Tag Tenable.io Assets by MITRE ATT&CK impact.
Anyone fighting to reduce risk in their environment is undoubtedly trying to sift through mounds of data and decide what to do next. I refer to this as “vulnerability fatigue”, whether in Exposure Management or its predecessor, Vulnerability Management.
Which “finding”, vulnerability or threat, should I focus on, and why?
I hear newcomers to this painful necessity claim that “..the asset itself should drive the behavior…”, implying that only important assets need Exposure Management.
However, experts know that breaches can and do occur on almost any device found in a corporate network, which means looking at exposure findings across a much larger attack surface. This still begs the question:
“What exposures do I focus on, and how do I justify it?”
Unfortunately, there is no silver bullet for that question; the answer is almost always “it depends”. What I hope to do today is provide an easy way to decorate your asset data with important MITRE ATT&CK mappings. If you are unfamiliar with MITRE ATT&CK, below is a snippet from their website; I encourage you to learn more.
From the MITRE ATT&CK website:
MITRE ATT&CK® is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community.
With the creation of ATT&CK, MITRE is fulfilling its mission to solve problems for a safer world — by bringing communities together to develop more effective cybersecurity. ATT&CK is open and available to any person or organization for use at no charge.
Tagging by MITRE Impact
In my research to find a mapping of MITRE ATT&CK techniques to CVEs that I could easily read from, I came across the GitHub project below (the Center for Threat-Informed Defense's attack_to_cve repository, also referenced in the script). It provides, per CVE, the ATT&CK mapping as a primary impact, a secondary impact and an exploitation technique.
The Tagging Solution
The solution is quite simple thanks to navi's built-in tag-by-CVE function. If you are not familiar with it, it is a single command, shown below:
navi tag --c "Tag by CVE Example" --v "CVE-ID" --cve "{CVE-123-4567}"
In the dockerized solution below, I read and parse the CSV from the “attack_to_cve” GitHub project and feed the results into a for loop that runs the above command for each row. In the process I create three tags per CVE, aligned with the three columns of the project above:
- Mitre: Primary Impact {Impact IDs}
- Mitre: Secondary Impact {Impact IDs}
- Mitre: Exploit Technique {Exploit technique IDs}
The results
When the script finishes, there are three useful ways to put the resulting tags to work.
First, navigate to the Tags section in Settings for a global view of which techniques were applied. From there you can navigate directly to the affected assets.
Second, use the Asset and Vulnerability filters on the new tags to drive further awareness of the assets in question.
Third, though certainly not the last of what is possible, is the asset record itself. While other remediators are working on an asset's exposures, they now have visibility into that asset's greater risk, something they likely had no visibility into before.
Make it happen
To start tagging your assets you need Docker installed; then run a single command:
docker run -d -e access_key="your Access Key" -e secret_key="your secret Key" packetchaos/mitre_tags
The docker container will take anywhere from 30 minutes to a few hours to complete tagging all of your assets. The length of time depends on the amount of data you have in navi.
The Code
from os import system as cmd
import sys
import time
import requests
import pandas as pd
import io

start = time.time()

# The container entrypoint passes the Tenable.io keys in as arguments
access_key = str(sys.argv[1])
secret_key = str(sys.argv[2])
url = "https://cloud.tenable.com"

# Supporting Document: https://github.com/center-for-threat-informed-defense/attack_to_cve
csv_url = 'https://raw.githubusercontent.com/center-for-threat-informed-defense/attack_to_cve/master/Att%26ckToCveMappings.csv'
download = requests.get(csv_url).content
data = pd.read_csv(io.StringIO(download.decode('utf-8')))

# Store access_key and secret_key in navi's config
cmd('navi keys --a "{}" --s "{}"'.format(access_key, secret_key))

# Update the navi database for tagging on vulns
cmd('navi update full')


def grab_headers():
    # Headers for direct Tenable.io API calls (kept for extension; navi does the work here)
    return {'Content-type': 'application/json', 'user-agent': 'Navi-SS-mitre_tags',
            'X-ApiKeys': 'accessKey=' + access_key + ';secretKey=' + secret_key}


# Column order in the CSV: CVE ID, Primary Impact, Secondary Impact, Exploitation Technique
for row in data.values:
    cveid = row[0]
    primary_impact = str(row[1])
    secondary_impact = str(row[2])
    exploit_technique = str(row[3])

    # Empty cells load as NaN, which str() renders as "nan"; skip those
    if "nan" not in primary_impact:
        print("Tagging assets based on CVE: {} and impact: {} ".format(cveid, primary_impact))
        cmd('navi tag --c "Mitre" --v "Primary Impact: {}" --cve "{}"'.format(primary_impact, cveid))

    if "nan" not in secondary_impact:
        print("Tagging assets based on CVE: {} and impact: {} ".format(cveid, secondary_impact))
        cmd('navi tag --c "Mitre" --v "Secondary Impact: {}" --cve "{}"'.format(secondary_impact, cveid))

    if "nan" not in exploit_technique:
        print("Tagging assets based on CVE: {} and technique: {} ".format(cveid, exploit_technique))
        cmd('navi tag --c "Mitre" --v "Exploit Technique: {}" --cve "{}"'.format(exploit_technique, cveid))

finish = time.time()
total = finish - start
mins = total / 60
print("The Script took {} seconds or {} minutes".format(total, mins))
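As an added example, not part of the original post or of the navi project, here is the same CSV-to-tag step written so it can be checked offline before anything is sent to Tenable.io. It parses a constructed sample in the attack_to_cve column layout (CVE ID, primary impact, secondary impact, exploitation technique), splits cells that list several technique IDs, de-duplicates the resulting tag jobs, validates every CVE and technique ID against a pattern before it is used, and builds each navi tag invocation as an argument list instead of a formatted shell string, so an unexpected or malformed cell in the downloaded CSV is rejected rather than handed to the shell. The sample rows, the `;` separator for multi-technique cells, and the `plan_tags`, `navi_command` and `run_plan` helpers are assumptions for illustration; the navi flags (`--c`, `--v`, `--cve`) are the ones the script above uses.

```python
import csv
import io
import re
import subprocess

# Constructed sample in the column layout the script above reads positionally:
# CVE ID, Primary Impact, Secondary Impact, Exploitation Technique.
# The rows are illustrative and are not taken from the attack_to_cve project.
SAMPLE_CSV = """CVE ID,Primary Impact,Secondary Impact,Exploitation Technique
CVE-2000-0001,T1059,,T1190
CVE-2000-0002,T1068,T1059.001,T1203
CVE-2000-0003,,,
CVE-2000-0004,T1068; T1059,,T1190
CVE-2000-0005,T1059 $(id),,T1190
CVE-2000-0001,T1059,,T1190
"""

TAG_CATEGORY = "Mitre"
# (column index, tag value prefix) for the three tags the post creates
TAG_COLUMNS = (
    (1, "Primary Impact"),
    (2, "Secondary Impact"),
    (3, "Exploit Technique"),
)
# ATT&CK technique IDs look like T1059 or T1059.001; anything else is rejected
# instead of being placed on a command line.
TECHNIQUE_RE = re.compile(r"^T\d{4}(\.\d{3})?$")
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")
# Assumed separator when one cell lists several techniques
MULTI_SEP = ";"


def plan_tags(csv_text):
    """Turn CSV text into a sorted, de-duplicated list of (tag_value, cve_id)
    jobs plus a list of (column, value) cells that failed validation.
    Empty cells are skipped, so no tag is created for them."""
    jobs = set()
    rejected = []
    reader = csv.reader(io.StringIO(csv_text))
    next(reader)  # header row
    for row in reader:
        cve = row[0].strip()
        if not CVE_RE.match(cve):
            rejected.append(("cve", cve))
            continue
        for col, label in TAG_COLUMNS:
            cell = row[col].strip() if col < len(row) else ""
            if not cell:
                continue
            for technique in (t.strip() for t in cell.split(MULTI_SEP)):
                if TECHNIQUE_RE.match(technique):
                    jobs.add((f"{label}: {technique}", cve))
                else:
                    rejected.append((label, technique))
    return sorted(jobs), rejected


def navi_command(tag_value, cve):
    """Argument list for one navi tag call. No shell is involved, so cell
    contents are passed to navi verbatim and never parsed as shell syntax."""
    return ["navi", "tag", "--c", TAG_CATEGORY, "--v", tag_value, "--cve", cve]


def run_plan(jobs, execute=False):
    """Print every planned command; invoke navi only when execute=True."""
    commands = [navi_command(value, cve) for value, cve in jobs]
    for argv in commands:
        print(" ".join(argv))
        if execute:
            subprocess.run(argv, check=True)
    return commands


if __name__ == "__main__":
    planned, bad = plan_tags(SAMPLE_CSV)
    run_plan(planned)  # dry run: shows the 9 commands, runs nothing
    for column, value in bad:
        print(f"rejected {column!r} value {value!r}")
```

Running the file as-is prints the planned commands and the one rejected cell without touching navi; swap in the downloaded CSV text and set `execute=True` once the plan looks right. The de-duplication matters for the real mapping file too, since the same tag value recurs across many CVEs and repeated rows would otherwise be sent twice.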
I hope this little PoC helps provide greater risk insights into your data!