1. MITRE Corporation. (n.d.). About CAPEC. CAPEC™. Retrieved from https://capec.mitre.org/about/index.html.
Reference Specifics: The "About CAPEC" page states, "CAPEC is a comprehensive dictionary and classification taxonomy of known attacks that can be used by analysts, developers, testers, and educators to advance community understanding and enhance defenses." This directly aligns with the question's need for a framework of attack patterns.
2. Cisco. (2022). Cisco DevSecOps Validated Design Guide. Cisco.
Reference Specifics: Chapter 3, "Threat Modeling," discusses the importance of identifying threats during the design phase. It states, "Threat modeling is a process by which potential threats...can be identified, enumerated, and prioritized." While this guide focuses on methodologies like STRIDE, it establishes the practice of using structured frameworks, for which CAPEC is a prime example for attack patterns.
3. Barnum, S., & Gegick, M. (2005). Common Attack Pattern Enumeration and Classification (CAPEC). MITRE Corporation.
Reference Specifics: Section 1, "Introduction," describes the motivation for CAPEC: "The goal of CAPEC is to provide a publicly available catalog of attack patterns along with a comprehensive schema and classification taxonomy." This document is one of the foundational papers explaining the purpose and structure of the framework.