R&D

AI to Map Software Vulnerabilities to Cyberattack Techniques

Identifying vulnerabilities that are actively exploited by attackers, and understanding how a vulnerability enables the attacker at each stage of the attack life cycle, is critical for vulnerability assessment.

The MITRE Corporation, a nonprofit organization, has made significant contributions to developing and maintaining cybersecurity knowledge bases that the community has widely adopted. One of its most prominent efforts is ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge), a widely accepted taxonomy that catalogs the behaviors of threat actors. At the core of the ATT&CK model are technique-specific actions that adversaries use to achieve their objectives, which are organized under broader tactical objectives. The primary purpose of ATT&CK is to classify adversary behavior, thereby improving the ability to detect advanced intrusions after compromise.

Software vulnerabilities (CVEs) play a critical role in facilitating cyber intrusions. Identifying vulnerabilities actively exploited by attackers and understanding their role in enabling adversaries at various stages of the attack path is essential for effective cyber risk management.

CVE stands for Common Vulnerabilities and Exposures. Owned and maintained by MITRE, the CVE database is a collection of records, each detailing one such vulnerability.

Vulnerabilities can allow attackers to gain direct access to a system or network, execute code, install malware, and access internal systems to steal, destroy, or modify sensitive data. If undetected, an attacker could pose as a superuser or system administrator with full access privileges.

Only a small share of CVEs are classified in the ATT&CK taxonomy, while the volume of disclosed vulnerabilities is not decreasing. In this context, organizations lack a concrete approach to prioritizing CVEs according to their role in the attack chain and the financial losses they could cause if an attack succeeds (reaches the impact phase).

DICYME aims to represent the practical exploitation of vulnerabilities by linking specific software vulnerabilities (CVE entries) to known adversary behaviors. This information is important because it bridges the gap between vulnerabilities in software and how attackers might exploit them in real-world scenarios.

DICYME CVE2TTs

A two-layer neural network model is proposed to automatically map CVEs to MITRE ATT&CK techniques. We address the lack of labels for this task by leveraging the information available for the Enterprise matrix, combined with subject matter expert knowledge for the ICS matrix. We evaluate the approach on the dataset containing the full list of CVEs. Using the proposed model, we mapped all CVE records to all ATT&CK techniques from both the Enterprise and ICS matrices.

The main output of this work is a system that uses deep learning over vulnerability descriptions, vulnerability types, and MITRE technique descriptions to link CVEs to MITRE techniques in both the Enterprise and ICS matrices.
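As an added illustration (not the DICYME code), the shape of such a model in plain Python: a two-layer network over a bag of words built from the CVE description plus its vulnerability type, trained with SGD on a constructed handful of analyst-labelled examples. The technique descriptions the page names as a third input are left out, and the CVE-style descriptions, CWE labels and technique assignments below are constructed sample values.

```python
import math, random, re
# Constructed toy data (not from the page or the DICYME project): CVE-style description,
# vulnerability type (CWE) and the ATT&CK technique an analyst assigned as the label.
TECHNIQUES = ["T1190", "T1068", "T1499"]  # Exploit Public-Facing App, Priv. Escalation, Endpoint DoS
TRAIN = [
    ("remote attacker can execute code via crafted http request to web server", "CWE-787", "T1190"),
    ("unauthenticated remote code execution in web application login page", "CWE-89", "T1190"),
    ("local user can gain root privileges via setuid binary", "CWE-269", "T1068"),
    ("kernel driver allows local users to escalate privileges", "CWE-416", "T1068"),
    ("malformed packet causes daemon crash and denial of service", "CWE-400", "T1499"),
    ("remote attacker can cause denial of service via resource exhaustion", "CWE-770", "T1499"),
]

def tokens(desc, vtype):  # bag of words over the description plus the CWE as one extra token
    return set(re.findall(r"[a-z0-9-]+", desc.lower())) | {vtype.lower()}
VOCAB = sorted(set().union(*(tokens(d, t) for d, t, _ in TRAIN)))
def featurize(desc, vtype):
    toks = tokens(desc, vtype)
    return [1.0 if w in toks else 0.0 for w in VOCAB]

def forward(model, x):
    """Layer 1: tanh hidden units over the bag of words; layer 2: softmax over techniques."""
    W1, b1, W2, b2 = model
    h = [math.tanh(sum(xi * wi for xi, wi in zip(x, w)) + b) for w, b in zip(W1, b1)]
    z = [sum(hj * wj for hj, wj in zip(h, w)) + b for w, b in zip(W2, b2)]
    m = max(z); e = [math.exp(v - m) for v in z]; s = sum(e)
    return h, [v / s for v in e]

def train(hidden=8, epochs=300, lr=0.3, seed=0):
    """Plain SGD on cross-entropy; each weight matrix is stored as one row per output unit."""
    rnd, V, K = random.Random(seed), len(VOCAB), len(TECHNIQUES)
    W1 = [[rnd.uniform(-0.5, 0.5) for _ in range(V)] for _ in range(hidden)]
    W2 = [[rnd.uniform(-0.5, 0.5) for _ in range(hidden)] for _ in range(K)]
    model = (W1, [0.0] * hidden, W2, [0.0] * K)
    data = [(featurize(d, t), TECHNIQUES.index(y)) for d, t, y in TRAIN]
    for _ in range(epochs):
        for x, y in data:
            h, p = forward(model, x)
            dz = [p[k] - (1.0 if k == y else 0.0) for k in range(K)]  # d(cross-entropy)/d(logits)
            dh = [(1 - h[j] ** 2) * sum(dz[k] * W2[k][j] for k in range(K)) for j in range(hidden)]
            for k in range(K):
                W2[k] = [w - lr * dz[k] * hj for w, hj in zip(W2[k], h)]; model[3][k] -= lr * dz[k]
            for j in range(hidden):
                W1[j] = [w - lr * dh[j] * xi for w, xi in zip(W1[j], x)]; model[1][j] -= lr * dh[j]
    return model

def predict(model, desc, vtype):  # -> (technique id, probability) for an unseen CVE
    _, p = forward(model, featurize(desc, vtype))
    best = max(range(len(p)), key=p.__getitem__)
    return TECHNIQUES[best], p[best]
```

A real deployment would train on the ATT&CK-labelled CVE corpus rather than six rows, and would have to revisit the labels as both the CVE list and the technique catalogue change.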

The system regularly retrieves information from public databases and retrains the algorithms to keep the mapping tool up to date.
