What is MAEC?
Malware Attribute Enumeration and Characterization (MAEC) is a structured language for encoding and sharing high-fidelity information about malware. MAEC is sponsored by the U.S. Department of Homeland Security (DHS) Office of Cybersecurity and Communications and is managed by the MITRE Corporation, which also provides technical guidance to the members of the MAEC Community.
The first version of MAEC was released on January 14, 2011, followed by MAEC 2.0 (April 2012), MAEC 3.0 (April 2013), and MAEC 4.0 (September 2013). The most recent version, MAEC 5.0, was released in October 2017. As of May 2019, MAEC is not being pursued in a formal standards body. However, once an appropriate level of stability, maturity, and use is reached, international standardization may be sought for MAEC.
What are the key elements of MAEC?
There are two key elements of MAEC. The first is the Core Specification document, which introduces MAEC, provides high-level use cases, and defines the MAEC data types and top-level objects. The second is the Vocabularies Specification document, which provides explicit values for each of the open vocabularies referenced in the core concepts document.
Since MAEC provides a common grammar and vocabulary for the malware domain, most of its use cases are motivated by the accurate and unambiguous communication of malware attributes that MAEC enables.
What are the key use cases of MAEC?
One of the key use cases of MAEC is malware analysis, whether static, dynamic, or visual, to mitigate a threat through a better understanding of the malware's nature and propagation. For static analysis, MAEC can capture the detailed attributes of a malware instance, such as how the instance is packed and interesting code snippets obtained by reverse engineering the malware.
For dynamic analysis, MAEC can capture the details of any action or event that occurs when the malicious code executes, and it can do so at multiple levels of abstraction: at the lowest level, native system API calls can be recorded, while at higher levels a particular unit of malicious functionality, such as keylogging, can be described. Other common use cases include cyber threat analysis (for example, a malware threat scoring system, and malware provenance and attribution) and incident management (for example, a uniform malware reporting format, malware repositories, and malware remediation).
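The following is an added example, not code from the MAEC specification or from MITRE, showing how the static and dynamic analysis results described above fit into one MAEC 5.0-style JSON package: a malware instance with static features (packing, strings), a high-level behavior (keyboard capture), and the low-level API calls that implement it. The package, malware-instance, behavior and malware-action object layout and the "type--UUIDv4" identifier format follow the MAEC 5.0 Core Specification as understood by the author of this example; the sample bytes, file names, API call details, and the vocabulary values "add-windows-hook" and "capture-keyboard-input" are constructed or assumed and should be checked against the Vocabularies Specification before reuse. The two helper functions resolve a behavior down to its API calls and check that every reference in the package resolves, which is the kind of consistency check a consumer of shared MAEC data would want.

```python
"""Build and cross-check a MAEC 5.0-style package for a constructed keylogger sample."""
import hashlib
import json
import re
import uuid

# MAEC 5.0 identifiers have the form "<object-type>--<UUIDv4>".
MAEC_ID_RE = re.compile(
    r"^[a-z][a-z0-9-]*--[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$"
)


def maec_id(object_type: str) -> str:
    """Mint a MAEC-style identifier for the given object type."""
    return f"{object_type}--{uuid.uuid4()}"


def build_package() -> dict:
    """Describe one (constructed) sample at three levels of abstraction:
    static features, a high-level behavior, and the API calls behind it."""
    # Constructed bytes; a real record carries the hash of the actual binary.
    sample_bytes = b"MZ\x90\x00 constructed keylogger sample for illustration only"
    sha256 = hashlib.sha256(sample_bytes).hexdigest()

    hook_action_id = maec_id("malware-action")
    write_action_id = maec_id("malware-action")
    behavior_id = maec_id("behavior")

    # Cyber-observable objects are keyed by string index, as in STIX 2.0.
    observable_objects = {
        "0": {"type": "file", "name": "svchost_update.exe", "size": len(sample_bytes),
              "hashes": {"SHA-256": sha256}},
        "1": {"type": "file", "name": "keys.log"},
    }

    # Lowest level: individual API calls observed during execution (details constructed).
    actions = [
        {"type": "malware-action", "id": hook_action_id,
         "name": "add-windows-hook",  # assumed vocabulary value
         "is_successful": True,
         "api_call": {"address": "user32.dll!SetWindowsHookExA",
                      "parameters": {"idHook": "WH_KEYBOARD_LL"},
                      "return_value": "0x00050149"}},
        {"type": "malware-action", "id": write_action_id,
         "name": "write-to-file",
         "is_successful": True,
         "output_object_refs": ["1"],
         "api_call": {"address": "kernel32.dll!WriteFile",
                      "parameters": {"hFile": "0x1a4", "nNumberOfBytesToWrite": "16"}}},
    ]

    # Higher level: a unit of malicious functionality composed of those actions.
    behavior = {"type": "behavior", "id": behavior_id,
                "name": "capture-keyboard-input",  # assumed vocabulary value
                "description": "Installs a low-level keyboard hook and logs keystrokes.",
                "action_refs": [hook_action_id, write_action_id]}

    instance = {"type": "malware-instance", "id": maec_id("malware-instance"),
                "instance_object_refs": ["0"],
                "labels": ["keylogger"],
                "static_features": {
                    "obfuscation_methods": [{"method": "packing", "packer_name": "UPX"}],
                    "strings": ["SetWindowsHookExA", "keys.log"]},
                "dynamic_features": {"behavior_refs": [behavior_id],
                                     "action_refs": [hook_action_id, write_action_id]}}

    return {"type": "package", "id": maec_id("package"), "schema_version": "5.0",
            "maec_objects": [instance, behavior, *actions],
            "observable_objects": observable_objects}


def iter_refs(node):
    """Yield (property, target) for every *_ref / *_refs property, recursively."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key.endswith("_ref") and isinstance(value, str):
                yield key, value
            elif key.endswith("_refs") and isinstance(value, list):
                for ref in value:
                    yield key, ref
            else:
                yield from iter_refs(value)
    elif isinstance(node, list):
        for item in node:
            yield from iter_refs(item)


def dangling_refs(pkg: dict) -> list:
    """Return references that point at neither a MAEC object nor an observable."""
    known = {obj["id"] for obj in pkg["maec_objects"]} | set(pkg["observable_objects"])
    return sorted(ref for _, ref in iter_refs(pkg["maec_objects"]) if ref not in known)


def api_calls_for_behavior(pkg: dict, behavior_name: str) -> list:
    """Resolve a named behavior down to the API call addresses of its actions."""
    by_id = {obj["id"]: obj for obj in pkg["maec_objects"]}
    calls = []
    for obj in pkg["maec_objects"]:
        if obj["type"] == "behavior" and obj["name"] == behavior_name:
            calls.extend(by_id[ref]["api_call"]["address"] for ref in obj.get("action_refs", []))
    return calls


if __name__ == "__main__":
    package = build_package()
    print(json.dumps(package, indent=2))
    print("dangling:", dangling_refs(package))
    print("keylogging via:", api_calls_for_behavior(package, "capture-keyboard-input"))
```

Because behaviors and actions are separate objects tied together only by identifiers, a package that is edited or merged by hand can easily end up with references to objects that are no longer present; running `dangling_refs` on inbound MAEC data before loading it into a repository catches that class of error.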