capa: improve usability and performance #13
Closed
acelynnzhang
started this conversation in
GSoC 2024
-
Hi @mandiant/flare-gsoc,
I'm interested in working on the capa: improve usability and performance project and I wanted to ask some clarifying questions.
As a new user, I didn't find the ATT&CK and MBC tables particularly helpful and I saw that Feature/sarif output capa#2036 is adding support for another output format. What does a malware analyst typically do with the ATT&CK and MBC outputs on the CLI? I've seen TTPs included in threat intel reports, but I'm not sure how it's used in the analysis process. It seems like a lot of the information is also rehashed and easier to understand in the Capabilities table.
What counts as an output mode? Options like -v, -vv or -j?
I saw some issues that are relevant to improving the performance like performance issues with some samples capa#1989 and dynamic model fails on CAPE sample capa#1994. They contain files that I can't find in the capa-testfiles repo and I also don't have an account on VT that can download those samples. Is there another place I can find them?
I've noticed that most of the time is spent analyzing the binary using vivisect and some failures are also linked to it. Are changes to it in-scope for this project or should most of the changes be on the capa side?
I'm also looking at potential starter issues and I'll submit my proposal soon. Thanks!
-
Hey, these are great questions.