In cyber threat analysis, it is often useful to characterize the tools, techniques, and procedures used in an attack as part of a set belonging to a particular attacker. When correlated across multiple attacks, such a connection can be helpful for the purposes of attribution. Because malware is one of the most prevalent tools used by attackers, it is likewise useful to characterize specific malware instances as belonging to the set of tools used by specific attackers.

MAEC provides this capability: its standard vocabulary and grammar permit the accurate identification of malware attributes observed in previous attacks, which allows an accurate link to be constructed between attackers and their malware toolset, based on previously observed and characterized malware.