View More guides on Cyber Threat Intelligence
Posted on: May 28, 2019
Why should you care about Malware Attribute Enumeration and Characterization (MAEC)?
Why should you care about MAEC?
The absence of any widely accepted standard for characterizing malware means that there is no precise technique for communicating the particular malware attributes, nor for enumerating its fundamental makeup. MAEC framework solves these problems, as the characterization of malware using abstract patterns offers a wide range of benefits over the use of physical signatures. It allows accurate encoding of how the malware operates and the particular actions that it performs. Such information can be used for malware detection, but also for assessing the malware’s end-goal. Overall, it provides a set of modern tools and techniques for combating and detecting malware.
What is the MAEC Community?
MAEC is a community-developed project, which involves representatives from antivirus, operating system, and software vendors, security services providers, IT users, and others from across the international cybersecurity communities.
The members of MAEC can discuss the latest versions of MAEC specifications and other stuff via MAEC Community Discussion Lists. Members can leverage the Encyclopedia of Malware Attributes to collaborate on building semantic MediaWiki of malware. Members can also use MAECProject GitHub Tools & Utilities to make contributions to open-source MAEC development.
What are the benefits of MAEC?
By adopting MAEC for encoding malware-related information in a structured way, organizations can eliminate the ambiguity and inaccuracy in malware descriptions, and improve the general awareness of malware. This can also help in reducing the duplication of malware analysis efforts, and decrease the overall response time to malware threats. In this community-developed project, the information is shared based on attributes such as artifacts, behaviors, and relationships between malware samples. MAEC enables faster development of countermeasures and provides the ability to leverage responses to previously observed malware instances.
What is the relationship between MAEC and TAXII?
TAXII (Trusted Automated eXchange of Indicator Information) uses STIX (Structured Threat Information eXpression) to constitute cyber threat information. Where STIX characterizes ‘what’ is being shared, the TAXII defines ‘how’ the STIX payload is shared. However, it is also feasible that TAXII could use MAEC as its payload instead of STIX. MAEC provides a comprehensive, structured way of capturing detailed information about malware, targeting malware analysts, while STIX targets a more diverse audience by capturing a broad spectrum of cyber-threat related information, including basic malware information.
Share Blog post