Thinking about CVEs.
We don't need CVEs to detect or manage vulnerabilities. We have plugin IDs. We have TTPs. We have flashy vulnerabilities that get their own marketing websites. We have MITRE ATT&CK.
Our threat intel feeds give us TTPs which may include CVEs, but do not rely on them by any means.
Our threat hunting is more concerned with TTPs and MITRE ATT&CK.
When we set up officially supported orchestration between systems, they typically have the logic needed to understand each other.
The main way we use CVEs is as shorthand or a shortcut. It's super simple to determine which tools can detect a certain CVE. It's convenient to have a single database to look up details about almost any vulnerability. It also gives us a simple way to discuss the vulnerability.
It's important but not critical.
The last-minute rescue is less about CVEs and more about this administration's haphazard and thoughtless treatment of... well, of everything. If CVSS and CVE, two things that are considered bedrocks of worldwide cyber security, are treated this poorly, what does that mean for the less visible projects? Just how truly fucked is our national cyber security?
J. R. DePriest :verified_trans: :donor: :Moopsy: :EA DATA. SF: (jrdepriest@infosec.exchange)'s status on Friday, 18-Apr-2025 00:21:24 JST