Mapping ATT&CK techniques to CVEs should make risk assessment easier
2021-11-03 06:00

Vulnerability reporters should start using MITRE ATT&CK technique references to describe what the attacker is trying to achieve by exploiting a given CVE-numbered vulnerability, the MITRE Engenuity team urges.

"Using ATT&CK facilitates making descriptions of impacts and exploitation methods consistent across reports. When used in a vulnerability report, ATT&CK's tactics and techniques enable defenders to quickly understand how a vulnerability can impact them, helping defenders integrate vulnerability information into their risk models and identify appropriate compensating security controls," they say.

To help vulnerability reporters - researchers as well as product vendors - MITRE Engenuity's Center for Threat Informed Defense created a mapping methodology that can be applied, as well as a guide on how to get started.

The team calls on vulnerability reporters to review it and apply it to help build the corpus of vulnerability reports with ATT&CK references, and defenders to review it and push vendors to include ATT&CK references in their vulnerability reports.

"Historically, vulnerability management and threat management have been separate disciplines, but in a risk-focused world, they need to be brought together," the team added.

"This methodology aims to establish a critical connection between vulnerability management, threat modeling, and compensating controls. CVEs linked to ATT&CK techniques can empower defenders to better assess the true risk posed by specific vulnerabilities in their environment."

News URL

http://feedproxy.google.com/~r/HelpNetSecurity/~3/HwDB5DJtCp0/