Jun 29 2022

Mitre shared 2022 CWE Top 25 most dangerous software weaknesses

Category: Attack Matrix | DISC @ 7:57 am

MITRE shared the list of the 2022 top 25 most common and dangerous software weaknesses, which could help organizations assess their internal infrastructure and determine their attack surface.

The presence of these vulnerabilities within the infrastructure of an organization could potentially expose it to a broad range of attacks.

“Welcome to the 2022 Common Weakness Enumeration (CWE™) Top 25 Most Dangerous Software Weaknesses list (CWE™ Top 25). This list demonstrates the currently most common and impactful software weaknesses. Often easy to find and exploit, these can lead to exploitable vulnerabilities that allow adversaries to completely take over a system, steal data, or prevent applications from working.” reads the announcement published by Mitre.

“Many professionals who deal with software will find the CWE Top 25 a practical and convenient resource to help mitigate risk. This may include software architects, designers, developers, testers, users, project managers, security researchers, educators, and contributors to standards developing organizations (SDOs).”

Mitre created the 2022 CWE Top 25 list leveraging Common Vulnerabilities and Exposures (CVE®) data found within the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) and the Common Vulnerability Scoring System (CVSS) scores associated with each vulnerability. The organization also used CVE Records from the Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) Catalog and applied a formula to score each weakness based on prevalence and severity.

The dataset analyzed by Mitre researchers to calculate the 2022 Top 25 contained a total of 37,899 CVE Records from the previous two calendar years.

Below is a list of the weaknesses in the 2022 CWE Top 25:

| RANK | ID | NAME | SCORE | KEV COUNT (CVEs) | RANK CHANGE VS. 2021 |
|---|---|---|---|---|---|
| 1 | CWE-787 | Out-of-bounds Write | 64.20 | 62 | 0 |
| 2 | CWE-79 | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | 45.97 | 2 | 0 |
| 3 | CWE-89 | Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) | 22.11 | 7 | +3 (up) |
| 4 | CWE-20 | Improper Input Validation | 20.63 | 20 | 0 |
| 5 | CWE-125 | Out-of-bounds Read | 17.67 | 1 | -2 (down) |
| 6 | CWE-78 | Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) | 17.53 | 32 | -1 (down) |
| 7 | CWE-416 | Use After Free | 15.50 | 28 | 0 |
| 8 | CWE-22 | Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) | 14.08 | 19 | 0 |
| 9 | CWE-352 | Cross-Site Request Forgery (CSRF) | 11.53 | 1 | 0 |
| 10 | CWE-434 | Unrestricted Upload of File with Dangerous Type | 9.56 | 6 | 0 |
| 11 | CWE-476 | NULL Pointer Dereference | 7.15 | 0 | +4 (up) |
| 12 | CWE-502 | Deserialization of Untrusted Data | 6.68 | 7 | +1 (up) |
| 13 | CWE-190 | Integer Overflow or Wraparound | 6.53 | 2 | -1 (down) |
| 14 | CWE-287 | Improper Authentication | 6.35 | 4 | 0 |
| 15 | CWE-798 | Use of Hard-coded Credentials | 5.66 | 0 | +1 (up) |
| 16 | CWE-862 | Missing Authorization | 5.53 | 1 | +2 (up) |
| 17 | CWE-77 | Improper Neutralization of Special Elements used in a Command (‘Command Injection’) | 5.42 | 5 | +8 (up) |
| 18 | CWE-306 | Missing Authentication for Critical Function | 5.15 | 6 | -7 (down) |
| 19 | CWE-119 | Improper Restriction of Operations within the Bounds of a Memory Buffer | 4.85 | 6 | -2 (down) |
| 20 | CWE-276 | Incorrect Default Permissions | 4.84 | 0 | -1 (down) |
| 21 | CWE-918 | Server-Side Request Forgery (SSRF) | 4.27 | 8 | +3 (up) |
| 22 | CWE-362 | Concurrent Execution using Shared Resource with Improper Synchronization (‘Race Condition’) | 3.57 | 6 | +11 (up) |
| 23 | CWE-400 | Uncontrolled Resource Consumption | 3.56 | 2 | +4 (up) |
| 24 | CWE-611 | Improper Restriction of XML External Entity Reference | 3.38 | 0 | -1 (down) |
| 25 | CWE-94 | Improper Control of Generation of Code (‘Code Injection’) | 3.32 | 4 | +3 (up) |
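To make the prevalence-times-severity scoring described above concrete, here is an added example (not MITRE's code) that recomputes a Top 25-style score and KEV count from a constructed set of CVE records. The exact formula used, min-max normalized CVE count times min-max normalized average CVSS times 100, is my reading of MITRE's published methodology and is an assumption here; the CVE IDs, CWE assignments and CVSS values are constructed sample data.

```python
"""CWE Top 25-style score from CVE records (added example, not MITRE's code).
Formula as I understand MITRE's published methodology (an assumption here):
prevalence = CVEs mapped to the CWE, severity = their average CVSS base score,
each min-max normalized across the dataset, multiplied, times 100. KEV is a
plain count, as in the table above, and does not feed the score."""
from collections import defaultdict

# Constructed sample records: (cve_id, cwe_id, cvss_base_score, listed_in_kev).
SAMPLE_RECORDS = [
    ("CVE-EXAMPLE-0001", "CWE-787", 9.8, True),
    ("CVE-EXAMPLE-0002", "CWE-787", 9.8, True),
    ("CVE-EXAMPLE-0003", "CWE-787", 7.8, False),
    ("CVE-EXAMPLE-0004", "CWE-787", 8.8, False),
    ("CVE-EXAMPLE-0005", "CWE-79", 6.1, False),
    ("CVE-EXAMPLE-0006", "CWE-79", 5.4, False),
    ("CVE-EXAMPLE-0007", "CWE-79", 6.1, False),
    ("CVE-EXAMPLE-0008", "CWE-79", 6.1, False),
    ("CVE-EXAMPLE-0009", "CWE-79", 5.4, True),
    ("CVE-EXAMPLE-0010", "CWE-89", 9.8, True),
    ("CVE-EXAMPLE-0011", "CWE-89", 8.8, False),
    ("CVE-EXAMPLE-0012", "CWE-476", 5.5, False),
]

def normalize(value, low, high):
    """Min-max scale to [0, 1]; if every CWE ties on a term, that term is 0."""
    return 0.0 if high == low else (value - low) / (high - low)

def score_cwes(records):
    """Return {cwe: {count, avg_cvss, kev, score}} ordered by score, descending."""
    count, cvss_total, kev = defaultdict(int), defaultdict(float), defaultdict(int)
    for _cve, cwe, cvss, in_kev in records:
        count[cwe] += 1
        cvss_total[cwe] += cvss
        kev[cwe] += int(in_kev)
    avg = {cwe: cvss_total[cwe] / count[cwe] for cwe in count}
    lo_c, hi_c = min(count.values()), max(count.values())
    lo_s, hi_s = min(avg.values()), max(avg.values())
    rows = {}
    for cwe in count:
        fr = normalize(count[cwe], lo_c, hi_c)  # prevalence term
        sv = normalize(avg[cwe], lo_s, hi_s)    # severity term
        rows[cwe] = {"count": count[cwe], "avg_cvss": round(avg[cwe], 2),
                     "kev": kev[cwe], "score": round(fr * sv * 100, 2)}
    return dict(sorted(rows.items(), key=lambda kv: kv[1]["score"], reverse=True))

if __name__ == "__main__":
    for rank, (cwe, row) in enumerate(score_cwes(SAMPLE_RECORDS), 1):
        print(f"{rank:>2} {cwe:<8} score={row['score']:>6} kev={row['kev']}")
```

Note that the most frequent CWE in the sample (CWE-79) ranks below the rarer but more severe CWE-89, which is exactly the effect of weighting prevalence by severity rather than ranking by count alone.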

Mitre also shared year-over-year trends across the 2019 to 2022 lists. The first trend is the significant change from the 2019 Top 25 to the 2022 Top 25: drops in high-level classes such as CWE-119 and CWE-200 are steep, while the shift toward and increase in Base-level weaknesses is most apparent for weaknesses such as CWE-787 and CWE-502.

The second trend in the year-over-year changes from 2019 to 2022 is the relative stability of the top 10 from 2021 to 2022, along with the steady rise of CWE-502: “Deserialization of Untrusted Data” over all four years.


Practical Threat Intelligence and Data-Driven Threat Hunting: A hands-on guide to threat hunting with the ATT&CK™ Framework and open source tools

Tags: MITRE Att&CK Framework


Jun 03 2022

MITRE ATT&CK Framework Explained: Why it Matters

Category: Attack Matrix | DISC @ 8:40 am

We all know that cyberthreats have become more frequent, stealthier and more sophisticated. What’s more, the traditional, reactive approach to detecting threats by hunting indicators of compromise (IoCs) using markers like IP addresses, domains and file hashes is quickly becoming outdated—threats are only detected once a compromise is achieved and attackers are readily able to alter these markers to evade detection.

To overcome this issue, the cybersecurity community came up with the concept of anomaly-based detection, a technique that leverages statistical analysis, big data and machine learning to detect atypical events. However, this approach often results in a high rate of false positives. What is considered normal versus what is anomalous is not always precise. To identify malicious trends and patterns, vast amounts of data must be captured from sources across the entire computing environment, requiring large-scale investments in data collection and processing.

TTPs: Behavior-Based Detection

The concept of TTPs (tactics, techniques and procedures) was popularized by David Bianco’s The Pyramid Of Pain. Bianco stressed that threat hunters must move away from static IoCs like domains and IPs, as those are difficult to keep up with. For example, attackers can easily use a domain generation algorithm (DGA) to generate fake domain names and IP addresses to evade detection. Additionally, the cybersecurity industry also must shift from signature-based malware detection, as today’s malware is polymorphic; which means the same malware is capable of creating different signatures with each infection. Therefore, the focus should be on the TTPs of attackers because these are difficult to change quickly.

What is the MITRE ATT&CK Framework?

Researchers at MITRE Corporation and security vendors noted that, unlike IoCs, adversary techniques do not change frequently because of the limitations of targeted technologies (e.g., Windows, macOS, mobile devices), and are common across multiple adversaries. That’s why in 2013, they created the MITRE ATT&CK framework. ATT&CK stands for adversarial tactics, techniques and common knowledge—one of the industry’s most curated and globally-accessible knowledge bases of common adversary behavior. The sole aim of the project is to map typical adversary TTPs so that there is a common language for both red and blue teams while proactively hunting for cybersecurity threats.

The framework consists of 14 different tactics along with several techniques attackers use to achieve those tactics. A tactic refers to a general goal the adversary is trying to establish while the technique refers to the means the adversary will adopt to accomplish the tactic. Tactics explain the “why” while techniques explain the “how.” Each technique is further divided into sub-techniques that explain in greater detail how an adversary executes a specific technique.

Tactics listed in the ATT&CK matrix are presented in a linear format, starting from the time an adversary conducts reconnaissance to the point when they achieve their final goal—exfiltration or impact. ATT&CK not only provides appropriate categorization for adversary actions but also details recommendations on how organizations can defend against them.

Why is ATT&CK Important?

The MITRE ATT&CK framework can be used worldwide across multiple security disciplines such as intrusion detection, threat hunting and intelligence, security engineering and risk management. Some key benefits or use cases for the ATT&CK framework can include:

  • Attacker emulation: Simulates attack scenarios to test security solutions and verify defense capabilities.
  • Penetration testing: Acts as a frame of reference when conducting red team or purple team exercises and studying or mapping adversarial behaviors.
  • Forensics and investigations: Aids Incident Response teams in finding missing attacker activity.
  • Behavioral analytics: Provides contextual, behavioral information that security teams and vendors can use to identify hidden, unrelated anomalies and patterns.
  • Security maturity and gap assessments: Helps determine what parts of the enterprise lack defenses against adversary behaviors and what parts of the organization need prioritized investments.
  • Product evaluations: Helps evaluate a security tool’s detection capabilities and breadth of detection coverage.
  • The standard for technology integrations: Serves as a common standard that helps connect and communicate disparate security tools, leading to an integrated defense approach.
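As an added example (not MITRE's or DeTT&CT's code) of the tactic/technique/sub-technique structure described above and of the gap-assessment use case, the following maps a set of detection rules onto an ATT&CK-shaped matrix and reports which techniques have no detection. The ATT&CK IDs are real identifiers, but the matrix is a small constructed excerpt of the framework, and the rules and rule names are constructed sample data.

```python
"""Map detection rules onto an ATT&CK-shaped matrix and report coverage gaps.
Added example, not MITRE's or DeTT&CT's code. The tactic/technique/sub-technique
IDs are real ATT&CK identifiers, but the matrix is a small constructed excerpt
of the framework and the rules are constructed sample data, not a real rule set."""

# Constructed excerpt: tactic -> technique -> its sub-technique IDs.
MATRIX = {
    "TA0002 Execution": {
        "T1059 Command and Scripting Interpreter": ["T1059.001", "T1059.003"],
        "T1204 User Execution": ["T1204.001", "T1204.002"],
    },
    "TA0006 Credential Access": {
        "T1003 OS Credential Dumping": ["T1003.001", "T1003.002"],
        "T1110 Brute Force": ["T1110.001", "T1110.003"],
    },
    "TA0010 Exfiltration": {
        "T1041 Exfiltration Over C2 Channel": [],
    },
}

# Constructed detection rules, each tagged with the ATT&CK IDs it detects.
RULES = {
    "rule-powershell-encoded-command": ["T1059.001"],
    "rule-lsass-process-access": ["T1003.001"],
    "rule-failed-logon-burst": ["T1110"],
}


def coverage(matrix, rules):
    """Per tactic: techniques covered (by a technique or sub-technique tag), gaps, %."""
    tagged = {tag for tags in rules.values() for tag in tags}
    known = {t.split()[0] for techs in matrix.values() for t in techs}
    known |= {s for techs in matrix.values() for subs in techs.values() for s in subs}
    report = {"unknown_tags": sorted(tagged - known)}  # typos or IDs outside the excerpt
    for tactic, techniques in matrix.items():
        covered, gaps = [], []
        for tech, subs in techniques.items():
            tech_id = tech.split()[0]
            hit = tech_id in tagged or any(s in tagged for s in subs)
            (covered if hit else gaps).append(tech_id)
        report[tactic] = {"covered": covered, "gaps": gaps,
                          "pct": round(100 * len(covered) / len(techniques))}
    return report


if __name__ == "__main__":
    for tactic, row in coverage(MATRIX, RULES).items():
        print(tactic, row)
```

A rule tagged with a single sub-technique counts its parent technique as covered here; a stricter assessment would track sub-technique coverage separately, which is where a tool like DeTT&CT adds value.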

ATT&CK is truly a gold mine of resources when it comes to adversary techniques and MITRE welcomes contributions from the cybersecurity industry to keep the framework updated with the latest TTPs (ATT&CK just announced their latest version, v11, in April 2022).

That said, ATT&CK isn’t perfect. MITRE acknowledges that sometimes biases exist in the minds of security analysts. That’s why in addition to ATT&CK, it is recommended that you leverage other threat intelligence reports as well as tools that allow full visibility into the network and security posture of your organization.

Regardless of where you are in your cybersecurity maturity journey, it is never too late to realign your security, redefine your security processes and rethink your security metrics in terms of the MITRE ATT&CK framework.

DeTT&CT: Mapping your Blue Team to MITRE ATT&CK™ — MB Secure

Practical Threat Intelligence and Data-Driven Threat Hunting: A hands-on guide to threat hunting with the ATT&CK™ Framework and open source tools

Tags: MITRE Att&CK Framework


Mar 22 2021

The MITRE Att&CK Framework

Category: Attack Matrix, Information Security | DISC @ 3:55 pm

A recent article from Gartner states that, “Audit Chiefs Identify IT Governance as Top Risk for 2021.” I agree that IT governance is important, but I question how much the IT governance board understands about the day-to-day tactical risks, such as the current threats and vulnerabilities against a company's attack surface. How is the tactical risk data being reported up to the board? Does the board understand the current state of threats and vulnerabilities, or is this critical information being filtered on the way up?

If the concept of a hierarchy of needs were extended to cyber security, it may help business owners and risk management teams assess how to approach implementing risk management for the business.

There are three key questions to ask:

  1. How confident are you in your organization’s ability to inventory and monitor IT assets? 
  2. How confident are you in your organization’s ability to “detect unauthorized activity”? 
  3. How confident are you in your organization’s ability to identify and respond to true positive incidents within a reasonable time to respond? 
[Image: cyber security hierarchy of needs, layers 1-10]
Source: medium

Layers 1-2 – Inventory and Telemetry – The first two layers are related to asset inventory which is part of the CIS Controls 1-2. How can you defend the vulnerable Windows 2003 server that is still connected to your network at a remote site?

Layers 3-4 – Detection and Triage – These layers are related to a SOC/SIEM/SOAR program which will allow the cyber security team to begin to detect threats through logging and monitoring.

Layers 5-10 – Threats, Behaviors, Hunt, Track, Act – The final layers are threat hunting, tracking and incident response and this is where the MITRE framework is very helpful to identify threats, understand the data sources, build use cases and prepare the incident response playbooks based on real world threat intelligence.

To learn more, see: What is the MITRE Att&CK Framework? Source: The MITRE Att&CK Framework

Tags: MITRE Att&CK Framework