MITRE MAPPING OF CISA KEVS AND ITS CHALLENGES

 * APT Groups, CISA KEVs, MITRE, MITRE ATT&CK, patch deadline, ransomware,
   scanners missed, vulnerabilities

 * Jun 29, 2022

MITRE ATT&CK is a knowledge base that documents adversarial tactics, techniques,
and procedures (TTPs) and provides an evolving list of behaviors that attackers
employ to compromise enterprises. By mapping vulnerabilities to TTPs, we learn
how attackers exploited them and what they gained through that exploitation.
This gives security teams and researchers a picture of the tactics adversaries
use and helps them prioritize vulnerabilities for remediation.

In this blog, we document how CSW’s security researchers performed the MITRE
ATT&CK mapping of the CISA KEV catalog and spotlight the challenges they
overcame to complete the exercise.



INADEQUACIES OF CISA KEVS

CISA released a catalog called Known Exploited Vulnerabilities (KEV) on November
3, 2021, with a directive for federal agencies to identify and remediate
oft-exploited vulnerabilities.

While the goal of this directive was to kick-start risk-based vulnerability
management and remediation in the public sector, we found that security teams
struggle to prioritize these vulnerabilities because of the lack of context and
multiple inadequacies in the data.

The CISA KEV at present is merely a ‘table of CVEs’ with hard deadlines to
patch.

 1. There is no threat context attached to this information that can be used to
    prioritize them.

 2. CVSS scores for many CVEs are missing, and over 11% have medium scores,
    which is misleading given that these are oft-exploited vulnerabilities.

 3. The CISA KEV also has a few CVEs not yet listed in the NVD.

 4. Around 50 CISA KEVs cannot be detected using popular scanners (Nessus,
    Nexpose, or Qualys) as the scanner plugins are missing.

 5. Several of the CVEs listed in the KEV are linked to known ransomware gangs
    and threat groups.

In the vulnerability prioritization process, the entire list of the KEV catalog
will need to be prioritized and remediated, but CISA has been updating it
continuously, adding hundreds of vulnerabilities every month. For enterprises
and organizations, the challenge is to identify what to remediate first.

To exploit a vulnerability, a threat actor performs a set of actions to achieve
their goal; if we can identify the attacker’s behavior in the course of
exploitation, it could be used to prioritize the vulnerability.

Therefore, our researchers undertook an exercise to complete the MITRE mapping
of all vulnerabilities in the CISA KEV, only to encounter the following
challenges:

 * Missing key data

 * Inaccurate data

 * Wrong and misleading information

 * Need for multiple resources to complete data gaps


MITRE ATT&CK’S DATA INCONSISTENCIES AND GAPS

Firstly, most researchers refer to four different databases (the NVD, CWE,
CAPEC, and ATT&CK) to map the tactics, techniques, and procedures for
vulnerabilities. Each source has gaps and inconsistencies, as depicted in the
following image.


The CVE to MITRE ATT&CK mapping is based on the relationship defined by MITRE:
CVE->CWE->CAPEC->ATT&CK.



The cause of each vulnerability is a weakness (a flaw, bug, or error in software
or hardware implementation, code design, or architecture that is left
unaddressed), categorized under the Common Weakness Enumeration (CWE), that
leaves systems, networks, or hardware vulnerable to attack.

The exploitation of the flaw by a malicious actor has an attack pattern
associated with it, defined by MITRE in the CAPEC dictionary.

The implementation of an attack pattern calls for the use of various tactics,
techniques, and procedures (TTPs) by the attacker—collected and defined in the
ATT&CK database.

The following are the inconsistencies and gaps that we noticed in the MITRE
resources while mapping:



HOW DID WE MAP MISSING CWES?

We found that 132 CVEs were not mapped to their corresponding CWEs. Our experts
had to refer to reliable sources outside the NVD to identify the associated
weaknesses and fill this gap.

In a few cases where CWE information could not be found across all sources, we
assessed the historical context of the KEVs and mapped them to similar
weaknesses, taking their CWEs into account.

For example, CVE-2022-0609, a use-after-free vulnerability in Chrome animation,
remains unmapped to a weakness category. However, CVE-2021-4102, a similar
use-after-free vulnerability in Chrome V8, has been mapped to CWE-416
(use-after-free category). Logically, CVE-2022-0609 can then also be mapped to
CWE-416.




DEPRECATED CWE IDS

We found 34 vulnerabilities from the KEV catalog mapped to obsolete and
deprecated CWE IDs. Inaccurate mapping contributes to data inaccuracies and
prevents security researchers from understanding attack techniques and tactics.

To get around this challenge, we replaced each deprecated category ID with the
ID of a member weakness of that category, so that vulnerabilities were mapped to
a current weakness enumeration.

For example, CVE-2021-31207, categorized under CWE-254, can instead be mapped to
CWE-284, a member of category ID 254.




CAPEC MAPPING

The number of KEVs with missing CAPEC IDs is 121. We found that replacing
deprecated or obsolete CWEs with appropriate CWE IDs for a vulnerability fixes
the CWE–CAPEC gaps.

For example, CVE-2015-1130 was assigned to a deprecated CWE category ID of 254
(termed 7PK), which did not have a CAPEC ID or MITRE ATT&CK mapping. We analyzed
the CVE description, which stated “allows local users to obtain admin privileges
via unspecified vectors”, and tied it to the appropriate CWE-284: Improper Access
Control. We also linked it to the child node weakness category CWE-269:
Improper Privilege Management. This enabled us to add the corresponding CAPEC IDs
58|122|233 and complete the MITRE ATT&CK mapping to its respective technique,
T1548: Abuse Elevation Control Mechanism.



Our researchers broadened their analytical scope and checked for taxonomy
mappings for parent/child CAPEC IDs and adopted child mapping for missing parent
IDs.

For instance, CAPEC-112 has no associated MITRE ATT&CK mapping but is used for
brute-force attacks. However, CAPEC-49, a similar password brute-forcing child
category of CAPEC-112, has been mapped to the MITRE technique: T1110 – Brute
Force. Therefore, we mapped CAPEC-112 to MITRE T1110 – Brute Force.
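The three gap-filling rules described above (borrowing a CWE from a similar CVE, replacing a deprecated CWE category with a member weakness, and borrowing a child CAPEC's ATT&CK mapping) can be expressed as one resolver over the CVE->CWE->CAPEC->ATT&CK chain. This is an added example, not CSW's tooling; its lookup tables are constructed from the IDs quoted in this post and stand in for the real NVD and MITRE feeds.

```python
"""Resolve CVE -> CWE -> CAPEC -> ATT&CK with the post's three gap-filling rules:
borrow a similar CVE's CWE, replace a deprecated CWE category with a member
weakness, and borrow a child CAPEC's ATT&CK mapping when the parent has none."""

# Constructed sample tables using only IDs quoted in the post, not real feeds.
CVE_TO_CWE = {
    "CVE-2021-31207": ["CWE-254"],            # deprecated category ("7PK")
    "CVE-2015-1130": ["CWE-284", "CWE-269"],
    "CVE-2021-4102": ["CWE-416"],
    "CVE-2022-0609": [],                      # no CWE in the NVD
}
SIMILAR_CVE = {"CVE-2022-0609": "CVE-2021-4102"}    # both Chrome use-after-free
DEPRECATED_CATEGORY_MEMBERS = {"CWE-254": ["CWE-284"]}
# The post ties the CVE-2015-1130 CWEs to CAPEC 58|122|233 as a group.
CWE_TO_CAPEC = {"CWE-284": ["CAPEC-58", "CAPEC-122", "CAPEC-233"],
                "CWE-269": ["CAPEC-58", "CAPEC-122", "CAPEC-233"]}
CAPEC_TO_ATTACK = {"CAPEC-58": ["T1548"], "CAPEC-122": ["T1548"],
                   "CAPEC-233": ["T1548"], "CAPEC-49": ["T1110"]}
CAPEC_CHILDREN = {"CAPEC-112": ["CAPEC-49"]}   # CAPEC-112 itself has no mapping

def resolve_cwes(cve, gaps):
    """CWEs for a CVE, applying the missing-CWE and deprecated-category fixes."""
    cwes = CVE_TO_CWE.get(cve, [])
    if not cwes and cve in SIMILAR_CVE:
        gaps.append(f"{cve}: no CWE, borrowed from similar {SIMILAR_CVE[cve]}")
        cwes = CVE_TO_CWE.get(SIMILAR_CVE[cve], [])
    resolved = []
    for cwe in cwes:
        members = DEPRECATED_CATEGORY_MEMBERS.get(cwe)
        if members:
            gaps.append(f"{cwe} is a deprecated category, using {members}")
            resolved.extend(members)
        else:
            resolved.append(cwe)
    return resolved

def attack_for_capec(capec, gaps):
    """ATT&CK techniques for a CAPEC, falling back to its children's mapping."""
    techniques = CAPEC_TO_ATTACK.get(capec)
    if techniques:
        return list(techniques)
    techniques = [t for child in CAPEC_CHILDREN.get(capec, [])
                  for t in attack_for_capec(child, gaps)]
    if techniques:
        gaps.append(f"{capec} has no ATT&CK mapping, borrowed from its children")
    return techniques

def resolve(cve):
    """Full chain for one CVE, plus a record of every gap that was filled."""
    gaps = []
    cwes = resolve_cwes(cve, gaps)
    capecs = sorted({c for w in cwes for c in CWE_TO_CAPEC.get(w, [])})
    techniques = sorted({t for c in capecs for t in attack_for_capec(c, gaps)})
    return {"cwes": cwes, "capecs": capecs, "techniques": techniques, "gaps": gaps}
```

The `gaps` list is the audit trail: every substitution is recorded so a reviewer can see which mappings came from the source data and which were inferred.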


For other vulnerabilities without taxonomy mappings, we used a Natural Language
Processing (NLP)–based association method. We created a keyword dictionary for
each MITRE technique and sub-technique from its description, procedure, and
platform fields; TF-IDF vectorization over these fields yields a filtered set of
keywords for each entity. These keyword sets were then matched against the CAPEC
descriptions.

Here is an example of how we did it:

For CAPEC-ID 66 (SQL injection), the attack exploits software that constructs
SQL statements based on the user input. Attacker-crafted input strings force the
software to construct SQL statements that perform malicious actions instead. The
SQL injection results from the failure of the application to validate the input
appropriately.

The MITRE ATT&CK technique T1190: Exploit Public-Facing Application is used to
target websites and databases that include SQL databases. Therefore, keywords
such as [ “T1190” ] = [ “Public-facing,” “SMB,” “SQL,” “SQL Injection,” …] were
searched for, resulting in the mapping of CAPEC-66 to T1190.
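The keyword-dictionary method just described, carried through for the CAPEC-66 to T1190 case, as an added example that is not the post's own tooling: TF-IDF is computed by hand over a constructed three-technique corpus (short stand-ins for the description, procedure and platform text, not ATT&CK's wording), and each CAPEC description is scored by how many of a technique's top keywords it contains.

```python
import math
import re
from collections import Counter

# Constructed stand-ins for the description/procedure/platform text of three
# techniques named in the post; not ATT&CK's actual wording.
TECHNIQUE_TEXT = {
    "T1190": ("exploit public-facing application sql injection sql database "
              "web server website smb internet-facing application"),
    "T1110": ("brute force password guessing credential login account "
              "password spray cracking"),
    "T1548": ("abuse elevation control mechanism privilege escalation sudo "
              "setuid uac bypass admin privilege"),
}
STOPWORDS = {"the", "a", "an", "of", "to", "and", "that", "on", "is", "for",
             "from", "based", "by", "in"}

def tokenize(text):
    """Lower-case word tokens, hyphenated terms kept whole, stopwords dropped."""
    return [w for w in re.findall(r"[a-z0-9][a-z0-9-]*", text.lower())
            if w not in STOPWORDS]

def tfidf_keywords(docs, top_n=6):
    """Keyword dictionary: the top_n TF-IDF terms of each technique."""
    tokens = {d: tokenize(t) for d, t in docs.items()}
    df = Counter(w for ws in tokens.values() for w in set(ws))
    n = len(docs)
    dictionary = {}
    for d, ws in tokens.items():
        tf = Counter(ws)
        scored = {w: (tf[w] / len(ws)) * math.log(n / df[w]) for w in tf}
        # Sort by score, then alphabetically, so the result is deterministic.
        ranked = sorted(scored, key=lambda w: (-scored[w], w))
        dictionary[d] = set(ranked[:top_n])
    return dictionary

def match_capec(capec_text, dictionary):
    """Score a CAPEC description by keyword hits; best is None if nothing hits."""
    words = set(tokenize(capec_text))
    hits = {t: len(words & kws) for t, kws in dictionary.items()}
    best = max(hits, key=hits.get)
    return (best if hits[best] > 0 else None), hits

# Constructed paraphrase of the CAPEC-66 description quoted in the post.
CAPEC_66 = ("The attack exploits software that constructs SQL statements based "
            "on user input. Attacker-crafted input strings force the software to "
            "construct SQL statements that perform malicious actions. The SQL "
            "injection results from the failure of the application to validate "
            "the input appropriately.")

if __name__ == "__main__":
    # 'force' in the CAPEC text also hits T1110 once: keyword overlap is noisy,
    # so the hit counts are worth keeping alongside the chosen technique.
    print(match_capec(CAPEC_66, tfidf_keywords(TECHNIQUE_TEXT)))
```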




WHY IS MITRE MAPPING OF CISA KEVS IMPORTANT?

Understanding how the adversary operates is essential to effective
cybersecurity. Attackers exploit each vulnerability for a purpose. It could be
to gain initial access, escalate privileges, or merely conduct reconnaissance.

By mapping each vulnerability to the MITRE ATT&CK framework, researchers learn
the purpose and impact of its exploitation within the environment, allowing them
to aggregate the risk the vulnerability poses. It helps them prioritize
high-impact vulnerabilities above others.

> For example, a researcher will always prioritize a CVE that can be exploited
> against public-facing applications over a vulnerability exploited for data
> collection. From a prioritization perspective, researchers would focus on
> remediating vulnerabilities that attackers could potentially exploit to gain
> an initial foothold in the system. The first step would always be to deny
> access to malicious actors. This additional layer of understanding provides
> researchers with the context that allows them to prioritize vulnerabilities.


However, the knowledge gaps in MITRE’s sources, such as the NVD, CWE, CAPEC, and
ATT&CK, are a serious handicap to security teams. These gaps leave teams unable
to protect and defend networks against insidious attacks.


WHAT CAN MITRE DO TO ADDRESS THESE GAPS?

 1. The most efficient method to reduce gaps is to automate the mapping of
    vulnerabilities to attack patterns. Developing an automatic process for
    mapping MITRE ATT&CK to your vulnerabilities increases your ability to
    measure the impact of the CVEs. This would give security teams accurate
    context on adversary behaviors and how they may attack your network.

 2. Additionally, this mapping should be extended to ransomware, APT groups, and
    threat actors. This enables better prioritization of network vulnerabilities
    or general exposures from an audit perspective.

> Through this research, we have highlighted the vast information gaps in
> vulnerability databases that give attackers a window of opportunity to stage a
> cyberattack. These gaps inhibit security teams from making informed decisions
> about prioritizing and patching critical vulnerabilities that are attractive
> targets for attackers. 

Most organizations do not currently invest in the resources, or have the time or
the expertise, required to assess over 17 database resources and find accurate
information to map the attack patterns of each vulnerability.



Our team continuously analyzes and fills the gaps in information every time CISA
updates the KEVs. We have been able to help many of our customers in the public
sector by highlighting these weaknesses and prioritizing them appropriately. 

We can help you prioritize CISA KEVs. Talk to us now!


