
Mitre and EPSS, can we cross the chasm in vulnerability management


The MITRE ATT&CK framework and the Exploit Prediction Scoring System (EPSS) are two pivotal elements of a defence strategy for vulnerability management, and together they form an essential pairing for cybersecurity professionals worldwide. At Phoenix Security we have been researching EPSS for a long time, and today we present new research linking EPSS, CVSS, vulnerabilities, NVD and the MITRE ATT&CK framework. This blog post explores these frameworks and highlights the top techniques with high and low exploitation probabilities, underscoring the importance of continuous vulnerability assessment and the vigilance required to thwart attackers.

Caveat: this is an initial approach, and we will publish further advances in the coming months.

Previous academic work has led to some mappings, and there is a continuous effort from MITRE to map CVEs to ATT&CK techniques (official page here). We modelled those efforts so we could map several CVEs to attack techniques. The automated approach we adopted is this academic work, which leverages the CWE, the CAPEC and the description of the vulnerability.

https://youtu.be/P_4sAjn528A

Deciphering the MITRE ATT&CK Framework and EPSS:

The MITRE ATT&CK framework catalogues the tactics and techniques used by cyber adversaries, providing an extensive playbook for understanding and preparing against cyberattacks. On the other hand, EPSS is a predictive model that assesses the likelihood of a given vulnerability being exploited in the wild. By integrating the insights from MITRE ATT&CK with the predictive power of EPSS, organizations can focus their efforts on the most pressing threats.

What is EPSS, and what it expresses

The Exploit Prediction Scoring System (EPSS) is an open-source initiative, part of the FIRST group, that provides a probabilistic assessment of the likelihood of a vulnerability being exploited in the wild. We have analysed many datasets alongside EPSS, such as vulnerabilities exploited in the wild, CISA KEV, and more. Focusing on techniques with low EPSS scores offers a glimpse into strategies that, while still critical, pose a less immediate threat. Let’s unravel the details behind the top three techniques characterised by low exploitation scores, according to MITRE ATT&CK.

A snapshot of EPSS and MITRE ATT&CK in the vulnerability framework


Top 10 Attack Techniques by Frequency:

  • T1059 (Execution) – 40,949 occurrences
  • T1059.007 (JavaScript) – 23,481 occurrences
  • T1068 (Exploitation for Privilege Escalation) – 4,808 occurrences
  • T1078 (Valid Accounts) – 3,726 occurrences
  • T1499 (Endpoint Denial of Service) – 1,794 occurrences
  • T1505.003 (Web Shell) – 1,708 occurrences
  • T1552 (Unsecured Credentials) – 1,223 occurrences
  • T1078.001 (Default Accounts) – 1,015 occurrences
  • T1499.004 (Application or System Exploitation) – 528 occurrences
  • T1563 (Remote Service Session Hijacking) – 254 occurrences

Top 10 Attack Techniques by High EPSS Count:

  • T1059 (Execution) – 818 occurrences
  • T1059.007 (JavaScript) – 123 occurrences
  • T1190 (Exploit Public-Facing Application) – 62 occurrences
  • T1078.001 (Default Accounts) – 41 occurrences
  • T1068 (Exploitation for Privilege Escalation) – 17 occurrences
  • T1078 (Valid Accounts) – 17 occurrences
  • T1499 (Endpoint Denial of Service) – 10 occurrences
  • T1552 (Unsecured Credentials) – 10 occurrences
  • T1499.004 (Application or System Exploitation) – 5 occurrences
  • T1574; T1499.004 (Hijack Execution Flow; Application or System Exploitation) – 2 occurrences


The techniques with a high number of high-EPSS vulnerabilities are the ones that require immediate attention. They represent vulnerabilities with a greater chance of being exploited, often because of their ease of execution, high impact, or recent discovery.
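As an added illustration (not code from this post or from Phoenix Security), the aggregation behind the two rankings above, run over a few constructed CVE records: each CVE is mapped to ATT&CK techniques through an assumed CAPEC/CWE lookup table, counted once per technique combination for frequency, and counted again when its EPSS probability reaches an assumed "high" threshold. The lookup table, the 0.5 threshold and every CVE identifier and score are assumptions made for the example.

```python
from collections import Counter

# Assumed lookup tables (hypothetical): the post maps CVEs to ATT&CK techniques
# through CWE, CAPEC and description; real tables would come from MITRE's
# CVE-to-ATT&CK mapping effort referenced above.
CAPEC_TO_TECHNIQUE = {
    "CAPEC-88": "T1059",       # OS command injection -> Command and Scripting Interpreter
    "CAPEC-242": "T1059.007",  # code injection -> JavaScript
    "CAPEC-233": "T1068",      # privilege escalation
    "CAPEC-469": "T1499.004",  # application-layer denial of service
}
CWE_TO_TECHNIQUE = {"CWE-78": "T1059"}  # fallback when a record carries no CAPEC
HIGH_EPSS = 0.5  # assumed cut-off for a "high EPSS" CVE; the post states none

# Constructed sample records: identifiers and EPSS probabilities are made up.
SAMPLE_CVES = [
    {"id": "CVE-0000-0001", "cwe": "CWE-78", "capec": ["CAPEC-88"], "epss": 0.91},
    {"id": "CVE-0000-0002", "cwe": "CWE-78", "capec": ["CAPEC-88"], "epss": 0.02},
    {"id": "CVE-0000-0003", "cwe": "CWE-79", "capec": ["CAPEC-242"], "epss": 0.60},
    {"id": "CVE-0000-0004", "cwe": "CWE-269", "capec": ["CAPEC-233"], "epss": 0.01},
    {"id": "CVE-0000-0005", "cwe": "CWE-400", "capec": ["CAPEC-469", "CAPEC-233"], "epss": 0.70},
    {"id": "CVE-0000-0006", "cwe": "CWE-78", "capec": [], "epss": 0.30},
    {"id": "CVE-0000-0007", "cwe": "CWE-999", "capec": ["CAPEC-999"], "epss": 0.95},
]


def techniques_for(cve):
    """Sorted, de-duplicated techniques for one CVE; CAPEC first, CWE as fallback."""
    techs = {CAPEC_TO_TECHNIQUE[c] for c in cve["capec"] if c in CAPEC_TO_TECHNIQUE}
    if not techs and cve["cwe"] in CWE_TO_TECHNIQUE:
        techs.add(CWE_TO_TECHNIQUE[cve["cwe"]])
    return sorted(techs)  # [] means the CVE could not be mapped


def aggregate(cves, threshold=HIGH_EPSS):
    """Return (frequency, high_epss) Counters keyed by technique combination.
    A CVE mapping to several techniques is counted once under a joined key such
    as "T1068; T1499.004", the same form the post uses for combined entries."""
    frequency, high_epss = Counter(), Counter()
    for cve in cves:
        techs = techniques_for(cve)
        if not techs:
            continue  # unmapped CVEs contribute to neither ranking
        key = "; ".join(techs)
        frequency[key] += 1
        if cve["epss"] >= threshold:
            high_epss[key] += 1
    return frequency, high_epss


def low_epss(frequency, high_epss):
    """Per-technique count of CVEs below the threshold (Counter subtraction drops zeros)."""
    return frequency - high_epss
```

Calling `aggregate(SAMPLE_CVES)` and then `.most_common(10)` on each Counter yields rankings in the same shape as the frequency and high-EPSS lists above; the unmapped seventh record is dropped rather than silently attributed to a technique.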


1. T1059: Execution

Frequency: 40,949

High EPSS Count: 818

At the apex of our list is Technique T1059, classified under the ‘Execution’ tactic. This technique represents an adversary’s attempt to execute arbitrary code through various means such as command-line interfaces, scripts, or malicious binaries. The prevalence of this technique underscores the criticality of monitoring and controlling execution paths in your environment.

Key defenses include strict execution policies, robust endpoint protection, and vigilant monitoring of common scripting environments like PowerShell and WMI. Organizations should ensure that they have the capacity to detect unusual command-line arguments or scripts that could indicate malicious activity.

2. T1059.007: JavaScript

Frequency: 23,481

High EPSS Count: 123

The runner-up is a subset of the Execution technique, T1059.007, which involves the use of JavaScript for execution. JavaScript, widely used for legitimate purposes, can also be a potent tool for attackers to execute malicious code on a victim’s system or within a browser.

The subtlety of JavaScript-based attacks calls for web browsers and email clients to be configured to disable or prompt before executing JavaScript, particularly when it originates from untrusted sources. Additionally, employing content disarm and reconstruction (CDR) technology can neutralise potential threats in web traffic.

3. T1068: Exploitation for Privilege Escalation

Frequency: 4,808

High EPSS Count: 17

Technique T1068 involves attackers exploiting software vulnerabilities to gain higher-level permissions on a system or network. The frequency of this technique is a stark reminder of the importance of keeping systems patched and up-to-date.

Preventative measures include rigorous patch management policies, vulnerability scanning, and the principle of least privilege—ensuring users have only the access necessary to perform their duties. Employing behavioral analytics can also help in detecting abnormal access patterns that may indicate attempted privilege escalation.

Conversely, techniques whose vulnerabilities carry low EPSS scores should not be overlooked. They offer a snapshot of the threat landscape’s evolution, where once-prevalent vulnerabilities have become less of a target, possibly due to widespread remediation or the introduction of robust security controls.

The fluctuating nature of EPSS scores serves as a reminder that vulnerabilities are dynamic. What may be a secure fortress today could turn into a weak link tomorrow. This dynamic underscores the critical need for ongoing vulnerability assessment and management. Proactive scanning, timely patching, and continuous monitoring are recommended practices and necessary rituals in the cybersecurity realm.

Top 3 Attack Techniques by Low EPSS:

1. T1059: Command and Scripting Interpreter

  • Frequency: 16,648
  • Low EPSS: Signifying a lower chance of exploitation

T1059 is a technique that involves the use of command and scripting interpreters to execute commands, scripts, or binary executables. Despite its high occurrence, its current low EPSS suggests that adequate defensive measures, such as script execution restrictions, user awareness training, and stringent access controls, are commonly in place, reducing its immediate exploitation risk.

2. T1068: Exploitation for Privilege Escalation

  • Frequency: 4,788
  • Low EPSS: Indicating a lower likelihood of being exploited

Privilege escalation remains a pivotal step in many cyberattacks, allowing threat actors to gain elevated access and control over systems. Technique T1068 encompasses the exploitation of system weaknesses to gain higher-level privileges. The low EPSS score can often be attributed to the widespread awareness of this technique, the prevalence of security updates, and the adoption of privilege management solutions that mitigate this risk.

3. T1499.004: Application or System Exploitation

  • Frequency: 483
  • Low EPSS: Reflecting a lesser exploitation probability

This sub-technique of T1499 involves leveraging software vulnerabilities to cause a denial of service. While disruptive, the lower exploitation score may reflect effective patch management policies, the deployment of intrusion prevention systems, and other proactive security measures that organizations have put in place, diminishing the exploitability of known vulnerabilities.


Further Work: A Deeper Dive into Cybersecurity Analysis

The journey doesn’t end here. The cybersecurity landscape demands a proactive stance, and at Phoenix, our path forward includes a deeper analysis of other techniques outlined in the MITRE ATT&CK framework. By examining the interplay between EPSS scores, CVE vulnerabilities, and the real-world applications of these techniques, we aim to refine our defensive tactics and enhance our threat intelligence.

With each step, we strive to advance our understanding of adversarial strategies, improve our defensive capabilities, and contribute to the broader cybersecurity community’s knowledge. Stay tuned for our ongoing analysis, insights, and updates as we continue to navigate the complexities of cybersecurity.

Staying one step ahead of cyber attackers is an ongoing challenge. The combined insights from the MITRE ATT&CK framework and EPSS provide a strategic advantage in this endeavor. However, it’s the commitment to regular vulnerability assessment and the agility to adapt to emerging techniques that ultimately empower organizations to defend against the unknown. By staying alert and informed, we can ensure our digital assets remain under vigilant guard in an ever-shifting threat landscape.

How Phoenix Security Can Help


Phoenix Security helps organizations identify and trace which systems have vulnerabilities, understanding the relation between code and cloud. One of the significant challenges in securing applications is knowing where and how frameworks like Struts are used. ASPM tools can scan the application portfolio to identify instances of Struts, mapping out where it is deployed across the organization. This information is crucial for targeted security measures and efficient patch management. Phoenix Security’s robust Application Security Posture Management (ASPM) system is adept at not just managing, but preempting the exploitation of vulnerabilities through its automated identification system. This system prioritises critical vulnerabilities, ensuring that teams can address the most pressing threats first, optimising resource allocation and remediation efforts.

The Role of Application Security Posture Management (ASPM):

ASPM plays a vital role in managing and securing applications like those built with Apache Struts. It involves continuous assessment, monitoring, and improvement of the security posture of applications. ASPM tools can:

  1. Identify and Track Struts Components: Locate where Struts is implemented within the application infrastructure.
  2. Vulnerability Management: Detect known vulnerabilities in Struts and prioritize them for remediation.
  3. Configuration Monitoring: Ensure Struts configurations adhere to best security practices.
  4. Compliance: Check if the usage of Struts aligns with relevant cybersecurity regulations and standards.

By leveraging Phoenix Security, you not only unravel the potential threats but also take a significant stride in vulnerability management, ensuring your application security remains up to date and focuses on the key vulnerabilities.


Francesco is an internationally renowned public speaker, with multiple interviews in high-profile publications (eg. Forbes), and an author of numerous books and articles, who utilises his platform to evangelize the importance of Cloud security and cutting-edge technologies on a global scale.
