-
Notifications
You must be signed in to change notification settings - Fork 16
Proposal: Refactor Behaviors
Status:
Comment Period Closes:
Affects Backwards Compatibility: Yes
In MAEC, Behaviors serve to capture the purpose behind a particular snippet of code as executed by a malware instance, and therefore have an important role in accurately characterizing the operations of malware at a middle level of abstraction, between Capabilities and Actions. Up to this point, their implementation in MAEC has purposefully remained rather abstract while we iterated and worked on some of the other components such as Capabilities and Actions. However, we feel that it is now appropriate to work on refactoring Behaviors for cohesiveness with respect to the other MAEC components, especially in the wake of the proposed changes around Capabilities.
This proposal is related to the following proposed changes to the schema: https://github.com/MAECProject/schemas/wiki/Proposal:-Make-Actions,-Behaviors,-and-Capabilities-Top-Level-Entities https://github.com/MAECProject/schemas/wiki/Proposal:-Deprecate-MAEC-Bundle-(as-a-concept-and-output-format) https://github.com/MAECProject/schemas/wiki/Proposal:-Refactor-Capabilities
There are two driving forces behind the changes with regards to the implementation of Behaviors in the MAEC schema:
- Based on the associated changes outlined in the proposal on refactoring Capabilities, the majority of existing Capability Objectives (from MAEC v4.1) will now be recast as Behaviors, necessitating a corresponding change to the
BehaviorType
and also the creation of new vocabularies around Behaviors. - Simplification; as one of the primary drivers of change in MAEC 5.0, we feel that the existing implementation of Behaviors can be simplified to coincide with related changes.
Accordingly, this entails that the refactored BehaviorType
, found in the MAEC Core (formerly MAEC Bundle) schema, should have the following fields:
Field | Type | Multiplicity | Description |
---|---|---|---|
@id | xs:QName |
1 | The required id field specifies a unique id for this Behavior. |
Name | cyboxCommon:ControlledVocabularyStringType |
1 | The required Name field captures the name of the Behavior. The default vocabulary for this field is the BehaviorNameVocab from the MAEC Default Vocabularies schema. |
Description | cyboxCommon:StructuredTextType |
0-1 | The Description field contains a basic textual description of the Behavior. |
Property | maecCore:BehaviorPropertyType |
0-N | The Property field permits the capture of a single property of the Behavior, as a key/value pair. More than one property can be specified via multiple occurrences of this field. |
Action_Reference | maecCore:BehavioralActionReferenceType |
0-N | The Action_Reference field specifies a reference to a single Action that serves as the underlying implementation of the Behavior. More than one such Action can be referenced via multiple occurrences of this field. |
Note that the new Property
field replaces the previous Purpose
field. The primary intent of the Purpose
field was to identify any vulnerabilities exploited by the Behavior, which can now be stated as a property (see below for example).
The new BehaviorPropertyType
is very similar to the CapabilityPropertyType
and therefore should have the following fields:
Field | Type | Multiplicity | Description |
---|---|---|---|
Name | cyboxCommon:ControlledVocabularyStringType |
0-1 | The Name field specifies the name of the Behavioral property being captured. The name can be either free form text or a standardized value from a vocabulary included in the MAEC Default Vocabularies schema. The default vocabulary for this field is the BehaviorPropertyVocab from the MAEC Default Vocabularies schema. |
Value | xs:string |
0-1 | The Value field specifies the value of the Behavioral property being captured. |
Based on the above changes, the following types found in the MAEC Core (formerly MAEC Bundle) schema would be deprecated:
BehavioralActionType
BehavioralActionEquivalenceReferenceType
BehavioralActionsType
BehaviorPurposeType
ExploitType
CVEVulnerabilityType
PlatformListType
The following existing types found in the MAEC Core (formerly MAEC Bundle) schema would be deprecated:
CapabilityObjectiveType
CapabilityObjectiveReferenceType
The following vocabulary related changes will be made:
- A new
CapabilityNameVocab-1.0
will be created, along with a corresponding enumeration, theCapabilityNameEnum-1.0
. - The existing
MalwareCapabilityEnum-1.0
enumeration will be deprecated. - The existing vocabularies around Strategic and Tactical Objectives will be deprecated, including the
AntiCodeAnalysisStrategicObjectivesVocab-1.0
,AntiCodeAnalysisTacticalObjectivesVocab-1.0
,AntiDetectionStrategicObjectivesVocab-1.0
,AntiDetectionTacticalObjectivesVocab-1.0
,AntiRemovalStrategicObjectivesVocab-1.0
,AntiRemovalTacticalObjectivesVocab-1.0
,CapabilityObjectiveRelationshipTypeVocab-1.0
,CommandandControlStrategicObjectivesVocab-1.0
,CommandandControlTacticalObjectivesVocab-1.0
,DataExfiltrationStrategicObjectivesVocab-1.0
,DataExfiltrationTacticalObjectivesVocab-1.0
,DestructionStrategicObjectivesVocab-1.0
