Malware Attribute Enumeration and Characterization (MAEC) is a structured language for encoding and sharing high-fidelity information about malware. MAEC is sponsored by the U.S. Department of Homeland Security (DHS) Office of Cybersecurity and Communications and managed by the MITRE Corporation, which also provides technical guidance to the MAEC Community.
The first version of MAEC was released on January 14, 2011, followed by MAEC 2.0 (April 2012), MAEC 3.0 (April 2013), and MAEC 4.0 (September 2013). The most recent version, MAEC 5.0, was released in October 2017. As of May 2019, MAEC has not been taken to a formal standards body; once it reaches an appropriate level of stability, maturity, and adoption, international standardization may be sought.
What are the key elements of MAEC?
MAEC has two key elements. The first is the Core Specification document, which introduces MAEC, provides high-level use cases, and defines the MAEC data types and top-level objects. The second is the Vocabularies Specification document, which provides the explicit values for each of the open vocabularies referenced by the Core Specification.
Because MAEC supplies a common grammar and vocabulary for the malware domain, most of its use cases are motivated by the accurate and unambiguous communication of malware attributes that this shared language makes possible.
What are the key use cases of MAEC?
One of the key use cases of MAEC is static, dynamic, and visual malware analysis, aimed at mitigating a threat through a better understanding of the malware's nature and propagation. For static analysis, MAEC can capture the detailed attributes of a malware instance, such as information about how the instance is packaged or interesting code snippets recovered by reverse engineering the malware.
For dynamic analysis, MAEC can capture the details of each action or event that occurs when the malicious code is executed. This can be done at multiple levels of abstraction: at the lowest level, individual native system API calls can be recorded, while at higher levels a particular unit of malicious functionality, such as keylogging, can be described. Other common use cases include Cyber Threat Analysis (for example a Malware Threat Scoring System, or Malware Provenance and Attribution) and Incident Management (for example a Uniform Malware Reporting Format, Malware Repositories, and Malware Remediation).
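To make the layering described above concrete, here is an added example (not code from the MAEC project or from this page) that builds a MAEC 5.0-style JSON package for a constructed keylogger sample and checks that its internal references resolve. The object and property names (package, malware-instance, behavior, malware-action, static_features, dynamic_features, api_call and the *_refs fields) follow the MAEC 5.0 Core Specification as the author of this example understands it; the specific vocabulary values ("hook keyboard", "capture-keyboard-input", "keylogger") and the sample hash and file names are assumptions and placeholders, so verify them against the Vocabularies Specification before relying on them.

```python
"""Build a MAEC 5.0-style package and check its references (added example)."""
import json
import re
import uuid

# Constructed sample data: placeholder hash and file names, not real artifacts.
SAMPLE_SHA256 = "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"

# MAEC 5.0 ids look like STIX 2 ids: "<type>--<UUIDv4>".
ID_RE = re.compile(r"^([a-z][a-z-]*)--[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$")


def maec_id(obj_type):
    return f"{obj_type}--{uuid.uuid4()}"


def build_package():
    """Describe one sample at three levels: instance, behavior, API-level actions."""
    # STIX 2 cyber observables, keyed by local string ids; "0" is the sample itself.
    observables = {
        "0": {"type": "file", "name": "invoice_viewer.exe",
              "hashes": {"SHA-256": SAMPLE_SHA256}, "size": 73728},
        "1": {"type": "file", "name": "kb.dat"},
    }
    # Lowest level: native API calls observed during execution.
    hook = {"type": "malware-action", "id": maec_id("malware-action"),
            "name": "hook keyboard",  # assumed action-name-ov entry
            "api_call": {"function_name": "SetWindowsHookExW",
                         "parameters": {"idHook": "WH_KEYBOARD_LL"}}}
    write = {"type": "malware-action", "id": maec_id("malware-action"),
             "name": "create file",
             "output_object_refs": ["1"],
             "api_call": {"function_name": "CreateFileW",
                          "parameters": {"lpFileName": "C:\\Users\\Public\\kb.dat"}}}
    # Higher level: the unit of malicious functionality those calls implement.
    keylog = {"type": "behavior", "id": maec_id("behavior"),
              "name": "capture-keyboard-input",  # assumed behavior-ov entry
              "action_refs": [hook["id"], write["id"]]}
    instance = {
        "type": "malware-instance", "id": maec_id("malware-instance"),
        "instance_object_refs": ["0"],
        "labels": ["keylogger"],
        # Static side: packaging recovered without running the sample.
        "static_features": {
            "obfuscation_methods": [{"method": "packing", "packer_name": "UPX"}]},
        "dynamic_features": {
            "action_refs": [hook["id"], write["id"]],
            "behavior_refs": [keylog["id"]]},
    }
    return {"type": "package", "id": maec_id("package"), "schema_version": "5.0",
            "maec_objects": [instance, keylog, hook, write],
            "observable_objects": observables}


def check_references(package):
    """Return a list of problems; an empty list means ids and refs are consistent."""
    problems = []
    known = set()
    for obj in package["maec_objects"]:
        m = ID_RE.match(obj.get("id", ""))
        if not m or m.group(1) != obj.get("type"):
            problems.append(f"bad id for {obj.get('type')}: {obj.get('id')}")
        known.add(obj.get("id"))
    observables = package["observable_objects"]

    def walk(node, owner):
        if isinstance(node, dict):
            for key, val in node.items():
                if key.endswith("_ref") or key.endswith("_refs"):
                    for ref in (val if isinstance(val, list) else [val]):
                        # MAEC-shaped refs must name a maec_object; plain
                        # string keys must name an observable object.
                        if ID_RE.match(ref) and ref not in known:
                            problems.append(f"{owner} -> missing object {ref}")
                        elif not ID_RE.match(ref) and ref not in observables:
                            problems.append(f"{owner} -> missing observable {ref}")
                else:
                    walk(val, owner)
        elif isinstance(node, list):
            for item in node:
                walk(item, owner)

    for obj in package["maec_objects"]:
        walk(obj, obj["id"])
    return problems


def api_calls_for_behavior(package, behavior_name):
    """Resolve a behavior down to the API function names it is composed of."""
    by_id = {o["id"]: o for o in package["maec_objects"]}
    calls = []
    for obj in package["maec_objects"]:
        if obj["type"] == "behavior" and obj["name"] == behavior_name:
            for ref in obj.get("action_refs", []):
                calls.append(by_id[ref].get("api_call", {}).get("function_name"))
    return calls


if __name__ == "__main__":
    pkg = build_package()
    print(json.dumps(pkg, indent=2))
    print("problems:", check_references(pkg))
    print("keylogging via:", api_calls_for_behavior(pkg, "capture-keyboard-input"))
```

The reference check is the part worth keeping when exchanging MAEC content with another party: a behavior whose action_refs point at objects the sender forgot to include is still syntactically valid JSON but carries none of the low-level evidence the behavior claims, so a receiver should reject such a package rather than silently accept a half-described sample.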
Why should you care about MAEC?
Without a widely accepted standard for characterizing malware, there is no precise way to communicate a sample's particular attributes or to enumerate its fundamental makeup. The MAEC framework addresses these problems: characterizing malware through abstract patterns of attributes and behavior offers a range of benefits over relying on physical signatures alone. It allows accurate encoding of how the malware operates and the particular actions it performs, information that supports detection but also helps in assessing the malware's end goal. Overall, it provides a set of modern tools and techniques for detecting and combating malware.
What is the MAEC Community?
MAEC is a community-developed project, which involves representatives from antivirus, operating system, and software vendors, security services providers, IT users, and others from across the international cybersecurity communities.
What are the benefits of MAEC?
By adopting MAEC to encode malware-related information in a structured way, organizations can remove the ambiguity and inaccuracy from malware descriptions and improve general awareness of malware. This also helps reduce duplicated analysis effort and shortens the overall response time to malware threats. Within this community-developed project, information is shared in terms of attributes such as artifacts, behaviors, and the relationships between malware samples. MAEC enables faster development of countermeasures and makes it possible to reuse responses to previously observed malware instances.
What is the relationship between MAEC and TAXII?
TAXII (Trusted Automated eXchange of Indicator Information) is commonly used to transport STIX (Structured Threat Information eXpression) content. Where STIX characterizes 'what' is being shared, TAXII defines 'how' the STIX payload is exchanged. It is also feasible for TAXII to carry MAEC as its payload instead of STIX. MAEC provides a comprehensive, structured way of capturing detailed information about malware and targets malware analysts, while STIX targets a more diverse audience by capturing a broad spectrum of cyber-threat information, including basic malware information.