CVE + MITRE ATT&CK® to Understand Vulnerability Impact
Written by Jonathan Evans, Jon Baker, and Richard Struse.
Historically, vulnerability management and threat management have been separate disciplines, but in a risk-focused world, they need to be brought together. Defenders struggle to integrate vulnerability and threat information and lack a consistent view of how adversaries use vulnerabilities to achieve their goals. Without this context, it is difficult to appropriately prioritize vulnerabilities.
To bridge vulnerability management and threat management, the Center for Threat-Informed Defense, with support from participants including AttackIQ and JP Morgan Chase, developed a methodology to use the adversary behaviors described in MITRE ATT&CK® to characterize the impact of vulnerabilities from CVE®. Vulnerability reporters and researchers can use the methodology to describe the impact of vulnerabilities more clearly and consistently. When used in a vulnerability report, ATT&CK’s tactics and techniques enable defenders to quickly understand how a vulnerability can impact them, helping defenders integrate vulnerability information into their risk models and identify appropriate compensating security controls.
This methodology aims to establish a critical connection between vulnerability management, threat modeling, and compensating controls. CVEs linked to ATT&CK techniques can empower defenders to better assess the true risk posed by specific vulnerabilities in their environment. We have applied the methodology and mapped several hundred CVEs to ATT&CK to validate the model and demonstrated its value. To fully realize our goal, we need community support to apply the methodology at scale.
Mapping CVE-2018–17900
ATT&CK is used in threat reports to describe the technical goals of an adversary and the steps they take to achieve those goals during an attack. In many cases, the same reports document vulnerabilities exploited by the attackers. While this is useful for reports detailing incidents that have already occurred, vulnerability and risk management teams also want to know what techniques an adversary might use to exploit a vulnerability before they do and thereby anticipate which defenses need to be in place. In the example below, we will review CVE-2018–17900 and enhance its description to use ATT&CK technique references to bring clarity and consistency to how an attacker might exploit this vulnerability and what the attacker might gain.
The description says that the problem is “improperly protects credentials” which can then allow “access to controllers.” The T1552 (Unsecured Credentials) technique is behavior enabled by, “Improperly protects credentials” and the T1078 (Valid Accounts) technique maps to “access to controllers.” As you can see, CVE records already capture technique information, but they are missing the standardization that ATT&CK provides.
In many cases, ATT&CK can also be used to describe the steps that an attacker would take to exploit a vulnerability. For CVE-2018–17900, the entry point is the web application, which makes T1190 (Exploit Public-Facing Application) the exploitation technique for the vulnerability.
The description for CVE-2018–17900 can now be rewritten as:
Yokogawa STARDOM Controllers FCJ, FCN-100, FCN-RTU, FCN-500, All versions R4.10 and prior, have Unsecured Credentials which could allow an attacker to gain access to Valid Accounts by Exploiting the Public-Facing Application.
How does this help vulnerability report authors?
For those who create vulnerability reports, including vulnerability researchers and product vendors, this methodology creates a clear, consistent approach to describing the impacts and exploitation methods of vulnerabilities. Using ATT&CK allows vulnerability reports to tell the story of what the attacker is trying to achieve by exploiting a given vulnerability. Many vulnerability reports focus on the technical details of exploitation and impact but ignore the higher-level goal the malicious actor is trying to achieve. ATT&CK bridges that gap and allows users to understand where the vulnerability fits within an attack scenario and their environment.
Using ATT&CK facilitates making descriptions of impacts and exploitation methods consistent across reports. While many reporters use the same language within their reports, different reporters often describe the same impact differently. For example, one reporter might describe T1499.004 (Endpoint Denial of Service: Application or System Exploitation) as a blue screen of death (BSOD), while another might describe it as a kernel panic. Either way, if they both reference T1499.004, the reader knows what they are talking about. This consistency makes it easier for readers to process the reports and act on the information.
How does this help defenders?
Vulnerability reports that include ATT&CK technique references allow defenders to rapidly assess the risk of and create a mitigation plan for a new vulnerability. Techniques in ATT&CK include detection and mitigation information, which can be used to investigate whether the mitigations they have in place are adequate for addressing the vulnerability or if additional mitigations are needed. For example, if the exploitation technique is T1190 (Exploit Public-Facing Application), the defender should monitor incoming traffic and block malicious requests. If the defender decides additional mitigations are needed, they can use the mappings from ATT&CK to other resources like NIST 800–53 or the MITRE Cyber Analytics Repository to decide which actions to take.
A call to action
We created a methodology that allows vulnerability reporters to use ATT&CK to create richer, more consistent vulnerability reports that help defenders rapidly assess the risk of a vulnerability and leverage the full range of resources linked to ATT&CK. Now we need the community’s help to apply the methodology at scale.
To support widespread adoption of this methodology, the following next steps are underway:
- CVE JSON Schema Enhancement: Our proposed CVE JSON schema extension should be integrated into the official CVE JSON Schema in November 2021.
- Integrate CVE Mappings: With adoption of our proposed JSON schema changes, we aim to add our initial mappings to the official CVE List.
With an established foundation in place for the community to build upon, broad community engagement is our next focus. We need ongoing engagement with the CVE CNA community, threat intel teams, and end users to make the case for adoption and to collect feedback.
Defenders can help by reviewing the methodology and the set of CVEs that we mapped and let us know what you think. Be an advocate and ask your vendors to include ATT&CK references in their vulnerability reports.
Vulnerability reporters are critical to realizing our goal of connecting threat and vulnerability management. You can help by reviewing the methodology and applying it in your vulnerability reports. Help build the corpus of vulnerability reports with ATT&CK references.
You can help make the case for change and we welcome your feedback. You can contact us at ctid@mitre-engenuity.org or simply file issues on our GitHub repository.
About the Center for Threat-Informed Defense
The Center is a non-profit, privately funded research and development organization operated by MITRE Engenuity. The Center’s mission is to advance the state of the art and the state of the practice in threat-informed defense globally. Comprised of participant organizations from around the globe with highly sophisticated security teams, the Center builds on MITRE ATT&CK®, an important foundation for threat-informed defense used by security teams and vendors in their enterprise security operations. Because the Center operates for the public good, outputs of its research and development are available publicly and for the benefit of all.
© 2021 MITRE Engenuity. Approved for Public Release. Document number CT0018.