Dark Web Education Hub

CVE Rating & The Common Vulnerability Scoring System

Enhance security with intelligence that surpasses a CVE rating

As the exploitation of vulnerabilities has become the dominant cyberattack vector, security teams are looking to CVE ratings to help determine which vulnerabilities to fix first. There are simply too many new vulnerabilities disclosed each year – including more than 18,000 in 2021 – for security teams to patch or remediate every one of them. CVE ratings theoretically should help teams decide which vulnerabilities to patch first, based on the severity of the potential impact on the organization if a vulnerability is exploited.

But CVE ratings measure only the potential damage of a successful exploit, not the likelihood that threat actors will actually exploit the vulnerability. Consequently, security teams may urgently apply patches to high-severity vulnerabilities that are unlikely to represent a threat, while postponing patches to less severe vulnerabilities that may very well be used in attacks tomorrow.

Cybersixgill offers a better way to manage vulnerability assessment. Our DVE Intelligence solution produces a CVE rating based on the probability of a vulnerability being exploited in the near future, allowing security teams to make smarter decisions about vulnerability prioritization.

The flaws in the traditional CVE rating system

CVE, or Common Vulnerabilities and Exposures, is a list of publicly disclosed flaws in software and systems that attackers can exploit; each entry receives a unique CVE identifier. What is commonly called a CVE rating is actually a score from the Common Vulnerability Scoring System (CVSS), an open standard maintained by FIRST that assigns a base score between 0.0 (no impact) and 10.0 (most severe) based on the severity of a particular vulnerability. Because the number of new vulnerabilities outpaces the resources of IT teams to patch them, CVE ratings are intended to help identify the vulnerabilities that pose the greatest risk, allowing security teams to address them first.

However, CVE ratings (or CVSS scores) are flawed in three serious ways that prevent security teams from getting an accurate read on which vulnerabilities represent the greatest risk.

A rating lag

While some vulnerabilities receive a CVE rating quickly, others may not be scored for weeks: a CVE identifier is often published before the vulnerability has been analyzed and assigned a CVSS score. This prevents security teams from having a complete picture of the risks posed by vulnerabilities.

A static score

Once a CVSS base score is assigned, it rarely changes, even when vulnerabilities that were once seldom used become highly popular with attackers. CVSS does define temporal metrics (such as exploit code maturity) that are meant to track this, but they are seldom published in practice, and by design they can only lower the base score, never raise it above the severity assigned on day one.

No recognition of intent

This is the most significant flaw in the traditional CVSS and CVE rating system. Traditional CVE ratings don’t evaluate the probability that threat actors will exploit a given vulnerability. They don’t take into account the way that cyber criminals are talking about vulnerabilities, how often they’re buying and selling tools to exploit them, or the volume of information that’s currently being shared about how to use them in attacks.

As a result of these flaws, traditional CVE ratings can’t provide security teams with the insights they need to make accurate decisions about vulnerability management. That’s where Cybersixgill DVE Intelligence can transform assessment and prioritization efforts.

Prioritizing vulnerabilities with Cybersixgill

Cybersixgill is a cybersecurity platform that continuously exposes the early indications of risk. With the broadest threat intelligence collection capabilities available today, we help organizations capture and block threats as they emerge, before they can be weaponized in an attack. Evaluating vulnerabilities and risks with advanced AI and machine learning algorithms, our technology enables security teams to apply timely, practical and proactive solutions to mitigate attacks before they are launched.

Our Dynamic Vulnerability Exploit Intelligence, or DVE Intelligence, transforms vulnerability prioritization, reducing the reliance on CVE ratings with accurate and actionable insights. To overcome the flaws of traditional prioritization, DVE Intelligence is based on the likelihood that a threat actor will exploit a vulnerability in the next 90 days. DVE Intelligence is also assigned instantly and constantly updated with threat data gathered from the clear, deep and dark web, providing security teams with the intelligence they need to make better decisions.

With DVE Intelligence, you can:

  • Get real-time predictions of which vulnerabilities are most likely to be exploited in the near future.

  • Prioritize vulnerabilities for remediation and patch them faster, enabling security teams to strengthen security posture.

  • Leverage best-in-class collection capabilities that deliver the most thorough and accurate threat intelligence in real time.

  • Gain unmatched visibility into the landscape of vulnerabilities and the ways that threat actors are planning to exploit them.

Why dark web monitoring is critical to CVE ratings

DVE Intelligence monitors the dark web for one very important reason: it’s the go-to channel for threat actors looking to communicate, collaborate, and buy or sell the data and tools they’ll use in their next attack. As a result, it’s common for evidence of planned cybercrimes to appear on the dark web long before it can be found with conventional cyber threat intelligence tools.

To produce CVE ratings based on the probability of an attack, Cybersixgill covertly extracts data from dark web sources such as limited-access dark web forums, invite-only messaging groups, code repositories, paste sites, and illicit underground markets. Our collection and source-infiltration tools are fully automated, and they can scrape data that’s inaccessible to other vendors. Powerful NLP and OCR algorithms process data in all languages and formats. And advanced AI and ML algorithms index, correlate, analyze, tag and filter raw data to enrich each item with context about the nature, source and evolution of each threat.

DVE Intelligence also maintains more than 7 million threat actor profiles that detail the history, arenas of activity, common TTPs, and interests of each individual or group. Our methods of collecting and processing intelligence are highly scalable, allowing us to digest tens of millions of intelligence items per day to ensure that our data is accurate and relevant.

The Cybersixgill difference

Cybersixgill was founded with a single mission: to protect organizations from malicious cyberattacks by giving organizations access to the broadest range of threat intelligence from the clear, deep and dark web.

Our technology provides organizations with exclusive, real-time access to the largest database of deep, dark and clear web threat activity available.

With Cybersixgill, you can:

  • Expose threats. Our fully automated crawlers infiltrate and monitor limited-access sources that are inaccessible to other threat intelligence vendors.

  • Preempt attacks. With Cybersixgill, you can capture and block threats as they emerge, relying on advanced AI and machine learning algorithms to produce and deliver actionable intelligence within minutes.

  • Streamline intelligence. Our solutions seamlessly integrate with your existing technology stack and your unique assets, needs and workflows. Our dedicated integration teams are always available to provide support.

FAQs

What is a CVE?

The CVE definition is twofold. It stands for Common Vulnerabilities and Exposures, a list of publicly disclosed risks and vulnerabilities in software and systems. But CVE can also be used to reference a vulnerability that has been documented and assigned a number within the CVE list.

What is CVE vs CVSS?

CVE stands for Common Vulnerabilities and Exposures, a list of known vulnerabilities in software and systems, each identified by a unique CVE ID. CVSS is the Common Vulnerability Scoring System, an open framework maintained by FIRST for rating the severity of vulnerabilities, including those on the CVE list.

What is the highest CVE rating?

CVSS scores, or CVE ratings, range from 0.0 to 10.0, with 10.0 indicating the most severe vulnerabilities. Beyond the base score, CVSS defines temporal metrics (exploit code maturity, remediation level, and report confidence), which reflect whether an exploit and a fix are available, and environmental metrics, which let an organization adjust the score for how important confidentiality, integrity and availability are for the affected system in its own deployment.