CAPEC, or Common Attack Pattern Enumeration and Classification, is a catalogue describing attack patterns. Thanks to these descriptions, CAPEC provides a structured and standardised language for describing these patterns, making it easier for researchers to analyse and mitigate them. Above all, CAPEC enables the mapping and development of threat models (attack patterns).
Attack patterns are descriptions of the common attributes and approaches that adversaries use to exploit known weaknesses in different assets at the logical level. Attack patterns define, so to speak, the puzzles that adversaries face in each attack and how they tackle them to achieve their goal.
To ground these analyses, the CAPEC catalogue has views. A view is a grouping of patterns under a specific classification, such as that found in CAPEC-703 Industrial Control Systems. Doesn't this concept sound familiar from the CWE lists :P? In the following sections, we will take an in-depth look at the entire CAPEC structure.
Throughout the article, you will see how this catalogue allows industrial organisations to strengthen their defences by knowing their attackers. As they say, sometimes a good defence is the best offence.
HISTORY OF CAPEC
CAPEC was created by the U.S. Department of Homeland Security as part of the strategic Software Assurance (SwA) initiative of the Office of Cybersecurity and Communications (CS&C). Published in 2007 as an initial threat catalogue, CAPEC was born out of the need to categorise attack patterns and standardise the way they are referred to. This allows different technical communities around the world to use a ‘common language’ for threat modelling.
Following the launch of the initial catalogue in 2007, successive versions were released up to version 1.5 in 2010, which included 24 new patterns, 34 modified patterns, 1 obsolete pattern, new CAPEC↔CWE mappings, and a new view ('WASC Threat Classification 2.0'). Version 1.5 stands out precisely for incorporating that new view.
After version 1.5, different versions were released that incorporated new patterns, modifications to existing ones, discontinued obsolete patterns, added new mappings between CAPEC and CWE, and finally added more views for threat modelling. These changes can be consulted in the CAPEC historical archive.
In version 3.9 (the most recent version of CAPEC), which is the one that interests us most for the purposes of this article, the CAPEC-703 Industrial Control System (ICS) Patterns view has been added. This explicit view (Explicit Slice) is a grouping of attack patterns related to industrial environments, as its name suggests. This approach allows patterns from other environments to be filtered out, facilitating the construction of attack models and enabling the use of current downloadable formats (CSV/XML) for the automation of technical tools.
UNDERSTANDING CAPEC PATTERNS
CAPEC is very similar to CWE in terms of categorisation and relationships between views. In this case, each CAPEC pattern belongs to a type of attack pattern, called Attack Pattern Type, which defines its level of abstraction and its function within the entire CAPEC structure.
Let's look at the three main types, plus the view that organises them. We will apply the examples with the CAPEC-703 Industrial Control System (ICS) Patterns view.
A meta attack pattern is an attack pattern that serves as a parent category from which more specific patterns are derived. This meta level describes a generic methodology that encompasses several related techniques.
For example, CAPEC-607: Obstruction within the ICS view would be the meta-pattern for Physical Destruction of Device or Component, Jamming, Blockage and Route Disabling. At the relationship level, as we saw in CWE, this means that CAPEC-607: Obstruction is ParentOf Physical Destruction of Device or Component, Jamming, Blockage, and Route Disabling, and they in turn are ChildOf Obstruction.
A standard attack pattern defines a specific technique used in an attack. It contains detailed technical information on how a specific attack works, how it is executed, and how it is mitigated.
For example, in the image above we have Passive OS Fingerprinting (CAPEC-313), which explains how an attacker could use passive techniques to obtain version information, such as the operating system, in order to refine their attacks. Since this is already a more specific pattern, logic dictates that it is ChildOf Fingerprinting (CAPEC-224) at the relationship level. Fingerprinting techniques, being more general, are classified in a meta-pattern.
A detailed attack pattern is the most concrete and specific level: it describes a particular case inherited from a standard pattern. Its description includes very specific details of the attack and allows for refinement within an attack model, including details such as the tools or techniques used.
An example of this specific pattern is USB Memory Attacks (CAPEC-457), which describes how an adversary can use an external USB memory stick to infect any system to which the device is connected. We would swear that this is not new in industrial environments. Which piece of malware classified as a cyber weapon used this attack pattern to start an infection? We don't remember, because no one talks about it anymore :P. By the way, if you want to review a document recently released by NIST discussing this issue, you can find it here: 'REDUCING THE CYBERSECURITY RISKS OF PORTABLE STORAGE MEDIA IN OT ENVIRONMENTS'.
Views, although they are not a type of pattern (and also exist in CWE), are a grouping method for the three types above.
As this is another concept shared with CWE and not particularly specific to CAPEC, we have left it until last. A category in CAPEC is a collection of attack patterns grouped by common characteristics, as was the case in CWE; more specifically, it aggregates attack patterns that share an effect or intent, rather than a parent/child relationship, so it is a grouping by common criteria rather than a level of abstraction.
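The view filtering and ParentOf/ChildOf relationships described above, as an added example that is not part of the HackRTU post: it loads a catalogue in the shape of the downloadable CAPEC 3.x XML, keeps only the members of one view (CAPEC-703) and inverts the ChildOf links into a ParentOf tree. The XML fragment is constructed and heavily trimmed, and the element and attribute names (Attack_Pattern, Related_Attack_Pattern, Has_Member, Abstraction) are assumed to match the real schema.

```python
# Added example: restrict a CAPEC XML catalogue to one view and rebuild the
# Meta/Standard hierarchy from ChildOf links. The catalogue below is a
# constructed fragment shaped like the CAPEC 3.x XML (element names assumed).
import xml.etree.ElementTree as ET

NS = {"c": "http://capec.mitre.org/capec-3"}

SAMPLE_CATALOGUE = """<?xml version="1.0"?>
<Attack_Pattern_Catalog xmlns="http://capec.mitre.org/capec-3" Version="3.9">
  <Attack_Patterns>
    <Attack_Pattern ID="607" Name="Obstruction" Abstraction="Meta"/>
    <Attack_Pattern ID="601" Name="Jamming" Abstraction="Standard">
      <Related_Attack_Patterns><Related_Attack_Pattern Nature="ChildOf" CAPEC_ID="607"/></Related_Attack_Patterns>
    </Attack_Pattern>
    <Attack_Pattern ID="603" Name="Blockage" Abstraction="Standard">
      <Related_Attack_Patterns><Related_Attack_Pattern Nature="ChildOf" CAPEC_ID="607"/></Related_Attack_Patterns>
    </Attack_Pattern>
    <Attack_Pattern ID="224" Name="Fingerprinting" Abstraction="Meta"/>
  </Attack_Patterns>
  <Views>
    <View ID="703" Name="Industrial Control System (ICS) Patterns" Type="Explicit">
      <Members><Has_Member CAPEC_ID="607"/><Has_Member CAPEC_ID="601"/><Has_Member CAPEC_ID="603"/></Members>
    </View>
  </Views>
</Attack_Pattern_Catalog>"""


def load_view(xml_text, view_id):
    # Return {id: (name, abstraction, [parent ids])} for the view's members only;
    # patterns outside the explicit view (here CAPEC-224) are filtered out.
    root = ET.fromstring(xml_text)
    view = root.find(f".//c:View[@ID='{view_id}']", NS)
    members = {m.get("CAPEC_ID") for m in view.findall(".//c:Has_Member", NS)}
    patterns = {}
    for ap in root.findall(".//c:Attack_Pattern", NS):
        if ap.get("ID") not in members:
            continue
        parents = [r.get("CAPEC_ID") for r in ap.findall(".//c:Related_Attack_Pattern", NS)
                   if r.get("Nature") == "ChildOf"]
        patterns[ap.get("ID")] = (ap.get("Name"), ap.get("Abstraction"), parents)
    return patterns


def parent_of(patterns):
    # Invert ChildOf into ParentOf: {parent id: sorted child ids}, within the view.
    tree = {pid: [] for pid in patterns}
    for cid, (_, _, parents) in patterns.items():
        for pid in parents:
            if pid in tree:
                tree[pid].append(cid)
    return {k: sorted(v) for k, v in tree.items()}
```

Pointing `load_view` at the real `capec_latest.xml` download instead of the constructed string gives the full CAPEC-703 tree, which is the input a threat-modelling tool would consume.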
Now that we have a basic understanding of how CAPEC patterns work, here are some practical recommendations for using them:
SNORT RULES FOR DETECTING THESE EVENTS
# 0x05 - Write Single Coil
alert tcp any any -> any 502 (msg:"MODBUS TCP - Function Code Write Detected"; flow:to_server,established; content:"|00 00|"; offset:2; depth:2; content:"|05|"; offset:7; depth:1; nocase; sid:1000001; rev:1;)

# 0x06 - Write Single Register
alert tcp any any -> any 502 (msg:"MODBUS TCP - Function Code Write Detected"; flow:to_server,established; content:"|00 00|"; offset:2; depth:2; content:"|06|"; offset:7; depth:1; nocase; sid:1000002; rev:1;)

# 0x0F - Write Multiple Coils
alert tcp any any -> any 502 (msg:"MODBUS TCP - Function Code Write Detected"; flow:to_server,established; content:"|00 00|"; offset:2; depth:2; content:"|0F|"; offset:7; depth:1; nocase; sid:1000003; rev:1;)

# 0x10 - Write Multiple Registers
alert tcp any any -> any 502 (msg:"MODBUS TCP - Function Code Write Detected"; flow:to_server,established; content:"|00 00|"; offset:2; depth:2; content:"|10|"; offset:7; depth:1; nocase; sid:1000004; rev:1;)
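To make explicit what those four rules test at the byte level, here is an added example (not HackRTU's code) that re-implements their content checks in Python and runs them over constructed Modbus/TCP frames: the first check pins the MBAP protocol identifier (offset 2, two bytes, always 0x0000) and the second pins the function code (offset 7, one byte). It also shows a caveat a SOC will hit immediately: the rules fire on every write, including legitimate ones from the SCADA master, so alerts need to be triaged against the set of hosts expected to write. The `triage` helper and the IP addresses are assumptions for the illustration.

```python
# Added example: byte-level re-implementation of the Snort checks above, run
# over constructed Modbus/TCP frames. MBAP header layout: transaction id (2) |
# protocol id (2, always 0x0000) | length (2) | unit id (1), then the PDU whose
# first byte is the function code, i.e. payload offset 7.
import struct

# function code -> sid, mirroring the four rules
WRITE_FUNCTION_SIDS = {0x05: 1000001, 0x06: 1000002, 0x0F: 1000003, 0x10: 1000004}


def modbus_request(function_code, pdu_body, transaction_id=1, unit_id=1):
    """Build a Modbus/TCP request frame (constructed test input)."""
    pdu = bytes([function_code]) + pdu_body
    # the MBAP length field counts the unit id byte plus the PDU
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def matching_sid(payload):
    """Return the sid that would fire on this TCP payload, or None."""
    if len(payload) < 8:
        return None
    if payload[2:4] != b"\x00\x00":          # content:"|00 00|"; offset:2; depth:2
        return None
    return WRITE_FUNCTION_SIDS.get(payload[7])  # content:"|05|" ...; offset:7; depth:1


# Constructed samples: coil 17 ON, register 0 := 1234, two registers, and a read
WRITE_COIL = modbus_request(0x05, struct.pack(">HH", 17, 0xFF00))
WRITE_REG = modbus_request(0x06, struct.pack(">HH", 0, 1234))
WRITE_MULTI = modbus_request(0x10, struct.pack(">HHB", 0, 2, 4) + struct.pack(">HH", 1, 2))
READ_REGS = modbus_request(0x03, struct.pack(">HH", 0, 10))


def triage(frames, expected_writers):
    """Keep only write alerts whose source is not an expected Modbus master.

    frames: list of (src_ip, payload); expected_writers: set of IPs allowed to
    write. Returns (src_ip, sid, function_code) for each suspicious write.
    Hypothetical helper for illustration, not part of the Snort rules.
    """
    findings = []
    for src, payload in frames:
        sid = matching_sid(payload)
        if sid is not None and src not in expected_writers:
            findings.append((src, sid, payload[7]))
    return findings


if __name__ == "__main__":
    sample = [("10.0.0.5", WRITE_COIL), ("10.0.0.99", WRITE_COIL), ("10.0.0.99", READ_REGS)]
    print(triage(sample, expected_writers={"10.0.0.5"}))
```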
In the image above, we can see one of the CVE identifiers, specifically CVE-2025-41360, detected by our researchers to begin reviewing relationships with CWE, CAPEC, and the MITRE ATT&CK matrix for ICS.
SPECIFIC EXAMPLE OF CAPEC PATTERNS
In this section, we will examine how to apply CAPEC patterns, specifically those from the industrial control system list (CAPEC-703), to classify the vulnerability CVE-2025-41362 based on the attack executed by our researchers. It is worth noting that, much like in real-world scenarios, there are often multiple paths that may lead to the same outcome.
Sometimes, circumstances do not align with expectations, and as a result, no CAPEC identifier related to the industrial control system view was applied in this case, since the attack was instead associated with a web-level code injection. It is important to recall that, even when dealing with industrial devices, attacks may frequently align more closely with IT-oriented classifications.
The critical factor lies in the impact: a code injection in an industrial device, such as an HMI, could allow an attacker to manipulate process visualizations. This, in turn, may lead an operator to take control actions under the false assumption that the displayed data are legitimate. Such a scenario could result in industrial processes being halted or altered based on corrupted readings.
Can one imagine a SCADA system consistently interpreting falsified parameters? Or a company relying on a Historian database populated with erroneous data to guide material distribution? What may appear to be a simple injection, seemingly not particularly malicious, can in fact escalate into a far more dangerous outcome...
At HackRTU, we use CAPEC cataloguing as part of the development of several of our services. Moreover, we do not limit ourselves to using it; whenever possible, we also strive to contribute to enhancing projects that are the result of community-driven efforts. We encourage you not only to leverage the CAPEC catalogue but also to take part in this fascinating initiative—one that, like many others, was born from a community of practitioners dedicated to the sharing of knowledge.
HACKRTU TEAM
© HackRTU 2025