A Threat-Informed Approach to Prioritizing Vulnerabilities

Maggie MacAlpine, MITRE-Engenuity
Sep 20, 2023

Written by Maggie MacAlpine.

Another day, another breaking news update about the latest system vulnerability, adding to the mass of hundreds, if not thousands of vulnerabilities that cybersecurity defenders need to manage and, ideally, patch every day. Given the complexity of modern IT environments, as well as the number and diversity of underlying systems, patching every single vulnerability is impossible. Instead, defenders must identify and prioritize the most critical vulnerabilities for their organizations.

The Center for Threat-Informed Defense (Center) and our participants, like the great people over at FIRST, have considered how to prioritize the overwhelming number of vulnerabilities as part of our mission to make cyber defense more efficient and effective. When it comes to vulnerability management and prioritization, FIRST’s Common Vulnerability Scoring System (CVSS) and Exploit Prediction Scoring System (EPSS) can be combined to make prioritizing vulnerabilities significantly more manageable. From there, our Mapping ATT&CK to CVE for Impact project can then be used to apply a threat-informed approach to defining the vulnerabilities that remain and are likely to be exploited, all with an eye towards mitigation.

Scoring Metrics with CVSS

When approaching challenges like vulnerability prioritization and management, defenders will likely be familiar with CVSS, which was first published as an international standard in 2005. Its purpose is to capture the principal characteristics of a vulnerability and produce a score to represent the potential severity of the damage to an organization, should it be exploited.

A CVSS score consists of three components:

  1. Base score, which represents the static characteristics of a vulnerability.
  2. Temporal aspect, which includes time-dependent factors such as exploitation status and patch availability.
  3. Environmental component, which reflects organization-specific network properties.

The base score metrics have emerged as the most widely used component of CVSS. This has led to the misconception that base scores encompass the entire risk assessment, despite the base score metrics only addressing some aspects of risk, such as the exploitability of a vulnerability and its severity.

Unfortunately, if you only look at CVSS base scores as a guide to which vulnerabilities to address, you will find a truly overwhelming number of “critical” vulnerabilities. Of the 2,213 published in the last 30 days, 1,167 or just over half were rated as 7 or above out of 9 according to CVE Details. That leaves defenders with the question, “How can I possibly manage this many critical vulnerabilities?”

Predicting Exploit

When defenders prioritize vulnerabilities using only the base score, they may neglect other significant factors, as it is not necessarily an accurate predictor of actual threats. Other factors need to be considered when determining which vulnerabilities are most pressing, such as the likelihood of a threat being exploited “in the wild”, which is why FIRST developed EPSS.

EPSS is a vulnerability scoring framework specifically designed to estimate the likelihood of a vulnerability being exploited. To achieve this, EPSS gathers published exploit data from various sources, including IDS/IPS systems, host-based agents, and published exploit code from repositories (like Exploit-DB and Metasploit), and combines that data with the vulnerability’s own characteristics. The results are structured as a table:

  • Rows = vulnerabilities
  • Columns = relevant attributes, such as exploitation history

Statistical analysis, regression or machine learning techniques can use this information to generate the estimated likelihood of a vulnerability being exploited in the next 30 days. By combining CVSS and EPSS results, defenders can narrow their focus to high severity vulnerabilities that are highly likely to be exploited in the next 30 days. Of the 2,213 CVEs published in the last 30 days, only 32 have an EPSS score of over 1%.

Figure 1: Considering CVSS and EPSS scores allows defenders to focus on high severity vulnerabilities that are likely to be exploited.

Understanding Impact

Once a defender has reduced the list from potentially thousands of vulnerabilities by prioritizing with CVSS, and then further trimmed it down by prioritizing by EPSS score, the result is far more manageable. The next step is to establish the potential impacts of the exploited vulnerability.

A threat-informed approach to evaluating impact provides defenders with information they can use to answer the question, “What can an adversary do once they have exploited this vulnerability?” MITRE ATT&CK®, a knowledge base of known adversary tactics and techniques based on threat intelligence, is widely used as a common vocabulary for describing adversary behaviors and enabling coordinated defensive strategies based on those specific behaviors. If a vulnerability is exploited, ATT&CK can help defenders understand the specific adversary behaviors (described as “ATT&CK techniques”) that the adversary might use next. Not only does it offer deep understanding of the techniques, but it also links those techniques to mitigations that can support a defense in depth approach.

Bridging the Gap between CVEs and ATT&CK

The Mapping ATT&CK to CVE for Impact project defines a methodology for using ATT&CK to characterize the potential impacts of vulnerabilities, allowing defenders to connect techniques and properties modeled in ATT&CK with vulnerabilities listed in CVE. This mapping enables security professionals to better understand the potential threat landscape associated with specific vulnerabilities and helps inform mitigation strategies. With a systematic and standardized approach, the project enhances overall understanding of how vulnerabilities connect to the adversary tactics and techniques documented in ATT&CK.

Figure 2: ATT&CK techniques describing the impact of a vulnerability if it is exploited.

Yet applying this methodology to understand the impact of a vulnerability takes valuable analyst time, which is why it is best to focus on higher severity vulnerabilities that are most likely to be exploited based on CVSS and EPSS scores.

Imagine, for example, that a new zero-day vulnerability is announced. It has a high CVSS score and a high EPSS score. There is no patch, and it is likely that adversaries will use the vulnerability in the near term. Fortunately, there is good news mixed in with the bad:

  • Mapping the vulnerability to ATT&CK reveals that, if exploited, the vulnerability might allow the adversary to create an account (T1136) within the system.
  • Examining T1136 shows several possible mitigations that might limit an adversary’s ability to successfully create an account and ensure robust monitoring of new accounts.
  • T1136 also references approaches to detecting potentially malicious activity.

Armed with this information, defenders can take informed action in response to the vulnerability or simply move on to the next because they already have mitigations in place that will address the vulnerability until a patch is available.
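The workflow described above, from the CVSS and EPSS filter to the ATT&CK impact lookup and the “patch, act, or move on” decision, as an added worked example. This is illustrative code written for this page, not tooling from the Center or from FIRST. The CVE IDs, scores, the CVE-to-technique mapping, and the mitigation/detection entries are constructed for the example; the ATT&CK technique and mitigation IDs follow ATT&CK naming but should be verified against attack.mitre.org and the project’s own mapping corpus before any real use.

```python
"""Threat-informed vulnerability triage: CVSS + EPSS shortlist, then ATT&CK impact.

Constructed example data only; placeholder CVE IDs, not real advisories.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    cve: str
    cvss_base: float      # CVSS base score, 0.0 - 10.0
    epss: float           # EPSS probability of exploitation in the next 30 days, 0.0 - 1.0
    patch_available: bool


# Constructed sample inventory (placeholder IDs, not real CVE records).
SAMPLE_VULNS = [
    Vuln("CVE-0000-0001", 9.8, 0.420, False),   # critical, very likely exploited, no patch
    Vuln("CVE-0000-0002", 7.5, 0.004, True),    # high severity but unlikely to be exploited
    Vuln("CVE-0000-0003", 5.3, 0.350, True),    # likely exploited but only medium severity
    Vuln("CVE-0000-0004", 8.1, 0.020, True),    # high severity, likely exploited, patch exists
    Vuln("CVE-0000-0005", 9.1, 0.008, False),   # critical but unlikely to be exploited
]

# Constructed CVE -> ATT&CK technique mapping; real mappings come from the
# Mapping ATT&CK to CVE for Impact corpus.
SAMPLE_CVE_TO_ATTACK = {
    "CVE-0000-0001": ["T1136"],
    "CVE-0000-0004": ["T1059"],
}

# Illustrative technique table (assumption: IDs and names as published in ATT&CK;
# verify against attack.mitre.org).
ATTACK = {
    "T1136": {
        "name": "Create Account",
        "mitigations": ["M1032 Multi-factor Authentication",
                        "M1026 Privileged Account Management"],
        "detection": "Alert on local and domain account creation events",
    },
    "T1059": {
        "name": "Command and Scripting Interpreter",
        "mitigations": ["M1038 Execution Prevention"],
        "detection": "Monitor interpreter process creation and command lines",
    },
}


def shortlist(vulns, cvss_min=7.0, epss_min=0.01):
    """Keep only vulnerabilities that are both high severity (CVSS base score at or
    above cvss_min) and likely to be exploited (EPSS at or above epss_min, i.e. 1%),
    ordered by likelihood first and severity second."""
    kept = [v for v in vulns if v.cvss_base >= cvss_min and v.epss >= epss_min]
    return sorted(kept, key=lambda v: (v.epss, v.cvss_base), reverse=True)


def impact(vuln, cve_to_attack=SAMPLE_CVE_TO_ATTACK, attack=ATTACK):
    """Resolve a CVE to the ATT&CK techniques it could enable and collect the
    mitigations and detection guidance those techniques reference."""
    techniques = cve_to_attack.get(vuln.cve, [])
    mitigations, detections = [], []
    for tid in techniques:
        entry = attack[tid]
        mitigations.extend(entry["mitigations"])
        detections.append(entry["detection"])
    return {"cve": vuln.cve, "techniques": techniques,
            "mitigations": mitigations, "detections": detections}


def triage(vulns, deployed_mitigations, cvss_min=7.0, epss_min=0.01):
    """Return (cve, decision) pairs for the shortlist:
    'patch'    - a patch exists, so apply it;
    'unmapped' - no ATT&CK mapping yet, so an analyst must characterise impact;
    'covered'  - every mapped mitigation is already deployed, move on until a patch ships;
    'act'      - no patch and mitigations are missing, so act now."""
    decisions = []
    for v in shortlist(vulns, cvss_min, epss_min):
        report = impact(v)
        if v.patch_available:
            decisions.append((v.cve, "patch"))
        elif not report["techniques"]:
            decisions.append((v.cve, "unmapped"))
        elif set(report["mitigations"]) <= set(deployed_mitigations):
            decisions.append((v.cve, "covered"))
        else:
            decisions.append((v.cve, "act"))
    return decisions


if __name__ == "__main__":
    deployed = {"M1032 Multi-factor Authentication"}   # constructed: what this org already has
    for v in shortlist(SAMPLE_VULNS):
        print(v.cve, v.cvss_base, v.epss, impact(v)["techniques"])
    print(triage(SAMPLE_VULNS, deployed))
```

With the constructed data, only two of the five CVEs survive the CVSS-and-EPSS filter; the zero-day with no patch maps to T1136, and whether it comes back as “act” or “covered” depends entirely on which of the referenced mitigations the organisation already has in place, which is the decision the final paragraph describes.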

The Center recently updated the ATT&CK to CVE methodology to support the most recent version of ATT&CK, and make the methodology easier to understand and apply. This further supports our goal of enabling the community to create and share their own mappings. We plan to expand the corpus of example CVE to ATT&CK mappings and continue to refine the methodology.

A Call to Action

The Mapping ATT&CK to CVE for Impact project includes an example set of approximately 800 CVEs mapped to ATT&CK. We aim to contribute these mappings to the official CVE corpus to make the mappings more readily accessible to the CVE community.

We need your help to expand the set of CVEs mapped to ATT&CK and welcome contributions to our GitHub. Similarly, EPSS is driven by exploit data and needs community contribution to drive scoring. Contact the FIRST EPSS chairs to learn how to contribute.

Be an advocate and ask your vendors to include ATT&CK references in their vulnerability reports and support EPSS.

About the Center for Threat-Informed Defense

The Center is a non-profit, privately funded research and development organization operated by MITRE Engenuity. The Center’s mission is to advance the state of the art and the state of the practice in threat-informed defense globally. Comprised of participant organizations from around the globe with highly sophisticated security teams, the Center builds on MITRE ATT&CK®, an important foundation for threat-informed defense used by security teams and vendors in their enterprise security operations. Because the Center operates for the public good, outputs of its research and development are available publicly and for the benefit of all.

© 2023 MITRE Engenuity. Approved for Public Release. Document number CT0081.

Maggie MacAlpine is the Cyber Engagement Lead for MITRE Engenuity’s Center for Threat Informed Defense.