In this webinar we’ll discuss how you can map CVE records to the MITRE ATT&CK framework to enhance the vulnerability management process and achieve better risk management.
2. Agenda
• What is the MITRE ATT&CK framework
• Threat intelligence and the MITRE ATT&CK framework
• Mapping vulnerabilities to the MITRE ATT&CK framework
• Putting it all together
4. Company milestone
2020 to 2021
• RBVM: Launch Farsight vulnerability prioritization technology
• Development: Open Scandinavian Software Park in Vietnam to increase product innovation
• Funding: Secure a SEK 200 million new funding round to accelerate growth
• Leadership: Karl Thedeen appointed as new CEO, plus new board members from Northvolt, Handelsbanken and Svea Solar
• Acquisition: Acquires threat intelligence solution Blueliv to add hacker context to security assessment
• Continue to advance our full stack product vision: to become one of the biggest cybersecurity providers
5. What is the MITRE ATT&CK framework
“MITRE ATT&CK® is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations.”
• The first ATT&CK model was proposed in 2013 and publicly released in 2015
• It has been gathering momentum over the last couple of years.
7. The ATT&CK framework in a nutshell
• A knowledge base of adversarial tactics and techniques
• Contains
  • 14 tactics
  • With over 500 associated techniques and sub-techniques
• Based on observed incidents
8. Organizations use it to ...
• Build specific threat models
  • Based on the tactics of concern
• Create defensive strategies
  • Incident response
  • Tools and processes
• All with the aim of securing the organisation against a possible breach
11. Threat intel
• Good threat intel allows you to understand
  • Threat actor behaviour
  • Campaigns
  • Targets
• In other words: observable intelligence on adversary activity
12. MITRE ATT&CK & threat intel
• Since ATT&CK is based on observable real-world incidents, threat intel lends itself to being mapped to it
• Campaigns
  • Can be mapped based on the behaviours seen
  • Built up over time to get a full picture of all the tactics and techniques being used
• Threat actors
  • Can be tied to campaigns
  • So threat actors can be mapped to tactics and techniques based on the observed campaigns they have been responsible for
14. TI & ATT&CK response
• Identify the threat actors of most concern to your organization
  • By campaign, region, or specific target (business sector)
• Map those actors to the ATT&CK framework
• Plan defence strategies accordingly
• Monitor logs and SIEM for patterns
  • Compare them to the monitored threat actors and their tactics/techniques
• But where do vulnerabilities fit into all this?
16. Traditional vulnerability management
• A CVE identifier is allocated to the vulnerability
  • CVE is another MITRE programme
• It is then given a CVSS score
  • Via the NVD (National Vulnerability Database)
• And this score is used to prioritize your remediation plan
  • Criticals, highs, mediums etc.
17. Sheer number of vulnerabilities requires a new approach
• Risk-based vulnerability management
  • Maps threat intelligence information to a vulnerability
    • Does it have an exploit?
    • Has it been exploited recently?
    • Are threat actors trading information on the vulnerability?
    • What is the target's criticality?
  • To create a risk score (out of 100, e.g. 38.46; or a grade A to D, F; etc.)
  • Some approaches also include prediction of future exploit risk
    • What is the likelihood of a future exploit happening with this vulnerability?
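The re-ranking that risk-based vulnerability management produces, as an added example that is not part of the original webinar and not the presenter's product's scoring model: a Python sketch that takes the factors listed above (exploit availability, recent exploitation, underground chatter, target criticality, and a predicted exploit probability) and orders findings by a 0 to 100 risk score with a letter grade, next to the traditional CVSS-only order. The weights, the grade thresholds, the CVE identifiers and every finding attribute are assumptions constructed for the example.

```python
"""Risk-based prioritization: re-rank CVSS findings with threat-intel context."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve: str
    cvss: float                     # NVD base score, 0-10
    asset_criticality: int          # 1 (low) .. 5 (crown jewel); assumed to come from the asset owner
    exploit_public: bool            # a working exploit exists
    exploited_recently: bool        # seen exploited in the wild recently
    underground_chatter: bool       # threat actors trading information on it
    predicted_exploit_prob: float   # 0..1, hypothetical output of an exploit-prediction model


# Weights are illustrative assumptions; they are not a published or vendor scoring model.
W_EXPLOIT, W_RECENT, W_CHATTER, W_PREDICT, W_CVSS = 25, 25, 10, 20, 20


def risk_score(f: Finding) -> float:
    """0..100: threat context weighs most, CVSS least, scaled by how much the asset matters."""
    threat = (W_EXPLOIT * f.exploit_public
              + W_RECENT * f.exploited_recently
              + W_CHATTER * f.underground_chatter
              + W_PREDICT * f.predicted_exploit_prob
              + W_CVSS * f.cvss / 10.0)
    # A crown-jewel asset keeps the full score; a throwaway host gets one fifth of it.
    return round(min(100.0, threat * f.asset_criticality / 5.0), 2)


def grade(score: float) -> str:
    """Letter grade of the kind the slide mentions (A to D, F); thresholds are assumed."""
    for threshold, letter in ((80, "A"), (60, "B"), (40, "C"), (20, "D")):
        if score >= threshold:
            return letter
    return "F"


def rank_by_cvss(findings):
    """The traditional order: highest CVSS base score first."""
    return [f.cve for f in sorted(findings, key=lambda f: -f.cvss)]


def rank_by_risk(findings):
    """The risk-based order: highest contextual risk score first."""
    return [f.cve for f in sorted(findings, key=lambda f: -risk_score(f))]


# Constructed sample findings (hypothetical CVE IDs, invented attributes).
FINDINGS = [
    Finding("CVE-0000-0001", 9.8, 2, False, False, False, 0.05),  # critical CVSS, no exploit, low-value host
    Finding("CVE-0000-0002", 7.5, 5, True, True, True, 0.90),     # high CVSS, actively exploited, crown jewel
    Finding("CVE-0000-0003", 5.3, 4, True, False, True, 0.40),    # medium CVSS, exploit and chatter exist
]

if __name__ == "__main__":
    print("CVSS order:", rank_by_cvss(FINDINGS))
    print("Risk order:", rank_by_risk(FINDINGS))
    for f in FINDINGS:
        s = risk_score(f)
        print(f"{f.cve}: CVSS {f.cvss:>4}  risk {s:>6}  grade {grade(s)}")
```

With these inputs the CVSS order puts the unexploited 9.8 on a low-value host first, while the risk order moves the actively exploited 7.5 on a crown-jewel asset to the top and the 9.8 to the bottom, which is the point of the slide: severity alone does not tell you where you are most likely to be attacked.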
18. Vulnerabilities vs the ATT&CK framework
• Vulnerabilities are not, strictly speaking, ‘adversarial tactics’
  • But they are used in malware, ransomware etc.
• Considerations when trying to map to the ATT&CK framework
  • CVEs won’t map to all the ATT&CK tactics or techniques*
  • NIST/MITRE information on a vulnerability isn’t enough on its own to map it to the ATT&CK framework*
  • Manual analysis of over 130,000 vulnerabilities, and growing, simply cannot scale*
• So, can it be done?
*for more information see https://info.cyr3con.ai/hubfs/Mapping%20CVE%20Records%20to%20the%20ATT%26CK%20Framework.pdf by Cyr3con
19. Can you map a vulnerability to the ATT&CK framework?
• In short: yes, using AI/ML
• Mapping to ATT&CK
  • Shows what techniques a vulnerability could enable
  • Allows an understanding of how remediating a vulnerability can disrupt the attack chain
• For example: CVE-2019-5591 (Fortinet FortiOS vulnerability) mapped to:
  • T1124 System Time Discovery, T1033 System Owner/User Discovery, T1120 Peripheral Device Discovery, T1057 Process Discovery, T1016 System Network Configuration Discovery, T1087 Account Discovery, T1595 Active Scanning, T1083 File and Directory Discovery, T1046 Network Service Scanning, T1007 System Service Discovery, T1018 Remote System Discovery, T1069 Permission Groups Discovery, T1082 System Information Discovery, T1135 Network Share Discovery, T1217 Browser Bookmark Discovery, 18 Credential/Session Prediction, 45 Fingerprinting
  • Note that the last two IDs (18 and 45) are not ATT&CK technique IDs; they match the WASC Threat Classification entries WASC-18 Credential/Session Prediction and WASC-45 Fingerprinting, so check which taxonomy each ID belongs to before acting on model output
• Addressing this vulnerability would disrupt all of these ATT&CK techniques, making it harder to use this vulnerability as part of an attempt to compromise. (NB: this vulnerability was never used in a campaign, but was directly exploited; see the SANS Top 25 vulnerabilities)
21. Where do you start with a VM program?
• An asset-centric view?
• Asset-centric with threat intel?
• A threat-vector view?
• Let’s dig into these options
22. Evolution of VM w/ threat intel
Discover assets → Assess for vulns → Prioritize by severity → Remediate
The “Find and Fix” game
Appropriate method for
• small estates
• slowly changing estates
Answers the question “where can I be attacked?”
23. Evolution of VM w/ threat intel
Discover assets → Assess for vulns → Prioritize by likelihood → Remediate
The “Vulnerability Risk” game
Really good when remediation is overwhelming
Appropriate method for
• large estates
• rapidly changing estates
Answers the question “where am I most likely to be attacked?”
24. Evolution of VM w/ threat intel
Evaluate threat actors → Determine TTPs → Assess for vulns → Remediate
The “threat vector” game
Really good when evaluating the full stack
Starts with the attacker, then pivots to vulnerabilities
Assumes you have discovered all assets
25. An example: WannaCry
CVE-2017-0147 (one of the SMBv1 vulnerabilities fixed in MS17-010) mapped to:
• T1124 System Time Discovery
• T1033 System Owner/User Discovery
• T1120 Peripheral Device Discovery
• T1057 Process Discovery
• T1016 System Network Configuration Discovery
• T1087 Account Discovery
• T1595 Active Scanning
• T1083 File and Directory Discovery
• T1046 Network Service Scanning
• T1007 System Service Discovery
• T1018 Remote System Discovery
• T1069 Permission Groups Discovery
• T1082 System Information Discovery
• T1135 Network Share Discovery
• T1217 Browser Bookmark Discovery
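The “threat vector” flow of slide 24 and the actor-to-campaign-to-technique chaining of slide 12, carried through on the mapping above, as an added example that is not part of the original webinar and not the presenter's product: the CVE-2017-0147 technique list is the one printed on slide 25 (with the “T” prefix added); the second CVE, the campaigns, the actors and their attribution are constructed for the example and are not real threat intelligence. The script derives each actor's TTPs from the campaigns attributed to it, ranks CVEs by how many of that actor's techniques their remediation would disrupt, and reports the techniques no mapped CVE touches, which is where slide 14's log and SIEM monitoring has to take over from patching.

```python
"""Threat-vector prioritization: actor -> campaigns -> techniques -> CVEs that enable them."""

# ATT&CK technique IDs the page's mapping model emitted for CVE-2017-0147 (slide 25);
# the slide prints them without the "T" prefix, which is added here for clarity.
CVE_TO_TECHNIQUES = {
    "CVE-2017-0147": {
        "T1124", "T1033", "T1120", "T1057", "T1016", "T1087", "T1595", "T1083",
        "T1046", "T1007", "T1018", "T1069", "T1082", "T1135", "T1217",
    },
    # Hypothetical CVE with a constructed, much narrower mapping, for contrast.
    "CVE-0000-0001": {"T1059", "T1082"},
}

# Constructed campaign observations (not real intelligence): technique IDs seen per campaign.
CAMPAIGNS = {
    "campaign-1": {"T1595", "T1046", "T1018", "T1486"},  # scanning, host recon, then ransomware impact
    "campaign-2": {"T1083", "T1059", "T1486"},           # file discovery, scripting, then impact
}

# Constructed attribution: which campaigns each hypothetical actor has been responsible for.
ACTOR_CAMPAIGNS = {
    "ACTOR-A": ["campaign-1", "campaign-2"],
    "ACTOR-B": ["campaign-2"],
}


def actor_ttps(actor: str) -> set[str]:
    """Slide 12: an actor's TTPs are the union of the techniques seen in its campaigns."""
    return set().union(*(CAMPAIGNS[c] for c in ACTOR_CAMPAIGNS[actor]))


def disruption_by_cve(actor: str) -> dict[str, set[str]]:
    """For each CVE, the subset of this actor's techniques the mapping says the CVE could enable."""
    ttps = actor_ttps(actor)
    return {cve: techs & ttps for cve, techs in CVE_TO_TECHNIQUES.items() if techs & ttps}


def prioritize(actor: str) -> list[tuple[str, int]]:
    """Remediation order: CVEs whose fix disrupts the most of this actor's techniques first."""
    hits = disruption_by_cve(actor)
    return sorted(((cve, len(t)) for cve, t in hits.items()), key=lambda x: (-x[1], x[0]))


def residual_ttps(actor: str) -> set[str]:
    """Actor techniques no mapped CVE touches: patching cannot remove these, so they need
    detection (slide 14: monitor logs and SIEM for the actor's patterns)."""
    covered = set().union(*CVE_TO_TECHNIQUES.values())
    return actor_ttps(actor) - covered


if __name__ == "__main__":
    for actor in ACTOR_CAMPAIGNS:
        print(actor, "TTPs:", sorted(actor_ttps(actor)))
        print("  remediate first:", prioritize(actor))
        print("  detect rather than patch:", sorted(residual_ttps(actor)))
```

For ACTOR-A the fix for CVE-2017-0147 disrupts four of the six techniques attributed to the actor, the hypothetical CVE only one, and T1486 (the ransomware impact stage) is left for detection because no vulnerability mapping reaches it. The same data also shows the caveat from slide 18: a mapping this broad gives nearly every discovery technique to one CVE, so the ranking is only as good as the mapping model behind it.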
26. Summary
• Using the MITRE ATT&CK framework can give organizations great insights into how to protect against threat actors
• Mapping vulnerabilities to ATT&CK has its own challenges, but done properly it can help break attack chains
• Adopting a model that supports both threat-vector and risk-based approaches gives organizations the ability to assess their attack surface from all angles