In the primary a part of this sequence, we took a detailed have a look at CVSS and the way it works, concluding that whereas CVSS could supply some advantages, it’s not designed for use as a sole technique of prioritization. In this text, we’ll cowl some various instruments and programs for remediation prioritization, how they can be utilized, and their professionals and cons.
EPSS, first printed at Black Hat USA 2019, is (like CVSS) maintained by a FIRST Special Interest Group (SIG). As famous in the whitepaper that accompanied the Black Hat speak, the creators of EPSS intention to fill a niche within the CVSS framework: predicting the chance of exploitation based mostly on historic knowledge.
The authentic model of EPSS used logistic regression: a statistical method to measure the chance of a binary consequence by contemplating the contribution a number of impartial variables make to that consequence. For occasion, if I wished to make use of logistic regression to measure the chance of a sure/no occasion occurring (say, whether or not a given individual will buy one in every of my merchandise), I’d look to gather a big pattern of historic advertising and marketing knowledge for earlier prospects and would-be prospects. My impartial variables can be issues like age, gender, wage, disposable revenue, occupation, locale, whether or not an individual already owned a rival product, and so forth. The dependent variable can be whether or not the individual purchased the product or not.
The logistic regression mannequin would inform me which of these variables make a big contribution to that consequence, both constructive or unfavourable. So, for instance, I’d discover that age < 30 and wage > $50,000 are positively correlated to the result, however already owns related product = true is, unsurprisingly, negatively correlated. By weighing up the contributions to those variables, we are able to feed new knowledge into the mannequin and get an thought of the chance of any given individual wanting to purchase the product. It’s additionally necessary to measure the predictive accuracy of logistic regression fashions (as they might end in false positives or false negatives), which might be achieved with Receiver Operating Characteristic (ROC) curves.
The creators of EPSS analyzed over 25,000 vulnerabilities (2016 – 2018), and extracted 16 impartial variables of curiosity together with the affected vendor, whether or not exploit code existed within the wild (both in Exploit-DB or in exploit frameworks like Metasploit and Canvas), and the variety of references within the printed CVE entry. These had been the impartial variables; the dependent variable was whether or not the vulnerability had really been exploited within the wild (based mostly on knowledge from Proofpoint, Fortinet, AlienVault, and GreyNoise).
The authors discovered that the existence of weaponized exploits made essentially the most vital constructive contribution to the mannequin, adopted by Microsoft being the affected vendor (doubtless because of the quantity and recognition of merchandise Microsoft develops and releases, and its historical past of being focused by risk actors); the existence of proof-of-concept code; and Adobe being the affected vendor.
Interestingly, the authors additionally famous some unfavourable correlation, together with Google and Apple being the affected distributors. They surmised that this can be on account of Google merchandise having many vulnerabilities, of which comparatively few had been exploited within the wild, and Apple being a closed platform that risk actors haven’t traditionally focused. The inherent traits of a vulnerability (i.e., the knowledge mirrored in a CVSS rating) appeared to make little distinction to the result – though, as one would possibly anticipate, distant code execution vulnerabilities had been extra more likely to be exploited in comparison with, say, native reminiscence corruption bugs.
EPSS was initially carried out in a spreadsheet. It supplied an estimate of chance {that a} given vulnerability can be exploited inside the subsequent 12 months. Subsequent updates to EPSS adopted a centralized structure with a extra refined machine studying mannequin, expanded the function set (together with variables akin to public vulnerability lists, Twitter / X mentions, incorporation into offensive safety instruments, correlation of exploitation exercise to vendor market share and set up base, and the age of the vulnerability), and estimated the chance of exploitation inside a 30-day window fairly than 12 months.
Figure 1: A screenshot from the EPSS Data and Statistics web page, exhibiting the highest EPSS scores from the final 48 hours on the time the picture was captured. Note that EPSS doesn’t conclude that many of those CVEs will find yourself being exploited
While a easy on-line calculator is accessible for v1.0, utilizing the most recent model requires both downloading a each day CSV file from the EPSS Data and Statistics web page, or utilizing the API. EPSS scores should not proven on the National Vulnerability Database (NVD), which favors CVSS scores, however they’re obtainable on different vulnerability databases akin to VulnDB.
