Cybercriminals relentlessly pursue vulnerabilities across cyberspace to exploit software, threatening the security of individuals, organizations, and governments. Although security teams strive to establish defensive measures to thwart attackers, the complexity of cyber defense and the magnitude of existing threats exceed the capacity of defenders. MITRE therefore took the initiative and introduced multiple frameworks to facilitate the vital sharing of vulnerability, attack, and defense knowledge. The Common Vulnerabilities and Exposures (CVE) list and the ATT&CK Matrix are two significant MITRE endeavors. CVE facilitates sharing publicly disclosed vulnerabilities, while ATT&CK collects and categorizes adversaries' Tactics, Techniques, and Procedures (TTPs) and recommends appropriate countermeasures. Because a CVE entry yields only a low-level description of a vulnerability, ATT&CK can complement it by providing insight into the vulnerability from an attacker's perspective, helping defenders counter exploitation attempts. Unfortunately, due to the complexity of this mapping and the rapid growth of both frameworks, mapping CVE to ATT&CK is a daunting and time-intensive undertaking that overwhelms even experts. Multiple studies have proposed models that perform this mapping automatically. However, because they rely on annotated datasets, these models exhibit limitations in quality and coverage and fail to justify their decisions. To overcome these challenges, we present SMET, a tool that automatically maps CVE entries to ATT&CK techniques based on their textual similarity. SMET achieves this mapping by leveraging ATT&CK BERT, a model that we trained with a Siamese network to learn semantic similarity among attack actions. At inference time, SMET combines semantic extraction, ATT&CK BERT, and a logistic regression model to map CVE entries to ATT&CK techniques. SMET demonstrated superior performance compared to other state-of-the-art models.