Over the previous five posts in this series, we looked at both the MITRE ATT&CK and CVE frameworks, discussed how CVEs can be mapped to ATT&CK techniques, showed how attacker sequences can be derived from those mappings, and described how such sequences can inform a vulnerability management program so that CVEs are remediated strategically to disrupt attacker activity.
However, disrupting an attacker sequence can depend on more than vulnerability remediation, and this is really the great thing about the ATT&CK taxonomy and the fact that we can map CVEs, along with operational data, to ATT&CK techniques. By looking at what is available to an attacker, security teams can examine a variety of options to disrupt a given attack sequence.
For example, suppose that a geopolitical event occurs and hackers from a country such as Iran or China are suspected of preparing attacks against an American or European enterprise. Using ATT&CK, we can map out all sequences of techniques known to be used by these attackers (as per part IV of this series). We can then look at how to disrupt those sequences using our full arsenal of security tools. Perhaps patching certain vulnerabilities denies a portion of these sequences, but not all. Perhaps some vulnerabilities cannot be remediated because of dependencies on legacy software. For such systems, we can resort to disrupting a different portion of the attack sequence: taking steps to prevent privilege escalation through additional authentication requirements, blocking ports, or even isolating the affected systems.
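As an added illustration (not code from this post or from CYR3CON), the following Python sketches the analysis just described: take the technique sequences a group is known to chain, work out which of them patching alone disrupts given the CVEs that can actually be patched, and then pick non-patch controls to break the sequences that remain. The sequences, the CVE-to-technique mapping, and the control-to-technique mappings are constructed sample data; the technique IDs are real ATT&CK identifiers used for illustration, and the CVE identifiers are placeholders.

```python
"""Disruption coverage for adversary technique sequences (added example)."""

# --- Constructed sample data. Technique IDs are ATT&CK identifiers used for
# --- illustration; CVE IDs are placeholders; nothing here comes from the post.
SEQUENCES = {
    "seq-A": ["T1190", "T1068", "T1021", "T1486"],  # exploit edge app -> priv esc -> lateral -> ransomware
    "seq-B": ["T1566", "T1204", "T1068", "T1021"],  # phish -> user execution -> priv esc -> lateral
    "seq-C": ["T1078", "T1021", "T1486"],           # valid account -> lateral -> ransomware
    "seq-D": ["T1566", "T1204", "T1486"],           # phish -> user execution -> ransomware
}

# CVE -> technique(s) the vulnerability enables (hypothetical mapping).
CVE_TO_TECHNIQUES = {
    "CVE-PLACEHOLDER-1": {"T1190"},  # hypothetical edge-device bug
    "CVE-PLACEHOLDER-2": {"T1068"},  # hypothetical local privilege escalation
}

# Non-patch, SOC-oriented actions and the technique each denies (assumed).
CONTROLS = {
    "MFA for remote access": {"T1078"},
    "block lateral-movement ports": {"T1021"},
    "attachment filtering": {"T1566"},
}


def disrupted(sequences, blocked):
    """IDs of sequences containing at least one blocked technique.

    A chain needs every step to succeed, so denying any one step breaks it."""
    return {sid for sid, steps in sequences.items()
            if any(step in blocked for step in steps)}


def patch_coverage(sequences, cve_map, patchable):
    """Sequences disrupted by patching only the CVEs that *can* be patched."""
    blocked = set().union(*(cve_map[c] for c in patchable))
    return disrupted(sequences, blocked)


def fill_gaps(sequences, controls):
    """Greedy set cover over non-patch controls for the residual sequences.

    Repeatedly picks the control that breaks the most still-intact sequences
    (first listed control wins ties). Returns (chosen controls in order,
    sequences no control could disrupt)."""
    remaining = dict(sequences)
    chosen = []
    while remaining:
        gains = {name: disrupted(remaining, techs) for name, techs in controls.items()}
        best = max(gains, key=lambda n: len(gains[n]), default=None)
        if best is None or not gains[best]:
            break
        chosen.append(best)
        for sid in gains[best]:
            del remaining[sid]
    return chosen, set(remaining)


def plan(sequences, cve_map, patchable, controls):
    """Patch what can be patched, then close the remaining gaps with controls."""
    covered = patch_coverage(sequences, cve_map, patchable)
    residual = {sid: steps for sid, steps in sequences.items() if sid not in covered}
    chosen, uncovered = fill_gaps(residual, controls)
    return {"patched_away": covered, "controls": chosen, "uncovered": uncovered}


if __name__ == "__main__":
    # Everything patchable.
    print(plan(SEQUENCES, CVE_TO_TECHNIQUES, set(CVE_TO_TECHNIQUES), CONTROLS))
    # CVE-PLACEHOLDER-2 cannot be patched because of a legacy dependency.
    print(plan(SEQUENCES, CVE_TO_TECHNIQUES, {"CVE-PLACEHOLDER-1"}, CONTROLS))
```

Running both scenarios shows the point of the passage: when every CVE is patchable, patching alone breaks two of the four sequences and two lightweight controls cover the rest; when the privilege-escalation CVE is stuck behind legacy software, the planner instead reaches for port blocking to break the sequences that patching can no longer touch. Anything left in `uncovered` is a sequence the current toolset cannot disrupt at all and deserves attention first.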
The key point is that the goal is to stop the attacker before the attack starts. Whether the action is patching a vulnerability or taking a more SOC-oriented step is a secondary concern, since either way the threat is blocked. This leads to better unity of effort across the security organization and a more proactive, threat-centric, yet automated approach.
CYR3CON helps teams prioritize vulnerabilities and prevent breaches. Contact us today to learn why we have become the most accurate, peer-reviewed predictor of weaponized exploits.