As famous in our earlier article on this sequence, CVSS scores haven’t traditionally been a dependable predictor of exploitation, so EPSS, in precept, looks like a pure complement — it tells you in regards to the chance of exploitation, whereas CVSS tells you one thing in regards to the affect. As an instance, say there’s a bug with a CVSS Base rating of 9.8, however an EPSS rating of 0.8% (i.e., whereas extreme whether it is exploited, the bug is lower than 1% more likely to be exploited inside the subsequent 30 days). On the opposite hand, one other bug may need a a lot decrease CVSS Base rating of 6.3, however an EPSS rating of 89.9% – during which case, you would possibly wish to prioritize it.
What you shouldn’t do (because the EPSS authors level out) is multiply CVSS scores by EPSS scores. Even although this theoretically offers you a severity * risk worth, do not forget that a CVSS rating is an ordinal rating. EPSS, its creators say, communicates completely different info from that of CVSS, and the 2 must be thought of collectively however individually.
So is EPSS the proper companion to CVSS? Possibly – like CVSS, it’s free to make use of, and provides helpful perception, but it surely does include some caveats.
What does EPSS really measure?
EPSS gives a chance rating which signifies the probability of a given vulnerability being exploited typically. It doesn’t, and isn’t supposed to, measure the probability of your group being focused particularly, or the affect of profitable exploitation, or any incorporation of an exploit into (for example) a worm or a ransomware gang’s toolkit. The consequence it predicts is binary (exploitation both happens or it doesn’t – though be aware that it’s really extra nuanced than that: both exploitation happens or we don’t know if it has occurred), and so an EPSS rating tells you one factor: the chance of exploitation occurring inside the subsequent 30 days. On a associated be aware, it’s price making a be aware of that point interval. EPSS scores ought to, by design, be recalculated, as they depend on temporal knowledge. A single EPSS rating is a snapshot in time, not an immutable metric.
EPSS is a ‘pre-threat’ software
EPSS is a predictive, proactive system. For any given CVE, assuming the requisite info is accessible, it is going to generate a chance that the related vulnerability will probably be exploited within the subsequent 30 days. You can then, in the event you select to, issue on this chance for prioritization, supplied the vulnerability has not already been exploited. That is, the system doesn’t present any significant perception if a vulnerability is being actively exploited, as a result of it’s a predictive measure. To return to our earlier instance of logistic regression, there’s little level operating your knowledge by my mannequin and attempting to promote you my product in the event you already purchased it six weeks in the past. This appears apparent, but it surely’s nonetheless price taking into account: for vulnerabilities which have been exploited, EPSS scores can’t add any worth to prioritization choices.
Lack of transparency
EPSS has an identical problem to CVSS with regard to transparency, though for a distinct purpose. EPSS is a machine studying mannequin, and the underlying code and knowledge is not obtainable to most members of the FIRST SIG, not to mention most people. While the maintainers of EPSS say that “improving transparency is one of our goals,” in addition they be aware that they can’t share knowledge as a result of “we have several commercial partners who requested that we not share as part of the data agreement. As far as the model and code, there are many complicated aspects to the infrastructure in place to support EPSS.”
Assumptions and constraints
Jonathan Spring, a researcher at Carnegie Mellon University’s Software Engineering Institute, factors out that EPSS depends on some assumptions which make it much less universally relevant than it might seem. EPSS’s web site claims that the system estimates “the likelihood (probability) that a software vulnerability will be exploited in the wild.” However, there are some generalizations right here. For instance, “software vulnerability” refers to a printed CVE – however some software program distributors or bug bounty directors may not use CVEs for prioritization in any respect. As Spring notes, this can be as a result of a CVE has but to be printed for a specific problem (i.e., a vendor is coordinating with a researcher on a repair, previous to publication), or as a result of the vulnerability is extra of a misconfiguration problem, which wouldn’t obtain a CVE in any case.
Likewise, “exploited” means exploitation makes an attempt that EPSS and its companions had been in a position to observe and document, and “in the wild” means the extent of their protection. The authors of the linked paper additionally be aware that, as a result of a lot of that protection depends on IDS signatures, there’s a bias in direction of network-based assaults towards perimeter gadgets.
