In our last article, we discussed why one would want to align CVEs with ATT&CK techniques. In today’s blog, we list three aspects of alignment that security teams must consider.
- Not all MITRE ATT&CK techniques should align to CVEs. Most MITRE ATT&CK techniques have nothing to do with software vulnerabilities, and this is perfectly all right. At CYR3CON, we estimate the number of ATT&CK techniques associated with vulnerabilities to be in the range of 20-30%. However, because techniques can be chained together, attacks that involve non-vulnerability-related techniques can still be disrupted by remediating CVEs. So, while most techniques will not be directly related to vulnerabilities, they remain relevant to the overall analysis.
- NIST/MITRE information about CVEs is not sufficient to align with ATT&CK. While the CVE standard contains many important pieces of metadata about a vulnerability, such as which software it affects and what type of privileges it can be used to obtain, it does not contain all the information needed to provide the greatest insight into the relationship. An easy example is exploit availability, which directly informs whether an attacker can leverage the vulnerability in an attack. Another is that, often, a CVE number will have been registered for a vulnerability while the standard information from NIST is not available. A third is that in many cases vulnerabilities allow for the execution of unique techniques that are not enumerated in the CVE system but are classified in ATT&CK. In all these cases, multi-sourced intelligence becomes an important data source for a useful alignment.
- Manual analysis for alignment will not scale. We routinely see vulnerability scans with tens of thousands of vulnerabilities, and each of these vulnerabilities can map to several of the hundreds of ATT&CK techniques. With thousands of new vulnerability disclosures each month, manual methods for alignment are simply a non-starter. As a result, data science and machine learning methods become very important in such alignments.
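The second and third points above can be made concrete with a small alignment routine. The following Python is an added example, not CYR3CON's code or method: it takes constructed NVD-style records (CPE product list plus a CVSS v3 vector, with one record whose NIST analysis is still pending), merges them with a constructed external exploit-availability feed, and derives candidate ATT&CK technique ids from a rule table. T1190, T1203 and T1068 are real ATT&CK technique ids, but the rule table that maps CVSS vector components to them is an illustrative assumption, and the CVE ids are placeholders. The point it shows is that the NVD data alone gives no exploit-availability signal and nothing at all for the pending record, so the feed is what makes those entries actionable.

```python
"""Candidate CVE-to-ATT&CK alignment from NVD-style metadata merged with an
external exploit-availability feed.

Added example, not CYR3CON code. Records, feed and rule table are constructed
assumptions for illustration; the technique ids are real ATT&CK ids but the
mapping heuristic is not authoritative.
"""
from typing import Optional

# Constructed NVD-style records (placeholder CVE ids). Only fields a CVE/NVD
# entry actually carries: affected products (CPE) and a CVSS v3 vector.
# A record whose NIST analysis is still pending has cvss_v3 = None.
NVD_RECORDS = [
    {"id": "CVE-0000-0001", "cpe": ["cpe:2.3:a:example:webapp:1.0:*:*:*:*:*:*:*"],
     "cvss_v3": {"AV": "N", "PR": "N", "UI": "N"}},
    {"id": "CVE-0000-0002", "cpe": ["cpe:2.3:a:example:viewer:2.1:*:*:*:*:*:*:*"],
     "cvss_v3": {"AV": "N", "PR": "N", "UI": "R"}},
    {"id": "CVE-0000-0003", "cpe": ["cpe:2.3:o:example:kernel:5.0:*:*:*:*:*:*:*"],
     "cvss_v3": {"AV": "L", "PR": "L", "UI": "N"}},
    {"id": "CVE-0000-0004", "cpe": [], "cvss_v3": None},  # registered, not analysed
]

# Constructed external intelligence feed: information NVD does not provide.
EXPLOIT_FEED = {
    "CVE-0000-0001": {"public_exploit": True},
    "CVE-0000-0004": {"public_exploit": True, "observed_technique": "T1068"},
}

# Heuristic rules (assumption): CVSS v3 vector components -> ATT&CK technique.
RULES = [
    ({"AV": "N", "PR": "N", "UI": "N"}, "T1190"),  # Exploit Public-Facing Application
    ({"AV": "N", "UI": "R"}, "T1203"),             # Exploitation for Client Execution
    ({"AV": "L", "PR": "L"}, "T1068"),             # Exploitation for Privilege Escalation
]


def techniques_from_cvss(cvss: Optional[dict]) -> list:
    """Candidate technique ids implied by the CVSS vector alone (none if pending)."""
    if cvss is None:
        return []
    return [tech for cond, tech in RULES
            if all(cvss.get(k) == v for k, v in cond.items())]


def align(record: dict, feed: dict) -> dict:
    """Merge NVD-derived candidates with the external feed for one CVE."""
    intel = feed.get(record["id"], {})
    techniques = set(techniques_from_cvss(record["cvss_v3"]))
    sources = ["nvd"] if record["cvss_v3"] is not None else []
    gaps = []
    if record["cvss_v3"] is None:
        gaps.append("nvd_analysis_pending")  # CVE registered, no NIST data yet
    if intel:
        sources.append("exploit_feed")
        if "observed_technique" in intel:
            techniques.add(intel["observed_technique"])
    if not techniques:
        gaps.append("no_technique_candidate")
    return {
        "id": record["id"],
        "techniques": sorted(techniques),
        "public_exploit": bool(intel.get("public_exploit", False)),
        "sources": sources,
        "gaps": gaps,
    }


def align_all(records: list, feed: dict) -> list:
    return [align(r, feed) for r in records]


def prioritize(results: list) -> list:
    """Exploited CVEs first, then those touching more techniques, then by id."""
    return sorted(results,
                  key=lambda r: (not r["public_exploit"], -len(r["techniques"]), r["id"]))


if __name__ == "__main__":
    for row in prioritize(align_all(NVD_RECORDS, EXPLOIT_FEED)):
        print(row)
```

The pending record (CVE-0000-0004) is the case the text describes: with NVD data absent it would otherwise carry no technique candidate at all, and only the feed's observed technique and exploit flag place it near the top of the list.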
CYR3CON helps teams prioritize vulnerabilities and prevent breaches. Contact us today to learn how we have become the most accurate, peer-reviewed predictor of weaponized exploits.
ATT&CK and Vulnerability Management Part 3: Considerations in Aligning CVEs and ATT&CK Techniques