CVEs mapped in both Phase 2 and Phase 1

[anderhos]

I have found some CVEs in Att&ckToCveMappings.csv mapped in both Phase 2 and Phase 1, but I am unsure how to interpret them:

CVE-2018-11049

• In Phase 2, T1574 has the Primary Impact label
• In Phase 1, T1574.008 has the Uncategorized label

CVE-2019-10980

• In Phase 2, T1574 and T1499.004 have the Primary Impact label
• In Phase 1, T873 and T1203 have the Uncategorized label

CVE-2019-13541

• In Phase 2, T1575 has the Primary Impact label
• In Phase 1, T1204.002 and T1203 have the Uncategorized label

Are the original labels from Phase 1 above considered incorrect and then corrected in Phase 2? In general, can the Uncategorized techniques from Phase 1 be considered to belong to any of the three Phase 2 categories (Primary Impact, Secondary Impact, or Exploit)?

[tiffb]

Hi anderhos, Thank you for reaching out to us about this work. While both Phase 1 and Phase 2 mappings use ATT&CK to tell the story of what the attacker is trying to achieve by exploiting a given vulnerability, Phase 2 mappings break that down into the methods adversaries use to exploit a vulnerability (Phase 1) and what adversaries may achieve by exploiting the vulnerability (Phase 2). The Phase 2 mappings were created with the intent of bringing more clarity to the entry point and follow on impacts of exploitation. In Phase, 1 you'll find a lot of mappings associated with execution methods (e.g., T1203), but there are also mappings to impacts (e.g., T1574.008). Does that help answer your questions?

[anderhos]

Hi @tiffb,

Thank you for your response. Your answer helped me better understand the phases. However, CVE-2019-13541 has phase 2 labeled T1575 as the primary impact, but T1575 is not mentioned in the methodology document. Is this an incorrect label?

T1575 is also used a couple more times for other CVEs in the dataset.