Numerical outputs
As with CVSS, EPSS produces a numerical output. And, as with CVSS, customers must be conscious that danger just isn’t reducible to a single numerical rating. The similar applies to any try to mix CVSS and EPSS scores. Instead, customers ought to take numerical scores under consideration whereas sustaining an consciousness of context and the programs’ caveats, which ought to affect how they interpret these scores. And, as with CVSS, EPSS scores are standalone numbers; there are not any suggestions or interpretation steerage supplied.
Possible future disadvantages
The authors of EPSS be aware that attackers could adapt to the system. For occasion, a risk actor could incorporate lower-scoring vulnerabilities into their arsenal, figuring out that some organizations could also be much less more likely to prioritize these vulnerabilities. Given that EPSS makes use of machine studying, the authors additionally level out that attackers could sooner or later try to carry out adversarial manipulation of EPSS scores, by manipulating enter knowledge (akin to social media mentions or GitHub repositories) to trigger overscoring of sure vulnerabilities.
SSVC, created by Carnegie Mellon University’s Software Engineering Institute (SEI) in collaboration with CISA in 2019, could be very dissimilar to CVSS and EPSS in that it doesn’t produce a numerical rating as its output in any respect. Instead, it’s a decision-tree mannequin (within the conventional, logical sense, fairly than in a machine studying sense). It goals to fill what its builders see as two main points with CVSS and EPSS: a) customers should not supplied with any suggestions or choice factors, however are anticipated to interpret numerical scores themselves; and b) CVSS and EPSS place the vulnerability, fairly than the stakeholder, on the heart of the equation.
As per the SSVC whitepaper, the framework is meant to allow choices about prioritization, by following a call tree alongside a number of branches. From a vulnerability administration perspective, for instance, you begin by answering a query about exploitation: whether or not there’s no exercise, a proof-of-concept, or proof of energetic exploitation. This results in choices about publicity (small, managed, or open), whether or not the kill chain is automatable, and ‘value density’ (the sources {that a} risk actor would get hold of after profitable exploitation). Finally, there are two questions on security affect and mission affect. The ‘leaves’ of the tree are 4 doable choice outcomes: defer, scheduled, out-of-cycle, or rapid.
Figure 2: A pattern choice tree from the SSVC demo web site
Usefully, the most recent model of SSVC additionally contains a number of different roles, together with patch suppliers, coordinators, and triage/publish roles (for choices about triaging and publishing new vulnerabilities), and in these circumstances the questions and choice outcomes are completely different. For occasion, with coordination triage, the doable outcomes are decline, observe, and coordinate. The labels and weightings are additionally designed to be customizable relying on a company’s priorities and sector.
Having gone by the choice tree, you’ll be able to export a end result to both JSON or PDF. The end result additionally features a vector string, which will probably be acquainted to anybody who learn our evaluation of CVSS within the earlier article. Notably, this vector string incorporates a timestamp; some SSVC outcomes are supposed to be recalculated, relying on the context. The authors of the SSVC whitepaper advocate recalculating scores which rely upon the ‘state of exploitation’ choice level as soon as a day, for instance, as a result of this may change quickly – whereas different choice factors, akin to technical affect, must be static.
As the identify suggests, SSVC makes an attempt to place stakeholders on the heart of the choice by emphasizing stakeholder-specific points and decision-based outcomes, fairly than numerical scores. One helpful consequence of that is which you can apply the framework to vulnerabilities with no CVE, or to misconfigurations; one other is that stakeholders from disparate sectors and industries can adapt the framework to swimsuit their very own wants. It’s additionally pretty easy to make use of (you’ll be able to strive it out right here), when you’ve acquired a deal with on the definitions.
To our data, there hasn’t been any impartial empirical analysis into the effectiveness of SSVC, solely a small pilot examine carried out by SSVC’s creators. The framework additionally prefers simplicity over nuance in some respects. CVSS, for instance, has a metric for Attack Complexity, however SSVC has no equal choice level for ease or frequency of exploitation or something related; the choice level is solely whether or not or not exploitation has occurred and if a proof-of-concept exists.
