Extending Your Vulnerability Scoring and Prioritization Beyond the CVSS
07/30/2024
The Common Vulnerability Scoring System (CVSS) certainly has its place in cyber security. In fact, it’s one of the most widely recognized frameworks for evaluating and prioritizing vulnerabilities, for a couple of reasons. One, it’s easy to use, and two, it offers a check-the-box solution for those who need it. We previously did a deep dive into the CVSS and how it works here. However, the biggest problem with vulnerability scores is that they lack context. (CVSS uses a fixed formula to assign a severity score to a vulnerability in isolation; it does not use human judgment about your environment, and the base score says nothing about whether anyone is exploiting the flaw or what it would cost you if they did.) If you really want to compete against high-level actors, you have to learn their plays.
So, for incident response and vulnerability triage, you should look beyond CVSS and consider a threat-based approach to better prioritize actions and enhance your network security as a whole. This is absolutely more difficult, because you must sort out actor behaviors and the context of real attacks, but the insights you gain into what actually happens during different scenarios will help you genuinely know what needs your attention and how to better protect your network overall.
You can also use both approaches together to assess security risk and tackle real-world threats efficiently. Here’s how to think about vulnerability prioritization and assessment beyond CVSS alone.
A Different Approach to Vulnerability Risk Prioritization
Think of your network like your house. The threats to your network are like burglars trying to break into your home. Why use this analogy? Because the approach to preventing a burglary is very similar to the approach to preventing a network compromise. The question becomes: What can you put in place that will almost certainly notify you when a burglar is in your house, so that you can call the police and report it before your house is ransacked?
Remember, in the network, a vulnerability is just one way to get in. It’s like focusing on unlocked windows to prevent burglaries. Of course, you will lock all your doors and windows before you go on a two-week vacation, but is that enough? You might prevent a low-skill burglar from breaking in but that’s really the bare minimum. We can do more. Start by considering these solutions:
Install alarm systems in every room
Putting sensors on windows and doors will detect when one is opened. But what if the “burglar” cuts a hole in the door and crawls through? What if they break through the glass of a non-opened window and get in that way? That means you’ll also want to add sensors that listen for loud noises, breaking glass, etc.
Think about how a “burglar” might evade those alarms
What if they break in quietly? Glass can be cut without much sound. A determined actor could come up from the crawlspace through a vent, or enter a room with no windows. These are the things burglars think about, and actors do it on a much deeper level with the enterprise networks they are targeting. That’s not to say these “detections” won’t work on some actors, some of the time. But we need detections that work on all actors, all of the time.
Add motion detectors in every room
Motion detectors in every room give us a solid starting point where, in theory, we catch every burglary every time. Here’s why: they key on a behavior the actor cannot avoid. To take things out, the burglar must move through at least one room.
Anticipate the next step the “burglar” might take
The work doesn’t stop there. Burglars, or actors, will never stop trying to break in, so you need to stay one step ahead. Think about what they might do next. Could they disrupt house power? Then install batteries or backup power and monitor any disruptions in the power distribution to the house. The very act of attempting to manipulate the power fed to the house would out them.
Could a burglar gain unauthorized access to the app that controls the alarm system? Of course, but if we know that’s one of the few ways they can bypass the motion detection sensors, we’re going to give it more attention. We can then add stronger authentication processes, extensive logging, and quicker recovery procedures if unauthorized access is gained.
If you get nothing else from this exercise, let it be that there is significant value in understanding why a “burglar” or bad actor would do these things and how they might be able to subvert the systems you have in place. You must understand that actors will try to attack your system. Therefore, you must employ better detection strategies to start. Then it’s important to assess all your strategies and tactics to better understand and prioritize your known vulnerabilities. That knowledge allows you to develop more robust long-term vulnerability risk prioritization and mitigation solutions.
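The same reasoning carries over from the house to the vulnerability queue: the CVSS base score tells you how bad a flaw is in isolation, and everything else (is the host exposed, is the flaw being exploited, would you notice the post-exploitation behavior, do you have a compensating control) is context only you can supply. The script below is an added example, not code from the original page or a product of the page’s author; the context multipliers, the sample vulnerabilities, the “VULN-A/B/C” identifiers and the hosts are all constructed assumptions to illustrate the idea. It ranks a small list by a context-adjusted score and separately flags the gaps in detection coverage, so that a 9.8 on an isolated, well-monitored host can rightly fall below a 7.5 on an exposed appliance with no detection.

```python
"""Context-adjusted vulnerability prioritization (illustrative, not CVSS itself)."""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Vuln:
    ident: str                  # constructed placeholder identifier, not a real CVE
    cvss_base: float            # CVSS base score, 0.0-10.0, taken as-is from the scanner
    asset: str                  # constructed host name
    internet_facing: bool       # reachable from outside your network?
    actively_exploited: bool    # do you have evidence actors use this one in the wild?
    asset_criticality: int      # 1 = low, 2 = normal, 3 = crown jewel (your judgment)
    detection_coverage: bool    # do you already detect the post-exploitation behavior?
    compensating_control: bool  # e.g. network isolation or a blocking rule in front of it


# Multipliers are assumptions chosen for the example; tune them to your environment.
EXPLOITED_FACTOR = 1.5
EXPOSED_FACTOR = 1.3
CRITICALITY_FACTOR = {1: 0.7, 2: 1.0, 3: 1.4}
DETECTED_FACTOR = 0.7      # you will see the actor move, so urgency drops
CONTROL_FACTOR = 0.6       # the "window" is partly boarded up


def context_score(v: Vuln) -> float:
    """Start from CVSS, then apply the context CVSS cannot know about."""
    score = v.cvss_base
    if v.actively_exploited:
        score *= EXPLOITED_FACTOR
    if v.internet_facing:
        score *= EXPOSED_FACTOR
    score *= CRITICALITY_FACTOR[v.asset_criticality]
    if v.detection_coverage:
        score *= DETECTED_FACTOR
    if v.compensating_control:
        score *= CONTROL_FACTOR
    return score


def prioritize(vulns: List[Vuln]) -> List[Vuln]:
    """Highest context-adjusted score first."""
    return sorted(vulns, key=context_score, reverse=True)


def detection_gaps(vulns: List[Vuln]) -> List[Vuln]:
    """Vulnerabilities on assets that matter where you would not see the actor move.
    These are the 'rooms without a motion detector' and deserve a detection before,
    or alongside, the patch."""
    return [v for v in vulns if not v.detection_coverage and v.asset_criticality >= 2]


# Constructed sample input for the example.
SAMPLE = [
    Vuln("VULN-A", 9.8, "build-server-01", internet_facing=False,
         actively_exploited=False, asset_criticality=2,
         detection_coverage=True, compensating_control=True),
    Vuln("VULN-B", 7.5, "vpn-edge-01", internet_facing=True,
         actively_exploited=True, asset_criticality=3,
         detection_coverage=False, compensating_control=False),
    Vuln("VULN-C", 5.3, "marketing-web-01", internet_facing=True,
         actively_exploited=False, asset_criticality=1,
         detection_coverage=False, compensating_control=False),
]

if __name__ == "__main__":
    for v in prioritize(SAMPLE):
        print(f"{v.ident:7} cvss={v.cvss_base:4.1f} context={context_score(v):6.2f} {v.asset}")
    print("detection gaps:", [v.ident for v in detection_gaps(SAMPLE)])
```

Running it puts VULN-B (7.5, exposed, exploited, crown jewel, no detection) at the top, VULN-C second, and the 9.8 VULN-A last, because it sits on an internal host you already monitor and have isolated. The detection-gap list contains only VULN-B; VULN-C is also undetected but is on a low-value host. The point is not the particular multipliers but that every factor in them is something the scoring framework cannot know and you can.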
You Are the Best Decision Maker for Action on Vulnerabilities
Again, vulnerability risk scoring is useful, but a framework like CVSS doesn’t calculate risk from this perspective. How would a solution like CVSS know that a power blip could indicate a burglar trying one of the two possible things that could bypass the strong detection system you’ve installed?
CVSS wouldn’t, because understanding and countering the threats specific to you is not its job; that role falls to you. You are responsible for the security of your house (or your network). You have all the information. You make all the decisions. You will outsource some things, sure, but you should choose an organization that understands burglar (or bad actor) behaviors very well and wants to know exactly which detections you have in place, so it can more accurately provide solutions against your most critical vulnerabilities. An organization like this stands apart by doing what others often fail to do: understand their adversaries.
Contact us today to learn more about our Vulnerability Risk Scoring and Reporting solution and how combining these two approaches can increase your protection against vulnerabilities.