Solving the CVE puzzle with MITRE ATT&CK and threat intel
To threat actors, infiltrating an organisation’s infrastructure is like a cryptic puzzle they must solve as they seek out vulnerabilities to exploit. As attackers evolve their tactics and techniques, completing the puzzle becomes easier, and so does finding common vulnerabilities and exposures (CVEs) to target. As a result, there is a greater call for security teams to go the extra mile with vulnerability remediation efforts by combining threat intelligence with CVE findings and the guidance provided by the MITRE ATT&CK framework to zoom in on the riskiest vulnerabilities. For those unaware, MITRE ATT&CK is an encyclopaedia of threat actors and the tactics and techniques they have been seen to use in real-world scenarios. The framework analyses each attack group and the platforms it is known to target, providing much-needed information to security teams, who traditionally struggle to understand their entire attack surface and to identify the attack methods targeting their business.
In addition to this, the ATT&CK framework helps direct security teams along the path of the most effective defence measures to reduce overall risk. By adding threat intelligence, security teams can expand on the information gained, utilising real-time and actionable intelligence for faster and more focussed decision-making.
For instance, security teams can use the framework to seek out direction on the adversaries targeting them by searching on Tactics, Techniques, and Procedures (TTPs), which yields security recommendations at the level of those techniques. From here, a list of detection and preventative measures can be implemented. This is where threat intelligence can prove decisive, adding a deeper level of information on the specific threat actors, their attack patterns and their behaviours, which can be leveraged to further strengthen the overall defensive strategy.
To get the most out of the intelligence gathered, security departments can simultaneously use threat intelligence to elevate vulnerability management when tackling the issue of CVEs. To understand why, one must understand the various levels of the vulnerability management process and how threat intel can improve each of them.
Traditional vulnerability management solutions take a ‘find and fix’ approach, using a CVSS severity score to determine where to prioritise remediation efforts. However, this takes a static and limited view of CVE remediation: it doesn’t take the external threat context into consideration and has no links to the critical assets within your business, which essentially means you could be wasting time fixing vulnerabilities that don’t pose a risk in the first place. With a growing number of CVEs to manage and an average time to exploit of just 7 days, the traditional approach has become somewhat ineffective.
The next level is risk-based vulnerability management which, by harnessing threat intelligence, can predict the likelihood of a vulnerability being exploited in the wild. Organisations can then proactively prepare remediation against the most dangerous and imminent risks first, which shortens exposure time through prioritisation – key for businesses that struggle to focus their attention when remediating a high number of CVEs.
Lastly, there is the third level, where the security team combines the security tools available in their arsenal with the information provided by the TTPs and the MITRE ATT&CK framework to understand how threat actors are attacking the vulnerabilities. This advanced approach relies on threat intelligence that examines the threat actor groups targeting your organisation while cross-referencing with the MITRE ATT&CK framework to see where compromise is most likely and what the likely attack path using known CVEs would be.
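To make the three levels concrete, the following is an added example (not code from the original article or from any product it describes) that ranks one constructed set of CVE findings three ways: by CVSS alone, by a risk score that adds threat-intel exploitation evidence and asset criticality, and by a score that additionally checks whether the techniques used to exploit the CVE match the ATT&CK techniques of actors known to target the organisation. The CVE identifiers are placeholders, the ATT&CK technique-to-CVE mapping, the actor profile and the weighting factors are all assumptions made for illustration, and the function names are the author of this example's own.

```python
"""Added example: prioritising the same CVE findings at the three levels described above.

Level 1 ranks by CVSS alone; level 2 adds threat-intel exploitation evidence and
asset criticality; level 3 adds whether the techniques used to exploit the CVE
match the ATT&CK techniques of actors known to target the organisation.
All CVE ids, scores, flags, weights and the actor profile are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class CVE:
    cve_id: str               # placeholder identifier, constructed for this example
    cvss: float               # CVSS base score: the only input at level 1
    exploited_in_wild: bool   # threat-intel evidence of exploitation (level 2 input)
    asset_criticality: int    # 1 (low) .. 3 (critical), from the asset inventory (level 2 input)
    techniques: frozenset     # ATT&CK technique IDs adversaries use to exploit it (level 3 input)


# Constructed sample findings. The technique IDs are real ATT&CK IDs
# (T1190 Exploit Public-Facing Application, T1133 External Remote Services,
# T1203 Exploitation for Client Execution, T1068 Exploitation for Privilege
# Escalation); their mapping to these placeholder CVEs is invented.
SAMPLE_CVES = [
    CVE("CVE-XXXX-0001", 9.8, False, 1, frozenset({"T1203"})),
    CVE("CVE-XXXX-0002", 7.5, True, 3, frozenset({"T1068"})),
    CVE("CVE-XXXX-0003", 8.1, True, 2, frozenset({"T1190"})),
    CVE("CVE-XXXX-0004", 6.5, False, 3, frozenset({"T1133"})),
]

# Constructed actor profile: techniques that intel attributes to groups targeting us.
ACTOR_TECHNIQUES = frozenset({"T1190", "T1133"})


def cvss_score(cve: CVE) -> float:
    """Level 1: the 'find and fix' view, CVSS base score only."""
    return cve.cvss


def risk_score(cve: CVE) -> float:
    """Level 2: weight CVSS by exploitation evidence and asset criticality.

    The weights are illustrative assumptions, not a standard; tune them to
    your own risk appetite.
    """
    exploit_factor = 1.5 if cve.exploited_in_wild else 1.0
    asset_factor = 1.0 + 0.25 * (cve.asset_criticality - 1)   # 1.0, 1.25 or 1.5
    return cve.cvss * exploit_factor * asset_factor


def attack_aligned_score(cve: CVE, actor_techniques: frozenset = ACTOR_TECHNIQUES) -> float:
    """Level 3: boost CVEs whose exploitation techniques overlap with the ATT&CK
    techniques of actors known to target the organisation."""
    actor_factor = 1.5 if cve.techniques & actor_techniques else 1.0
    return risk_score(cve) * actor_factor


def prioritise(cves, scorer) -> list:
    """Return CVE ids ordered from highest to lowest score under `scorer`."""
    return [c.cve_id for c in sorted(cves, key=scorer, reverse=True)]


if __name__ == "__main__":
    for name, scorer in (("CVSS only", cvss_score),
                         ("risk-based", risk_score),
                         ("ATT&CK-aligned", attack_aligned_score)):
        print(f"{name:15s}: {prioritise(SAMPLE_CVES, scorer)}")
```

Run as a script, the three orderings differ: the CVSS-only list puts the 9.8-scored finding on a low-value asset first, the risk-based list moves the exploited finding on a critical asset to the top, and the ATT&CK-aligned list promotes the finding whose exploitation technique matches the actor profile. The point is not the particular weights but that each added input can reorder the queue, which is why the article argues for feeding all three into remediation decisions.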
Having such detail at your disposal provides a ‘hacker-centric’ view that breaks down the attacker's routine, giving security teams insight into the CVEs that are most likely to be weaponised and the TTPs used to exploit them. This level of detail will supercharge any vulnerability risk management programme, as it gives security teams the knowledge, seen through the eye of the attacker, to remediate effectively – before a vulnerability becomes a problem.
Taking a hacker-centric approach to vulnerability remediation is a critical step forward in achieving proactive security. Depending on your organisation’s maturity level, size and risk appetite, advancing the tools in use to encompass both risk-based analysis and threat intelligence will allow security teams to put millions of CVEs into context and create a remediation ‘sweet spot’ that lets any business get in front of the cybercriminals.