And, presumably to keep away from over-complicating the choice tree, not one of the choice factors in any of the SSVC bushes have an ‘unknown’ possibility by default; as a substitute, customers are suggested to make a “reasonable assumption” based mostly on prior occasions. In sure circumstances, this will likely skew the eventual choice, notably close to choice factors outdoors a company’s management (akin to whether or not a vulnerability is being actively exploited); analysts could also be uncomfortable with ‘guessing’ and err on the aspect of warning.
That being stated, it’s maybe no unhealthy factor that SSVC avoids numerical scores (though some customers may even see this as a draw back), and it has a number of different elements in its favor: It’s designed to be customizable; is totally open-source; and gives clear suggestions as a closing output. As with many of the instruments and frameworks we focus on right here, a stable method can be to mix it with others; inputting EPSS and CVSS particulars (and the KEV Catalog, mentioned beneath), the place relevant, right into a tailor-made SSVC choice tree is probably going to provide you an affordable indication of which vulnerabilities to prioritize.
The KEV Catalog, operated by the Cybersecurity and Infrastructure Security Agency (CISA), is a regularly up to date record of which CVEs risk actors are recognized to have actively exploited. As of December 2024, there are 1238 vulnerabilities on that record, with supplied particulars together with CVE-ID, vendor, product, a brief description, an motion to be taken (and a due date, which we’ll come to shortly), and a notes area, typically containing a hyperlink to a vendor advisory.
As per CISA’s Binding Operational Directive 22-01, “federal, executive branch, departments and agencies” are required to remediate relevant vulnerabilities within the KEV Catalog, together with another actions, inside a sure timeframe (six months for CVE-IDs assigned earlier than 2021, two weeks for all others). CISA’s justification for creating the KEV Catalog is much like factors we made in our earlier article: Only a small minority of vulnerabilities are ever exploited, and attackers don’t seem to depend on severity scores to develop and deploy exploits. Therefore, CISA argues, “known exploited vulnerabilities should be the top priority for remediation…[r]ather than have agencies focus on thousands of vulnerabilities that may never be used in a real-world attack.”
The KEV Catalog just isn’t up to date on a scheduled foundation, however inside 24 hours of CISA changing into conscious of a vulnerability that meets sure standards:
- A CVE-ID exists
- “There is reliable evidence that the vulnerability has been actively exploited in the wild”
- “There is a clear remediation action for the vulnerability”
According to CISA, proof of energetic exploitation – whether or not tried or profitable – comes from open-source analysis by its personal groups, in addition to “information directly from security vendors, researchers, and partners…information through US government and international partners…and through third-party subscription services.” Note that scanning exercise, or the existence of a proof-of-concept, should not ample for a vulnerability to be added to the Catalog.
Full disclosure: Sophos is a member of the JCDC, which is the a part of CISA that publishes the KEV Catalog
Figure 3: Some of the entries within the KEV Catalog
While primarily geared toward US federal businesses, many personal sector organizations have adopted the record for prioritization. It’s not exhausting to see why; the Catalog gives a easy and manageable assortment of energetic threats, in CSV or JSON codecs, which may simply be ingested and, as CISA suggests, integrated right into a vulnerability administration program for prioritization. Crucially, CISA is obvious that organizations mustn’t rely solely on the Catalog, however take different sources of knowledge under consideration
Like EPSS, the KEV Catalog is based on a binary consequence: if a bug is on the record, it’s been exploited. If it’s not, it hasn’t (or, extra precisely, we don’t know if it has or not). But there’s numerous contextual info KEV doesn’t present, which may support organizations with prioritization, notably sooner or later because the record continues to develop and turn into extra unwieldy (and it’ll; there is just one purpose a vulnerability would ever be faraway from the record, which is that if a vendor replace causes an “unforeseen issue with greater impact than the vulnerability itself”).