,DestructionTacticalObjectivesVocab-1.0
,FraudStrategicObjectivesVocab-1.0
,FraudTacticalObjectivesVocab-1.0
,InfectionPropagationStrategicObjectivesVocab-1.0
,InfectionPropagationTacticalObjectivesVocab-1.0
,IntegrityViolationStrategicObjectivesVocab-1.0
,IntegrityViolationTacticalObjectivesVocab-1.0
,MachineAccessControlStrategicObjectivesVocab-1.0
,MachineAccessControlTacticalObjectivesVocab-1.0
,PersistenceStrategicObjectivesVocab-1.0
,PersistenceTacticalObjectivesVocab-1.0
,PrivilegeEscalationStrategicObjectivesVocab-1.0
,PrivilegeEscalationTacticalObjectivesVocab-1.0
,ProbingStrategicObjectivesVocab-1.0
,ProbingTacticalObjectivesVocab-1.0
,RemoteMachineManipulationStrategicObjectivesVocab-1.0
,RemoteMachineManipulationTacticalObjectivesVocab-1.0
,SecondaryOperationStrategicObjectivesVocab-1.0
,SecondaryOperationTacticalObjectivesVocab-1.0
,SecurityDegradationStrategicObjectivesVocab-1.0
,SecurityDegradationTacticalObjectivesVocab-1.0
,SpyingStrategicObjectivesVocab-1.0
,SpyingTacticalObjectivesVocab-1.0
.- These vocabularies will be replaced with the new Behavior vocabularies - for more information see Proposal:Refactor Behaviors.
The new CapabilityNameEnum-1.0
will have the following values:
Value | Description |
---|---|
anti-behavioral analysis | The 'anti-behavioral analysis' Capability indicates that the malware instance is able to prevent behavioral analysis or make it more difficult. |
anti-code analysis | The 'anti-code analysis' Capability indicates that the malware instance is able to prevent code analysis or make it more difficult. |
anti-detection | The 'anti-detection' Capability indicates that the malware instance is able to prevent itself and its components from being detected on a system. |
anti-removal | The 'anti-removal' Capability indicates that the malware instance is able to prevent itself and its components from being removed from a system. |
availability violation | The 'availability violation' Capability indicates that the malware instance is able to compromise the availability of a system or some aspect of the system. |
command and control | The 'command and control' (C2) Capability indicates that the malware instance is able to receive and/or execute remotely submitted commands. |
data exfiltration | The 'data exfiltration' Capability indicates that the malware instance is able to exfiltrate stolen data or perform tasks related to the exfiltration of stolen data. |
data theft | The 'data theft' Capability indicates that the malware instance is able to steal data from the system on which it executes. This includes data stored in some form, e.g. in a file, as well as data that may be entered into some application such as a web-browser. |
destruction | The 'destruction' Capability indicates that the malware instance is able to destroy some aspect of a system. |
fraud | The 'fraud' Capability indicates that the malware instance is able to defraud a user or a system. |
infection/propagation | The 'infection/propagation' Capability indicates that the malware instance is able to propagate through the infection of a machine or is able to infect a file after executing on a system. The malware instance may infect actively (e.g., gain access to a machine directly) or passively (e.g., send malicious email). This Capability does not encompass any aspects of the initial infection that is done independently of the malware instance itself. |
integrity violation | The 'integrity violation' Capability indicates that the malware instance is able to compromise the integrity of a system. |
machine access/control | The 'machine access/control' Capability indicates that the malware instance is able to access or control one or more remote machines and/or the machine on which it is executing. |
persistence | The 'persistence' Capability indicates that the malware instance is able to persist and remain on a system regardless of system events. |
privilege escalation | The 'privilege escalation' Capability indicates that the malware instance is able to elevate the privileges under which it executes. |
probing | The 'probing' Capability indicates that the malware instance is able to probe its host system or network environment; most often this is done to support other Capabilities and their Objectives. |
secondary operation | The 'secondary operation' Capability indicates that the malware instance is able to achieve secondary objectives in conjunction with or after achieving its primary objectives. |
security degradation | The 'security degradation' Capability indicates that the malware instance is able to bypass or disable security features and/or controls. |
spying | The 'spying' Capability indicates that the malware instance is able to capture information from a system related to user or system activity (e.g., from a system's peripheral devices). |
OS security feature degradation | The ‘OS security feature degradation’ Subcapability indicates that the malware instance is able to bypass or disable operating system (OS) security mechanisms. |
access control degradation | The ‘access control degradation’ Subcapability indicates that the malware instance is able to bypass or disable access control mechanisms designed to prevent unauthorized or unprivileged use or execution of applications or files. |
