In our last post, we showed how CYR3CON mapped relationships among ATT&CK techniques using tools from data science. This allowed us to understand, based on historical reporting, which ATT&CK techniques normally precede one another and which are used in tandem. The resulting construct is what data scientists call a "graph": not the kind that plots a Y variable against an X variable, but a depiction of relationships, with techniques as the nodes and the observed "followed by" relationships as the edges between them.
One useful property of such a graph is that its relationships can be "unrolled": starting from an entry technique and following the edges step by step, we can enumerate potential attacker sequences automatically. With that level of understanding, we can then look at where such sequences can be disrupted.
Further, by mapping CVEs to the ATT&CK techniques they enable, we can see which CVEs could play a role in an attack chain. In a recent experiment, we unrolled attacker sequences and then looked at which vulnerabilities could be remediated to disrupt those chains. The figure below shows an example from our experiment:
Note that the attacker had multiple sequences available, and in this case each of them could potentially involve exploitation of the CVE named above. A defender can work in the other direction: enumerate every attacker sequence that is possible given the results of a vulnerability scan, and remediate the vulnerabilities that appear in the sequences they wish to disrupt. Filtering that list with techniques such as exploit prediction (identifying which vulnerabilities are likely to be weaponized) narrows it further.
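The workflow described above, as an added example that is not CYR3CON's code, data or figure: it builds a small technique graph, unrolls it into attacker sequences, filters those to the ones a scan result actually permits, and then picks the vulnerabilities whose remediation cuts a chosen set of sequences. The technique IDs are real ATT&CK IDs, but the edges, the CVE-to-technique mapping, the scan result and the "predicted exploited" set are all constructed for illustration, and the `CVE-EXAMPLE-n` labels are placeholders rather than real identifiers.

```python
"""Unroll an ATT&CK technique graph into attacker sequences and choose which
vulnerabilities to remediate to disrupt them. Added example: the graph edges,
CVE mapping, scan and prediction data are constructed, and the CVE labels are
placeholders, not real identifiers."""

# Constructed successor graph: an edge A -> B means technique B was observed
# to follow technique A. Real ATT&CK IDs, assumed edges.
TECHNIQUE_GRAPH = {
    "T1566": ["T1203", "T1059"],   # Phishing -> client exploit or scripting
    "T1190": ["T1059"],            # Exploit Public-Facing Application
    "T1203": ["T1059"],            # Exploitation for Client Execution
    "T1059": ["T1068", "T1021"],   # Command and Scripting Interpreter
    "T1068": ["T1021", "T1486"],   # Exploitation for Privilege Escalation
    "T1021": ["T1210", "T1486"],   # Remote Services
    "T1210": ["T1486"],            # Exploitation of Remote Services
    "T1486": [],                   # Data Encrypted for Impact (terminal)
}
INITIAL_ACCESS = {"T1566", "T1190"}
IMPACT = {"T1486"}
# Steps that need a vulnerability; all other steps are assumed available.
EXPLOIT_TECHNIQUES = {"T1190", "T1203", "T1068", "T1210"}

# Constructed mapping: placeholder CVE label -> technique(s) it would enable.
# Two CVEs can enable the same step (CVE-EXAMPLE-3 and -4 both enable T1068).
CVE_TECHNIQUES = {
    "CVE-EXAMPLE-1": {"T1190"},
    "CVE-EXAMPLE-2": {"T1203"},
    "CVE-EXAMPLE-3": {"T1068"},
    "CVE-EXAMPLE-4": {"T1068", "T1210"},
    "CVE-EXAMPLE-5": {"T1210"},
}


def unroll(graph=TECHNIQUE_GRAPH, starts=INITIAL_ACCESS, goals=IMPACT):
    """Every simple path from an initial-access technique to an impact
    technique: the 'unrolled' attacker sequences, as sorted tuples."""
    paths = []

    def dfs(node, path):
        if node in goals:
            paths.append(tuple(path))
            return
        for nxt in graph.get(node, []):
            if nxt not in path:           # simple paths only, no revisits
                dfs(nxt, path + [nxt])

    for start in sorted(starts):
        dfs(start, [start])
    return sorted(paths)


def enabled_by(present_cves, cve_techniques=CVE_TECHNIQUES):
    """technique -> set of scan-present CVEs that enable it."""
    enabled = {}
    for cve in present_cves:
        for tech in cve_techniques[cve]:
            enabled.setdefault(tech, set()).add(cve)
    return enabled


def available_sequences(paths, present_cves):
    """Sequences the attacker can actually run given a scan: every exploit
    step on the path must be backed by a CVE the scan found."""
    enabled = enabled_by(present_cves)
    return [p for p in paths if (set(p) & EXPLOIT_TECHNIQUES) <= set(enabled)]


def sequences_involving(paths, cve, cve_techniques=CVE_TECHNIQUES):
    """Sequences in which the given CVE could be exploited at some step."""
    return [p for p in paths if cve_techniques[cve] & set(p)]


def plan_remediation(target_paths, present_cves):
    """Greedy hitting set over exploit steps: repeatedly pick the technique that
    appears in the most still-open target sequences and remediate every present
    CVE enabling it (fixing one of two CVEs behind a step leaves it usable).
    Returns (cves_to_fix, sequences with no exploit step, uncuttable by patching)."""
    enabled = enabled_by(present_cves)
    open_paths = list(target_paths)
    to_fix = set()
    while True:
        counts = {}
        for p in open_paths:
            for tech in set(p) & set(enabled):
                counts[tech] = counts.get(tech, 0) + 1
        if not counts:
            break
        target = max(sorted(counts), key=counts.get)   # deterministic tie-break
        to_fix |= enabled.pop(target)
        open_paths = [p for p in open_paths if target not in p]
    return sorted(to_fix), open_paths


def prioritize(cves_to_fix, predicted_exploited):
    """Order the fix list with predicted-to-be-weaponized CVEs first. This
    orders rather than drops: dropping an unpredicted CVE that shares a step
    with a predicted one would leave that step open."""
    return (sorted(c for c in cves_to_fix if c in predicted_exploited)
            + sorted(c for c in cves_to_fix if c not in predicted_exploited))


if __name__ == "__main__":
    scan = set(CVE_TECHNIQUES)                      # constructed: all five present
    paths = available_sequences(unroll(), scan)
    targets = sequences_involving(paths, "CVE-EXAMPLE-4")
    fixes, uncut = plan_remediation(targets, scan)
    print(len(paths), "sequences;", len(targets), "could use CVE-EXAMPLE-4")
    print("remediate:", prioritize(fixes, {"CVE-EXAMPLE-4"}))   # constructed prediction
    print("not cut by patching:", uncut)
```

Two things the run shows that the prose alone does not. First, to disrupt every sequence that could use `CVE-EXAMPLE-4`, the plan also has to include `CVE-EXAMPLE-3` and `CVE-EXAMPLE-5`, because each enables one of the same steps; patching a CVE while another present CVE still enables the same technique disrupts nothing. Second, a sequence whose steps need no exploit at all (here phishing, scripting, remote services, impact) survives any amount of patching and needs a different control, which is why `plan_remediation` returns those sequences separately instead of silently ignoring them.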
CYR3CON helps teams prioritize vulnerabilities and prevent breaches. Contact us today to learn how we have become the most accurate, peer-reviewed predictor of weaponized exploits.