MITRE Mapping of CISA KEVs and its Challenges
Posted on Jun 29, 2022 | By CSW Research Team
MITRE ATT&CK is a knowledge base that documents adversarial tactics, techniques, and procedures (TTP) and provides an evolving list of behaviors that attackers employ to compromise enterprises. By mapping the vulnerabilities to TTP, we learn how attackers exploited them and what they gained through this exploitation. This provides the security teams and researchers with a simulation of tactics used by adversaries and helps them prioritize the vulnerabilities for remediation.
In this blog, we have documented how CSW’s security researchers performed the MITRE’s mapping of the CISA KEV catalog and have spotlighted the challenges they overcame to complete the exercise.
Inadequacies of CISA KEVs
CISA released a catalog called Known Exploited Vulnerabilities (KEV) on November 3, 2021, with a directive for federal agencies to identify and remediate oft-exploited vulnerabilities.
While the goal of this directive was to kick-start risk based vulnerability management and remediation in the public sector, we found that security teams are finding it challenging to prioritize these vulnerabilities due to the lack of context and multiple inadequacies in the data.
The CISA KEV at present is merely a ‘table of CVEs’ with hard deadlines to patch.
There is no threat context attached to this information that can be used to prioritize them.
CVSS scores for many CVEs are missing, and over 11% have medium scores, which are unreliable because these are oft-exploited vulnerabilities.
The CISA KEV also has a few CVEs not yet listed in the NVD.
Around 50 CISA KEVs cannot be detected using popular scanners (Nessus, Nexpose, or Qualys) as the scanner plugins are missing.
Several of the CVEs that are linked to known Ransomware gangs and Threat groups are listed as a part of the KEVs.
In the vulnerability prioritization process, the entire list of the KEV catalog will need to be prioritized and remediated, but CISA has been updating it continuously, adding hundreds of vulnerabilities every month. For enterprises and organizations, the challenge is to identify what to remediate first.
To exploit a vulnerability, a threat actor performs a set of actions to achieve their goal; if we can identify the attacker’s behavior in the course of exploitation, it could be used to prioritize the vulnerability.
Therefore, our researchers undertook an exercise to complete the MITRE mapping of all vulnerabilities in the CISA KEV, only to encounter the following challenges:
Missing key data
Wrong and misleading information
Need for multiple resources to complete data gaps
MITRE ATT&CK’s Data Inconsistencies and Gaps
Firstly, most researchers refer to four different (the NVD, CWE, CAPEC, and ATT&CK) databases to map the techniques, tactics, and procedures for vulnerabilities. Each source has gaps and inconsistencies, as depicted in the following image.
The CVE to MITRE ATT&CK mapping is based on the relationship defined by MITRE: CVE->CWE->CAPEC->ATT&CK.
The cause of each vulnerability is a weakness (flaws, bugs, errors in software or hardware implementation, code design, or architecture that is left unaddressed). categorized under Common Weakness Enumeration (CWE) resulting in systems, networks, or hardware being vulnerable to attacks.
The exploitation of the flaw by a malicious actor has an attack pattern associated with it, defined by MITRE in the CAPEC dictionary.
The implementation of an attack pattern calls for the use of various tactics, techniques, and procedures (TTPs) by the attacker—collected and defined in the ATT&CK database.
The following are the inconsistencies and gaps that we noticed in the MITRE resources while mapping:
How Did We Map Missing CWEs?
We found that 132 CVEs were not mapped to their corresponding CWEs. Our experts had to refer to reliable sources outside the NVD to fix this gap to identify associated weaknesses.
In a few cases where CWE information could not be found across all sources, we assessed the historical context of the KEVs and mapped them to similar weaknesses, taking their CWEs into account.
For example, CVE-2022-0609, a use-after-free vulnerability in Chrome animation, remains unmapped to a weakness category. However, CVE-2021-4102, a similar use-after-free vulnerability in Chrome V8, has been mapped to CWE-416 (use-after-free category). Logically, CVE-2022-0609 can then also be mapped to CWE-416.
Deprecated CWE IDs
We found 34 vulnerabilities from the KEV catalog mapped to obsolete and deprecated CWE IDs. Inaccurate mapping contributes to data inaccuracies and prevents security researchers from understanding attack techniques and tactics.
To get around this challenge, we replaced CWE IDs with membership IDs to ensure that vulnerabilities were mapped to the correct weakness enumeration.
For example, CVE-2021-31207, categorized under CWE-254, could be replaced by CWE-284, a part of category ID 254.
