The author: Daniel Pigeon
Daniel is a seasoned cybersecurity product marketing professional with experience in cryptographic solutions, attack surface management, threat intelligence, and more.
Vulnerability Management Needs Threat Intelligence: Here’s How To Combine Them
In 2022, more than 25,000 new CVEs were discovered and added to the NIST National Vulnerability Database. In just the first ten months of 2023, another 23,500 CVEs were identified and added to the NIST NVD. That’s more than 48,000 new vulnerabilities documented in less than 2 years!
With so many new CVEs being identified all the time, vulnerability management can seem like an insurmountable challenge.
Despite the staggering numbers, there’s good news. With the recent release of CVSS 4.0, coupled with advances in threat intelligence that significantly improve risk assessment and prioritization processes, managing and mitigating vulnerabilities need not be such a formidable project.
This blog post will outline some of the ways you can use automated attack surface management and threat intelligence to simplify and streamline your vulnerability management program.
CVSS v4.0: Updates to the Industry Standard Scoring System
In October 2023, the Foundation for Incident Responders and Security Teams (FIRST) released an updated version of the Common Vulnerability Scoring System: CVSS 4.0. Since the most recent update before v4 was back in June 2019, when CVSS v3.1 was released, the security community eagerly awaited this new and improved framework.
One of the most significant changes introduced by v4 is the weight it gives to threat intelligence. Broadly speaking, CVSS v3.1 used 3 major metric groups to quantify the risk of a CVE: Base Metrics, Temporal Metrics, and Environmental Metrics. In CVSS v4, the Temporal Metric group has been updated and relabeled as Threat Metrics.
The introduction of the Threat Metrics group underscores how crucial threat intelligence is when assessing and quantifying the risk of a given CVE. If a CVE is assigned a high severity in the Base Metrics group, but it has never been exploited in the wild and developing a working exploit is extremely technically difficult, that CVE probably doesn’t create much risk for the asset owner.
On the other hand, if a CVE has only a medium severity score in terms of Base Metrics, but exploitation is fully automated and ransomware groups are actively exploiting it in the wild at scale, then that CVE represents an enormous amount of risk and needs to be patched immediately.
Start With Your Attack Surface
While there are thousands of new CVEs identified every month, not all of them will apply to you and your organization. After all, no organization on Earth is using every piece of software in existence. This may seem like a trivial point but it’s important to emphasize: you only need to worry about the CVEs in the software and services you have deployed in your environment.
Beyond that, you should focus on the software and services running on your Internet-facing assets. While you surely have software running on internal assets behind a VPN and firewall, threat actors will not be able to see or probe those services from the public Internet.
The immediate risks are caused by CVEs in the software and services running in your external attack surface. That’s actually good news: this is just a small subset of all CVEs in existence.
After ensuring your asset inventory is complete and up-to-date, it’s helpful to develop a technology inventory so you have a full catalogue of all the software (including version numbers) running on your external assets. This can, of course, be automated with the right tools in place.
Cyberint’s ASM module continuously discovers your external attack surface, identifies all of your Internet-facing digital assets and checks each asset to fingerprint the technologies running, as well as the specific version of that technology. All discovered technologies are cross-checked with a vulnerability database to see if there are any CVEs associated with them. Alerts are issued when there is software with a high-severity CVE running on one of your assets.
Sort By Severity Scores
After gaining an understanding of all the CVEs in the software running on your external assets, the next step is to look at the CVSS Base Metrics scores.
CVSS base scores are assigned on a scale from 0 to 10, though it’s widely understood that the rankings skew high. This is true because we’re ranking vulnerabilities! Vulnerabilities, by definition, create risk. It would be strange if the rankings skewed low and would raise questions about whether or not they should really be considered vulnerabilities in the first place.
Here’s a breakdown of the base scores for all documented CVEs that were assigned a CVSS v3.x score by NIST:
That means roughly 57% of all CVSS v3.x base scores are equal to or greater than 7. Again, that’s more good news: you probably don’t need to worry about more than 40% of CVEs.
Taking things one step further, you really only need to be concerned about the overlap between the CVEs in technologies running on your external digital assets and the CVEs with a base score >=7.
Leverage Threat Intelligence For Prioritization
Now for the final, and perhaps most important, step in the process: threat intelligence.
Threat intelligence provides extremely useful insights, such as:
- CVEs that have been mentioned in deep and dark web forums
- CVEs that have been mentioned on source code repositories
- CVEs that have publicly available PoC exploits
- CVEs that are confirmed to be exploited in the wild
- CVEs that can be exploited in a fully automated way
- CVEs that are exploited by popular malware families
- CVEs that are actively exploited by ransomware groups
This data is invaluable when assessing the risk of a given CVE and prioritizing which vulnerabilities your team should address and remediate first. Armed with this intelligence, you can optimize the time and resources your organization commits to vulnerability and patch management, ensuring the greatest reduction of risk for the time and resources available.
Cyberint continuously collects intelligence from across the open, deep and dark web. The CVE Intelligence module provides a library of intelligence on all documented CVEs. This includes thousands of sources: social media platforms, pastebins, code repositories, security blogs, threat actor group chats, deep web forums, darkweb marketplaces, and more. All of this data is readily available to customers to search, explore, and export.
This information is also used to generate the Cyberint Risk Score, a score that considers all relevant threat intelligence, as well as the CVSS score and the EPSS probability.
Address Urgent Risks First, Everything Else Later
What you’re left with is a clear guide to your most urgent risks. You should prioritize the CVEs that meet at the intersection of these 3 categories:
- Your external attack surface (CVEs in the software running on your external assets)
- High-severity vulnerabilities (CVEs that have a CVSS base score >=7)
- High-risk vulnerabilities (CVEs for which intelligence indicates a greater likelihood of exploitation)
The overlap between these 3 distinct groups is where your most urgent risks sit.
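The three-way filter described above, written out as an added example (this is not Cyberint's code or scoring logic). Every asset, product, version, CVE ID and intel flag is a constructed placeholder, and the mapping of intel flags onto the CVSS v4.0 Exploit Maturity (E) values Attacked, Proof-of-Concept and Unreported is an assumption made for illustration.

```python
# Added example, not Cyberint's code: rank CVEs that sit in all three of the
# post's categories. Every value below is a constructed placeholder.
# Constructed technology inventory of Internet-facing assets: (asset, product, version)
EXTERNAL_INVENTORY = [
    ("www.example.com", "webserver-x", "2.4.1"),
    ("api.example.com", "appframework-y", "1.9.0"),
    ("vpn.example.com", "vpn-gateway-z", "7.2"),
]
# Constructed CVE catalogue: (cve_id, product, affected versions, CVSS base score)
CVE_DB = [
    ("CVE-0000-0001", "webserver-x", {"2.4.0", "2.4.1"}, 9.8),
    ("CVE-0000-0002", "webserver-x", {"2.4.1"}, 5.3),
    ("CVE-0000-0003", "appframework-y", {"1.9.0"}, 7.5),
    ("CVE-0000-0004", "vpn-gateway-z", {"7.2"}, 8.1),
    ("CVE-0000-0005", "database-w", {"10.1"}, 9.1),  # not on any external asset
]
# Constructed threat-intel flags per CVE, mirroring the signals listed in the post
INTEL = {
    "CVE-0000-0001": {"public_poc"},
    "CVE-0000-0003": {"exploited_in_wild", "ransomware", "automated"},
    "CVE-0000-0004": {"dark_web_mention"},
}
# Assumed mapping of intel signals onto CVSS v4.0 Exploit Maturity (E) values
ATTACKED = {"exploited_in_wild", "ransomware", "malware_family"}  # E:A
POC = {"public_poc", "automated"}                                # E:P
E_RANK = {"A": 0, "P": 1, "U": 2}  # Attacked, Proof-of-Concept, Unreported

def exploit_maturity(flags):
    """Map a set of intel flags to the CVSS v4.0 Threat Metric 'Exploit Maturity'."""
    if flags & ATTACKED:
        return "A"
    if flags & POC:
        return "P"
    return "U"

def prioritize(inventory, cve_db, intel, min_base=7.0):
    """Return (cve_id, asset, base, E) for CVEs in all three categories, most urgent first."""
    hits = []
    for asset, product, version in inventory:            # 1: external attack surface only
        for cve_id, cve_product, versions, base in cve_db:
            if cve_product != product or version not in versions:
                continue
            if base < min_base:                           # 2: high severity (base >= 7)
                continue
            flags = intel.get(cve_id, set())
            if not flags:                                 # 3: some intel signal of exploitation
                continue
            hits.append((cve_id, asset, base, exploit_maturity(flags)))
    # Attacked before PoC before Unreported; within a tier, higher base score first
    return sorted(hits, key=lambda h: (E_RANK[h[3]], -h[2]))
```

Note that the base-9.8 CVE with only a public PoC ranks below the base-7.5 CVE that ransomware groups are exploiting, which is exactly the reordering the Threat Metrics group is meant to produce.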
While a fully mature vulnerability management program will address the vast majority of CVEs in the environment (internal and external, high risk and low risk), many organizations are severely under-resourced. In these cases, prioritization of the most urgent risks is perhaps the most essential part of vulnerability management. If the critical risks are not identified and mitigated immediately, the organization could suffer a costly breach.
By using the framework provided in this blog post and incorporating relevant threat intelligence, you can make accurate risk assessment and prioritization of vulnerabilities for remediation a manageable process.
Get In Touch With Cyberint To Learn More
As the number of CVEs continues to climb month after month, operating a vulnerability management program is challenging. But it doesn’t need to be an impossible project. By implementing the right combination of people, processes, technology, and intelligence, you can quickly identify and remediate your most urgent risks. This ensures a major reduction in risk and an optimal return on the resources invested in your vulnerability and patch management program.
Reach out to Cyberint to learn more about how our Attack Surface Management, Vulnerability Intelligence, and Deep and Dark Web Monitoring capabilities can help you proactively reduce risk and defend against the threat of vulnerability exploitation.