Upgrade Your Cybersecurity Program to a Threat-Informed Defense Approach With Qualys

Qualys Security Blog

In recent years, the MITRE ATT&CK framework has emerged as an essential instrument for contextualizing risks identified by various cybersecurity tools. It provides a detailed matrix of tactics, techniques, and procedures (TTPs) employed by adversaries, empowering organizations to predict and recognize potential attack vectors. This knowledge is crucial for cybersecurity experts, especially in managing cyber risk.

Organizations can strategically prioritize their remediation efforts and implement the Threat-Informed Defense Approach by mapping identified vulnerabilities, misconfigurations, and suspicious events to the specific tactics and techniques detailed in the framework. This alignment ensures that responses are tailored to realistic attack scenarios, enhancing the effectiveness and relevance of cybersecurity measures.

The MITRE ATT&CK Framework

The MITRE ATT&CK framework is organized into two core elements: Tactics and Techniques. Tactics are broad categories that characterize the objectives behind cyber attacks, describing the ‘why’ behind an adversary’s actions. Techniques, by contrast, describe the ‘how’, specifying the exact methods attackers use to accomplish their tactical aims. Where necessary, techniques are broken down into sub-techniques, offering an even more refined view of the attacker’s arsenal.

Traditionally, security teams have used the MITRE ATT&CK Framework for detection, investigation, and response in EDR or XDR products. Increasingly, security risk teams want to apply this knowledge of adversaries’ intentions and tactics more broadly: to evaluate their cybersecurity defenses, prioritize risk, and make better investment decisions that prevent attacks from happening. The problem is that risk teams often lack the insights they need. Legacy vulnerability, configuration, or attack surface management tools do not visualize these risks in terms of MITRE tactics and techniques, so teams must use multiple siloed tools and stitch the attack context together themselves to understand the overall efficacy of their risk management program.

Organizations now need a Threat-Informed Defense Approach, which, in addition to ATT&CK, includes other threat information, such as vulnerabilities, misconfigurations, software EOS/EOL, etc., that helps them to be one step ahead of attackers.

Proactively monitoring attackers’ behavior is crucial for defenders to safeguard key assets. Utilizing the MITRE ATT&CK framework with a Threat-Informed Defense Approach enables organizations to predict and identify potential threats in advance. This proactive approach empowers organizations to make informed decisions, address threats promptly, and stay ahead of potential attackers.

Insights From the Qualys Threat Research Unit

The Qualys Threat Research Unit has invested significant effort in mapping vulnerabilities and misconfigurations to MITRE ATT&CK Framework tactics and techniques so that you can see your exposure from the attacker’s point of view. Analyzing this data, we found the top three tactics and techniques leveraged by high-risk vulnerabilities.

Top MITRE Tactics Leveraged By High-Risk Vulnerabilities

The top three tactics leveraged by high-risk vulnerabilities are Initial Access, Lateral Movement, and Privilege Escalation. Attackers exploit vulnerabilities for initial access, then escalate privileges and move laterally within systems.

Top MITRE Techniques Based on High-Risk Vulnerabilities

A similar pattern emerges when we look at the techniques associated with such vulnerabilities. The top techniques observed are Exploitation of Remote Services, Exploitation of Public-Facing Applications, and Exploitation for Privilege Escalation. Attackers breach networks via public-facing applications and use remote service exploits for lateral movement.

Top MITRE Tactics Based on Misconfigurations

The top three tactics leveraged by high-risk misconfigurations are Defense Evasion, Lateral Movement, and Credential Access.

Top MITRE Techniques Based on Misconfigurations

The top three techniques leveraged by high-risk misconfigurations are File and Directory Permissions Modification, Exploitation of Remote Services, and Indicator Removal.

How to Leverage MITRE ATT&CK Context to Reduce Risk

The MITRE ATT&CK Framework serves as a common language to showcase the threat landscape and helps organizations to effectively explain the threat at all levels of their cybersecurity program.

Qualys now extends the power of the MITRE framework for proactive defense, enabling risk teams to continuously visualize the efficacy and TruRisk of their cyber defense against over 86% of attack techniques in real time. This provides a consolidated view of associated vulnerabilities, misconfigurations from CIS/DISA, and external asset surface exposures impacting business-critical assets. It assists security teams in prioritizing security risks, detecting missing patches, and facilitating remediation efforts. With Qualys EPP, EDR, and FIM already enabling customers to detect and investigate incidents for better analysis and response using the MITRE framework, Qualys stands out as the only enterprise-scale solution that helps organizations manage cybersecurity risks proactively and enhances detection and response on a single platform.

The mapping of the vulnerabilities and misconfigurations with MITRE Tactics and Techniques helps to measure risk and implement the Threat-Informed Defense Approach.

Let’s walk through one ransomware attack example to understand how mapping vulnerabilities helps you implement the Threat-Informed Defense Approach. The example is an attack through the exploitation of critical vulnerabilities in a widely used application, Atlassian Confluence, which almost all organizations run and which holds confidential organizational data. A successful exploit of the Atlassian Confluence vulnerability CVE-2023-22515 gives the attacker initial access to the network via the public-facing Confluence instance. From there, the attacker exploits the Microsoft vulnerability CVE-2023-28252 to escalate privileges in the kernel. That, in turn, enables the attacker to exploit CVE-2023-22518 to gain full administrator access and perform any administrative action, leading to loss of confidentiality, integrity, and availability.

Using Qualys MITRE ATT&CK Matrix Prioritization

Qualys is excited to provide a MITRE ATT&CK Matrix prioritization that helps you to prioritize the critical risk findings based on the MITRE Tactics and Techniques. Prioritization is not specific to vulnerabilities; it includes misconfigurations and EDR incidents. Qualys MITRE ATT&CK Matrix prioritization helps you to get the holistic MITRE ATT&CK view and communicate the risk across your organization.

Get started with Qualys MITRE ATT&CK Matrix prioritization by selecting the asset tags for which you want to get the MITRE ATT&CK view. Once you select the asset tags, you will get the TruRisk score of the selected asset tags along with the MITRE tactics of the risk findings detected on the selected assets. Here, risk findings include vulnerabilities and misconfiguration.

Now that you have identified the top tactics to focus on, click one of them to open the techniques view for that tactic. Here, you see the associated assets and their risk findings, along with EDR events. Click a technique to identify the critical assets, internet-facing assets, critical vulnerabilities, misconfigurations, and EDR events that could lead to the attack.
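As an added illustration (not Qualys’ code or its TruRisk formula), the following Python models the two-step drill-down described above: aggregate findings per tactic for a set of asset tags, then drill into one tactic by technique. The asset names, tags, scoring heuristic, control id and EDR event name are constructed assumptions; the CVEs are the ones from this post’s attack chain.

```python
from collections import defaultdict
from dataclasses import dataclass
# Technique -> (name, tactic). Published ATT&CK entries for techniques the post names.
TECHNIQUE_TACTIC = {
    "T1190": ("Exploit Public-Facing Application", "Initial Access"),
    "T1068": ("Exploitation for Privilege Escalation", "Privilege Escalation"),
    "T1222": ("File and Directory Permissions Modification", "Defense Evasion"),
    "T1070": ("Indicator Removal", "Defense Evasion"),
}

@dataclass(frozen=True)
class Finding:
    asset: str
    tags: frozenset     # asset tags, as selected in the matrix view
    kind: str           # "vuln", "misconfig" or "edr"
    ref: str            # CVE id, control id or event name
    technique: str      # ATT&CK technique id
    severity: int       # 1 (low) .. 5 (critical)
    internet_facing: bool

# Constructed findings: CVEs from the post's attack chain; control id and EDR event name are placeholders.
FINDINGS = [
    Finding("confluence-01", frozenset({"Web", "Crown-Jewel"}), "vuln", "CVE-2023-22515", "T1190", 5, True),
    Finding("confluence-01", frozenset({"Web", "Crown-Jewel"}), "vuln", "CVE-2023-22518", "T1190", 5, True),
    Finding("confluence-01", frozenset({"Web", "Crown-Jewel"}), "edr", "log-cleared", "T1070", 2, True),
    Finding("winsrv-07", frozenset({"Crown-Jewel"}), "vuln", "CVE-2023-28252", "T1068", 4, False),
    Finding("winsrv-07", frozenset({"Crown-Jewel"}), "misconfig", "CONTROL-ID-PLACEHOLDER", "T1222", 3, False),
    Finding("devbox-12", frozenset({"Dev"}), "vuln", "CVE-2023-28252", "T1068", 4, False),
]
def _weight(f):
    # Assumed exposure heuristic (not Qualys' TruRisk formula): internet-facing counts double.
    return f.severity * (2 if f.internet_facing else 1)
def select(findings, tags):
    """Keep findings on assets carrying at least one of the selected tags."""
    return [f for f in findings if f.tags & set(tags)]

def tactic_view(findings, tags):
    """Step 1: exposure score per tactic for the selected assets, highest first."""
    scores = defaultdict(int)
    for f in select(findings, tags):
        scores[TECHNIQUE_TACTIC[f.technique][1]] += _weight(f)
    return sorted(scores.items(), key=lambda kv: -kv[1])

def technique_view(findings, tags, tactic):
    """Step 2: drill into one tactic -> technique -> (asset, finding kind, reference)."""
    out = defaultdict(list)
    for f in select(findings, tags):
        name, t = TECHNIQUE_TACTIC[f.technique]
        if t == tactic:
            out[f"{f.technique} {name}"].append((f.asset, f.kind, f.ref))
    return dict(out)
```

Selecting the Crown-Jewel tag ranks Initial Access first because both Confluence CVEs sit on an internet-facing asset, while the Dev tag excludes everything but the developer workstation.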

Remediation Strategies

According to the Qualys 2023 TruRisk Threat Research Report, the time to weaponize a vulnerability has dropped to 19.5 days, while the mean time to remediation (MTTR) is 30.6 days. This leaves attackers an 11.1-day window of exploitation opportunity.

Qualys goes beyond identification and aids in risk reduction by providing for the remediation of vulnerabilities and misconfigurations. The MITRE ATT&CK Matrix Prioritization helps you identify the highly impacted tactics and, based on that, identify the techniques. Then, you can identify the vulnerabilities and misconfigurations.

Using Qualys Patch Management with a zero-touch approach automates the patch management process, significantly reducing the MTTR. Additionally, Qualys Policy Management offers provisions to remediate misconfigurations through remediation scripts, mitigating critical risk exposure for assets.

Qualys Policy Management provides remediation scripts for misconfigurations, and fixing misconfigurations is part of mitigating an asset’s critical risk exposure. Control remediation is supported only on agent-based assets. To select them, use the QQL query asset.trackingMethod:Agent in the Assets dropdown. In the Controls dropdown, add the QQL query posture.status:Fail, or add the specific control IDs you want to remediate.

Qualys EDR can quarantine assets when a malicious event is detected. The Quarantine Asset feature blocks all network communication from the infected host. You can quarantine an asset from the Incidents or Asset tab; through the Incidents tab, you can quarantine the assets on which critical or malicious incidents were detected.


In conclusion, the MITRE ATT&CK Framework is a pivotal tool in cybersecurity, offering a comprehensive understanding of adversary tactics and techniques. Leveraging the MITRE ATT&CK context, organizations can proactively monitor and prioritize risks. Qualys’ MITRE ATT&CK Matrix prioritization empowers organizations to identify critical risks and remediate them effectively. This holistic approach, involving patch management automation and misconfiguration remediation, is instrumental in reducing the attack surface and enhancing overall cybersecurity resilience.

Try our VMDR & Policy Compliance solutions to see how Qualys can help you create a Threat-Informed Defense Approach today!
