Vulnerabilities are not created equal: how much one matters depends on many things, not only the vuln itself but its applicability to your business. Sure, CVSS helps, a little, but ultimately what it has left us all with is a long list of 9s and 10s (or ‘high' alerts) and zero visibility into what to actually fix first. Ideally your vulnerability management program prioritizes vulnerabilities by business impact, not just by CVSS.
In 2009 Rapid7 acquired Metasploit because we knew it was important to not only test attacker methods on your own systems to uncover security issues, but to understand attacker behavior and mentality. Metasploit not only helps companies think like the attacker, but ultimately it helps Rapid7 Nexpose bring that same mentality to vulnerability management. This expertise in the attacker mindset has allowed our customers to build vulnerability management programs that prioritize risk by the likelihood of exploitability, not just prioritizing risk by a generic risk score.
Which Vulnerabilities Will an Attacker be Excited to See?
After the Metasploit acquisition, we decided to do something unique with our risk score: focus on how likely a vulnerability is to actually be used in an attack. Essentially, which vulnerabilities would an attacker be excited to see? These are the ones you want to fix first! (Bummed out hackers are good hackers.)
As a refresher, our risk score is 1-1000 (much more granular than CVSS) and because of Metasploit and our attacker mentality it is based on the following:
- CVSS Score
- Malware exposure – what malware kits have been written for this vuln?
- Exploit exposure – what exploits have been written, and how easy are they to use (bonus points for being in Metasploit!)
- Age – if a vuln came out in 1999, that's a lot more time for bad guys to play with it and figure out ways to use it
Nexpose users now get a list that puts the vulnerabilities truly most important to fix at the top, and pushes further down the vulnerabilities that a passive scanning tool would flag with a high CVSS score but that simply would not be easy to use in an attack. The way our customers say it, “Fix the most vulnerable vulnerabilities first!”
When a 7.5 is Higher than a 9
It's been seven years since we introduced our vulnerability scoring methodology to the vulnerability management industry, and there is now ample evidence supporting the method beyond the thousands of Nexpose customers, notably a research study by Dan Geer and Michael Roytman showing that a vulnerability with a Metasploit exploit available for it is much more likely to be used in an attack.
We can also see evidence in our own data. Take this vulnerability for instance:
This default password vuln got a CVSS score of 7.5: high, but certainly not a 9 or 10. Yet it's a lot nastier than that score implies; it was discovered in 1996, giving attackers plenty of time to come up with ways to use it.
And if you click on the Metasploit symbol you can see attackers have plenty of exploit kits available for these vulnerabilities:
If an attacker saw this vulnerability during reconnaissance, they'd have a whole menu of free tools to take advantage of it; why would they waste their time on a new CVSS 10 when the keys have already been crafted for them? Hence, our risk score for this vuln is 904, higher than quite a few CVSS 10s.
The bottom line? If you were going just by CVSS, this easy-to-exploit vulnerability would have been lost in the pile.
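To make the factor list above and the "7.5 beats a 10" argument concrete, here is an added example (not Rapid7's scoring code, and not its real formula) that blends CVSS, exploit exposure, malware exposure and age into a 1-1000 score; the weights, the saturation limits, the reference year and the sample vulns are all assumptions chosen for illustration.

```python
from dataclasses import dataclass


@dataclass
class Vuln:
    name: str
    cvss: float          # CVSS base score, 0-10
    year: int            # year the vuln was published
    exploit_count: int   # public exploits known for it
    in_metasploit: bool  # at least one exploit ships as a Metasploit module
    malware_kits: int    # malware kits known to use it


def risk_score(v: Vuln, ref_year: int = 2016) -> int:
    """Illustrative 1-1000 score; weights are an assumption, not Rapid7's."""
    cvss_part = v.cvss / 10.0                        # severity, 0..1
    exploit_part = min(v.exploit_count, 5) / 5.0     # saturates at 5 exploits
    if v.in_metasploit:                              # "bonus points" for Metasploit
        exploit_part = min(1.0, exploit_part + 0.4)
    malware_part = min(v.malware_kits, 3) / 3.0      # saturates at 3 kits
    age_part = min(ref_year - v.year, 15) / 15.0     # saturates at 15 years old
    raw = (0.30 * cvss_part + 0.35 * exploit_part
           + 0.20 * malware_part + 0.15 * age_part)
    return max(1, round(raw * 1000))


def prioritize(vulns: list[Vuln], ref_year: int = 2016) -> list[tuple[str, int]]:
    """Return (name, score) pairs, most urgent to fix first."""
    scored = [(v.name, risk_score(v, ref_year)) for v in vulns]
    return sorted(scored, key=lambda t: t[1], reverse=True)


# Constructed sample inventory: a 1996 default-password flaw with public
# exploits versus a freshly published CVSS 10 with nothing written for it yet.
SAMPLE = [
    Vuln("default-password-1996", 7.5, 1996, 4, True, 2),
    Vuln("brand-new-cvss-10", 10.0, 2016, 0, False, 0),
    Vuln("rce-2014-one-poc", 9.0, 2014, 1, False, 0),
]

if __name__ == "__main__":
    for name, score in prioritize(SAMPLE):
        print(f"{score:4d}  {name}")
```

The ranking puts the twenty-year-old CVSS 7.5 at the top and the exploit-free CVSS 10 at the bottom, which is exactly the reordering the post argues a CVSS-only list hides.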
How is your vulnerability management program going beyond CVSS to prioritize vulnerabilities? Let us know in the comments, and if you haven't yet, give Nexpose a spin!