mitre-attack / attack-stix-data

STIX data representing MITRE ATT&CK
https://attack.mitre.org/

CVE and ATT&CK - Question #28

Closed ahadda5 closed 2 years ago

ahadda5 commented 2 years ago

I would like to understand the relationship/link between both, especially since they are both owned by MITRE. Is it safe to assume that CVE is more of an initial log open to the cyber security community at large, whereas STIX-formatted ATT&CK is more of a standard form of sharing info, in particular this JSON here, be it enterprise, mobile or ICS?

How do you reconcile both or do you treat them as two separate datasets?

seansica commented 2 years ago

Your understanding sounds correct.

CVE is a knowledge-base that aggregates known vulnerabilities. It serves as a historical reference and as a source of truth for vulnerabilities.

ATT&CK is a vendor-agnostic framework that can characterize vulnerabilities to help defenders analyze or break down the methodologies behind the vulnerability.

STIX is a common format by which cyber threat intelligence (CTI) information can be exchanged. ATT&CK is represented in STIX.

This article discusses how CVE and ATT&CK can be used in parallel to assess vulnerability impacts.
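As an added illustration of treating the two as separate datasets joined through STIX (example code, not part of the attack-stix-data repository or the thread): the bundle below mimics the object shapes in the ATT&CK JSON, adds a constructed STIX `vulnerability` object standing in for a CVE record, and links them with a `targets` relationship. All object IDs, the technique IDs and the CVE number are placeholders.

```python
# Added example, not code from the attack-stix-data repository: link ATT&CK
# techniques to CVE records via STIX relationships. Bundle and IDs are constructed.
import json
from collections import defaultdict

AP = "attack-pattern--00000000-0000-4000-8000-0000000000aa"
AP_OLD = "attack-pattern--00000000-0000-4000-8000-0000000000dd"
VULN = "vulnerability--00000000-0000-4000-8000-0000000000bb"
SAMPLE_BUNDLE = json.dumps({"type": "bundle", "objects": [
    {"type": "attack-pattern", "id": AP, "name": "Example Technique",
     "external_references": [{"source_name": "mitre-attack", "external_id": "T0000"}]},
    # Not shipped in the ATT&CK bundle: a record from the separate CVE dataset,
    # expressed as a STIX vulnerability object so the two datasets can be joined.
    {"type": "vulnerability", "id": VULN, "name": "CVE-0000-00000 (placeholder)",
     "external_references": [{"source_name": "cve", "external_id": "CVE-0000-00000"}]},
    # STIX 'targets' relationship: attack-pattern -> vulnerability.
    {"type": "relationship", "relationship_type": "targets", "source_ref": AP,
     "target_ref": VULN, "id": "relationship--00000000-0000-4000-8000-0000000000cc"},
    # Revoked techniques stay in the real bundle and must be filtered out.
    {"type": "attack-pattern", "id": AP_OLD, "name": "Old Technique", "revoked": True,
     "external_references": [{"source_name": "mitre-attack", "external_id": "T0001"}]},
    {"type": "relationship", "relationship_type": "targets", "source_ref": AP_OLD,
     "target_ref": VULN, "id": "relationship--00000000-0000-4000-8000-0000000000ee"},
]})

def external_id(obj, source_name):
    """Return the external_id whose source_name matches, or None."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == source_name:
            return ref.get("external_id")
    return None

def cve_to_techniques(bundle_json):
    """Map each CVE id to the current technique ids that target it, skipping
    dangling refs, wrong object types, and revoked or deprecated techniques."""
    objects = json.loads(bundle_json)["objects"]
    by_id = {o["id"]: o for o in objects}
    result = defaultdict(list)
    for rel in objects:
        if rel["type"] != "relationship" or rel.get("relationship_type") != "targets":
            continue
        src, dst = by_id.get(rel["source_ref"]), by_id.get(rel["target_ref"])
        if (not src or not dst or src["type"] != "attack-pattern"
                or dst["type"] != "vulnerability"
                or src.get("revoked") or src.get("x_mitre_deprecated")):
            continue
        cve, tech = external_id(dst, "cve"), external_id(src, "mitre-attack")
        if cve and tech:
            result[cve].append(tech)
    return dict(result)
```

The same function works unchanged on the real enterprise, mobile or ICS bundle once you have appended your own vulnerability and relationship objects to its `objects` list.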

adampennin commented 2 years ago

ATT&CK and CVE are also managed by completely separate organizations within MITRE, with no overlap in staff. ATT&CK describes behaviors that real-world adversaries have performed in the wild, which often don't involve vulnerabilities (most of ATT&CK is adversaries leveraging intentional features). MITRE has quite a few different frameworks beyond ATT&CK and CVE; if you wanted to look at a more closely aligned set, you could check out CVE, CWE, and CAPEC.