Outpost24 webinar - Mapping Vulnerabilities with the MITRE ATT&CK Framework
0 likes246 views
The document discusses the integration of the MITRE ATT&CK framework with vulnerability management to enhance organizational security. It outlines the utility of ATT&CK in understanding threat actor tactics and techniques, the challenges of mapping vulnerabilities to the framework, and the importance of adopting both threat vector and risk-based approaches for effective risk assessment. Emphasis is placed on using AI/ML for vulnerability mapping to understand attack strategies and improve remediation efforts.
![Can you map a Vulnerability to the Att&ck framework?
• In short : Yes – using AI / ML
• Mapping to Att&ck
• Shows what techniques a vulnerability could utilize
• Allows for an understanding of how remediation of a vulnerability can disrupt
the attack chain
• For example: CVE-2019-5591 (Fortinet FortiOS vulnerability)
• 1124-System Time Discovery, 1033-System Owner/User Discovery, 1120-Peripheral Device Discovery, 1057-Process Discovery, 1016-System Network
Configuration Discovery, 1087-Account Discovery, 1595-Active Scanning, 1083-File and Directory Discovery, 1046-Network Service Scanning, 1007-System
Service Discovery, 1018-Remote System Discovery, 1069-Permission Groups Discovery, 1082-System Information Discovery, 18-Credential/Session Prediction,
1135-Network Share Discovery, 1217-Browser Bookmark Discovery, 45-Fingerprinting]
• Addressing this vulnerability would disrupt all these Att&ck techniques, making it harder to use this vulnerability as
part of an attempt to compromise. (NB this vuln was never used ina campaign, butwas directly exploited–seeSans Top25vulns)
19](https://image.slidesharecdn.com/webinar-mitreattckvulnerabilities-211027134156/85/Outpost24-webinar-Mapping-Vulnerabilities-with-the-MITRE-ATT-CK-Framework-19-320.jpg)
Outpost24 webinar - Mapping Vulnerabilities with the MITRE ATT&CK Framework
- 1. Using Mitre Att&ck with Vulnerability Management Simon Roe October 2021
- 2. Agenda 2 • What is the Mitre Att&ck framework • Threat intelligence and the Mitre Att&ck framework • Mapping vulnerabilities to the Mitre Att&ck framework • Putting it all together
- 4. Company milestone 2020 2021 RBVM Launch Farsight vulnerability prioritization technology Development Open Scandinavian Software Parkin Vietnamto increase product innovation Funding Secure a 💰 SEK 200 millionnewfunding round to accelerate growth Leadership Karl Thedeen appointedas newCEO + new boardmembers from Northvolt Handelsbankenand Svea Solar Acquisition Acquires threat intelligence solution Blueliv to add hacker contextto security assessment Continue to advanceour full stack productvision 4 To become one of the biggest cybersecurity provider
- 5. What is the MITRE ATT&CK framework 5 “MITRE ATT&CK® is a globally-accessibleknowledgebase of adversary tactics and techniques based on real-world observations.” • First att&ck model was proposed in 2013 and publiclyreleased in 2015 • It’s been gathering momentum over the last couple of years.
- 6. Tactics, Technique and Procedures 6
- 7. 7 • A Knowledgebase of adversarial tactics • Contains • 14 tactics • With over 500 associated techniques • Based on observed incidents The Att&ckframework in a nutshell
- 8. 8 • Build specific threat models • Based on tactics of concern • Create defensive strategies • Incident response • Tools and processes • All with an aim to secure an organisation against possible breach Organizations use it to ..