For occasion, the Catalog doesn’t element the quantity of exploitation. Has a bug been exploited as soon as, or a handful of instances, or hundreds of instances? It doesn’t present any details about affected sectors or geographies, which might be helpful knowledge factors for prioritization. It doesn’t let you know what class of risk actor is exploiting the vulnerability (apart from ransomware actors), or when the vulnerability was final exploited. As with our dialogue of EPSS, there are additionally points round what is taken into account a vulnerability, and the transparency of knowledge. Regarding the previous, a KEV Catalog entry should have a CVE – which can be much less helpful for some stakeholders – and concerning the latter, its exploitation protection is restricted to what CISA’s companions can observe, and that knowledge just isn’t obtainable for inspection or corroboration. However, a curated record of vulnerabilities that are believed to have been actively exploited is probably going helpful for a lot of organizations, and gives extra info on which to base choices about remediation.
You’re maybe beginning to get a way of how a few of these completely different instruments and frameworks might be mixed to provide a greater understanding of danger, and result in extra knowledgeable prioritization. CVSS offers a sign of a vulnerability’s severity based mostly on its inherent traits; the KEV Catalog tells you which of them vulnerabilities risk actors have already exploited; EPSS offers you the chance of risk actors exploiting a vulnerability sooner or later; and SSVC may also help you attain a call about prioritization by taking a few of that info under consideration inside a custom-made, stakeholder-specific decision-tree.
To some extent, CVSS, EPSS, SSVC, and the KEV Catalog are the ‘big hitters.’ Let’s now flip to some lesser-known instruments and frameworks, and the way they stack up. (For readability, we’re not going to have a look at schemes like CWE, CWSS, CWRAF, and so forth, as a result of they’re particular to weaknesses fairly than vulnerabilities and prioritization.)
Vendor-specific schemes
Several business entities supply paid vulnerability rating companies and instruments designed to help with prioritization; a few of these could embody EPSS-like prediction knowledge generated by proprietary fashions, or EPSS scores along with closed-source knowledge. Others use CVSS, maybe combining scores with their very own scoring programs, risk intelligence, vulnerability intelligence, and/or details about a buyer’s belongings and infrastructure. While these choices could present a extra full image of danger and a greater information to prioritization in comparison with, say, CVSS or EPSS alone, they’re not sometimes publicly obtainable and so aren’t open to analysis and evaluation.
Some product distributors have devised their very own programs and make their scores public. Microsoft has two such programs for vulnerabilities in its personal merchandise: a Security Update Severity Rating System which, like CVSS, gives a information to the severity of a vulnerability (Microsoft states that its scores are based mostly on “the worst theoretical outcome were that vulnerability to be exploited”); and the Microsoft Exploitability Index, which goals to offer an evaluation of the probability of a vulnerability being exploited. This seems to be based mostly on Microsoft’s evaluation of the vulnerability; how troublesome it will be to use; and previous exploitation developments, fairly than a statistical mannequin, though not sufficient info is supplied to verify this.
Red Hat additionally has a Severity Ratings system, comprising 4 doable scores together with a calculated CVSS Base rating. Like the Microsoft programs, this solely pertains to vulnerabilities in proprietary merchandise, and the means by which the scores are calculated should not clear.
CVE Trends (RIP) and alternate options
CVE Trends, which on the time of writing just isn’t energetic on account of X’s restrictions on utilization of its API, is a crowdsourced dashboard of knowledge scraped from X, Reddit, GitHub, and NVD. It confirmed the ten most at the moment mentioned vulnerabilities based mostly on that knowledge.
Figure 4: The CVE Trends dashboard
As proven within the screenshot above, the dashboard included CVSS and EPSS scores, CVE info, and pattern tweets and Reddit posts, in addition to ‘published’ dates and a measurement of debate exercise in the previous few days (or 24 hours).
While CVE Trends might be helpful for getting an thought of the present ‘flavor of the month’ CVEs among the many safety neighborhood – and may be useful in acquiring breaking information about new vulnerabilities – it didn’t support in prioritization above and past new, high-impact bugs. It solely confirmed ten vulnerabilities at a time, and a few of these – together with Log4j, as you’ll be able to see within the screenshot – had been comparatively previous, although nonetheless being mentioned due to their prevalence and notoriety.
As famous above, CVE Trends is at the moment inactive, and has been since mid-2023. As of this writing, guests to the location obtain the next message, which additionally appeared because the closing message on its creator’s Twitter feed:
Figure 5: CVE Trends’ farewell message / tweet
It stays to be seen whether or not X will loosen up its API utilization restrictions, or if the creator of CVE Trends, Simon J. Bell, will probably be ready to discover different choices to revive the location’s performance.
