The CISO's Guide to Better Vulnerability Management Using MITRE ATT&CK®
Streamline vulnerability and risk management with MITRE ATT&CK and a threat-informed defense
As digitalization of private and public sector organizations continues at pace, the volume of security vulnerabilities increases. The U.S. government recently identified 290 key vulnerabilities in the world that present significant cybersecurity risks to organizations – but large organizations have thousands and thousands of vulnerabilities in their information technology enterprise. No security team can quickly close every vulnerability. Prioritization is the order of the day.
Chief Information Security Officers (CISOs) need to prioritize which vulnerabilities to fix first. Until now, that prioritization has been difficult to achieve. With no link between vulnerability management and threat management, security teams have lacked a clear, comprehensive means of understanding how adversaries might exploit existing vulnerabilities to achieve their strategic objectives.
This problem is solved through a new mapping methodology by MITRE Engenuity’s Center for Threat-Informed Defense: Mapping ATT&CK to CVE for Impact. It uses the MITRE ATT&CK framework, which catalogs common attack techniques, to characterize the impact of each of the vulnerabilities described in the MITRE Corporation’s list of Common Vulnerabilities and Exposures (CVE).
The new CISO’s Guide to Better Vulnerability Management Using MITRE ATT&CK leverages that research and will teach you to:
- Adopt a threat-informed defense and place the adversary at the center of your defensive planning;
- Prioritize which vulnerabilities to close and which attack tactics and techniques to prepare to defend yourself against; and
- Test yourself against a focused list of adversary tactics and techniques using an automated breach and attack simulation (BAS) platform.