{"id":7366,"date":"2022-06-29T08:31:51","date_gmt":"2022-06-29T15:31:51","guid":{"rendered":"https:\/\/webdev.securin.xyz\/?p=7366"},"modified":"2023-04-05T12:32:42","modified_gmt":"2023-04-05T19:32:42","slug":"mitre-mapping-of-cisa-kevs-and-its-challenges","status":"publish","type":"post","link":"https:\/\/webdev.securin.xyz\/articles\/mitre-mapping-of-cisa-kevs-and-its-challenges\/","title":{"rendered":"MITRE Mapping of CISA KEVs and its Challenges"},"content":{"rendered":"

MITRE ATT&CK is a knowledge base that documents adversarial tactics, techniques, and procedures (TTPs) and provides an evolving list of behaviors that attackers employ to compromise enterprises. By mapping vulnerabilities to TTPs, we learn how attackers exploited them and what they gained through this exploitation. This provides security teams and researchers with a simulation of the tactics used by adversaries and helps them prioritize the vulnerabilities for remediation.

In this blog, we document how CSW’s security researchers performed the MITRE mapping of the CISA KEV catalog and spotlight the challenges they overcame to complete the exercise.


Inadequacies of CISA KEVs

CISA released a catalog called Known Exploited Vulnerabilities (KEV) on November 3, 2021, with a directive for federal agencies to identify and remediate oft-exploited vulnerabilities.

While the goal of this directive was to kick-start risk-based vulnerability management and remediation in the public sector, we found that security teams are finding it challenging to prioritize these vulnerabilities due to the lack of context and multiple inadequacies in the data.

The CISA KEV at present is merely a ‘table of CVEs’ with hard deadlines to patch.

1. There is no threat context attached to this information that can be used to prioritize them.
2. CVSS scores for many CVEs are missing, and over 11% have medium scores, which are unreliable because these are oft-exploited vulnerabilities.
3. The CISA KEV also has a few CVEs not yet listed in the NVD.
4. Around 50 CISA KEVs cannot be detected using popular scanners (Nessus, Nexpose, or Qualys) as the scanner plugins are missing.
5. Several of the CVEs that are linked to known ransomware gangs and threat groups are listed as part of the KEVs.

In the vulnerability prioritization process, the entire KEV catalog will need to be prioritized and remediated, but CISA has been updating it continuously, adding hundreds of vulnerabilities every month. For enterprises and organizations, the challenge is to identify what to remediate first.

To exploit a vulnerability, a threat actor performs a set of actions to achieve their goal; if we can identify the attacker’s behavior in the course of exploitation, it could be used to prioritize the vulnerability.

Therefore, our researchers undertook an exercise to complete the MITRE mapping of all vulnerabilities in the CISA KEV, only to encounter the following challenges: