What are the differences between MITRE ATT&CK and MITRE CAPEC?

I am new to CAPEC, but it looks useful, though I am a little confused.

For example, take CAPEC-98: Phishing

It has a direct link to T1566: Phishing in ATT&CK.

There are a lot of similarities like this. So my question is: why would I ever choose CAPEC?

MITRE CAPEC and MITRE ATT&CK are both frameworks from MITRE, but they focus on different levels of attacker behaviour and are used at different stages of security analysis.

MITRE CAPEC (Common Attack Pattern Enumeration and Classification)

Think of CAPEC as: Abstract playbooks of how attacks work.

What it is

  • A catalog of high-level attack patterns
  • Describes how attacks are generally carried out, independent of specific tools or campaigns

Focus

  • Attacker methods and techniques at a conceptual level
  • Rooted in software and system weaknesses

Typical questions it answers

  • “What kinds of attack patterns exist?”
  • “How could this type of vulnerability be exploited?”

MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge)

Think of ATT&CK as: A map of real attacker behaviour during an intrusion.

What it is

Focus

  • What attackers actually do during intrusions
  • Organised by Tactics (goals) and Techniques (how goals are achieved)

Typical questions it answers

  • “What is the attacker doing right now?”
  • “What techniques should my SOC detect?”
  • “What comes next in the kill chain?”

In summary

Dimension           CAPEC                            ATT&CK
Purpose             Describe attack patterns         Describe adversary behaviour
Abstraction level   High / conceptual                Operational / tactical
Based on            Theory & known attack classes    Real-world observations
Primary users       Developers, architects           SOCs, blue teams
Time in attack      Design & modeling phase          Detection & response phase
Structure           Attack patterns                  Tactics → Techniques → Sub-techniques

tl;dr: they complement each other:

  • CAPEC helps you understand how an attack could be built
  • ATT&CK helps you understand how an attack is actually executed

A simple rule of thumb:

  • Designing secure systems? → CAPEC
  • Detecting and responding to attackers? → ATT&CK
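Added example, not part of the question or the answer above: the two catalogues are most useful together when you can pivot between them, starting from the CWE weaknesses a threat model flags, through the CAPEC patterns that exploit them, to the ATT&CK techniques CAPEC maps those patterns to. The script below does that over a small XML fragment constructed for this example. The fragment is modelled on the shape of the CAPEC catalogue XML export, but the element names, the namespace URI and the entry contents are assumptions of this example and not a copy of the real file; the one link it reproduces from the page is CAPEC-98 → T1566.

```python
"""Added example (not from the original post): pivot CWE -> CAPEC -> ATT&CK.

Design-time reviewers talk in CWEs, CAPEC groups them into attack patterns,
and CAPEC's taxonomy mappings point at the ATT&CK techniques a SOC detects.
The XML below is constructed for this example; its element and attribute
names are assumptions modelled on the CAPEC export, not the real catalogue.
"""
import xml.etree.ElementTree as ET

# Assumed namespace for the sample; the real export carries its own.
NS = {"capec": "http://capec.mitre.org/capec-3"}

# Constructed sample. The CAPEC-98 -> ATT&CK T1566 link mirrors what the
# question cites; the CWE links and the second, unmapped pattern are sample
# data chosen to show a pattern that has no ATT&CK counterpart.
CAPEC_SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<Attack_Pattern_Catalog xmlns="http://capec.mitre.org/capec-3">
  <Attack_Patterns>
    <Attack_Pattern ID="98" Name="Phishing" Abstraction="Standard">
      <Related_Weaknesses>
        <Related_Weakness CWE_ID="451"/>
      </Related_Weaknesses>
      <Taxonomy_Mappings>
        <Taxonomy_Mapping Taxonomy_Name="ATTACK">
          <Entry_ID>1566</Entry_ID>
          <Entry_Name>Phishing</Entry_Name>
        </Taxonomy_Mapping>
      </Taxonomy_Mappings>
    </Attack_Pattern>
    <Attack_Pattern ID="66" Name="SQL Injection" Abstraction="Standard">
      <Related_Weaknesses>
        <Related_Weakness CWE_ID="89"/>
      </Related_Weaknesses>
    </Attack_Pattern>
  </Attack_Patterns>
</Attack_Pattern_Catalog>
"""


def load_patterns(xml_text):
    """Parse a CAPEC-shaped catalogue into dicts of id, name, cwes, attack."""
    root = ET.fromstring(xml_text)
    patterns = []
    for ap in root.iterfind(".//capec:Attack_Pattern", NS):
        cwes = sorted(int(rw.get("CWE_ID"))
                      for rw in ap.iterfind(".//capec:Related_Weakness", NS))
        techniques = set()
        for tm in ap.iterfind(".//capec:Taxonomy_Mapping", NS):
            if tm.get("Taxonomy_Name") != "ATTACK":
                continue  # CAPEC also maps to other taxonomies; skip them
            entry = tm.findtext("capec:Entry_ID", default="", namespaces=NS).strip()
            if entry:
                # Normalise "1566" or "T1566" to the ATT&CK "T1566" form.
                techniques.add("T" + entry.lstrip("T"))
        patterns.append({
            "id": int(ap.get("ID")),
            "name": ap.get("Name"),
            "cwes": cwes,
            "attack": sorted(techniques),
        })
    return patterns


def attack_patterns_for_cwe(patterns, cwe_id):
    """Design-time view: CAPEC patterns that exploit the given weakness."""
    return [p for p in patterns if cwe_id in p["cwes"]]


def attack_techniques_for_cwe(patterns, cwe_id):
    """Detection-time view: ATT&CK technique IDs reachable from the CWE via CAPEC."""
    return sorted({t for p in attack_patterns_for_cwe(patterns, cwe_id)
                   for t in p["attack"]})


def unmapped_patterns(patterns):
    """CAPEC IDs with no ATT&CK mapping. A gap here is normal: CAPEC describes
    weakness-level patterns that ATT&CK, being behaviour-based, does not model."""
    return [p["id"] for p in patterns if not p["attack"]]


if __name__ == "__main__":
    # Constructed input: weaknesses flagged during a design review.
    threat_model_cwes = [451, 89]
    catalogue = load_patterns(CAPEC_SAMPLE)
    for cwe in threat_model_cwes:
        caps = [f"CAPEC-{p['id']}" for p in attack_patterns_for_cwe(catalogue, cwe)]
        techs = attack_techniques_for_cwe(catalogue, cwe) or ["(no ATT&CK mapping)"]
        print(f"CWE-{cwe}: {', '.join(caps) or '(no CAPEC pattern)'} -> {', '.join(techs)}")
    print("CAPEC patterns without ATT&CK mapping:", unmapped_patterns(catalogue))
```

Run against the real catalogue export, the same pivot tells you which items in a threat model the SOC can already watch for by ATT&CK technique and which ones only exist at the CAPEC/CWE level and need a code or design fix instead of a detection.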