | The 'user data theft' Subcapability indicates that the malware instance is able to steal data associated with one or more users (e.g., browser history). |
| virtual entity destruction | The 'virtual entity destruction' Subcapability indicates that the malware instance is able to destroy a virtual entity. |

Example

Before this change - MAEC 4.1

```xml
<maecBundle:Capability id="example:capability-1" name="persistence">
    <maecBundle:Strategic_Objective id="example:objective-1">
        <maecBundle:Name xsi:type="maecVocabs:PersistenceStrategicObjectivesVocab-1.0">persist to continuously execute on system</maecBundle:Name>
    </maecBundle:Strategic_Objective>
</maecBundle:Capability>
```

After this change - MAEC 5.0

```xml
<maecCore:Capability id="example:capability-1">
    <maecCore:Name xsi:type="maecVocabs:CapabilityNameVocab-1.0">persistence</maecCore:Name>
</maecCore:Capability>
<maecCore:Capability id="example:capability-2">
    <maecCore:Name xsi:type="maecVocabs:CapabilityNameVocab-1.0">continuous execution</maecCore:Name>
</maecCore:Capability>
```

Impact

This change will not be backward compatible and is one of several revisions planned for the new major version.

Requested Feedback

  1. Do the changes to the Capability data model with respect to deprecating Objectives in favor of Behaviors make sense?
  2. Should Capabilities and Subcapabilities be flattened into a single vocabulary, or would it make more sense to split them up?
  3. Do the values in the CapabilityNameEnum-1.0 make sense?