- 10. How Threat Intel & Att&ck mesh 10
- 11. 11 • Good threat intel allows you to understand • Threat actor behavior • Campaigns • Targets • Or in other words : observable intelligence on bad guy activity Threat Intel
- 12. Mitre Att&ck & threat intel • Since Att&ck is based on observable real-world incidents • Threat intel lends itself to being mapped • Campaigns • Can be mapped based on the behaviors seen • Built up over time to get a full picture of all the potential tactics and techniques being used • Threat Actors • Can be tied to campaigns • And so can map threat actors to Tactics and techniques based on the observed campaigns they have been responsible for 12
- 13. 13
- 14. TI & Att&ck response • Identify Threat Actors of most concern to your organization • Campaign, region, specific target (business sector) • Map those to the Att&ck framework • Plan defense strategies accordingly • Monitor Logs and SIEM for patterns • Compare to monitored Threat Attackers & their tactics / techniques • But where do vulnerabilities fit into all this? 14
- 15. Vulnerability Management and Att&ck 15
- 16. 16 • A CVE is allocated to the vulnerability • Another Mitre framework • And then it's given a CVSS Score • Via the NVD (National vulnerability database) • And this is used to prioritize you’re remediation plan • Critical, highs, mediums etc. Traditional vulnerability management
- 17. 17 • Risk Based vulnerability management • Maps threat intelligence information to a vulnerability • Does it have an exploit • Has it been exploited recently • Are threat actors trading information on the vulnerability • What is the targets criticality • To create a risk score (out of 100, 38.46, grade A – D, F etc) • Some approaches also included future prediction of exploit risk • Whats the likelihood of a futureexploit happening with this vulnerability Sheer number of vulnerabilities requires a new approach
- 18. Vulnerabilities vs Att&ck framework • Vulnerabilities are not strictly speaking ‘adversarial tactics’ • But they are used in Malware, ransomware etc • Considerations when trying to map to the Att&ck framework • CVE’s won’t map to all the att&ck tactics or techniques* • NIST/Mitre information on a vulnerability isn’t enough to map to the Att&ck framework* • Manual analysis of over 130,000 vulnerability and growing simply cannot scale* • So, can it be done? *for more information see https://info.cyr3con.ai/hubfs/Mapping%20CVE%20Records%20to%20the%20ATT%26CK%20Framework.pdf by Cyr3con 18
- 19. Can you map a Vulnerability to the Att&ck framework? • In short : Yes – using AI / ML • Mapping to Att&ck • Shows what techniques a vulnerability could utilize • Allows for an understanding of how remediation of a vulnerability can disrupt the attack chain • For example: CVE-2019-5591 (Fortinet FortiOS vulnerability) • 1124-System Time Discovery, 1033-System Owner/User Discovery, 1120-Peripheral Device Discovery, 1057-Process Discovery, 1016-System Network Configuration Discovery, 1087-Account Discovery, 1595-Active Scanning, 1083-File and Directory Discovery, 1046-Network Service Scanning, 1007-System Service Discovery, 1018-Remote System Discovery, 1069-Permission Groups Discovery, 1082-System Information Discovery, 18-Credential/Session Prediction, 1135-Network Share Discovery, 1217-Browser Bookmark Discovery, 45-Fingerprinting] • Addressing this vulnerability would disrupt all these Att&ck techniques, making it harder to use this vulnerability as part of an attempt to compromise. (NB this vuln was never used ina campaign, butwas directly exploited–seeSans Top25vulns) 19
- 21. Where do you start with a VM program • Asset Centric view? • Asset centric with Threat Intel? • Threat vector view? • Let’s dig into these options 21
- 22. Evolution of VM w/ Threat Intel 22 Discover assets Assess for vulns Prioritize by severity Remediate The “Find and Fix” game Appropriate method for • small estates • slowly changing estates Answers the question “where can I be attacked?”
- 23. Evolution of VM w/ Threat Intel 23 Discover assets Assess for vulns Prioritize by likelihood Remediate The “Vulnerability Risk” game Really good when remediation is overwhelming Appropriate method for • large estates • rapidly changing estates • Answers the questions “where am I mostlikely to be attacked?”
- 24. Evolution of VM w/ Threat Intel 24 Evaluate Threat actors Determine TTPs Assess for vulns Remediate The “threat vector” game Really good when evaluating full stack Starts with attacker, pivot to vulnerabilities Assumes you have discovered all assets
- 25. An example – Wannacry 25 CVE-2017-0147 1124-System Time Discovery, 1033-System Owner/User Discovery, 1120-Peripheral Device Discovery, 1057-Process Discovery, 1016-System Network Configuration Discovery, 1087-Account Discovery, 1595-Active Scanning, 1083-File and Directory Discovery, 1046-Network Service Scanning, 1007-System Service Discovery, 1018-Remote System Discovery, 1069-Permission Groups Discovery, 1082-System Information Discovery, 1135-Network Share Discovery, 1217-Browser Bookmark Discovery
- 26. Summary • Using the Mitre Att&ck framework can provide organizations great insights into how to protect against threat actors • Mapping vulnerabilities to Att&ck has its own challenges. But done properly can help breaking attack chains • But adopting a model that supports both threat vector and risk-based approaches gives organizations the ability to assess their attack surface from all angles 26