Mapping CVEs and ATT&CK Framework TTPs: An Empirical Approach
- Oct 11, 2022
- Michelangelo Sidagni
Categorizing and classifying vulnerabilities and attacks is important to understand how a vulnerability is exploited and how a breach unfolds through different steps including reconnaissance, vulnerability detection, exploitation, privilege escalation, lateral movement, and exfiltration.
This blog post focuses on how to create a bridge (correlation) between the CVE, CAPEC, CWE and ATT&CK vulnerability and attack taxonomies for the purpose of better understanding attack vectors and methods.
The most important and recognized vulnerability categorization and taxonomy is the CVE Program — Common Vulnerability and Exposures, which is defined as:
“The mission of the CVE® Program is to identify, define, and catalog publicly disclosed cybersecurity vulnerabilities. There is one CVE Record for each vulnerability in the catalog. The vulnerabilities are discovered then assigned and published by organizations from around the world that have partnered with the CVE Program. Partners publish CVE Records to communicate consistent descriptions of vulnerabilities. Information technology and cybersecurity professionals use CVE Records to ensure they are discussing the same issue, and to coordinate their efforts to prioritize and address the vulnerabilities.”
The CVE is a glossary that classifies vulnerabilities. The glossary analyzes vulnerabilities and then uses the Common Vulnerability Scoring System (CVSS) to evaluate the threat level of a vulnerability, mostly from the technical standpoint.
The Common Vulnerability Scoring System (CVSS) is an open framework for communicating the characteristics and severity of software vulnerabilities. CVSS consists of three metric groups: Base, Temporal, and Environmental. The Base metrics produce a score ranging from 0 to 10, which can then be modified by scoring the Temporal and Environmental metrics. A CVSS score is also represented as a vector string, a compressed textual representation of the values used to derive the score. Thus, CVSS is well suited as a standard measurement system for industries, organizations, and governments that need accurate and consistent vulnerability severity scores for vulnerability prioritization. The National Vulnerability Database (NVD) provides CVSS scores for almost all known vulnerabilities.
The NVD supports both Common Vulnerability Scoring System (CVSS) v2.0 and v3.X standards. The NVD provides CVSS “base scores” which represent the innate characteristics of each vulnerability. The NVD does not currently provide “temporal scores” (metrics that change over time due to events external to the vulnerability) or “environmental scores” (scores customized to reflect the impact of the vulnerability on your organization). The NVD does supply a CVSS calculator for both CVSS v2 and v3 that lets you add temporal and environmental score data; even so, reliance on CVSS alone is not enough.
In CVSS v3.1, the Base score is composed of the following metrics:
Source: First.Org, Common Vulnerability Scoring System v3.1: Specification Document
The Base metric group represents the intrinsic characteristics of a vulnerability that are constant over time and across user environments. It is composed of two sets of metrics: the Exploitability metrics and the Impact metrics.
The Exploitability metrics reflect the ease and technical means by which the vulnerability can be exploited. That is, they represent characteristics of the thing that is vulnerable, which we refer to formally as the vulnerable component.
The Impact metrics reflect the direct consequence of a successful exploit, and represent the consequence to the thing that suffers the impact, which we refer to formally as the impacted component.
While the vulnerable component is typically a software application, module, driver, etc. (or possibly a hardware device), the impacted component could be a software application, a hardware device, or a network resource. This property is captured by the Scope metric, which reflects whether a vulnerability in one component can impact resources in components beyond itself.
The Temporal metric group reflects the characteristics of a vulnerability that may change over time but not across user environments. For example, the presence of a simple-to-use exploit kit would increase the CVSS score, while the creation of an official patch would decrease it.
The Environmental metric group represents the characteristics of a vulnerability that are relevant and unique to a particular user’s environment. Considerations include the presence of security controls which may mitigate some or all consequences of a successful attack, and the relative importance of a vulnerable system within a technology infrastructure.
MITRE CAPEC is a comprehensive dictionary of known attack patterns that adversaries use to exploit weaknesses in software applications, hardware appliances, and IoT devices. The US Department of Homeland Security initially released it in 2007 to improve software assurance through security awareness at the development stage. The current version as of 2021 is version 3.7, which has 546 attack patterns. CAPEC attack patterns are classified into 6 “Domains” and 9 “Mechanisms” of Attack.
Domains of Attack:
Mechanisms of Attack:
The information in a CAPEC profile is extensive. For example, CAPECs include an ID for tracking and correlation, attack name, high-level description, attack execution procedure, attack prerequisites, severity scope and score, attacker skill requirements, attack success rates, and mapping to CWE (Common Weakness Enumeration).
The CAPEC taxonomy contains, for each attack pattern, a comprehensive mapping to related CWEs, which in turn can be mapped to CVEs; it also contains direct mappings to ATT&CK TTPs. CAPEC-636 is a clear example of this detailed mapping between CAPECs, CWEs, and ATT&CK TTPs: https://capec.mitre.org/data/definitions/636.html
Mapping to CWE dramatically expands the capabilities of CAPEC because CWE can be correlated from a CVE product vulnerability back to a high-level attack pattern.
The traversal between high-level attack information and specific product vulnerabilities enhances threat intelligence and mitigation efforts. An extensive MIT white paper provides a detailed description of stitching CAPECs to MITRE ATT&CK and CWE, CVE, CVSS, and CPE data.
The figure below visualizes how CAPEC’s mappings extend from high-level to low-level information.
Source: fnCyber, “CAPEC – Common Attack Patterns Enumeration and Classification”
For example, let us look at CVE-2020-16875 found in 2020.
The NIST enriched CVE details include the “Weakness Enumeration” field denoting the related CWE category and other valuable information such as vendor advisories and remediation information, CVSS (Common Vulnerability Scoring System), and CPE (Common Platform Enumeration) mapping the vulnerability to a specific product(s).
In this case, the CVE has a CVSS severity score of 7.2 and affects Microsoft Exchange Server software versions from 2013 to 2019 with cumulative updates. The CWE categories listed are CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component and CWE-269 Improper Privilege Management.
In addition, following CWE to CAPEC reveals several categories related to improper input handling and CAPEC-233: Privilege Escalation. Complete CAPEC, CWE, and CVE data are publicly available from MITRE, and the extended CVE to CWE and CPE is available from NIST.
MITRE ATT&CK connects the various tactics of a cyber attack campaign with particular techniques and procedures (TTP). The framework gives insight into how the elements of a cyber attack chain together to achieve a malicious end goal.
Like ATT&CK, CAPEC approaches attack patterns from a Tactics, Techniques, and Procedures (TTP) perspective. However, only 112 out of 546 total CAPECs have been mapped directly to ATT&CK tactics and techniques via the “Relevant to the ATT&CK taxonomy mapping” field available on the relevant CAPEC entries, which reference 244 entries listed in ATT&CK.
Therefore, using both ATT&CK and CAPEC is required for a comprehensive security perspective.
This mapping bridges the adversarial perspective (external) and the security perspective (internal). When starting from the ATT&CK tactic, mapping ATT&CK to CAPECs enables connecting attacker strategy to existing products through CWE to CVE and CPE specifics and a category of software development vulnerability through CWE classifications.
New software vulnerabilities are disclosed via CVE every day. Patching CVEs is a reactive approach. However, a bullet-proof cyber-defense needs to be proactive. CAPEC provides the threat intelligence required for detection and response, security engineering, and orchestration; in addition, CAPEC attack patterns can be used to build high-level threat perspectives. Correlating CAPEC, CWE, CVE, and CPE data enables traversal between high-level information such as attack patterns and low-level information such as affected products with known vulnerabilities, or vice versa.
Finally, CAPEC includes attack patterns mapped to a CWE classification wherever they are not mapped to a CVE — indicating that some CAPEC attack patterns can only be mitigated through policy or software configurations as they do not represent a vulnerability in software code, but rather a weak implementation or configuration.
These CAPEC attack patterns include direct references to ATT&CK TTPs — which in turn can be mapped to CWEs and then to CVE vulnerabilities.
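The CVE → CWE → CAPEC → ATT&CK walk described above, and worked for CVE-2020-16875 earlier in the post, as an added example that is not part of the original post or NopSec’s product: the NVD record and the CAPEC catalog fragment are constructed inline (their layouts are assumed to follow the NVD 2.0 JSON and CAPEC XML exports, namespace omitted), the CWE-269 → CAPEC-233 link comes from the post, and the ATT&CK entry id is a labelled placeholder rather than a real mapping.

```python
import json
import xml.etree.ElementTree as ET

# Constructed NVD-style record for the CVE discussed in the post; only the fields this
# walk needs are present, and the layout is assumed to follow the NVD 2.0 JSON shape.
NVD_RECORD = json.dumps({
    "id": "CVE-2020-16875",
    "weaknesses": [{"description": [{"value": "CWE-74"}, {"value": "CWE-269"}]}],
})

# Constructed CAPEC catalog fragment laid out like CAPEC's XML export (assumed layout,
# namespace omitted). CAPEC-233 and its CWE-269 link come from the post; the ATT&CK
# entry id is a placeholder, not a real mapping.
CAPEC_XML = """<Attack_Patterns>
  <Attack_Pattern ID="233" Name="Privilege Escalation">
    <Related_Weaknesses><Related_Weakness CWE_ID="269"/></Related_Weaknesses>
    <Taxonomy_Mappings>
      <Taxonomy_Mapping Taxonomy_Name="ATTACK"><Entry_ID>T-PLACEHOLDER</Entry_ID></Taxonomy_Mapping>
    </Taxonomy_Mappings>
  </Attack_Pattern>
</Attack_Patterns>"""


def cwes_for_cve(nvd_json: str) -> list:
    """Collect the CWE ids NIST attached to a CVE record (its 'Weakness Enumeration').
    NVD also uses values such as NVD-CWE-Other; those are not CWE ids and are skipped."""
    record = json.loads(nvd_json)
    return sorted({d["value"] for w in record["weaknesses"] for d in w["description"]
                   if d["value"].startswith("CWE-")})


def index_capec(capec_xml: str) -> dict:
    """Build CWE-id -> [CAPEC pattern with its ATT&CK entries] from a CAPEC XML document."""
    index = {}
    for ap in ET.fromstring(capec_xml).iter("Attack_Pattern"):
        attack = [tm.findtext("Entry_ID") for tm in ap.iter("Taxonomy_Mapping")
                  if tm.get("Taxonomy_Name") == "ATTACK"]  # ignore other taxonomies
        entry = {"capec": f"CAPEC-{ap.get('ID')}", "name": ap.get("Name"), "attack": attack}
        for rw in ap.iter("Related_Weakness"):
            index.setdefault(f"CWE-{rw.get('CWE_ID')}", []).append(entry)
    return index


def traverse(nvd_json: str, capec_xml: str) -> dict:
    """CVE -> CWE -> CAPEC -> ATT&CK; a CWE with no CAPEC in the catalog maps to []."""
    index = index_capec(capec_xml)
    return {cwe: index.get(cwe, []) for cwe in cwes_for_cve(nvd_json)}


if __name__ == "__main__":
    print(json.dumps(traverse(NVD_RECORD, CAPEC_XML), indent=2))
```

In the constructed catalog CWE-74 has no CAPEC entry, so the walk reports it with an empty list instead of silently dropping it; that gap is exactly the case where a weakness cannot yet be tied to an attack pattern.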
Automating the mapping of CVEs and ATT&CK framework TTPs enables Vulnerability Managers to focus on remediating vulnerabilities and proactively protect their organization from external and internal threats. NopSec’s Unified VRM provides the vulnerability prioritization using many of these techniques while factoring in the context of your unique environment.
Strong Vulnerability Risk Management (VRM) Programs require combined approaches like mapping CVEs and ATT&CK framework TTPs for comprehensive cybersecurity coverage. Set the foundation for proactive protection.
Learn more about building a successful Vulnerability Risk Management Program directly from the experts. Download the free playbook today.
The Base equation is derived from two sub equations: the Exploitability subscore equation, and the Impact subscore equation. The Exploitability subscore equation is derived from the Base Exploitability metrics, while the Impact subscore equation is derived from the Base Impact metrics.