After the demise of Bell’s web site, an organization referred to as Intruder developed their very own model of this software, in beta as of this writing, which can also be referred to as ‘CVE Trends.’ It comes full with a 0-100 temperature-style ‘Hype score’ based mostly on social media exercise.
SOCRadar additionally maintains an identical service, referred to as ‘CVE Radar,’ which incorporates particulars of the variety of tweets, information studies, and vulnerability-related repositories in its dashboard; in a touching gesture, it acknowledges Simon Bell’s CVE Trends work on its major web page (as Intruder does on its About web page). Both CVE Radar and Intruder’s model of CVE Trends usefully incorporate the texts of associated tweets, offering an at-a-glance digest of the social media dialogue a few given bug. Whether the builders of both software intend to include different social media platforms, given the exodus from X, is unknown.
CVEMap
Introduced in mid-2024, CVEMap is a comparatively new command-line interface software by ProjectDiscovery that goals to consolidate a number of features of the CVE ecosystem – together with CVSS rating, EPSS rating, the age of the vulnerability, KEV Catalog entries, proof-of-concept knowledge, and extra. CVEMap doesn’t supply or facilitate any new info or scores, because it’s solely an aggregation software. However, the truth that it combines varied sources of vulnerability info right into a easy interface – whereas additionally permitting filtering by product, vendor, and so forth – could make it helpful for defenders looking for a way to make knowledgeable prioritization choices based mostly on a number of info sources.
Bug Alert
Bug Alert is a service designed to fill a particular hole for responders: It goals to alert customers solely to vital, high-impact vulnerabilities (those that at all times appear to hit on a Friday afternoon or simply earlier than a public vacation) as shortly as doable by way of e-mail, SMS, or telephone notifications, with out having to attend for safety bulletins or CVE publication. It’s supposed to be a community-driven effort, and depends on researchers submitting notices of latest vulnerabilities as pull requests to the GitHub repository. It’s not clear if Bug Alert’s writer continues to be sustaining it; on the time of writing, the final exercise on the Github repository was in October 2023.
As with CVE Trends, whereas Bug Alert could fill a helpful area of interest, it’s not designed for use for prioritization typically.
vPrioritizer
vPrioritizer is an open-source framework designed to permit customers to evaluate and perceive contextualized danger on a per-asset or per-vulnerability foundation, thereby merging asset administration with prioritization. This is achieved by utilizing CVSS scores along with “community analytics” and outcomes from vulnerability scanners. Sadly, regardless of being talked about within the SSVC whitepaper in 2019 and offered at the Black Hat USA Arsenal in 2020, it isn’t clear if vPrioritizer’s developer nonetheless maintains the mission; as of this writing, the final decide to the GitHub repository was in October 2020.
Vulntology
Vulntology is a NIST-led effort to characterize vulnerabilities (the identify is a portmanteau of ‘vulnerability’ and ‘ontology’) in accordance with how they are often exploited, the potential affect of exploitation, and mitigating elements. Its acknowledged targets embody the standardization of description of vulnerabilities (for instance, in vendor advisories and safety bulletins); enhancing the extent of element in such descriptions; and enabling simpler sharing of vulnerability info throughout language boundaries. An instance of a ‘vulntological representation’ is accessible right here.
Figure 6: An illustration of Vulntology’s proposed work, taken from the mission’s GitHub repository
Vulntology is subsequently not a scoring framework, or perhaps a choice tree. Instead, it’s a small step in direction of a standard language, and one which can, if it turns into widely-adopted, be of serious worth relating to vulnerability administration. A standardized method to describing vulnerabilities will surely be of use when evaluating a number of vendor safety advisories, vulnerability intelligence feeds, and different sources. We point out it right here as a result of it does have some implications for vulnerability prioritization, albeit within the long-term, and it’s making an attempt to resolve an issue inside the vulnerability administration area. The final decide to the mission’s Github seems to have occurred in spring 2023.
