At its highest level, MAEC is a domain-specific language for non-signature-based malware characterization. Because MAEC provides a common vocabulary and grammar for the malware domain, most use cases for MAEC are motivated by the unambiguous and accurate communication of malware attributes that MAEC enables.
Malware analysis-related use cases demonstrate how MAEC can be used to effectively capture the data obtained from malware analysis. As we illustrate in the first use case, a malware instance is analyzed, automatically or manually, using either dynamic or static methods; the results are then captured in a MAEC Package.
MAEC can also be used to help with visualization, to capture data for storage in analysis-oriented repositories, and as a means for standardizing tool output.
Cyber threat analysis-related use cases demonstrate how capturing cyber threat analysis information in MAEC will result in a threat being more readily understood and evaluated because the information will be more consistent across analysts and incidents. Furthermore, MAEC's standardized encoding of the Capabilities exhibited by a malware instance will allow for the accurate discernment of the threat that the malware poses to an organization and its infrastructure.
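To make the analysis use case (results of a static or dynamic analysis captured in a MAEC Package) and the threat-analysis use case (standardized Capability encoding) concrete, the following added example builds a small MAEC 5-style Package from a constructed analysis result, then runs the structural checks a consumer would apply before trusting a Package received from another analyst. This is illustrative code written for this page, not MAEC project code; the object layout it assumes (`package`, `malware-instance`, `analysis_metadata`, `capabilities`, `observable_objects`, `schema_version` "5.0") and the two capability names are taken from the author's understanding of the MAEC 5.0 specification and should be checked against the official schema before use. The sample hash and file size are placeholders.

```python
import json
import re
import uuid

# Assumed MAEC 5.0 conventions: objects carry a "type", an id of the form
# "<type>--<uuid>", and the Package states its schema_version. Verify against the spec.
SCHEMA_VERSION = "5.0"
ID_RE = re.compile(
    r"^[a-z-]+--[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$"
)
ANALYSIS_TYPES = ("static", "dynamic", "combination")


def maec_id(obj_type):
    """Mint an identifier in the assumed '<type>--<uuid4>' form."""
    return f"{obj_type}--{uuid.uuid4()}"


def build_package(analysis):
    """Turn one analysis result (a plain dict built by the caller) into a Package dict."""
    # Cyber Observable object describing the analyzed file; MAEC 5 keys these by string index.
    observables = {
        "0": {
            "type": "file",
            "hashes": {"SHA-256": analysis["sha256"]},
            "size": analysis["size"],
        }
    }
    instance = {
        "type": "malware-instance",
        "id": maec_id("malware-instance"),
        "instance_object_refs": ["0"],          # points at the observable above
        "analysis_metadata": [
            {
                "analysis_type": analysis["analysis_type"],  # static, dynamic or combination
                "is_automated": analysis["is_automated"],
                "description": analysis["description"],
            }
        ],
        # Capabilities use the standardized names so consumers can compare across reports.
        "capabilities": [{"name": name} for name in analysis["capabilities"]],
    }
    return {
        "type": "package",
        "id": maec_id("package"),
        "schema_version": SCHEMA_VERSION,
        "maec_objects": [instance],
        "observable_objects": observables,
    }


def validate_package(pkg):
    """Minimal structural checks; returns a list of problems (empty when the Package is sound)."""
    problems = []
    if pkg.get("type") != "package" or not ID_RE.match(pkg.get("id", "")):
        problems.append("bad package type or id")
    if pkg.get("schema_version") != SCHEMA_VERSION:
        problems.append("unexpected schema_version")
    observable_keys = set(pkg.get("observable_objects", {}))
    for obj in pkg.get("maec_objects", []):
        if obj.get("type") != "malware-instance":
            continue
        if not ID_RE.match(obj.get("id", "")):
            problems.append("bad malware-instance id")
        refs = obj.get("instance_object_refs", [])
        dangling = [r for r in refs if r not in observable_keys]
        if not refs or dangling:
            problems.append(f"empty or dangling instance_object_refs: {dangling}")
        for meta in obj.get("analysis_metadata", []):
            if meta.get("analysis_type") not in ANALYSIS_TYPES:
                problems.append(f"unknown analysis_type {meta.get('analysis_type')!r}")
    return problems


def capability_names(pkg):
    """Collect the Capability names asserted for every malware instance in the Package."""
    names = set()
    for obj in pkg.get("maec_objects", []):
        for cap in obj.get("capabilities", []):
            names.add(cap["name"])
    return sorted(names)


# Constructed result of a hypothetical automated sandbox run (placeholder values).
SAMPLE_ANALYSIS = {
    "sha256": "0" * 64,
    "size": 40960,
    "analysis_type": "dynamic",
    "is_automated": True,
    "description": "Constructed sandbox run used for illustration",
    "capabilities": ["persistence", "command-and-control"],
}

if __name__ == "__main__":
    package = build_package(SAMPLE_ANALYSIS)
    print(json.dumps(package, indent=2))
    print("problems:", validate_package(package))
    print("capabilities:", capability_names(package))
```

The validation step is where the consistency benefit of a shared data model shows up: a Package whose malware instance references an observable that is not present, or whose analysis type is outside the agreed vocabulary, is rejected before it reaches a repository or an incident report, rather than being interpreted differently by each analyst.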
Incident management-related use cases describe how a uniform malware reporting format, standardized malware repositories, and the ability to verify remediation procedures—all based on the MAEC data model—greatly enhance malware-related incident management efforts.