Mapping CVE Records to the ATT&CK Framework

CYR3CON and the team at Tag Cyber have published a new report outlining the enterprise security benefit of mapping common vulnerabilities and exposures (CVEs) to the offensive tactics included in the MITRE ATT&CK framework. Watch the introductory video and then download the full report.

The report explains the enterprise security benefit of mapping common vulnerabilities and exposures (CVEs) to the offensive tactics included in the MITRE ATT&CK framework. Ongoing mapping work at CYR3CON is used to exemplify the process and its usefulness for cyber practitioners.

INTRODUCTION

One of the most useful methods in modern cybersecurity risk management involves keeping an accurate and detailed record of the threats, vulnerabilities, and attack methods that are applicable to the enterprise application, computing, and networking environments. Within an organization, this is performed in the context of a vulnerability management (VM) program, usually in conjunction with a locally supported cyber risk registry.

To assist with this important security task, which is especially challenging if only because of the enormous number of potential vulnerabilities and attack methods, research teams have tried to create frameworks and public repositories that can serve as a base for enterprise protection efforts. The MITRE organization has been particularly helpful in this regard, publishing useful models that are applied in practice today around the world.
Two especially meaningful such resources from the MITRE team are the Common Vulnerabilities and Exposures (CVE) list of known vulnerabilities [1], and the MITRE ATT&CK framework [2], which lists and organizes known tactics and techniques used by offensive cyber attackers. Both of these frameworks are well-known globally and are used frequently by cybersecurity practitioners and commercial vendors to help guide their day-to-day work.

The relationship between the CVE list and the ATT&CK framework is less well-known, however, which is unfortunate since the two resources can and should be used in coordination.

In this report, we outline how such a mapping might be done by practitioners and vendors. We also offer a case study from CYR3CON [3], a commercial security vendor, which uses this type of mapping to help prioritize which vulnerabilities should be addressed in a given security program.

Download the full report to understand the benefits of mapping CVEs to the offensive tactics explained in the MITRE ATT&CK framework.