anti-VM | The 'anti-VM' Subcapability indicates that the malware instance is able to prevent virtual machine (VM) based behavioral analysis or make it more difficult. |
anti-debugging | The 'anti-debugging' Subcapability indicates that the malware instance is able to prevent itself from being debugged and/or from being run in a debugger or is able to make debugging more difficult. |
anti-disassembly | The 'anti-disassembly' Subcapability indicates that the malware instance is able to prevent itself from being disassembled or make disassembly more difficult. |
anti-memory forensics | The 'anti-memory forensics' Subcapability indicates that the malware instance is able to prevent or make memory forensics more difficult. |
anti-sandbox | The 'anti-sandbox' Subcapability specifies that the malware instance is able to prevent sandbox-based behavioral analysis or make it more difficult. |
authentication credentials theft | The 'authentication credentials theft' Subcapability indicates that the malware instance is able to steal authentication credentials. |
clean traces of infection | The 'clean traces of infection' Subcapability indicates that the malware instance is able to clean traces of its infection (e.g., file system artifacts) from a system. |
compromise data availability | The 'compromise data availability' Subcapability indicates that the malware instance is able to compromise the availability of data on the local system on which it is executing and/or one or more remote systems. |
compromise system availability | The 'compromise system availability' Subcapability indicates that the malware instance is able to compromise the availability of the local system on which it is executing and/or one or more remote systems. |
continuous execution | The 'continuous execution' Subcapability indicates that the malware instance is able to continue to execute on a system after significant system events, such as a system reboot. |
data integrity violation | The 'data integrity violation' Subcapability indicates that the malware instance is able to compromise the integrity of some data that resides on (e.g., in the case of files) or is received/transmitted (e.g., in the case of network traffic) by the system on which it is executing. |
data obfuscation | The 'data obfuscation' Subcapability indicates that the malware is able to obfuscate data that will be exfiltrated. |
data staging | The 'data staging' Subcapability indicates that the malware instance is able to gather, prepare, and stage data for exfiltration. |
determine c2 server | The 'determine c2 server' Subcapability indicates that the malware instance is able to identify one or more command and control (C2) servers with which to communicate.. |
email spam | The 'email spam' Subcapability indicates that the malware instance is able to send spam email messages. |
ensure compatibility | The 'ensure compatibility' Subcapability indicates that the malware instance is able to manipulate or modify the system on which it executes to ensure that it is able to continue executing. |
environment awareness | The 'environment awareness' Subcapability indicates that the malware instance can fingerprint or otherwise identify the environment in which it is executing, for the purpose of altering its behavior based on this environment. |
file infection | The 'file infection' Subcapability indicates that the malware instance is able to infect one or more files. |
hide artifacts | The 'hide artifacts' Behavior indicates that the malware instance is able to hide its artifacts, such as files and open ports. |
hide executing code | The 'hide executing code' Subcapability indicates that the malware instance is able to hide its executing code. |
host configuration probing | The 'host configuration probing' Subcapability indicates that the malware instance is able to probe the configuration of the host system on which it executes. |
information gathering for improvement | The 'information gathering for improvement' Subcapability indicates that the malware instance is able to gather information from its environment to make itself less likely to be detected. |
input peripheral capture | The 'input peripheral capture' Subcapability indicates that the malware instance is able to capture data from a system's input peripheral devices, such as a keyboard or mouse. |
install other components | The 'install other components' Subcapability indicates that the malware instance is able to install additional components. This encompasses the dropping/downloading of other malicious components such as libraries, other malware, and tools. |
local machine control | The 'local machine control' Subcapability indicates that the malware instance is able to control the machine on which it is executing. |
network environment probing | The 'network environment probing' Subcapability indicates that the malware instance is able to probe the properties of its network environment, e.g. to determine whether it funnels traffic through a proxy. |
