CVE Severity
CVE Severity refers to the level of risk a specific cybersecurity vulnerability poses to a system. It's a qualitative assessment of the potential impact a vulnerability could have if exploited. While the term "CVE severity" is commonly used, the severity rating is actually determined by the Common Vulnerability Scoring System (CVSS), not the CVE system itself.
How CVSS Determines Severity
CVSS is a standardized, open framework that assigns a numerical score from 0.0 to 10.0 to a vulnerability, which is then mapped to a qualitative severity rating. A higher score indicates a more severe vulnerability. CVSS scores are calculated using a formula that considers three main metric groups: Base, Temporal, and Environmental.
1. Base Metrics
These metrics represent the intrinsic qualities of a vulnerability and are constant over time and across user environments. They are the most essential part of the score and are used to determine the initial severity. The base metrics are divided into two sub-groups:
Exploitability Metrics: These measure how easy it is to exploit the vulnerability. They include factors like:
Attack Vector: The method by which the vulnerability is exploited (e.g., network, local, physical).
Attack Complexity: The difficulty of exploiting the vulnerability (e.g., low, high).
Privileges Required: The level of access an attacker needs to have on the system to exploit the vulnerability.
User Interaction: Whether a user needs to be involved in the attack (e.g., clicking a link).
Impact Metrics: These measure the consequences of a successful exploit on the system's:
Confidentiality: The loss of data secrecy.
Integrity: The loss of data trustworthiness and authenticity.
Availability: The loss of access to the system or service.
2. Temporal Metrics
These metrics change over time as the circumstances of a vulnerability evolve. They can modify the base score to reflect a more current risk level. Examples include:
Exploit Code Maturity: The current state of exploit code (e.g., proof-of-concept, functional exploit, or widespread automation).
Remediation Level: The availability of a patch or workaround.
Report Confidence: The level of confidence in the existence and technical details of the vulnerability.
3. Environmental Metrics
These metrics enable organizations to tailor the CVSS score to their specific environment. They consider factors unique to an organization, such as the criticality of the affected system and the presence of any compensating security controls.
Qualitative Severity Ratings
After the CVSS score is calculated, it is mapped to one of the following qualitative severity levels:
None: 0.0
Low: 0.1–3.9
Medium: 4.0–6.9
High: 7.0–8.9
Critical: 9.0–10.0
These ratings enable security teams and organizations to prioritize which vulnerabilities to address first, allowing them to focus their resources on the most critical threats.
ThreatNG is an all-in-one solution for external attack surface management, digital risk protection, and security ratings that helps organizations manage their external cybersecurity posture. It accomplishes this through several key capabilities, including external discovery, external assessment, reporting, continuous monitoring, investigative modules, and intelligence repositories.
External Discovery
ThreatNG performs purely external, unauthenticated discovery, meaning it operates without needing to connect to internal systems. It identifies all of an organization's internet-facing digital assets, such as websites, subdomains, cloud services, and code repositories, from the perspective of an attacker. This capability is fundamental because it identifies potential entry points, including those that may be part of "shadow IT" and are not formally documented internally.
For example, ThreatNG can identify a publicly exposed API endpoint by analyzing JavaScript files and subdomains. It can also uncover unsanctioned SaaS services used by employees. This helps organizations create a comprehensive, attacker-centric inventory of their external assets.
External Assessment
ThreatNG performs several external assessments that evaluate an organization's susceptibility to various cyber risks. These assessments provide a quantitative and qualitative understanding of the potential impact of a vulnerability.
Web Application Hijack Susceptibility: This assessment analyzes parts of a web application that are accessible externally to identify potential entry points for attackers.
Example: ThreatNG might assess a web application's susceptibility as high if it finds that the web application uses deprecated headers, or if it lacks a Web Application Firewall (WAF).
Subdomain Takeover Susceptibility: This evaluation analyzes subdomains, DNS records, and SSL certificate statuses to find misconfigurations that could allow an attacker to take control of a subdomain.
Example: A subdomain that has a DNS record pointing to a cloud service that is no longer active could be flagged as susceptible to takeover.
Breach & Ransomware Susceptibility: This assessment is based on factors like exposed sensitive ports, known vulnerabilities, compromised credentials on the dark web, and ransomware events or gang activity.
Example: ThreatNG would raise a high susceptibility score if it discovers open, sensitive ports like SSH or Telnet, which are common targets for attackers, especially when combined with exposed credentials on the dark web.
Non-Human Identity (NHI) Exposure: This score uncovers and evaluates risks associated with non-human identities like API keys and service accounts.
Example: ThreatNG can identify exposed APIs and sensitive code in repositories or mobile apps that contain access credentials, security keys, or platform-specific identifiers, which could be used to compromise an organization's NHIs.
