Open OzRex08 opened 4 years ago
Yeah, maybe it's not a bad idea!
I also propose this:
Import the CPE dictionary inside OpenCTI. The goal behind this is to map your internal assets so you can be proactive in case of a new vulnerability and, for example, create an alert in your SIEM.
Create a Connector able to:
Map your internal Assets to the Infrastructure object:
@SamuelHassine any thoughts on that?
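The CPE-to-asset mapping proposed above, as an added worked example (not OpenCTI code and not from anyone in this thread): an internal inventory expressed as CPE 2.3 strings is matched against a vulnerability's affected-product criteria, including NVD-style version ranges, and each hit is turned into a JSON line a SIEM could ingest. Hostnames, the `examplecorp` vendor and product names, and the `CVE-0000-00000` identifier are constructed placeholders; the criterion field names mirror NVD's `versionStartIncluding` / `versionEndExcluding` / `versionEndIncluding` but the record format itself is an assumption.

```python
"""Added example (not OpenCTI code): match a CPE-based asset inventory against
a vulnerability's affected-product criteria and emit SIEM alert lines.
All asset, vendor, product and vulnerability identifiers are constructed."""
import json
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The 11 attributes that follow "cpe:2.3:" in a CPE 2.3 formatted string.
CPE_FIELDS = ("part", "vendor", "product", "version", "update", "edition",
              "language", "sw_edition", "target_sw", "target_hw", "other")


def parse_cpe(cpe: str) -> dict:
    """Split a CPE 2.3 formatted string into its attributes.
    A colon escaped as '\\:' inside a value does not split the string."""
    fields = re.split(r"(?<!\\):", cpe)
    if len(fields) != 13 or fields[0] != "cpe" or fields[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe!r}")
    return dict(zip(CPE_FIELDS, fields[2:]))


def version_key(v: str) -> Tuple:
    """Comparison key for dotted versions: numeric components compare as ints
    so that 2.10 > 2.9, non-numeric ones fall back to string order."""
    return tuple((0, int(p)) if p.isdigit() else (1, p)
                 for p in re.split(r"[.\-]", v))


@dataclass
class Criterion:
    cpe: str                                   # match string, version may be '*'
    version_start_including: Optional[str] = None
    version_end_excluding: Optional[str] = None
    version_end_including: Optional[str] = None


@dataclass
class Vulnerability:
    name: str
    criteria: List[Criterion]


def attr_matches(pattern: str, value: str) -> bool:
    """'*' (ANY) in the criterion matches every value; otherwise compare
    case-insensitively ('-' (NA) therefore only matches '-')."""
    return pattern == "*" or pattern.lower() == value.lower()


def cpe_matches(criterion: Criterion, asset_cpe: str) -> bool:
    """True if the asset CPE satisfies the criterion, including its version range."""
    pat, val = parse_cpe(criterion.cpe), parse_cpe(asset_cpe)
    if not all(attr_matches(pat[f], val[f]) for f in CPE_FIELDS if f != "version"):
        return False
    v = val["version"]
    if pat["version"] != "*":
        return pat["version"].lower() == v.lower()      # exact-version criterion
    if v in ("*", "-"):
        return False      # asset version unknown: cannot prove it is in range
    k = version_key(v)
    if criterion.version_start_including and k < version_key(criterion.version_start_including):
        return False
    if criterion.version_end_excluding and k >= version_key(criterion.version_end_excluding):
        return False
    if criterion.version_end_including and k > version_key(criterion.version_end_including):
        return False
    return True


def match_assets(assets: List[dict], vuln: Vulnerability) -> List[Tuple[str, str]]:
    """Return (hostname, cpe) for every asset CPE that satisfies any criterion."""
    return [(a["hostname"], cpe) for a in assets for cpe in a["cpes"]
            if any(cpe_matches(c, cpe) for c in vuln.criteria)]


def siem_alerts(vuln: Vulnerability, hits: List[Tuple[str, str]]) -> List[str]:
    """One JSON line per affected asset, ready for a SIEM ingest pipeline."""
    return [json.dumps({"event": "vulnerable_asset", "vulnerability": vuln.name,
                        "hostname": h, "cpe": c}, sort_keys=True) for h, c in hits]


# Constructed inventory: hostnames and products are placeholders, not real assets.
ASSETS = [
    {"hostname": "web-01", "cpes": ["cpe:2.3:a:examplecorp:webapp:2.4.1:*:*:*:*:*:*:*"]},
    {"hostname": "web-02", "cpes": ["cpe:2.3:a:examplecorp:webapp:2.10.0:*:*:*:*:*:*:*"]},
    {"hostname": "db-01", "cpes": ["cpe:2.3:a:examplecorp:dbengine:5.1:*:*:*:*:*:*:*"]},
    {"hostname": "legacy", "cpes": ["cpe:2.3:a:examplecorp:webapp:1.9:*:*:*:*:*:*:*"]},
]

# Constructed vulnerability record; the identifier is a placeholder, not a real CVE.
VULN = Vulnerability(
    name="CVE-0000-00000",
    criteria=[
        Criterion("cpe:2.3:a:examplecorp:webapp:*:*:*:*:*:*:*:*",
                  version_start_including="2.0", version_end_excluding="2.5"),
        Criterion("cpe:2.3:a:examplecorp:dbengine:5.1:*:*:*:*:*:*:*"),
    ],
)

if __name__ == "__main__":
    for line in siem_alerts(VULN, match_assets(ASSETS, VULN)):
        print(line)
```

Two points worth carrying into a real connector: the version comparison treats components numerically so 2.10.0 is correctly outside the [2.0, 2.5) range, and an asset whose CPE version is ANY or NA is deliberately not reported as matching a range criterion, since the range cannot be evaluated; in practice such assets should be queued for inventory enrichment rather than silently ignored.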
+1
Create a new SDO "Exploit" to be displayed in the "Arsenal" section:
Exploit attributes:
Relationships:
Exploit => targets => Vulnerability
Threats => uses => Exploit
Malware => uses => Exploit
Exploit => uses => Attack Pattern
I have a project similar to this issue, so I was wondering if someone had started working on it?
@Jipegien, concerning the marking of exploited vulnerabilities, the entity seems to be the way to go. Any ETA?
Hello @iFrozenPhoenix! Currently we are using the Malware entity and the malware_type open vocab to identify "Exploits". We do not plan to develop a specific Exploit entity anytime soon. Is that not enough to cover your use case?
Problem to Solve
PoCs and Exploits, once developed and published, can significantly change Vulnerability Assessments. There appears to be no dedicated area within CVE 'Knowledge' to add information regarding a PoC or exploit (usually found as a Python script).
Current Workaround
Added in the Notes section of the CVE, and tagged as PoC or Exploit
Proposed Solution
Create an Entity type as PoC or Exploit and allow relationships with CVEs
Additional Information
The PoC/Exploit could be sourced from www.exploit-db.com (or elsewhere) via a Connector, or added manually. It could have the following properties: