Most organizations face challenges with prioritizing risk from a new vulnerability or threat. At times, late breaking threats do not provide a severity assessment. The standard way to identify the key characteristics of a threat is using CVSS (Common Vulnerability Scoring System). CVSS provides a Vector (based on key dimensions / attributes of the threat and its impact & exploitability) and a numerical Score (in the range of 0 to 10).
Note this blog article describes key metrics of CVSS 2.0. The latest version is CVSS 3.0 (released in June 2015)
CVSS provides a solid mechanism to detail out the severity details of a vulnerability. These details are essentially captured in the CVSS Vector as metric groups as explained below:
Base Metrics – This captures characteristics of a vulnerability that are constant with time and across user environments. This group comprises of six key metrics:
- {AccessVector [AV], AccessComplexity [AC], Authentication [Au]} – These help capture how the vulnerability is accessed and whether or not extra conditions are required to exploit it.
- {Confidentiality [C], Integrity [I], Availability [A]} – These are essentially the “impact” metrics that help measure how a vulnerability, if exploited, will directly affect an asset. Here the impacts are defined as the degree of loss of confidentiality, integrity and availability.
Temporal Metrics – This group captures the key threat metrics of a vulnerability which may change over time. This group comprises of the following metrics:
- Exploitability [E] – This indicates the current state of exploit techniques or code availability for the vulnerability.
- Remediation Level [RL] – This indicates the current remediation level for the vulnerability. This is an important factor in the prioritization process.
- Report Confidence [RC] – This metric indicates the degree of confidence in the existence of the vulnerability and the credibility of the known technical details for the vulnerability.
Environmental Metrics – This group captures the bearing of the environment on the risk that a vulnerability poses to an organization. It comprises of the following metrics:
- Collateral Damage Potential [CDP] – This metric measures the potential for loss of life or physical assets through damage to an asset.
- Target Distribution [TD] – This metric measures the proportion of vulnerable systems.
- Security requirements {Confidentiality Requirement [CR], Integrity Requirement [IR], Availability Requirement [AR]} – These metrics essentially enable the organization to customize the CVSS score based on the importance of the affected asset to users organization, measured in terms confidentiality, integrity and availability.
The CVSS standard defines permissible values for each of these key metrics. Also CVSS standard defines the formula for calculating the CVSS score based on the CVSS vector.
Here are the CVSS Vectors and Scores for some sample CVEs:
- CVE-2019-0808 – [CVSS Vector – AV:L/AC:L/Au:N/C:C/I:C/A:C] [CVSS Score – 7.2]
- CVE-2019-3855 – [CVSS Vector – AV:N/AC:M/Au:N/C:C/I:C/A:C] [CVSS Score – 9.3]
As one can see the CVSS vector and score provide an excellent framework for organizations to prioritize threats/vulnerability accurately. It is important to note that NVD and CVE provide CVSS vector and score for most vulnerabilities. However, late breaking new vulnerabilities in most cases are yet to find a home in NVD/CVE or these are in the “undergoing analysis” phase (i.e. vendor has requested for a new CVE but not shared complete details on the vulnerability as yet). Please see image below:
A related use-case scenario is one wherein the vendor has published an advisory or security bulletin and it references a CVE number, but the CVE does not exist with NVD as yet. In such cases in the absence of CVSS vector and score from the vendor advisory, it becomes extremely difficult for organizations to sift through the advisory content to arrive at a severity score to effectively prioritize it. It is interesting to note that there are over 450+ such reserved CVEs over a last 30 days window, which have no CVSS vector or score assigned as yet by NVD.
Similarly for blog content or security mailing lists, there is text content available (something like a blog article or mailing list article) which describes the scenario for a potential brewing issue. However, there is no severity assigned to the issue as yet.
What should an organization do in such cases (wherein there is no CVSS vector nor score available)? How should the organization prioritize things?
ThreatWatch provides an innovative way using Machine Learning to accurately predict the Base Metrics of the CVSS vector for a new threat and the corresponding CVSS score. Our ML models are Neural Net based (deep learning) and these are trained on over 200K vulnerabilities (includes CVE and non-CVEs i.e. advisories/bulletins/blogs). These models provide overall accuracy upward of 90%. The predicted base metrics (which contribute to the severity of the vulnerability) along with the temporal and environmental factors (like business criticality of the asset, nature of asset (external facing or internal, known exploits, remediations, etc.) help the organization accurately prioritize things.
To know more about how ThreatWatch ML powered solution can help your organization please contact us – info@threatwatch.io