Data Leak Susceptibility: This is derived from external attack surface and digital risk intelligence, including cloud and SaaS exposure, dark web presence, and domain intelligence.
Example: If ThreatNG finds sensitive files, such as .txt or .sql dump files, in publicly archived web pages or a public code repository, the organization's data leak susceptibility score would increase.
Reporting
ThreatNG offers a variety of reports to help different stakeholders understand and address security risks.
Executive Reports: These provide a high-level overview of the organization's security posture. They are designed for simplicity and actionability, making them easy for decision-makers to use.
Technical Reports: These offer detailed information for security experts to investigate and remediate risks.
Prioritized Reports: Findings are categorized by risk level (High, Medium, Low, and Informational) to help organizations prioritize their security efforts and allocate resources effectively.
Security Ratings Reports: These give a letter grade (A through F) that reflects the organization's overall external security posture.
Inventory Reports: These can list all discovered external assets along with their associated technologies, domains, and subdomains.
Continuous Monitoring
ThreatNG provides continuous monitoring of an organization's external attack surface, digital risks, and security ratings. This ensures that, as new vulnerabilities emerge or an organization's digital footprint changes, the platform automatically detects and reports these shifts in real time. This enables a proactive and dynamic approach to cybersecurity, rather than relying solely on one-time assessments.
Investigation Modules
ThreatNG's investigation modules offer deep insights into various aspects of an organization's digital presence.
Domain Intelligence: This module analyzes DNS records, domain permutations, and WHOIS information to uncover potential threats.
Example: An investigation might use Domain Intelligence to uncover a malicious domain permutation, such as mycompaany.com (with two 'a's), that is being used for a phishing campaign.
Sensitive Code Exposure: This module discovers public code repositories and mobile applications to find exposed sensitive data.
Example: ThreatNG can find an exposed GitHub repository that contains hardcoded credentials like an Amazon AWS Access Key ID or a private SSH key, which an attacker could use to gain unauthorized access.
Search Engine Exploitation: This module helps users investigate an organization's susceptibility to exposing sensitive information via search engines.
Example: It could discover a robots.txt file that inadvertently allows search engines to index sensitive administrative directories or email directories.
Cloud and SaaS Exposure: This module evaluates cloud services and Software-as-a-Service (SaaS) solutions.
Example: ThreatNG can identify open, exposed cloud buckets on AWS, Microsoft Azure, or Google Cloud Platform, or it can find unsanctioned SaaS applications being used by the organization.
Dark Web Presence: This module identifies mentions of the organization, compromised credentials, and associated ransomware events on the dark web.
Intelligence Repositories (DarCache)
ThreatNG is powered by continuously updated intelligence repositories, branded as DarCache, that provide context and insights into identified risks.
Vulnerabilities (DarCache Vulnerability): This repository provides a comprehensive approach to managing external risks by understanding their real-world exploitability, likelihood of exploitation, and potential impact. It includes data from:
NVD (DarCache NVD): Provides CVSS scores, severity ratings, and technical details of vulnerabilities.
EPSS (DarCache EPSS): Offers a probabilistic estimate of the likelihood of a vulnerability being exploited in the near future.
KEV (DarCache KEV): Lists vulnerabilities that are actively being exploited in the wild.
Verified Proof-of-Concept (PoC) Exploits (DarCache eXploit): Provides direct links to PoC exploits on platforms like GitHub.
Compromised Credentials (DarCache Rupture): This repository contains compromised credentials that could be used for attacks.
Ransomware Groups and Activities (DarCache Ransomware): This repository tracks over 70 ransomware gangs and their activities.
Complementary Solutions
ThreatNG's focus on external, unauthenticated data makes it an ideal complement to solutions that specialize in internal or authenticated security.
Security Information and Event Management (SIEM) / Security Orchestration, Automation, and Response (SOAR): ThreatNG's external intelligence can be used to enrich data within a SIEM or SOAR platform. For instance, a SIEM might receive an alert about a suspicious login attempt from a specific IP address. ThreatNG could then provide context by identifying whether that IP address is associated with a malicious domain or is known to be part of an attacker's infrastructure.
Endpoint Detection and Response (EDR): ThreatNG's findings can help an EDR solution prioritize alerts. Suppose ThreatNG identifies that an organization has exposed credentials on the dark web. In that case, security teams can proactively use their EDR to monitor for any unusual activity from accounts using those credentials, even before a breach occurs.
Vulnerability Management Solutions (VMS): A traditional VMS focuses on vulnerabilities found in internal or known assets. ThreatNG's external perspective can add a layer of risk-based prioritization by using its DarCache Vulnerability repository to highlight which vulnerabilities are not only severe but also have an associated PoC or are being actively exploited in the wild. This helps security teams focus on the vulnerabilities that pose the most immediate threat to their external attack surface.