Vulnerability Severity


In cybersecurity, vulnerability severity refers to the potential risk posed by a security flaw in a system, network, or application. It helps organizations prioritize which vulnerabilities need to be addressed most urgently.

Think of it like a medical triage system: a critical vulnerability is like a heart attack, requiring immediate attention, while a low-severity vulnerability might be more like a common cold, still important to address but not an immediate emergency.

The most widely used standard for assessing vulnerability severity is the Common Vulnerability Scoring System (CVSS). CVSS provides a standardized framework for measuring the severity of security flaws and assigns a numerical score (from 0 to 10), with higher scores indicating greater severity.

Here's a detailed breakdown of how vulnerability severity is determined and its common ratings:

How Vulnerability Severity is Determined (CVSS Metrics):

CVSS scores are based on various metrics, typically categorized into three main groups:

  1. Base Metrics: These represent the inherent characteristics of a vulnerability, regardless of specific environmental factors.

    • Exploitability Metrics:

      • Attack Vector (AV): How the vulnerability can be exploited (e.g., Network, Adjacent Network, Local, Physical). A remote network attack has a higher score.

      • Attack Complexity (AC): How difficult it is to exploit the vulnerability (Low, Medium, High). Lower complexity means easier exploitation.

      • Privileges Required (PR): What level of privileges an attacker needs to exploit the vulnerability (None, Low, High). Fewer privileges mean a higher score.

      • User Interaction (UI): Whether user interaction is required for the attack to succeed (None, Required). No user interaction means a higher score.

      • Scope (S): Whether the vulnerability's impact extends beyond the vulnerable component (Unchanged, Changed). Changed scope means a higher score.

    • Impact Metrics: These assess the potential consequences if the vulnerability is successfully exploited.

      • Confidentiality Impact (C): Impact on the confidentiality of data (None, Low, High). High impact means significant data disclosure.

      • Integrity Impact (I): Impact on the integrity of data (None, Low, High). High impact means significant data modification.

      • Availability Impact (A): Impact on the availability of the system or service (None, Low, High). High impact means significant disruption.

  2. Temporal Metrics: These reflect characteristics that change over time.

    • Exploit Code Maturity (E): The current state of exploit techniques or code availability (Unproven, Proof of Concept, Functional, High). The more mature the exploit, the higher the score.

    • Remediation Level (RL): The availability of a fix or workaround (Official Fix, Temporary Fix, Workaround, Unavailable). The less available a fix, the higher the score.

    • Report Confidence (RC): The level of confidence in the existence of the vulnerability (Unknown, Reasonable, Confirmed). Higher confidence means a higher score.

  3. Environmental Metrics: These allow for tailoring the score to a specific organizational environment.

    • Confidentiality Requirement (CR), Integrity Requirement (IR), Availability Requirement (AR): The importance of confidentiality, integrity, and availability to the organization for the affected system (Low, Medium, High). This allows organizations to adjust the score based on the criticality of the data or system.

    • Modified Base Metrics: The organization can modify the base metrics (Attack Vector, Attack Complexity, etc.) based on their specific environment and compensating controls.

Common Vulnerability Severity Levels (CVSS Qualitative Ratings):

CVSS scores are typically translated into qualitative ratings to make them easier to understand and prioritize:

  • None (0.0): No security impact.

  • Low (0.1 - 3.9): Minimal risk. Exploitation is difficult, or the impact is very limited.

  • Medium (4.0 - 6.9): Moderate risk. Exploitation may require some effort, and the impact is less severe than high-severity vulnerabilities.

  • High (7.0 - 8.9): Significant risk. Exploitation is relatively easy, and the impact could be severe, potentially leading to data loss or system compromise.

  • Critical (9.0 - 10.0): Requires immediate attention. Exploitation is highly likely, and the impact could be catastrophic, often leading to full system compromise, significant data breaches, or denial of service.

Why Vulnerability Severity is Important:

Understanding vulnerability severity is crucial for:

  • Prioritization: It enables organizations to prioritize their remediation efforts, focusing resources on the most critical threats first to minimize potential damage.

  • Risk Management: While CVSS primarily measures severity, it's a key input into an organization's overall risk management framework. Risk management also considers the likelihood of exploitation and the business impact specific to the organization's assets.

  • Communication: Standardized severity ratings facilitate clear communication about vulnerabilities among security teams, developers, and management.

  • Compliance: Many regulatory frameworks and industry standards require organizations to assess and manage vulnerability severity.

It's important to note that while CVSS is a powerful tool, it doesn't always provide a complete picture of the risk to an organization, as risk also includes the likelihood of a threat exploiting the vulnerability and the specific business impact. Some organizations also use dynamic vulnerability priority ratings (VPR) which adjust based on the current threat landscape and real-time exploitability.

ThreatNG significantly aids in understanding and managing vulnerability severity by providing an external, unauthenticated perspective of an organization's digital assets and associated risks.

External Discovery and External Assessment in Relation to Vulnerability Severity

ThreatNG's ability to perform purely external, unauthenticated discovery is foundational. It identifies an organization's digital footprint, including domains, subdomains, web applications, and mobile applications, from an attacker's viewpoint. This external visibility is crucial for assessing how easily a vulnerability could be exploited without prior knowledge of the internal network.

ThreatNG conducts various external assessments that directly highlight potential vulnerabilities and their severity:

  • Web Application Hijack Susceptibility: ThreatNG analyzes externally accessible parts of web applications to identify potential entry points for attackers. For example, if a legacy web application has unpatched vulnerabilities like SQL injection or cross-site scripting (XSS), ThreatNG would flag it as highly susceptible. This susceptibility directly correlates to the severity of the underlying vulnerabilities, as successful exploitation could lead to data breaches or website defacement.

  • Subdomain Takeover Susceptibility: ThreatNG assesses a website's susceptibility to subdomain takeovers by analyzing DNS records and SSL certificate statuses. If ThreatNG discovers a CNAME record pointing to an expired or unprovisioned service (e.g., an old Heroku app), it would identify this as a critical vulnerability. An attacker could claim the service, effectively taking over the subdomain and potentially using it for phishing or hosting malicious content, representing a high severity risk.

  • BEC & Phishing Susceptibility: This assessment considers factors like domain intelligence, email security presence (DMARC, SPF, DKIM), and compromised credentials from the dark web. If ThreatNG finds that an organization's domain is frequently used in phishing permutations or that a significant number of employee credentials are on the dark web, it indicates a high susceptibility to Business Email Compromise (BEC) and phishing attacks. While not a technical vulnerability in itself, it highlights a severe operational risk that could lead to financial losses or data breaches.

  • Data Leak Susceptibility: ThreatNG assesses this through Cloud and SaaS Exposure, Dark Web Presence (compromised credentials), and Domain Intelligence. For example, if ThreatNG identifies an Amazon S3 bucket configured for public access containing sensitive company documents (e.g., customer lists, internal financial reports), it would report this as a critical data leak susceptibility. This directly indicates a severe vulnerability leading to potential massive data exposure.

  • Cyber Risk Exposure: This assessment is comprehensive, considering certificates, subdomain headers, vulnerabilities, sensitive ports, code secret exposure, and compromised credentials on the dark web. If ThreatNG detects an exposed database port (e.g., MongoDB, Elasticsearch) or a public code repository containing API keys or private certificates, these are classified as high to critical severity vulnerabilities, as they offer direct access points for attackers to sensitive systems or data.

  • Breach & Ransomware Susceptibility: ThreatNG calculates this based on exposed sensitive ports, private IPs, known vulnerabilities, compromised credentials, and ransomware gang activity on the dark web. If ThreatNG identifies multiple exposed RDP ports, coupled with evidence of an organization's credentials being present in ransomware attack data on the dark web, this would indicate an extremely high susceptibility to a ransomware attack. This represents a critical severity, as ransomware can lead to complete operational shutdown and significant financial demands.

  • Mobile App Exposure: ThreatNG discovers mobile apps in marketplaces and examines their content for embedded access credentials or security credentials. For instance, if a mobile app contains hardcoded AWS access keys or an exposed PGP private key block, ThreatNG would flag this as a critical vulnerability, as it could allow an attacker to gain unauthorized access to cloud resources or decrypt sensitive communications.

Furthermore, ThreatNG identifies Positive Security Indicators. While not vulnerabilities, detecting the presence of beneficial security controls like Web Application Firewalls (WAFs) or multi-factor authentication provides context. For example, if a high-severity vulnerability is found, but ThreatNG also identifies a WAF protecting the application, it helps refine the real-world severity by indicating some level of mitigation is in place.

ThreatNG's External GRC Assessment capability provides continuous, outside-in evaluation of an organization's GRC posture, mapping findings directly to frameworks like PCI DSS and POPIA. This helps organizations identify and address external security and compliance gaps, which often correlate with vulnerabilities. For example, if ThreatNG identifies non-compliance with PCI DSS requirements related to strong encryption for data in transit, it effectively highlights a high-severity vulnerability concerning data confidentiality.

The External Threat Alignment module helps by performing unauthenticated discovery and assessment in a manner an attacker would. This allows ThreatNG to map findings directly to MITRE ATT&CK techniques, showing, for example, how an adversary might achieve initial access or establish persistence. This contextualizes the severity of a vulnerability by showing its role in a broader attack chain.

Reporting

ThreatNG provides diverse reporting options crucial for communicating vulnerability severity to different stakeholders.

  • Prioritized Reports (High, Medium, Low, and Informational): These reports directly translate findings into actionable severity levels, allowing security teams to focus on the most critical risks first. For example, a report might list an open database port as "High" severity, while a misconfigured email header might be "Medium."

  • Security Ratings (A through F): These provide an intuitive, high-level overview of the overall security posture, where a low rating (e.g., "F") would indicate a high aggregate severity of vulnerabilities across the organization's external attack surface.

  • Executive Reports: These summarize critical findings and their business impact, allowing leadership to understand the top vulnerability severity issues without delving into technical details.

  • Technical Reports: These offer granular details on each identified vulnerability, including reasoning, recommendations, and reference links. This allows security analysts to understand the technical severity and how to mitigate it. For instance, a technical report for an exposed sensitive port would detail the port number, the service running on it, and its associated CVEs (if any), along with recommendations for closure or restriction.

Continuous Monitoring

ThreatNG offers continuous monitoring of an organization's external attack surface, digital risk, and security ratings. This is vital for managing vulnerability severity because the attack surface is dynamic. New vulnerabilities emerge, configurations change, and new assets come online. Continuous monitoring ensures that as soon as a new high-severity exposure appears, such as a newly deployed unpatched web server or a misconfigured cloud resource, ThreatNG detects it promptly, allowing for rapid remediation.

Investigation Modules

ThreatNG's detailed investigation modules provide the depth needed to understand the nuances of vulnerability severity:

  • Domain Intelligence:

    • DNS Intelligence: Beyond simple record analysis, it performs domain name permutations and identifies Web3 domains. For example, if a typo-squatted domain (a common phishing tactic) is found to have weak security controls or is hosting malicious content, this intelligence escalates the severity of the associated BEC/phishing risk.

    • Email Intelligence: It checks for email security presence (DMARC, SPF, DKIM records). A lack of these records increases the severity of BEC and phishing susceptibility. If ThreatNG identifies that an organization's DMARC policy is not configured for strict enforcement, it highlights a medium-to-high severity vulnerability for email spoofing.

    • Subdomain Intelligence: This module provides deep insights, including HTTP responses, header analysis (security and deprecated headers), server technologies, and identified content.

      • If ThreatNG detects a subdomain running an outdated version of Apache with known critical vulnerabilities (e.g., Apache Struts CVEs) via its server headers, this immediately elevates the severity.

      • Furthermore, if it identifies "Admin Pages" or "Development Environments" that are publicly accessible, even if unauthenticated, this significantly increases the severity as they represent high-value targets for attackers to find further vulnerabilities.

      • Discovery of exposed IoT/OT ports (e.g., Telnet, SNMP) or database ports (e.g., SQL Server, MongoDB) directly correlates to critical severity vulnerabilities, as these can provide direct access to sensitive systems or data.

  • Sensitive Code Exposure: This module discovers public code repositories and investigates their content for sensitive data. If ThreatNG finds a GitHub repository containing hardcoded API keys (e.g., Stripe API keys, AWS access keys) or private SSH keys, it marks this as a critical severity exposure. This directly exposes financial systems or cloud infrastructure to compromise.

  • Mobile Application Discovery: Similar to code exposure, it identifies mobile apps in marketplaces and checks for embedded credentials or security keys. Finding a public-facing mobile app with embedded AWS Access Key IDs or PGP private key blocks would signify a critical vulnerability, as these can be directly exploited by attackers.

  • Search Engine Exploitation: This helps investigate an organization's susceptibility to exposing sensitive information via search engines. If ThreatNG finds that an organization's internal error messages or privileged folders are indexed by search engines, this represents a medium-to-high severity information disclosure vulnerability, providing attackers with valuable reconnaissance data.

  • Cloud and SaaS Exposure: This module detects unsanctioned cloud services and open exposed cloud buckets. Discovering an open AWS S3 bucket with read-write access to the public would be a critical severity finding, leading to potential data breaches or data integrity issues.
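The Email Intelligence item above rates a domain by the email authentication records it publishes. The following is an added example, not ThreatNG's code, that performs that kind of check offline: it parses a DMARC TXT record and an SPF record, notes whether a DKIM selector was found (passed in as a boolean, standing in for a DNS lookup), and rolls the individual findings up into one severity. The severity levels and the rules that assign them are an assumed triage policy for this example; the sample records use the reserved `example.test` domain and a TEST-NET address and are constructed.

```python
SEVERITY_RANK = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}


def parse_tags(record):
    """Split a 'tag=value; tag=value' TXT record into a lower-cased tag dict."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_email_security(dmarc_record, spf_record, dkim_selector_found):
    """Rate a domain's published SPF/DKIM/DMARC posture.

    Returns (severity, findings). The levels below are an assumed policy for
    this example, not ThreatNG's scoring.
    """
    findings = []

    def note(level, text):
        findings.append((level, text))

    # DMARC: tells receivers what to do with mail that fails SPF/DKIM alignment.
    if not dmarc_record:
        note("High", "no DMARC record: spoofed mail is neither reported nor filtered")
    else:
        tags = parse_tags(dmarc_record)
        policy = tags.get("p", "").lower()
        if tags.get("v", "").upper() != "DMARC1" or policy not in ("none", "quarantine", "reject"):
            note("High", "DMARC record is malformed; receivers will ignore it")
        elif policy == "none":
            note("Medium", "DMARC p=none only monitors; spoofed mail is still delivered")
        elif policy == "quarantine":
            note("Low", "DMARC p=quarantine: failing mail is flagged, not rejected")
        if policy in ("quarantine", "reject"):
            pct = tags.get("pct", "100")
            if pct.isdigit() and int(pct) < 100:
                note("Low", "DMARC pct=%s applies the policy to only part of the mail" % pct)

    # SPF: which hosts may send mail for the domain; the last term is the default.
    if not spf_record:
        note("High", "no SPF record: any host can send mail as this domain")
    else:
        mechanisms = spf_record.split()
        if not mechanisms or mechanisms[0].lower() != "v=spf1":
            note("High", "SPF record is malformed")
        else:
            terminal = mechanisms[-1].lower()
            if terminal in ("+all", "all"):       # bare 'all' defaults to '+'
                note("High", "SPF ends in +all: every sender passes")
            elif terminal == "?all":
                note("Medium", "SPF ends in ?all (neutral): no enforcement")

    # DKIM: without a published selector there are no signatures to align on.
    if not dkim_selector_found:
        note("Medium", "no DKIM selector published: outbound mail cannot be signed")

    severity = "Informational"
    for level, _ in findings:
        if SEVERITY_RANK[level] > SEVERITY_RANK[severity]:
            severity = level
    return severity, findings


if __name__ == "__main__":
    # Constructed records for a domain that monitors but does not enforce.
    print(assess_email_security(
        "v=DMARC1; p=none; rua=mailto:dmarc@example.test",
        "v=spf1 include:_spf.example.test ~all",
        dkim_selector_found=True))
```

The roll-up keeps the worst individual finding as the domain's severity, which mirrors how a monitoring-only DMARC policy (p=none) lands in the medium band while a missing record or a permissive SPF `+all` lands in the high band.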

Intelligence Repositories (DarCache)

ThreatNG's continuously updated intelligence repositories (DarCache) provide critical context for assessing vulnerability severity.

  • Dark Web (DarCache Dark Web) and Compromised Credentials (DarCache Rupture): The presence of an organization's compromised credentials on the dark web indicates a heightened severity of potential account takeover attacks. This intel helps understand the immediate exploitability of human-factor vulnerabilities.

  • Ransomware Groups and Activities (DarCache Ransomware): Tracking over 70 ransomware gangs provides intelligence on current threats. If ThreatNG observes an organization's exposed assets or credentials linked to active ransomware gang targets, it elevates the severity of the breach/ransomware susceptibility.

  • Vulnerabilities (DarCache Vulnerability): This comprehensive repository directly informs vulnerability severity.

    • NVD (DarCache NVD): Provides detailed technical characteristics and impact scores (CVSS score and severity, attack vector, complexity, impact on confidentiality, integrity, and availability). This allows ThreatNG to accurately assign a numerical severity score (0-10) to discovered vulnerabilities. For example, an exposed service with a CVE listed in NVD having a CVSS score of 9.8 would be immediately categorized as "Critical."

    • EPSS (DarCache EPSS): Offers a probabilistic estimate of the likelihood of a vulnerability being exploited. This is crucial for prioritizing. A vulnerability might have a high CVSS score, but if its EPSS score is low, it might be less urgent than a slightly lower CVSS score with a high EPSS, indicating active exploitation. This helps differentiate between high technical severity and high real-world risk.

    • KEV (DarCache KEV): Identifies vulnerabilities actively exploited in the wild. If ThreatNG discovers an asset vulnerable to a KEV-listed CVE, it immediately escalates the severity and priority for remediation, as it represents an immediate and proven threat.

    • Verified Proof-of-Concept (PoC) Exploits (DarCache eXploit): Direct links to PoC exploits on platforms like GitHub accelerate understanding of how a vulnerability can be exploited and its real-world impact. This intel transforms a theoretical vulnerability into a demonstrable threat, increasing its perceived severity.
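The EPSS and KEV items above describe a prioritisation that differs from ordering by CVSS alone. The following is an added example, not ThreatNG's code, that makes the ordering concrete: findings are ranked with a KEV listing first (proven exploitation), then by EPSS probability, then by CVSS base score, and each finding gets a triage label. The findings, asset names and scores are constructed for illustration, the identifiers are placeholders rather than real CVEs, and the triage buckets and the 0.1 EPSS threshold are assumptions of this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    finding_id: str   # constructed placeholder, not a real CVE identifier
    asset: str
    cvss: float       # NVD base score, 0.0 to 10.0
    epss: float       # EPSS probability of exploitation, 0.0 to 1.0
    kev: bool         # listed in the KEV catalogue (exploited in the wild)


def triage_label(finding, epss_threshold=0.1):
    """Assumed triage buckets for this example, not a ThreatNG scheme."""
    if finding.kev:
        return "immediate"      # proven exploitation: patch or isolate now
    if finding.epss >= epss_threshold:
        return "urgent"         # exploitation likely soon
    if finding.cvss >= 9.0:
        return "critical-severity, low-probability"   # severe, but little exploitation evidence
    return "scheduled"


def priority_key(finding):
    # KEV outranks everything, then likelihood (EPSS), then severity (CVSS).
    return (0 if finding.kev else 1, -finding.epss, -finding.cvss)


def prioritize(findings):
    """Return findings in remediation order, most urgent first."""
    return sorted(findings, key=priority_key)


# Constructed sample findings: F-1 has the highest CVSS but the lowest
# exploitation probability; F-3 is KEV-listed; F-2 has a high EPSS.
CONSTRUCTED_FINDINGS = [
    Finding("F-1", "web-01", cvss=9.8, epss=0.02, kev=False),
    Finding("F-2", "vpn-gw", cvss=7.5, epss=0.85, kev=False),
    Finding("F-3", "mail-02", cvss=8.8, epss=0.30, kev=True),
    Finding("F-4", "intranet", cvss=5.3, epss=0.01, kev=False),
]


def remediation_order(findings=CONSTRUCTED_FINDINGS):
    return [f.finding_id for f in prioritize(findings)]


def cvss_only_order(findings=CONSTRUCTED_FINDINGS):
    """The ordering a pure CVSS sort would give, for comparison."""
    return [f.finding_id for f in sorted(findings, key=lambda f: -f.cvss)]


if __name__ == "__main__":
    for f in prioritize(CONSTRUCTED_FINDINGS):
        print(f.finding_id, f.asset, f.cvss, f.epss, f.kev, "->", triage_label(f))
```

With these inputs a CVSS-only sort would put F-1 (9.8) first, while the combined key puts the KEV-listed F-3 first and the high-EPSS F-2 ahead of F-1, which is the distinction between technical severity and real-world risk the text draws.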

Synergies with Complementary Solutions

ThreatNG's comprehensive external insights can be greatly enhanced by working with complementary solutions, even where ThreatNG's documentation does not explicitly describe an integration.

  • Vulnerability Scanners and Penetration Testing Tools: While ThreatNG focuses on external, unauthenticated discovery and assessment, traditional vulnerability scanners (e.g., Tenable.io, Qualys) and penetration testing tools often perform authenticated, deeper dives into internal systems. ThreatNG could identify an open port or an exposed service, categorizing it with a high severity based on external assessment and intelligence. Complementary vulnerability scanners could then perform an authenticated scan on that specific exposed service to identify all underlying CVEs and misconfigurations in greater detail, confirming or refining ThreatNG's initial severity assessment. For example, ThreatNG might flag a critical Apache Struts vulnerability on an externally facing web server. A complementary internal scanner could then verify the patch level and configuration of that specific server, providing granular details about the vulnerability.

  • Security Information and Event Management (SIEM) / Security Orchestration, Automation, and Response (SOAR) Platforms: ThreatNG's continuous monitoring capabilities generate a stream of external vulnerability and risk data. This data can be ingested by SIEM/SOAR platforms. If ThreatNG identifies a new critical exposure, such as a publicly accessible database, the SIEM could correlate this with internal network traffic logs to see if there are any suspicious connections to that database. A SOAR platform could then automate remediation actions, such as triggering a firewall rule to block access to the exposed database port or creating a ticket in an IT service management system for immediate patching.

  • Threat Intelligence Platforms (TIPs): While ThreatNG has its own extensive intelligence repositories (DarCache), complementary TIPs (e.g., Recorded Future, Mandiant Threat Intelligence) can provide even broader context on emerging threats, attacker Tactics, Techniques, and Procedures (TTPs), and industry-specific threat landscapes. If ThreatNG identifies a high-severity data leak susceptibility due to exposed cloud storage, a TIP could provide context on recent campaigns targeting similar cloud configurations or specific attacker groups known to exploit such vulnerabilities, further solidifying the urgency and severity of the finding.

  • Cloud Security Posture Management (CSPM) Tools: ThreatNG identifies cloud and SaaS exposure from an external perspective. Complementary CSPM tools (e.g., Wiz, Orca Security) provide deep, continuous visibility into cloud configurations, misconfigurations, and compliance issues within the cloud environment. If ThreatNG flags an "Open Exposed Cloud Bucket" as a critical severity, a CSPM tool could then provide the exact configuration details, identify who last modified it, and suggest the precise policy change required to secure it, offering a granular level of detail to address the severity.

  • Digital Forensics and Incident Response (DFIR) Tools: In cases of a suspected breach, ThreatNG's historical data from continuous monitoring and its intelligence on compromised credentials or ransomware activities can inform DFIR efforts. If ThreatNG identifies a high-severity "Breach & Ransomware Susceptibility", DFIR tools can use this initial insight to quickly pinpoint potential entry points and investigate further, leveraging ThreatNG's external view to guide their internal forensic analysis.

By combining ThreatNG's unique external perspective with the deep internal visibility and specialized capabilities of these complementary solutions, organizations can achieve a more holistic and effective approach to managing vulnerability severity, leading to better prioritization, faster remediation, and stronger overall security.
