Looking Beyond CVSS Scores for Effective Vulnerability Management
It’s not hard to see why vulnerability management is such an important aspect of cybersecurity. The pace with which vulnerabilities are discovered and publicized – along with the patches designed to fix them – can easily overwhelm even the most mature security programs. Since companies can’t close every loophole, the thinking goes, they need to focus on the vulnerabilities that present the greatest risk.
Sounds like a rational solution to a challenging problem, right? Just one flaw: As practical as the idea of focusing on the most pressing vulnerabilities is, the conventional approach is decidedly impractical.
Rather than prioritizing vulnerabilities based on the real-world likelihood that they will be exploited, this approach focuses on the theoretical damage that they could cause if – hypothetically – they were exploited.
As this post will explain, that approach to vulnerability management might be easier than one that focuses on the chances of a given vulnerability being exploited in the near future – but it doesn’t do as much to help companies and organizations protect themselves. To really meet the vulnerability management needs of today, we need to start by examining the conventional approach, the questions that it is designed to address, and the effectiveness with which it answers those questions.
How does the conventional approach work?
The conventional strategies cybersecurity teams use for prioritizing their vulnerabilities are based largely on Common Vulnerability Scoring System (CVSS) scores. The CVSS framework is designed to evaluate the damage that could be done by a given vulnerability if that vulnerability were exploited. These scores are typically assigned for vulnerabilities that have already been added (as CVEs) to the National Vulnerability Database (NVD).
But while many CVSS scores are assigned rapidly, some cases can take far longer to evaluate – sometimes a number of years. A study published in 2019 found that the NVD included CVE entries for 2,218 vulnerabilities that had yet to receive CVSS scores. It also found that while half of the NVD’s vulnerabilities were assigned their CVSS scores within a day, others took as long as 18 years (a maximum of 6,788 days) to receive their scores.
Moreover, once a vulnerability receives a score, the information reflected in that score is likely to get stale without being updated. The end result is that CVSS scores are not always correlated with the probability that a given vulnerability will be exploited. For example, the CVE-2018-20250 vulnerability listed in the NVD has a CVSS 2.0 score of 6.8, meaning it is considered to have a moderate level of severity – and yet it was one of the 10 most exploited vulnerabilities in 2019. Any cybersecurity team relying solely on CVSS scores would probably not prioritize this vulnerability, likely putting their company (needlessly) at risk of being targeted by a cyberattack exploiting it.
There is a certain logic to the approach of prioritizing vulnerabilities based on the level of damage they could theoretically cause – especially because the chance of a given vulnerability being exploited in the near future varies widely over time. If you wanted to prioritize vulnerabilities based on their actual chances of leading to a cyberattack in the short term, you’d need to continually evaluate and reevaluate those chances. And that kind of real-time approach would require both comprehensive cyber threat intelligence and an automated approach to analyzing that intelligence.
How can a more useful alternative work?
Answering the question of how to offer an alternative with more real-world effectiveness is not just a theoretical matter. It’s exactly what we at Cybersixgill did when we developed our Dynamic Vulnerability Exploit (DVE) Score.
While the artificial intelligence behind our DVE Score technology is anything but simple, the question that it is designed to answer is quite straightforward: What is the likelihood that a given vulnerability will be exploited in the next 90 days?
At the heart of the DVE Score’s strategy for answering this question is our unmatched collection of cyber threat intelligence from the deep and dark web, which our scoring algorithm analyzes automatically and continually. This real-time and automated approach to threat analysis allows our technology to assign scores instantly – avoiding the significant delays that often undermine the usefulness of CVSS scores.
In addition to offering a number reflecting this threat intelligence, our DVE Score provides an audit trail detailing the information on which that score is based. That way, cybersecurity teams can utilize the same threat intelligence that our scoring algorithm does. This helps these teams both to make collaborative and well-informed choices about which vulnerabilities to prioritize and to guarantee that their decision-making process is as transparent as possible.
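To make the difference between the two prioritization strategies concrete, here is a small Python illustration written for this post; it is not Cybersixgill's DVE algorithm and not its API. The only page-sourced values are CVE-2018-20250 and its CVSS 2.0 score of 6.8; every likelihood, score age and evidence string is constructed, and the CVE-EXAMPLE-* identifiers are placeholders rather than real CVE ids. It orders the same records first by CVSS alone and then by an assumed 90-day exploitation likelihood, flags CVSS scores that have gone stale, and keeps the evidence behind each likelihood as an audit trail the way the post describes.

```python
"""Compare CVSS-only prioritization with likelihood-first prioritization.

Added illustration for this post; not DVE Score code. All records below are
constructed except the CVE-2018-20250 / CVSS 6.8 pairing cited in the text.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Vuln:
    """One vulnerability record (constructed for this example)."""
    cve: str
    cvss: float                 # CVSS base score, 0.0 - 10.0 (theoretical impact)
    exploit_likelihood: float   # assumed probability of exploitation in the next 90 days
    score_age_days: int         # days since the CVSS score was last (re)assessed
    evidence: List[str] = field(default_factory=list)  # audit trail behind the likelihood


# Constructed sample. CVE-2018-20250's likelihood, evidence and score age are
# invented; the CVE-EXAMPLE-* identifiers are placeholders, not real CVEs.
SAMPLE: List[Vuln] = [
    Vuln("CVE-2018-20250", 6.8, 0.92, 400,
         ["constructed: exploit offered for sale on an underground forum",
          "constructed: repeated mentions in threat-actor chatter in the last 7 days"]),
    Vuln("CVE-EXAMPLE-0001", 9.8, 0.05, 30,
         ["constructed: no underground discussion observed"]),
    Vuln("CVE-EXAMPLE-0002", 7.5, 0.40, 900,
         ["constructed: proof of concept shared, no evidence of use"]),
    Vuln("CVE-EXAMPLE-0003", 4.3, 0.02, 10, []),
]


def rank_by_cvss(vulns: List[Vuln]) -> List[str]:
    """Conventional ordering: highest theoretical severity first."""
    return [v.cve for v in sorted(vulns, key=lambda v: v.cvss, reverse=True)]


def rank_by_likelihood(vulns: List[Vuln]) -> List[str]:
    """Likelihood-first ordering; CVSS only breaks ties between equal likelihoods."""
    return [v.cve for v in sorted(vulns,
                                  key=lambda v: (v.exploit_likelihood, v.cvss),
                                  reverse=True)]


def cvss_rank_of(vulns: List[Vuln], cve: str) -> int:
    """1-based position of a CVE in the CVSS-only ordering."""
    return rank_by_cvss(vulns).index(cve) + 1


def patch_queue(vulns: List[Vuln], threshold: float = 0.5) -> List[Dict[str, object]]:
    """Entries at or above the likelihood threshold, each carrying its evidence."""
    queue: List[Dict[str, object]] = []
    for v in sorted(vulns, key=lambda v: v.exploit_likelihood, reverse=True):
        if v.exploit_likelihood >= threshold:
            queue.append({"cve": v.cve, "likelihood": v.exploit_likelihood,
                          "cvss": v.cvss, "why": list(v.evidence)})
    return queue


def stale_scores(vulns: List[Vuln], max_age_days: int = 365) -> List[str]:
    """CVEs whose CVSS score has not been reassessed within max_age_days."""
    return [v.cve for v in vulns if v.score_age_days > max_age_days]


if __name__ == "__main__":
    print("CVSS-only order:  ", rank_by_cvss(SAMPLE))
    print("Likelihood order: ", rank_by_likelihood(SAMPLE))
    print("Stale CVSS scores:", stale_scores(SAMPLE))
    for item in patch_queue(SAMPLE):
        print(f"PATCH NOW {item['cve']} (p={item['likelihood']}, cvss={item['cvss']})")
        for line in item["why"]:
            print("   -", line)
```

With these constructed inputs the CVSS-only ordering puts CVE-2018-20250 third, behind two placeholder entries with higher base scores, while the likelihood-first ordering puts it at the top and the patch queue carries the evidence a team would need to review or challenge that decision.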
When we consider the role of the deep and dark web within the cybercrime ecosystem, we can see why these information sources – what we often call the cybercrime underground – offer the most reliable and up-to-date intelligence on cyber threats that have yet to fully materialize. That makes these sources a gold mine of insights into threat actors’ future plans, including which vulnerabilities they’re actively looking to exploit.
Why the deep and dark web?
As our team explained in a recent blog post, the dark web is threat actors’ go-to channel when they want to communicate anonymously. Not only do they often communicate there about matters relating to their future plans, but they often buy and sell goods and services there. Some of the things that are bought and sold on the dark web are the result of previous cyberattacks (such as credentials for a variety of online platforms), while others are tools that could be used in future attacks (such as crimeware). Still other items bought and sold on the dark web are products of previous cyberattacks that are also bound to be used for future attacks, such as access to a compromised server.
The result is that various threat actors can effectively work together to carry out cyberattacks more sophisticated than what any one of them could pull off on their own. And because these communications and transactions often take place on the dark web before a cyberattack, they offer unique insight into which vulnerabilities are most likely to be used for an attack in the near future.
Does a dark web-focused approach to vulnerability management make the job easy?
Not if you consider patching to be hard work. After all, the whole point of this approach is to tell you exactly what to patch as soon as possible.
But what this approach does accomplish is to make vulnerability management more effective.
Rather than setting your priorities based on theoretical analysis, it gives you the latest real-world intelligence you need to zero in on imminent risks before it’s too late.
That way, when you actually do the legwork of patching vulnerabilities, you can be confident that you’re applying the patches that are most urgent – not as of the time they were assigned a CVSS score, but as of right now.
How does the Cybersixgill DVE Score work, and how does it offer you a more effective approach to cybersecurity vulnerability management?
For a closer look, download our whitepaper, Fixing the Broken Middle: How the Cybersixgill DVE Score Helps Prioritize Vulnerabilities.