MAPPING ATT&CK TO CVE FOR IMPACT

Project Summary

Published : Oct 21, 2021

This research defines a methodology for using MITRE ATT&CK® to characterize the potential impacts of vulnerabilities. ATT&CK’s tactics and techniques enable defenders to quickly understand how a vulnerability can impact them.  Vulnerability reporters and researchers use the methodology to describe the impact of vulnerabilities, enabling defenders to easily integrate vulnerability information into their risk models and identify appropriate compensating security controls. This methodology aims to establish a critical connection between vulnerability management, threat modeling, and compensating controls.

Problem

Defenders struggle to integrate vulnerability and threat information and lack a consistent view of how adversaries use vulnerabilities to achieve their goals. Without this context, it is difficult to appropriately prioritize vulnerabilities.

SOLUTION

Develop a methodology to use the adversary behaviors described in ATT&CK to characterize the impact of CVEs, providing much-needed context.

IMPACT

CVEs linked to ATT&CK techniques form a crucial contextual bridge between vulnerability management, threat modeling, and compensating controls, empowering defenders to better assess the true risk posed by specific vulnerabilities in their environment.

funding Research Participants

Leadership Spotlight: 
Collaborative Leadership Driving Innovation

 

Hear directly from research participants about this project and why it matters. Learn how these leaders are changing the game on the adversary.

Adoption Spotlights: Center R&D in Action

Adoption Spotlights showcase the Center’s R&D in action to help the community adopt threat-informed defense. Learn how these organizations are leveraging Center R&D to change the game on the adversary.

  • New call-to-action
  • New call-to-action

Share This Project

Stay Informed

Stay informed about new releases of R&D projects and other exciting updates from the Center for Threat-Informed Defense.