Criminal market knowledge
Finally, a fast phrase on legal market knowledge and the way future analysis would possibly put it to use for prioritization. Back in 2014, researchers from the University of Trento carried out a examine on whether or not CVSS scores are an excellent predictor for exploitation. They concluded that CVSS scores don’t match the charges of exploitation, however they did conclude that remediation “in response to exploit presence in black markets yields the largest risk reduction.” It can be an attention-grabbing avenue of analysis to see if the identical continues to be true at this time; exploit markets have elevated in measurement since 2014, and there’s a massive underground financial system devoted to the advertising and marketing and promoting of exploits.
Figure 7: A person provides a Windows native privilege escalation exploit on the market on a legal discussion board
Looking not solely on the existence of exploits in legal marketplaces, but additionally at costs, ranges of curiosity, and buyer suggestions, might be additional helpful knowledge factors in informing prioritization efforts.
The problem, after all, is the problem of accessing these marketplaces and scraping knowledge; many are closed to registration and solely accessible by way of referral, cost, or status. And whereas the underground financial system has elevated in measurement, it’s additionally arguably much less centralized than it as soon as was. Prominent boards could function an preliminary place to promote wares, however most of the salient particulars – together with costs – are typically solely obtainable to potential patrons by way of personal messages, and the precise negotiations and gross sales typically happen in out-of-band channels like Jabber, Tox, and Telegram. Further analysis on this problem is required to find out if it might be a possible supply of knowledge for prioritization.
Having examined CVSS, EPSS, SSVC, and the KEV Catalog in depth – and another instruments and frameworks extra briefly – you received’t be shocked to be taught that we didn’t discover a magic resolution, or perhaps a magic mixture of options, that may resolve all prioritization issues. However, a mixture is nearly at all times higher than utilizing a single framework. More knowledge factors imply a extra knowledgeable view, and whereas this would possibly require some technical effort up entrance, the outputs of many of the instruments and frameworks we’ve mentioned are designed to be simply ingested in an automatic method (and instruments like CVEMap have finished a few of the heavy lifting already).
As effectively as combining outputs, customization can also be actually necessary. This is commonly neglected, however prioritization isn’t simply in regards to the vulnerabilities, and even the exploits. Of course, they’re an enormous a part of the difficulty, however the important thing level is {that a} vulnerability, from a remediation perspective, doesn’t exist in isolation; contemplating its inherent properties could also be useful in some circumstances, however the one actually vital knowledge level is how that vulnerability may affect you.
Moreover, each group treats prioritization otherwise, relying on what it does, the way it works, what its finances and sources appear to be, and what its urge for food is for danger.
Single, one-size-fits-all scores and proposals don’t typically make a lot logical sense from the angle of assessing frameworks, however they make even much less sense from the angle of particular person organizations attempting to prioritize remediation. Context is all the pieces. So no matter instruments or frameworks you utilize, put your group – not a rating or a rating – on the heart of the equation. You could even wish to do that at a extra granular stage, relying on the dimensions and construction of your group: prioritizing and contextualizing per division, or division. In any case, customise as a lot as you’ll be able to, and do not forget that nonetheless outstanding and well-liked a framework could also be, its outputs are solely a information.
With some programs, like CVSS or SSVC, there are built-in choices to customise and tailor outputs. With others, like EPSS and the KEV Catalog, customization isn’t actually the purpose, however you’ll be able to nonetheless add context to these outcomes your self, maybe by feeding that info into different instruments and frameworks and searching on the total image as a lot as doable.
Prioritization additionally goes past the instruments we focus on right here, after all. We’ve centered on them on this sequence as a result of they’re an attention-grabbing element of vulnerability administration, however the info that ought to feed into prioritization choices will ideally come from a wide range of different sources: risk intelligence, weaknesses, safety posture, controls, danger assessments, outcomes from pentests and safety audits, and so forth.
To reiterate some extent from our first article, whereas we’ve identified a few of the downsides to those instruments and frameworks, we don’t intend in in any approach to denigrate their builders or their efforts, and we’ve tried to be truthful and even-handed in our assessments. Creating frameworks like these is numerous exhausting work and requires appreciable thought and planning – and so they’re there for use, so you must use them when and the place it is smart to take action. We hope that this sequence will permit you to do that in a protected, knowledgeable, and efficient method.