ATT&CK and Vulnerability Management Part 2: Why align ATT&CK with CVEs?


In today’s blog, we take a quick look at the relationship between the MITRE ATT&CK framework and the Common Vulnerabilities and Exposures (CVE) system.  We will start by defining these two taxonomies.



As mentioned in our previous post, ATT&CK “is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community.”  It is typically used by cyber threat intelligence analysts within the SOC.  The Enterprise matrix alone identifies over 500 techniques and sub-techniques.

The CVE system, on the other hand, was created to “identify, define, and catalog publicly disclosed cybersecurity vulnerabilities” according to MITRE.  As of the time of this writing, there are over 150,000 CVE IDs; for each published entry, the National Vulnerability Database (NVD) records the affected products using a related taxonomy, the Common Platform Enumeration (CPE).  In Q1 of 2021, 4,419 CVEs were published and a further 9,455 were reserved (an ID allocated to a CVE Numbering Authority but not yet publicly disclosed).

There has been much work to map patterns of behavior in system logs and network traffic to the MITRE ATT&CK framework.  Additionally, an increasing number of reports about attacks directly reference ATT&CK technique IDs.  This is a very good trend for defenders: the more we agree on a common taxonomy for discussing adversary actions, the better we can analyze them using a range of automated techniques, from visualization and database queries to artificial intelligence and machine learning.  Today, we take for granted the standardization the CVE system (launched in 1999) provides to vulnerability management.  Many believe that, in time, ATT&CK will reach a similar level of acceptance.

But, as we discussed last time, mapping system log data and network traffic data to ATT&CK techniques will only cover a subset of the techniques.  One example from the previous article is ATT&CK technique T1200, Hardware Additions.  Other techniques are not readily associated with observed patterns at all, but rather with the exploitation of software vulnerabilities.  For example, T1588.005 (Obtain Capabilities: Exploits) covers an attacker acquiring an exploit, which happens before the attack is even launched.  Note that T1588.005 cannot be directly associated with observables in system logs or network traffic.  Even so, for many exploits there are actions defenders can take, such as patching the vulnerability the exploit targets, that disrupt attacks involving this technique.

Additionally, certain vulnerabilities directly enable specific techniques.  ATT&CK records the permissions each technique requires and has a dedicated Privilege Escalation tactic (including T1068, Exploitation for Privilege Escalation), while many CVE descriptions state that a vulnerability allows privilege escalation.  There are other examples of techniques that can be directly enabled by vulnerabilities as well, such as T1498 (Network Denial of Service) and T1212 (Exploitation for Credential Access).  By understanding these associations, vulnerability management teams can provide recommendations that more directly disrupt sequences of adversary actions.
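The following script is an added example, not code from this blog or from MITRE, of what "aligning CVEs with ATT&CK" looks like in practice for a vulnerability management team.  It assumes a small set of constructed CVE records (the CVE IDs, vendor names and CPE strings are fictional), a simplified impact-tag-to-technique mapping that is the example's own assumption rather than MITRE's official methodology, and an adversary technique chain as it might be lifted from a threat report.  CVEs affecting software in the inventory are scored by how many steps of the chain they enable, with earlier steps weighted higher because fixing them cuts off everything that follows.  Public exploit availability is mapped to T1588.005, the unobservable resource-development step discussed above.

```python
"""Illustrative CVE-to-ATT&CK alignment for vulnerability prioritization.

Added example; all CVE records, CPE names and the adversary chain below are
constructed sample data, and the impact-to-technique table is an assumption.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class CVERecord:
    cve_id: str
    cpe: str              # CPE 2.3 name of the affected product (constructed)
    attack_vector: str    # CVSS v3 AV metric: "N", "A", "L" or "P"
    impacts: tuple        # impact tags taken from the advisory text
    public_exploit: bool  # an exploit is publicly available


# Assumed mapping from advisory impact tags to ATT&CK technique IDs,
# chosen to match the techniques named in the post (not MITRE's mapping).
IMPACT_TO_TECHNIQUES = {
    "privilege escalation": ("T1068",),  # Exploitation for Privilege Escalation
    "denial of service": ("T1498",),     # Network Denial of Service
    "credential access": ("T1212",),     # Exploitation for Credential Access
}


def techniques_for(cve: CVERecord) -> set:
    """Return the set of ATT&CK technique IDs a vulnerability enables."""
    techs = set()
    for tag in cve.impacts:
        techs.update(IMPACT_TO_TECHNIQUES.get(tag, ()))
    if "remote code execution" in cve.impacts:
        # Network-reachable RCE lets the adversary exploit a public-facing
        # application (T1190); otherwise treat it as client-side (T1203).
        techs.add("T1190" if cve.attack_vector == "N" else "T1203")
    if cve.public_exploit:
        # A published exploit is something the adversary obtains before the
        # attack starts (T1588.005): invisible in logs, but patching the
        # underlying CVE still neutralises it.
        techs.add("T1588.005")
    return techs


def prioritize(cves, adversary_chain, inventory):
    """Rank CVEs affecting inventoried software by how much of an observed
    adversary chain patching them would disrupt.

    Each enabled chain step at index i contributes len(chain) - i points, so
    a CVE enabling an early step (initial access) outranks one that only
    enables the final step.  Returns [(cve_id, score, enabled_steps), ...].
    """
    chain_len = len(adversary_chain)
    ranked = []
    for cve in cves:
        if cve.cpe not in inventory:
            continue  # not exposed in our environment, skip
        enabled = techniques_for(cve)
        hits = [i for i, t in enumerate(adversary_chain) if t in enabled]
        if not hits:
            continue
        score = sum(chain_len - i for i in hits)
        steps = [adversary_chain[i] for i in hits]
        ranked.append((cve.cve_id, score, steps))
    ranked.sort(key=lambda r: (-r[1], r[0]))
    return ranked


# Constructed asset inventory, keyed by CPE 2.3 name.
INVENTORY = {
    "cpe:2.3:a:examplecorp:webportal:4.2:*:*:*:*:*:*:*",
    "cpe:2.3:o:examplecorp:serveros:10.1:*:*:*:*:*:*:*",
}

# Constructed CVE records (year 0000 IDs cannot collide with real entries).
SAMPLE_CVES = [
    CVERecord("CVE-0000-0001", "cpe:2.3:a:examplecorp:webportal:4.2:*:*:*:*:*:*:*",
              "N", ("remote code execution",), True),
    CVERecord("CVE-0000-0002", "cpe:2.3:o:examplecorp:serveros:10.1:*:*:*:*:*:*:*",
              "L", ("privilege escalation",), False),
    CVERecord("CVE-0000-0003", "cpe:2.3:a:examplecorp:webportal:4.2:*:*:*:*:*:*:*",
              "N", ("denial of service",), True),
    CVERecord("CVE-0000-0004", "cpe:2.3:a:othervendor:mailer:1.0:*:*:*:*:*:*:*",
              "N", ("credential access",), True),   # not in our inventory
]

# Constructed adversary chain, as a threat report might present it.
ADVERSARY_CHAIN = ["T1588.005", "T1190", "T1068", "T1212", "T1498"]


if __name__ == "__main__":
    for cve_id, score, steps in prioritize(SAMPLE_CVES, ADVERSARY_CHAIN, INVENTORY):
        print(f"{cve_id}: score {score}, disrupts {', '.join(steps)}")
```

Running the script ranks the network-reachable RCE with a public exploit first (it enables both the exploit-acquisition step and initial access), the DoS next, and the local privilege escalation last; the CVE in software we do not run is ignored entirely.  In a real deployment the impact tags would come from CVE/NVD data and the chain from ATT&CK-tagged threat intelligence, but the scoring idea is the same: patch the vulnerability that breaks the most of the sequence the adversary actually uses.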