Update June 2022: The Vulcan Cyber research team, aka “Voyager18” has worked on mapping CVEs to relevant tactics and techniques from the MITRE ATT&CK matrix. Visit the dedicated site here.
While vulnerability management isn’t natively mapped to the MITRE ATT&CK framework by default, using cyber knowledge, data science, machine learning and artificial intelligence, CVEs can be efficiently integrated with ATT&CK in a way that delivers distinct advantages to security and IT operations teams. This blog post provides an overview of MITRE ATT&CK and outlines benefits that can be gained by integrating MITRE ATT&CK with vulnerability management to deliver increased security hygiene, risk reduction, threat mitigation, and security insights.
What is MITRE ATT&CK?
MITRE ATT&CK® is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is often used as a foundation for the creation of threat models and methodologies in the private and public sectors and by cybersecurity product and services companies.
With the creation of ATT&CK, MITRE is working to promote a safer world by bringing cyber communities together to instill more effective cybersecurity. ATT&CK is open and available to any person or organization for use at no charge.
MITRE ATT&CK was introduced in 2013 and since then many companies in the cyber security industry adapted it as a de-facto standard for cyber-attacks tactics and techniques used in various ways from investigating incidents to building better controls to defend against adversaries.
MITRE ATT&CK is segmented into a few different matrices, specifically: Enterprise, Mobile, and PRE-ATT&CK. Each of these matrices contains various tactics and techniques with differentiated subject matter.
The Enterprise matrix is made of techniques and tactics that apply to Windows, Linux, and/or MacOS systems. Mobile contains tactics and techniques that apply to mobile devices. PRE-ATT&CK contains tactics and techniques related to what attackers do before they try to exploit a target network or system.
MITRE ATT&CK: Tactics and techniques
ATT&CK tactics are essentially categories of techniques. Tactics are “what” attackers are trying to achieve, whereas the individual techniques are “how” they accomplish those objectives.
In the screenshot below you can see tactics and techniques that comprise the MITRE ATT&CK® Enterprise Matrix. The Matrix contains information for the following platforms: Windows, macOS, Linux, AWS, GCP, Azure, Azure AD, Office 365, SaaS.
As an example attackers will use one or more of techniques listed in the privilege escalation column in order to achieve privilege escalation in a network. (source: https://attack.mitre.org/matrices/enterprise/)
A technique is a specific behavior to achieve a goal and is often a single step in a string of activities employed to complete the attacker’s overall mission. ATT&CK provides many details about each technique including a description, examples, references, and suggestions for mitigation and detection.
In this screenshot we learn hooking tactics that can be used for persistence, privilege escalation and credential access.
As an example of how tactics and techniques work in ATT&CK, an attacker may wish to gain access into a network and install cryptocurrency mining software on as many systems as possible inside that network. In order to accomplish this overall goal the attacker needs to successfully perform several intermediate steps.
First they must gain access to the network – possibly through a spear phishing link. Next, they may need to escalate privilege through process injection. Now they can get other credentials from the system through credential dumping and then establish persistence by setting the mining script to run as a scheduled task. With this accomplished, the attacker may be able to move laterally across the network with pass the hash and spread their coin miner software on as many systems as possible.
In this example, the attacker had to successfully execute five steps, each representing a specific tactic or stage of the overall attack:
They used specific techniques within these tactics to accomplish each stage of their attack, techniques such as spear phishing, process injection, credential dumping, etc.
Using MITRE ATT&CK
ATT&CK is valuable in support of any defensive activities that protect against attackers and their behaviors. But beyond offering a common lexicon for cyber defenders, ATT&CK also provides a foundation for penetration testing and red teaming. This provides defenders and the red team a common language when referring to adversarial behaviors.
Examples where applying the ATT&CK taxonomy can be useful:
- Mapping defensive controls: Defensive controls can carry well-understood meaning when referenced against the ATT&CK tactics and techniques they apply to.
- Threat hunting: Mapping defenses to ATT&CK yields a roadmap of defensive gaps that provide threat hunters the perfect places to find missed attacker activity.
- Detections and investigations: The security operations center (SOC) and incident response team can reference ATT&CK techniques and tactics that have been detected or uncovered. This aids in identifying defensive strengths and weaknesses and validates mitigation and detection controls. It can also uncover misconfigurations and other operational issues.
- Referencing actors: Actors and groups can be associated with specific, definable behaviors.
Vulnerability management and MITRE ATT&CK
While there have always been threats to network security, the problem has grown worse due to the advancement and unimpeded growth of digital infrastructure we’ve witnessed during in recent years. In the 1990s and early 2000s, there were relatively few vulnerabilities and each company IT security team took care of its own.
With the emergence of cloud computing and changes in enterprise infrastructure, company networks became more exposed to external threats. Companies began using AWS, Azure, and Google Cloud Platform en masse while deploying extremely complex business intelligence software, ERP systems, and open-source software, all of which effectively exposes networks to hackers and other malicious actors.
The massive growth in the number of technology vendors and multi-platform solutions has also forced companies to expose their networks to more users. While user authorization solutions have generally kept pace with increased exposure, these changes have resulted in businesses facing greater risks from the additional network complexity.
Adding fuel to the fire, the switch to agile development has increased risk through rapid releases and more software entering the public arena without being adequately tested.
