Vulnerability reporters should start using MITRE ATT&CK technique references to describe what the attacker is trying to achieve by exploiting a given CVE-numbered vulnerability, the MITRE Engenuity team urges.
“Using ATT&CK facilitates making descriptions of impacts and exploitation methods consistent across reports. When used in a vulnerability report, ATT&CK’s tactics and techniques enable defenders to quickly understand how a vulnerability can impact them, helping defenders integrate vulnerability information into their risk models and identify appropriate compensating security controls,” they say.
The CVE + MITRE ATT&CK methodology
To help vulnerability reporters – researchers as well as product vendors – MITRE Engenuity’s Center for Threat Informed Defense created a mapping methodology that can be applied, as well as a guide on how to get started.
They’ve also created a CVE JSON schema extension is scheduled to be should be integrate into the official CVE JSON Schema in November 2021 and, once that happens, they plant to add the mappings from several hundred CVEs to ATT&CK they already created to the official CVE List.
Their efforts will be in vain, though, if the methodology isn’t used. The team calls on vulnerability reporters to review it and apply it to help build the corpus of vulnerability reports with ATT&CK references, and defenders to review it and push vendors to include ATT&CK references in their vulnerability reports.
“Historically, vulnerability management and threat management have been separate disciplines, but in a risk-focused world, they need to be brought together,” the team added.
“This methodology aims to establish a critical connection between vulnerability management, threat modeling, and compensating controls. CVEs linked to ATT&CK techniques can empower defenders to better assess the true risk posed by specific vulnerabilities in their environment.”