capture system output peripheral data | The 'capture system output peripheral data' Behavior captures data sent to a system's output peripherals, such as a display. |
physical entity destruction | The 'physical entity destruction' Subcapability indicates that the malware instance is able to destroy physical entities. |
prevent artifact access | The 'prevent artifact access' Subcapability indicates that the malware instance is able to prevent its artifacts (e.g., files, registry keys, etc.) from being accessed. |
prevent artifact deletion | The 'prevent artifact deletion' Subcapability indicates that the malware instance is able to prevent its artifacts (e.g., files, registry keys, etc.) from being deleted. |
consume system resources | The 'consume system resources' Subcapability indicates that the malware instance is able to consume system resources for its own purposes, such as password cracking. |
receive data from c2 server | The 'receive data from c2 server' Subcapability indicates that the malware instance is able to receive some data from a command and control server. |
remote machine access | The 'remote machine access' Subcapability indicates that the malware instance is able to access one or more remote machines. |
remote machine infection | The 'remote machine infection' Subcapability indicates that the malware instance is able to self-propagate to a remote machine or infect a machine with malware that is different than itself. |
security software degradation | The 'security software degradation' Subcapability indicates that the malware instance is able to bypass or disable security programs running on a system, either by stopping them from executing or by making changes to their code or configuration parameters. |
security software evasion | The 'security software evasion' Subcapability indicates that the malware instance is able to evade security software (e.g., anti-virus tools). |
self-modification | The 'self-modification' Subcapability indicates that the malware instance is able to modify itself. |
send data to c2 server | The 'send data to c2 server' Subcapability indicates that the malware instance is able to send some data to a command and control server. |
service provider security feature degradation | The ‘service provider security feature degradation’ Subcapability indicates that the malware instance is able to bypass or disable mobile device service provider security features that would otherwise identify or notify users of its presence. |
stored information theft | The 'stored information theft' Subcapability indicates that the malware instance is able to steal information stored on a system (e.g., files). |
system interface data capture | The 'system interface data capture' Subcapability indicates that the malware instance is able to capture data from a system's logical or physical interfaces, such as from a network interface. |
system operation integrity violation | The 'system operational integrity violation' Subcapability indicates that the malware instance is able to compromise the operational integrity of the system on which it is executing and/or one or more remote systems, e.g., by causing them to operate beyond their set of specified operational parameters. |
system re-infection | The 'system re-infection' Subcapability indicates that the malware instance is able to re-infect a system after one or more of its components have been removed. |
system state data capture | The 'system state data capture' Subcapability indicates that the malware instance is able to capture information about a system's state (e.g., data currently in its RAM). |
system update degradation | The 'system update degradation' Subcapability indicates that the malware instance is able to disable the downloading and installation of system updates and patches. |
user data theft | The 'user data theft' Subcapability indicates that the malware instance is able to steal data associated with one or more users (e.g., browser history). |
virtual entity destruction | The 'virtual entity destruction' Subcapability indicates that the malware instance is able to destroy a virtual entity. |
Before this change - MAEC 4.1
<maecBundle:Capability id="example:capability-1" name="persistence">
<maecBundle:Strategic_Objective id="example:objective-1">
<maecBundle:Name xsi:type="maecVocabs:PersistenceStrategicObjectivesVocab-1.0">persist to continuously execute on system</maecBundle:Name>
</maecBundle:Strategic_Objective>
</maecBundle:Capability>
After this change - MAEC 5.0
<maecCore:Capability id="example:capability-1">
<maecCore:Name xsi:type="maecVocabs:CapabilityNameVocab-1.0">persistence</Name>
</maecCore:Capability>
<maecCore:Capability id="example:capability-2">
<maecCore:Name xsi:type="maecVocabs:CapabilityNameVocab-1.0">continuous execution</Name>
</maecCore:Capability>
This change will not be backward compatible and is one of several revisions planned in new major version.
- Do the changes to the Capability data model with respect to deprecating Objectives in favor of Behaviors make sense?
- Should Capabilities and Subcapabilities be flattened into a single vocabulary, or would it make more sense to split them up?
- Do the values in the
CapabilityNameEnum-1.0
make sense?