Vulnerability disclosures have sky-rocketed while average time to exploit has dropped substantially, creating an ominous scenario for security and IT teams without much margin for error.
A dramatic increase in vulnerabilities combined with a rapidly closing security exploit window doesn’t bode well for the security of digital business, unless security and IT operations teams can manage to get ahead of it. It is close to impossible for enterprise businesses to manually manage non-stop vulnerabilities without an efficiently orchestrated and automated vulnerability management program.
Risk-based vulnerability management
While traditional vulnerability management vendors tend to rely on objective factors (such as raw CVSS scores) to prioritize vulnerabilities, it’s crucial to understand that vulnerabilities are forever subjective. Exploiting the same exact vulnerability will have a different impact on different business environments, and as such, should be treated differently. With this in mind security teams ought to prioritize vulnerabilities according to the specific risk they pose to their environment.
The Vulcan vulnerability remediation platform includes a prioritization mechanism focuses on four key metrics:
- Security data – We integrate with existing security tools used today in order to extract security data, creating a clear and cohesive picture of all vulnerabilities in the system. Vulcan integrates via APIs with tools like Qualys, Rapid7, SourceClear and WhiteSource to name a few to provide a full view of the coverage of your environment
- Business data – Different assets play different functions in every system, and therefore cannot be treated alike. When prioritizing vulnerabilities, business needs must be factored accordingly. By connecting to CMDBs and incorporating the Vulcan asset–criticality feature, business relevance is taken into consideration by our prioritization algorithms.
- Asset data – Through integrations across inventories, deployment tools and asset management tools, we’re able to create a clear view of your network, gaining a better understanding of the asset configurations, security posture and status
- Threat intelligence – Vulnerabilities don’t exist in a vacuum. By connecting to over 50 threat intelligence feeds, we can associate whether or not known IOCs are being used to compromise specific vulnerabilities.
Effective vulnerability remediation focuses on actual resolution of threats, aiming to remediate before they cause any harm. A good vulnerability remediation strategy includes a process for prioritizing vulnerabilities and a way to consolidate knowledge about a wide variety of solutions or remedies for rapid and efficient remediation.
Good vulnerability remediation involves multiple corporate teams, including management, developers, IT and security management working cross-functionally to both harden security and to find the most cost-effective way to fix the vulnerabilities in the system. These are not mutually exclusive of course.
Whenever possible, automation is used, not only to save time and money at scale, but also to ensure consistency. Vulnerability remediation is, therefore, the part of vulnerability management where the rubber meets the road and threats are mitigated. Learn more here.
Combining vulnerability management with MITRE ATT&CK
Vulnerabilities are usually managed by CVEs as their identifier. Each vulnerability approved by authorities gets its own CVE identifier, in some cases a vulnerability contains several CVEs connected by the same campaign or patched by the vendor at the same security update.
Mapping CVEs to MITRE ATT&CK
While vulnerabilities don’t get mapped to MITRE ATT&CK by default, using cyber knowledge, data science, machine learning and artificial intelligence, CVEs can be mapped to ATT&CK in an efficient way.
By mapping vulnerabilities to ATT&CK tactics and techniques, different security teams can communicate in a common language. Vulnerability management teams, incident response teams, blue and red teams, DevOps and IT operations teams can prioritize and orchestrate remediation actions across people, process and tools.
ATT&CK vectors can also help organizations extend their risk model for each vulnerability and not just by CVSS score, threat intelligence and business knowledge, but by the tactics and techniques of the attack.
For example, a streaming provider runs a VLAN that contains streaming servers. Availability must be very high (ideally 100%) and the most dangerous ATT&CK tactic would be “Impact” with techniques like network DDOS, disk content wipe, endpoint DOS, service stop and more. In this example the risk score of a vulnerability under the “Impact” tactic should get higher score than “Collection.” On the other hand, the graphic designer’s laptop would have an opposite score.
Reporting by ATT&CK Tactics could help CISOs and managers understand which attack vector they are most exposed to in their organization.
On this hypothetical example, you can see the vulnerabilities by each ATT&CK tactic. As you can see there is a large proportion of “lateral movement” vulnerabilities.
By drilling into “lateral movements” techniques, we can clearly see that most of the vulnerability attack vectors are Windows related. With this clarity the CISO and the management team can start a remediation campaign on Windows vulnerabilities by deploying patches and workarounds, and by applying security best practices and using relevant security products.
ATT&CK also suggests mitigations for attacking techniques. It is recommended to remediate vulnerabilities by patching, configuration changes or workarounds, but in case these options are not possible the ATT&CK mitigation tips could be handy instead.
Continuing the last example, let’s say the security team wants to start mitigating the pass the ticket technique as part of the of Windows lateral movement remediation campaign. Alongside the patches and workarounds for each vulnerability, now the security team will also have ATT&CK mitigations to help enforce security.
A path forward for MITRE ATT&CK and vulnerability management
While both vulnerability management and MITRE ATT&CK approaches grew out of different needs and objectives, they each have massive adoption across the cyber security industry and they can benefit each other in many ways. Ideally when these frameworks are used together they will create better communication between vulnerability management teams and other involved teams. A combined approach will make risk–based vulnerability remediation more effective and make remediation campaigns more orchestrated, focused and efficient.