The number of KEVs with missing CAPEC IDs is 121. We found that replacing deprecated or obsolete CWEs with appropriate CWE IDs for a vulnerability fixes the CWE–CAPEC gaps.
For example, CVE-2015-1130 was assigned to a deprecated CWE category ID of 254 (termed 7PK), which did not have a CAPEC ID or MITRE ATT&CK mapping. We analyzed the CVE description that stated "allows local users to obtain admin privileges via unspecified vectors” and tied it to the appropriate CWE-284: Improper Access Control. We also linked it to the child node weakness category of CWE 269: Improper Privilege Management. This enabled us to add the corresponding CAPEC ID 58|122|233 and complete the MITRE ATT&CK mapping to its respective technique -T1548 - Abuse Elevation Control Mechanism.
Our researchers broadened their analytical scope and checked for taxonomy mappings for parent/child CAPEC IDs and adopted child mapping for missing parent IDs.
For instance, CAPEC-112 has no associated MITRE ATT&CK mapping but is used for brute-force attacks. However, CAPEC-49, a similar password brute-forcing child category of CAPEC-112, has been mapped to the MITRE technique: T1110 - Brute Force. Therefore, we mapped CAPEC-112 to MITRE T1110 - Brute Force.
For other vulnerabilities without taxonomy mappings, we used the Natural Language Processing (NLP)–based association method. We created a keyword dictionary for each MITRE technique and sub-technique using the description, procedures, and platform fields where TF-IDF vectorization can be implemented to obtain a filtered set of keywords for each entity. These were then used to map the CAPEC descriptions.
Here is an example of how we did it:
For CAPEC-ID 66 (SQL injection), the attack exploits software that constructs SQL statements based on the user input. Attacker-crafted input strings force the software to construct SQL statements that perform malicious actions instead. The SQL injection results from the failure of the application to validate the input appropriately.
The MITRE ATT&CK technique T1190: Exploit Public-Facing Application is used to target websites and databases that include SQL databases. Therefore, keywords such as [ “T1190” ] = [ “Public-facing,” “SMB,” “SQL,” “SQL Injection,” …] were searched for, resulting in the mapping of CAPEC-66 to T1190.
Why Is MITRE Mapping of CISA KEVs Important?
Understanding how the adversary operates is essential to effective cybersecurity. Attackers exploit each vulnerability for a purpose. It could be to gain initial access, escalate privileges, or merely conduct reconnaissance.
By mapping each vulnerability to the MITRE ATT&CK framework, researchers learn the purpose and impact of its exploitation within the environment, allowing them to aggregate the risk the vulnerability poses. It helps them prioritize high-impact vulnerabilities above others.
For example, a researcher will always prioritize a CVE that can be exploited against public-facing applications over a vulnerability exploited for data collection. From a prioritization perspective, researchers would focus on remediating vulnerabilities that attackers could potentially exploit to gain an initial foothold in the system. The first step would always be to deny access to malicious actors. This additional layer of understanding provides researchers with the context that allows them to prioritize vulnerabilities.
However, the knowledge gaps in MITRE’s sources, such as the NVD, CWE, CAPEC, and ATT&CK, are a serious handicap to security teams. The impact of these handicaps results in an inability to protect and defend networks against insidious attacks.
What can MITRE do to address these gaps?
The most efficient method to reduce gaps is to automate the vulnerability mapping process of the attack patterns. Developing an automatic mapping process of MITRE ATT&CK to your vulnerabilities increases your ability to measure the impact of the CVEs. This would give security teams an accurate context of adversary behaviors and how they may attack your network.
Additionally, this mapping should be extended to ransomware, APT groups, and threat actors. This enables better prioritization of network vulnerabilities or general exposures from an audit perspective.
Through this research, we have highlighted the vast information gaps in vulnerability databases that give attackers a window of opportunity to stage a cyberattack. These gaps inhibit security teams from making informed decisions about prioritizing and patching critical vulnerabilities that are attractive targets for attackers.
Most organizations are not currently investing in the resources or have the time or the expertise required to assess over 17 database resources and find the accurate information to map the attack patterns of each vulnerability.
Our team continuously analyzes and fills the gaps in information every time CISA updates the KEVs. We have been able to help many of our customers in the public sector by highlighting these weaknesses and prioritizing them appropriately.
We can help you prioritize CISA KEVs. Talk to us now!
Never miss a patch or an update with CSW's Patch Watch Newsletter. Subscribe now!