Closed ahadda5 closed 2 years ago
Your understanding sounds correct.
CVE is a knowledge-base that aggregates known vulnerabilities. It serves as a historical reference and as a source of truth for vulnerabilities.
ATT&CK is a vendor-agnostic framework that can characterize vulnerabilities to help defenders analyze or break down the methodologies behind the vulnerability.
STIX is a common format by which cyber threat intelligence (CTI) information can be exchanged. ATT&CK is represented in STIX.
This article discusses how CVE and ATT&CK can be used in parallel to assess vulnerability impacts.
ATT&CK and CVE are also managed by completely separate organizations within MITRE, with no overlap in staff. ATT&CK describes behaviors that real-world adversaries have performed in the wild, which often don't involve vulnerabilities (most of ATT&CK is adversaries leveraging intentional features). MITRE has quite a few different frameworks beyond ATT&CK and CVE; if you wanted to look at a more closely aligned set, you could check out CVE, CWE, and CAPEC.
I would like to understand the relationship/link between both, especially since they are both owned by MITRE. Is it safe to assume that CVE is more of an initial log open to the cyber security community at large, whereas STIX-formatted ATT&CK is more of a standard form of sharing info, in particular this JSON here, be it enterprise, mobile or ICS?
How do you reconcile both or do you treat them as two separate datasets?
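As an added example (not part of this thread and not MITRE's own tooling), the following Python treats the STIX-formatted ATT&CK JSON as its own dataset, separate from CVE: it loads a constructed, minimal ATT&CK-style STIX bundle that uses the same field names as the real enterprise/mobile/ICS bundles and indexes techniques by their T-number, skipping revoked and deprecated objects. The sample bundle, its object IDs and the deprecated entry are constructed for illustration.

```python
import json

# Constructed, minimal ATT&CK-style STIX bundle (not MITRE's real bundle); the field
# names (external_references, kill_chain_phases, x_mitre_*) match the real JSON.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle", "id": "bundle--constructed-example",
    "objects": [
        {"type": "attack-pattern", "id": "attack-pattern--0001",
         "name": "Command and Scripting Interpreter",
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1059"}],
         "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "execution"}],
         "x_mitre_platforms": ["Windows", "Linux", "macOS"], "x_mitre_is_subtechnique": False},
        {"type": "attack-pattern", "id": "attack-pattern--0002", "name": "PowerShell",
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1059.001"}],
         "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "execution"}],
         "x_mitre_platforms": ["Windows"], "x_mitre_is_subtechnique": True},
        {"type": "attack-pattern", "id": "attack-pattern--0003", "name": "Deprecated Example",
         "x_mitre_deprecated": True,  # constructed placeholder entry
         "external_references": [{"source_name": "mitre-attack", "external_id": "T9999"}]},
    ],
})


def attack_id(obj):
    """Return the ATT&CK ID (e.g. T1059) from an object's external_references, or None."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref.get("external_id")
    return None


def index_techniques(bundle_text):
    """Map technique ID -> summary, skipping revoked and deprecated attack-patterns."""
    techniques = {}
    for obj in json.loads(bundle_text)["objects"]:
        if obj.get("type") != "attack-pattern" or obj.get("revoked") or obj.get("x_mitre_deprecated"):
            continue
        tid = attack_id(obj)
        if tid is None:  # no mitre-attack reference: not an ATT&CK technique
            continue
        techniques[tid] = {
            "name": obj["name"],
            "tactics": [p["phase_name"] for p in obj.get("kill_chain_phases", [])
                        if p.get("kill_chain_name") == "mitre-attack"],
            "platforms": obj.get("x_mitre_platforms", []),
            "subtechnique_of": tid.split(".")[0] if obj.get("x_mitre_is_subtechnique") else None,
        }
    return techniques
```

Pointing `index_techniques` at the contents of the real enterprise-attack.json instead of `SAMPLE_BUNDLE` gives a technique lookup table; CVE records stay a separate dataset that can be joined against it by whatever mapping you maintain.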