Target Audience: System Admin
About
What's the rationale behind this best practice?
Vulcan Cyber recognizes a need for organizations to determine a unique risk score that is dynamic, personalized, and customizable. Organizations frequently address the critical need for customized risk scoring in vulnerability management to align with the business and organization's contextualized approach to risk.
This practice is born out of the need to document recommended custom risk script parameters and to align risk assessment with an organization's cyber risk posture, resources, and appetite.
What's the goal of this best practice?
Over the past years, our senior customer success managers have gained valuable insights from our customers' experiences focusing on custom risk scripts. This document is a reflection of these insights, aimed at empowering Vulcan Cyber users to harness the platform's full potential and enhance their organization's cyber risk assessment.
As a Hands-On Vulnerability Manager, your goal is to:
1. Understand the value and benefits of custom risk scripts and the possible uses available to you.
2. Define the parameters of the custom risk script according to your organization's needs, taking into consideration factors such as company and team size, the organization's risk appetite, the company's vulnerability management processes, etc.
3. Share the parameters and desired customization with your Customer Success Manager at Vulcan Cyber. Proper definition will eventually allow you to reach goal 4:
4. Identify a manageable number of critical (prioritized) vulnerabilities that can be addressed in a reasonable timeframe and thereby meet organizational SLAs.
Why customize risk score?
Cybersecurity is not a one-size-fits-all field, and organizations often face unique challenges and requirements when it comes to prioritizing vulnerabilities based on their initially provided risk. By allowing for the scripted customization of risk scores, vulnerability managers can make sure their remediation resources are focused on vulnerabilities that truly matter to the organization.
Organizations of all sizes should incorporate different contextual risk attributes and parameters to produce a dynamic score for each vulnerability in the system and for vulnerabilities in aggregate.
Vulcan Cyber supports the customization of risk scoring through utilization of the following parameters:
Custom Risk Script Best Practices
Utilizing Vulcan Cyber Threat Intelligence sources
The Vulcan Cyber platform relies on threat intelligence data collected by the Vulcan Cyber Voyager18 research team to offer the most reliable risk rating for a given vulnerability. Exploitability information is gathered from large exploit databases, while exploited-in-the-wild (weaponized) and malware threat data are sourced from CISA and others. The Vulcan Cyber threat intelligence database is updated daily, with vulnerability scores adjusted accordingly; Vulcan correlates this data by CVE and CWE, matching against Vulcan's vulnerability database.
To utilize Vulcan Cyber threat intelligence data in determining vulnerability severity:
Define the specific asset/vulnerability attributes you want to incorporate into the risk calculation. E.g., Vulcan Tags, Asset Tags, External Facing Tag, IP, etc.
Determine which vulnerability or asset sources (AKA, Scanners) the calculation should apply to.
Define the risk score calculation for other vulnerability sources in the platform, such as for vulnerabilities with a CVE vs. without a CVE. For example:
For vulnerabilities with CVE:
Critical where:
Threats = RCE AND Remote AND Exploitable
Asset tag = External facing
High where:
Threats = RCE AND Remote AND Exploitable
Medium where:
Threats = Exploitable
Low where:
All other vulnerabilities
For vulnerabilities without CVE:
"CVSS": 0.6, "Threats": 0.0, "Tags": 0.4
Utilizing Vulcan Cyber risk weights
Today, risk score weights can be set globally and applied to all sources in the platform. Using a customized risk script, organizations can allocate risk score weights as needed. This flexibility allows for fine-tuning risk scoring based on the availability of asset tags and risk parameters from various sources.
To utilize Vulcan Cyber risk weights in determining vulnerability severity:
Define the asset tag sources (Connectors) to calculate the risk for. For example, if asset tags are absent from source A, but you can obtain or generate relevant tags from source B, you have the flexibility to calculate the risk without relying on asset tag information from source A while incorporating the tag information from source B.
Define different risk weights for different scanners. For example:
For Qualys and Tenable:
Vulnerabilities with CVE: Severity: 50%, Threats: 30%, Tags: 20%
Vulnerabilities W/O CVE: Severity: 85%, Tags: 15%
For HackerOne and BitSight:
Vulnerabilities with and without CVE: Use only the technical severity: 100%
For Wiz:
Set the weights according to the asset types: Hosts, container images, and cloud resources.
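The per-connector weights above, the source A / source B tag fallback, and the weighted sum, as an added Python example that is not Vulcan Cyber's own script. The 0-100 component scales, the Wiz per-asset-type values, the tag scores, the connector fallback order and the field names are all assumptions.

```python
# Added example, not Vulcan Cyber's script: per-connector risk weights, a
# cross-connector asset-tag fallback and the weighted sum that uses them.
# Component scales (0-100), Wiz per-asset-type values, tag scores and the
# fallback order are assumptions made for this illustration.
from typing import Optional

QUALYS_TENABLE = {"with_cve": {"severity": 0.50, "threats": 0.30, "tags": 0.20},
                  "without_cve": {"severity": 0.85, "tags": 0.15}}
SEVERITY_ONLY = {"with_cve": {"severity": 1.0}, "without_cve": {"severity": 1.0}}
WIZ_BY_ASSET_TYPE = {                       # assumed values, keyed by Wiz asset type
    "host":            {"severity": 0.50, "threats": 0.30, "tags": 0.20},
    "container_image": {"severity": 0.70, "threats": 0.30},
    "cloud_resource":  {"severity": 0.60, "tags": 0.40},
}
SCANNER_WEIGHTS = {"qualys": QUALYS_TENABLE, "tenable": QUALYS_TENABLE,
                   "hackerone": SEVERITY_ONLY, "bitsight": SEVERITY_ONLY}
TAG_SCORES = {"External facing": 100, "PCI": 80, "Production": 70}   # assumed tag risk, 0-100

def weights_for(source: str, has_cve: bool, asset_type: Optional[str] = None) -> dict:
    """Pick the weight set for a finding's connector and CVE status (Wiz: by asset type)."""
    src = source.lower()
    if src == "wiz":
        return WIZ_BY_ASSET_TYPE[asset_type]
    return SCANNER_WEIGHTS[src]["with_cve" if has_cve else "without_cve"]

def asset_tags(asset: dict, order=("qualys", "crowdstrike", "wiz")) -> set:
    """First non-empty tag set in connector order: source B's tags cover an asset
    that source A reported without tags."""
    for src in order:
        tags = asset.get("tags_by_source", {}).get(src)
        if tags:
            return set(tags)
    return set()

def tag_component(tags: set) -> float:
    """Tag risk 0-100: the highest-scoring matching tag, 0 if none match."""
    return float(max((TAG_SCORES.get(t, 0) for t in tags), default=0))

def weighted_risk(weights: dict, components: dict) -> float:
    """Weighted 0-100 risk; components absent from the weight set are ignored."""
    if abs(sum(weights.values()) - 1.0) > 1e-9:
        raise ValueError("weights must sum to 100%")
    return round(sum(w * components.get(k, 0.0) for k, w in weights.items()), 1)

def risk_for(finding: dict, asset: dict) -> float:
    """finding: source, cve (optional), severity and threats on 0-100; asset: tags_by_source, asset_type."""
    comps = {"severity": finding["severity"], "threats": finding.get("threats", 0.0),
             "tags": tag_component(asset_tags(asset))}
    w = weights_for(finding["source"], bool(finding.get("cve")), asset.get("asset_type"))
    return weighted_risk(w, comps)
```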
Note: It is recommended to adjust the script manually over time, with assistance from the Vulcan Cyber CS team, and to periodically check risk score trends in the organization.
Track the change in risk over time for vulnerabilities whose first-seen date is less than X days ago, and triage the trend using Vulcan Analytics reports.
Utilizing other various threat intelligence sources
Threat intelligence analysis is the process of enriching existing information by supplementing missing or incomplete data. It adds context to threat information that may have been buried in alerts or held in external sources.
A threat intelligence platform can improve threat detection and monitoring workflows, provide contextual threat intelligence by providing in-depth information and context about specific threats, assist in understanding the effectiveness and relevance of the threat intel feeds collected from various sources, and assist in better decision-making.
Vulcan already enriches vulnerability information with threat intelligence data gathered from various vulnerability DBs. Organizations that rely on TI feeds for other use cases, such as incident response, security operations, etc., can utilize this information in Vulcan to align prioritization with their organization’s standard and gain more insights into threat actors and threat details exploiting the vulnerability.
Supported TI integrations include: Mandiant, Recorded Future, and CTCI.
To utilize data from various threat intelligence sources to determine vulnerability severity:
Define the TI source and parameters for each severity level (Critical, High, Medium, Low). For example:
Critical where:
Vulnerabilities with Mandiant Risk: Critical
Asset with External Facing tag
High where:
Vulnerabilities with Mandiant Risk: Critical or High
Asset without External Facing tag
Medium where:
Vulnerabilities with Mandiant Risk: Medium
Low where:
Vulnerabilities with Mandiant Risk: Low
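The two tier rule sets on this page (the threat-flag example in the threat intelligence section and the Mandiant example directly above), as an added Python example that is not Vulcan Cyber's own script. The field names on the finding and the policy of keeping the stricter of the two tiers are assumptions; the rules themselves are the ones given in the examples.

```python
# Added example, not Vulcan Cyber's script: ordered tier rules for the two examples
# (Voyager18 threat flags + asset tag; Mandiant risk + asset tag) and a combiner
# that keeps the stricter tier. Field names and the combiner policy are assumptions.
from dataclasses import dataclass, field
from typing import Optional

TIER_ORDER = ("Low", "Medium", "High", "Critical")
EXTERNAL = "External facing"
RCE_CHAIN = {"RCE", "Remote", "Exploitable"}

@dataclass
class Finding:
    threats: set = field(default_factory=set)      # Vulcan threat flags, e.g. {"RCE", "Remote", "Exploitable"}
    asset_tags: set = field(default_factory=set)   # asset tags, e.g. {"External facing"}
    mandiant_risk: Optional[str] = None            # "Critical", "High", "Medium", "Low" or None

def tier_from_threats(f: Finding) -> str:
    """Rules are evaluated top-down; the first match wins."""
    if RCE_CHAIN <= f.threats and EXTERNAL in f.asset_tags:
        return "Critical"
    if RCE_CHAIN <= f.threats:
        return "High"
    if "Exploitable" in f.threats:
        return "Medium"
    return "Low"

def tier_from_mandiant(f: Finding) -> str:
    """Top-down as well: Mandiant High on an external-facing asset lands in High,
    because only Mandiant Critical + External facing reaches Critical."""
    if f.mandiant_risk == "Critical" and EXTERNAL in f.asset_tags:
        return "Critical"
    if f.mandiant_risk in ("Critical", "High"):
        return "High"
    if f.mandiant_risk == "Medium":
        return "Medium"
    return "Low"       # Mandiant Low, or no Mandiant data for this vulnerability

def combined_tier(f: Finding) -> str:
    """Final tier = the stricter of both rule sets (assumed combination policy)."""
    return max(tier_from_threats(f), tier_from_mandiant(f), key=TIER_ORDER.index)
```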
Utilizing different KPIs from the scanners
Various scanners provide different risk scores that estimate a vulnerability's severity in addition to the CVSS score. Vulcan Cyber accommodates these scores, allowing organizations to leverage the additional information. For example:
Tenable VPR (Vulnerability Priority Rating) takes the threat environment into account, such as exploit code for a vulnerability becoming available or reaching a higher maturity.
Qualys Vulnerability Score (QVS) is a Qualys score for a vulnerability based on multiple factors associated with the CVE, such as CVSS and external threat indicators like active exploitation, exploit code maturity, inclusion in the CISA Known Exploited Vulnerabilities catalog, and many more.
To utilize scanners' KPIs in determining vulnerability severity:
Define the different risk parameters from a single scanner to create a unique risk score in Vulcan Cyber. For example:
Use Tenable VPR along with the CVSS score. Since VPR reflects the current threat landscape, it can be combined with the CVSS score to give a more complete view of severity.
Note that VPR with a higher value represents a higher likelihood of exploit. Consider decreasing the risk of a CVE having a CVSS of 9.8 but a VPR of 2, and vice versa.
Define the specific asset attributes to add to the calculation and decide how the score should be mapped.
Define the risk score calculation for other vulnerability data sources aggregated with Vulcan Cyber.
Note: This practice also applies to Qualys QVS, CrowdStrike ExPRT.AI, the BitSight Rating score, and many more. You can decide to use a different risk parameter than CVSS or combine it with the Vulcan Cyber risk calculation logic.
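One way to blend a scanner KPI such as Tenable VPR with the CVSS score, as the section above suggests (CVSS 9.8 with VPR 2 is pulled down, CVSS 5.0 with VPR 9 is pulled up). This is an added example, not Vulcan Cyber's or Tenable's code; the blend factor, the 0-100 risk scale, the tier cut-offs and the field names are assumptions.

```python
# Added example, not Vulcan Cyber's or Tenable's code: pull a CVSS-derived risk
# toward a scanner KPI (Tenable VPR here). Blend factor, 0-100 risk scale, tier
# cut-offs and field names are assumptions made for this illustration.
from typing import Optional, Tuple

TIERS = ((90, "Critical"), (70, "High"), (40, "Medium"), (0, "Low"))   # assumed cut-offs

def blend_kpi(cvss: float, kpi: Optional[float], kpi_max: float = 10.0, pull: float = 0.5) -> float:
    """Risk 0-100 from CVSS (0-10), moved toward the scanner KPI by the fraction `pull`.

    A missing KPI (finding from a scanner without one) leaves the CVSS-derived risk
    unchanged. kpi_max normalises KPIs on other scales to 0-10 before blending,
    so the same function can serve QVS or ExPRT.AI once their scale is set."""
    if not 0.0 <= cvss <= 10.0:
        raise ValueError("CVSS out of range")
    base = cvss * 10.0
    if kpi is None:
        return round(base, 1)
    kpi10 = kpi / kpi_max * 10.0
    risk = base + pull * (kpi10 - cvss) * 10.0
    return round(max(0.0, min(100.0, risk)), 1)

def tier(risk: float) -> str:
    """Map a 0-100 risk to a severity tier using the assumed cut-offs."""
    return next(name for cut, name in TIERS if risk >= cut)

def score_finding(finding: dict) -> Tuple[float, str]:
    """Apply VPR blending only to Tenable findings; other sources keep CVSS-only risk."""
    is_tenable = finding.get("source", "").lower() == "tenable"
    kpi = finding.get("vpr") if is_tenable else None
    risk = blend_kpi(finding["cvss"], kpi)
    return risk, tier(risk)
```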
Utilizing CVSS temporal score
The Base Score (CVSS) reflects the severity of a vulnerability according to its intrinsic characteristics, which are constant over time and assume the reasonable worst-case impact across different environments.
The Temporal Metrics adjust the Base Score severity of a vulnerability based on factors that change over time, such as the availability of exploit code.
The Environmental Metrics adjust the Base Score and Temporal Metric severities to a specific computing environment. They consider factors such as the presence of mitigations in that environment.
Source: https://www.first.org/cvss/specification-document
To utilize CVSS temporal score in determining vulnerability severity:
Utilize CVSS base, temporal, and environmental score metrics to aggregate all the conditions for a vulnerability to be defined as critical (attack vector, complexity, required privileges, remediation level, report confidence, etc.).
Define the specific asset attributes to add to the calculation.
Define how the score should be skewed once a vulnerability instance matches the parameters defined above.
Define which vulnerability/asset source(s) this calculation applies to.
Define the risk score calculation for other vulnerability data sources aggregated with Vulcan Cyber. Example:
If the vulnerability is from Tenable:
Start with Risk Score = Vulcan Risk Score.
Using the Temporal Vector String, modify the risk score by the following offsets for the given vector metric and value (given in the spreadsheet):
"E": {"U": Offset -10, "P": Offset -5, "F": Offset +5, "H": Offset +10}
"RL": {"O": Offset +0, "T": Offset +0, "W": Offset +0, "U": Offset +5}
"RC": {"U": Offset -5, "R": Offset +0, "C": Offset +0}
* If any metric (E, RL, or RC) is not defined, apply a +0 offset for that metric.
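The Tenable temporal-offset example above, carried through as an added Python example that is not Vulcan Cyber's script: it parses the temporal metrics out of a CVSS vector string, sums the offsets from the table, treats a missing or undefined metric as +0, and clamps the result. A 0-100 Vulcan risk scale and the field names are assumptions; the offset table is the one given in the example.

```python
# Added example, not Vulcan Cyber's script: apply the temporal-vector offsets from
# the Tenable example to a starting risk score. The 0-100 risk scale and field
# names are assumptions; the offset table is the page's own.
OFFSETS = {
    "E":  {"U": -10, "P": -5, "F": 5, "H": 10},   # Exploit Code Maturity
    "RL": {"O": 0, "T": 0, "W": 0, "U": 5},       # Remediation Level
    "RC": {"U": -5, "R": 0, "C": 0},              # Report Confidence
}
UNDEFINED = {"X", "ND"}   # CVSS v3 "X" / v2 "ND": metric not defined, so +0

def parse_vector(vector: str) -> dict:
    """Split 'CVSS:3.1/AV:N/.../E:F/RL:O/RC:C' (or just 'E:F/RL:O/RC:C') into metric -> value."""
    metrics = {}
    for part in vector.strip().split("/"):
        if ":" in part:
            key, value = part.split(":", 1)
            metrics[key] = value
    return metrics

def temporal_offset(vector: str) -> int:
    """Sum the offsets for E, RL and RC; a missing or undefined metric contributes 0."""
    metrics = parse_vector(vector)
    total = 0
    for metric, table in OFFSETS.items():
        value = metrics.get(metric)
        if value is None or value in UNDEFINED:
            continue
        if value not in table:
            raise ValueError(f"unknown value {value!r} for temporal metric {metric}")
        total += table[value]
    return total

def adjusted_risk(source: str, vulcan_risk: float, temporal_vector: str = "") -> float:
    """Tenable findings start from the Vulcan risk score and receive the offset,
    clamped to 0-100; findings from other sources are returned unchanged."""
    if source.lower() != "tenable" or not temporal_vector:
        return vulcan_risk
    return max(0.0, min(100.0, vulcan_risk + temporal_offset(temporal_vector)))
```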
FAQ
Can I manually edit the risk of a vulnerability that has a custom risk score applied?
Yes. You can edit and override the risk provided based on the custom risk script parameters. See Editing risk manually.
Can I manually edit the parameters of the custom risk script?
No. To change the parameters or update the script, contact your Customer Success Manager at Vulcan Cyber.