The challenge of assessing threats on the Common Vulnerabilities and Exposures list

Vulnerability exploitation has become the most common attack vector for cybercriminals. In 2021 alone, more than 18,000 vulnerabilities were added to the Common Vulnerabilities and Exposures list, or CVE. For security teams, this only adds complexity to the challenge of patching and remediating an ever-growing catalogue of vulnerabilities in software and systems.

The challenge in addressing threats on the Common Vulnerabilities and Exposures list is determining which vulnerabilities to address first. Because the total number of known vulnerabilities is nearing 200,000, security teams can’t possibly remediate them all. In some instances, it can take up to 12 days to coordinate and apply a patch across all devices. As a result, vulnerability prioritization is absolutely essential to ensuring that IT systems are protected against the most dangerous and devastating attacks.

To simplify vulnerability management, Cybersixgill offers Dynamic Vulnerability Exploit Intelligence, or DVE Intelligence. By ranking the Common Vulnerabilities and Exposures list by probability of use as well as severity of impact, DVE Intelligence provides security teams with a more efficient and accurate way to prioritize remediation and patches.

Why intent is more important than severity when calculating CVE risk

Traditionally, security teams prioritizing vulnerabilities have relied on information from the Common Vulnerability Scoring System (CVSS). This set of open standards creates a score or CVE rating based on severity – how catastrophic the damage would be if a threat actor exploited a given vulnerability.

While CVSS scores provide a crucial bit of intelligence, they lack one very important data point: how likely each vulnerability is to be exploited by an attacker. After all, a vulnerability with great severity may not pose a serious risk if it’s highly unlikely to ever be exploited. Conversely, vulnerabilities of low to moderate severity can cause extraordinary damage if they are successfully and repeatedly used in attacks.

To further complicate vulnerability assessment, the assignment of CVSS scores may lag far behind the discovery of vulnerabilities. Some vulnerabilities can take weeks to receive a rating. This leaves security teams in the dark about certain vulnerabilities while threat actors are making plans to exploit them. Although the Common Vulnerabilities and Exposures list is constantly evolving, with some CVEs increasing in risk while others decrease, CVSS scores rarely change, making it impossible for security teams to prioritize remediation based on real-time events.

To gain real-time insight into the vulnerabilities that are most likely to be exploited by threat actors in the near future, security teams need a better way to evaluate items on the Common Vulnerabilities and Exposures list. That’s where Cybersixgill can help.

Prioritizing Common Vulnerabilities and Exposures threats with Cybersixgill

Cybersixgill’s fully automated threat intelligence solutions help organizations fight cybercrime by detecting phishing, data leaks, fraud and vulnerabilities while amplifying incident response in real time. Our DVE Intelligence transforms vulnerability prioritization with exceptional accuracy by evaluating vulnerabilities based on their likelihood of being used in an attack in the next 90 days.

To analyze the true risk of each threat on the Common Vulnerabilities and Exposures list, we pull data and intelligence from the clear, deep and dark web – the very place that threat actors go to formulate attack plans, buy and sell tools and data, and communicate with one another anonymously. By automatically monitoring and covertly scraping data from a wide range of deep and dark web sources, DVE Intelligence can predict which CVEs are most likely to be exploited in the near future, allowing security teams to prioritize their remediation.

DVE Intelligence offers:

  • Predictive insight. Know which vulnerabilities will be targeted, up to 90 days before they are used in an attack. Get hyper context on threat actors and their objectives. Review predictions based on granular trends and insights.
  • Dynamic scores. Prioritize vulnerability remediation with data based on the intent of attackers and the availability of the exploit, with intelligence that is continuously updated with relevant context.
  • Robust data. Make decisions based on data pulled from the largest collection of intelligence from closed sources. Review audit trails to fully understand the data driving each score.
  • Continuous investigation and protection. Generate fresh intelligence from newly found context. Customize scores for critical assets and get notifications about relevant exploits. Integrate vulnerability scores with threat portals and other existing security infrastructure. Investigate to learn more about any item on the Common Vulnerabilities and Exposures list, with data on popularity, potential exploits, relevant actors, and more.

How a DVE Score is determined

To provide a DVE Score that reflects the likelihood that a vulnerability will be exploited in the next 90 days, Cybersixgill relies on automated data collection from a wide range of sources in the clear, deep and dark web. These include:

  • Underground markets. These illicit trading platforms are where threat actors go to buy and sell exploit code kits, the Metasploit framework, and other tools that enable malicious attacks.
  • Code repositories. Proof-of-concept (POC) exploit code is published on code repositories like GitHub, where malicious actors can obtain and use it.
  • Paste sites. These dark web sites are where threat actors share large volumes of text that can be used in vulnerability exploits.
  • Limited-access web forums. Dark web forums offer memberships that enable threat actors to anonymously discuss illicit subjects.
  • Invite-only instant messaging groups. These are peer-to-peer sites where access is granted only by invitation after establishing trusted relationships.

DVE Intelligence automatically analyzes and gleans intelligence from discourse and chatter on these sites, combining it with intelligence from other sources such as social media and cybersecurity websites. This analysis enables us to produce a score that accurately predicts the probability of vulnerability exploitation over the next 90 days. Each score includes critical insights and attributes as well as comprehensive context around the reputation, profile and history of each threat actor.

Why Cybersixgill?

Our mission at Cybersixgill is to protect organizations against malicious cyberattacks. Our Investigative Portal enables security teams to conduct real-time threat investigations with contextual and actionable insights. Our Threat Intelligence and DVE Intelligence data feeds harness our unmatched collection capabilities, delivering real-time insight into existing security systems. A growing number of enterprises, financial services, governments, law enforcement entities and MSSPs rely on Cybersixgill to empower their security teams with the information they need to make well-informed decisions about the best way to prevent cyberattacks.


What is CVE?

CVE stands for Common Vulnerabilities and Exposures, a list of publicly disclosed risks and vulnerabilities. The CVE definition can also refer to a vulnerability that has been documented and assigned a number within the CVE list.

What is the Common Vulnerabilities and Exposures list?

Common Vulnerabilities and Exposures, or CVE, is a list of publicly disclosed vulnerabilities in software and systems that may be exploited by cyber criminals to gain unauthorized access to a network or to launch a variety of cyberattacks.

What is the difference between a vulnerability and an exposure?

A vulnerability is a fault within a system, such as a flaw in software, that can be exploited by cyber criminals to gain access to systems and data. Exposures are typically one-time events where data, credentials, and other sensitive information are inadvertently or maliciously shared with unauthorized users or the public.
