CVSS Scores in Cyber Threat Intelligence

Chad Warner
7 min read · Feb 14, 2023


The Common Vulnerability Scoring System (CVSS) rates vulnerabilities by severity, assigning a numeric score. There are 3 metric groups: Base, Temporal, and Environmental. Only the Base score is published in vulnerability databases; organizations are supposed to calculate their own Temporal and Environmental scores based on their own situations.

However, many organizations don’t put in the effort, and simply prioritize their vulnerability management efforts based on the Base score. This goes against the intent of CVSS scores, and results in decreased efficiency and effectiveness in vulnerability management. Cyber threat intelligence provides needed context to CVSS scores.

CVSS Overview

CVSS includes 3 metric groups:

  • Base: metrics based on a vulnerability’s inherent characteristics
  • Temporal: metrics that change over time due to factors outside the vulnerability, such as availability of exploit code
  • Environmental: metrics based on the impact of the vulnerability on an organization, unique to its environment

Base and Temporal metrics are usually provided by vulnerability bulletin analysts, security vendors, or software vendors. Environmental metrics are specified by organizations.

CVSS scores are meant to communicate the level of a vulnerability’s severity, not the level of risk a vulnerability poses to an organization.

CVSS is designed to measure the severity of a vulnerability and should not be used alone to assess risk.

Concerns have been raised that the CVSS Base Score is being used in situations where a comprehensive assessment of risk is more appropriate. … the CVSS Base Score represents only the intrinsic characteristics of a vulnerability which are constant over time and across user environments. The CVSS Base Score should be supplemented with a contextual analysis of the environment, and with attributes that may change over time by leveraging CVSS Temporal and Environmental Metrics. More appropriately, a comprehensive risk assessment system should be employed that considers more factors than simply the CVSS Base Score. Such systems typically also consider factors outside the scope of CVSS such as exposure and threat.

Common Vulnerability Scoring System v3.1: User Guide, FIRST

do not select an arbitrary score above which vulnerabilities must be fixed, ignoring all issues below that level

do not take raw CVSS scores without taking into account organisation specific mitigations or priorities

Vulnerability management, UK National Cyber Security Centre

CVSS Base scores are included in the National Vulnerability Database (NVD). Calculators that also take Temporal and Environmental metrics are available from FIRST and NIST.

The current version is 3.1. Version 2.0 is being phased out.

CVSS Metrics

Three groups, each made up of several metrics, go into CVSS scores.

Base Metrics

Exploitability Metrics

  • Attack Vector (AV)
    ◦ Network (N): vulnerable component is bound to the network stack; remotely exploitable
    ◦ Adjacent (A): vulnerable component is bound to the network stack, but the attack is limited at the protocol level to a logically adjacent topology
    ◦ Local (L): vulnerable component is not bound to the network stack
    ◦ Physical (P): requires physical access
  • Attack Complexity (AC)
    ◦ Low (L): doesn’t require special access conditions
    ◦ High (H): requires conditions beyond the attacker’s control
  • Privileges Required (PR)
    ◦ None (N): requires no prior privileges
    ◦ Low (L): requires basic user privileges
    ◦ High (H): requires admin privileges
  • User Interaction (UI)
    ◦ None (N): doesn’t require user interaction
    ◦ Required (R): requires user action

Scope (S)

  • Unchanged (U): exploiting the vulnerability affects only resources managed by the same security authority as the vulnerable component
  • Changed (C): exploiting the vulnerability can affect resources beyond those managed by the security authority of the vulnerable component

Impact Metrics

  • Confidentiality (C)
    ◦ High (H): total loss of confidentiality; all info is compromised, or compromised info has direct, serious impact
    ◦ Low (L): some loss of confidentiality; some info is compromised; no direct, serious impact
    ◦ None (N): no loss of confidentiality
  • Integrity (I)
    ◦ High (H): total loss of integrity; attacker can modify all info, or compromised info has direct, serious impact
    ◦ Low (L): partial loss of integrity; attacker can modify some info; no direct, serious impact
    ◦ None (N): no loss of integrity
  • Availability (A)
    ◦ High (H): total loss of availability; attacker can completely deny access, or limited denial has direct, serious impact
    ◦ Low (L): performance is reduced, or interruptions occur
    ◦ None (N): no loss of availability

Temporal Metrics

Exploit Code Maturity (E)

  • Not Defined (X): insufficient info to choose another value
  • High (H): exploitation is reliable and possible via widely available automated tools
  • Functional (F): exploit code is available and generally reliable
  • Proof-of-Concept (P): POC exploit code is available; exploitation isn’t generally reliable
  • Unproven (U): no exploit code exists, or exploitation is theoretical

Remediation Level (RL)

  • Not Defined (X): insufficient info to choose another value
  • Unavailable (U): no solution, or impossible to apply
  • Workaround (W): unofficial solution available
  • Temporary Fix (T): official but temporary solution available
  • Official Fix (O): official, complete solution available

Report Confidence (RC)

  • Not Defined (X): insufficient info to choose another value
  • Confirmed (C): vulnerability confirmed
  • Reasonable (R): significant evidence of vulnerability exists, but is unconfirmed
  • Unknown (U): some evidence of vulnerability exists, but is unconfirmed; low confidence

Environmental Metrics

Security Requirements (CR, IR, AR)

  • Not Defined (X): insufficient info to choose another value
  • High (H): loss of confidentiality, integrity, and/or availability likely to have catastrophic effect on organization
  • Medium (M): loss of confidentiality, integrity, and/or availability likely to have serious effect on organization
  • Low (L): loss of confidentiality, integrity, and/or availability likely to have limited effect on organization

Modified Base Metrics: used by organizations to override Base metrics, if needed, to fit their environment

  • Modified Attack Vector (MAV)
  • Modified Attack Complexity (MAC)
  • Modified Privileges Required (MPR)
  • Modified User Interaction (MUI)
  • Modified Scope (MS)
  • Modified Confidentiality (MC)
  • Modified Integrity (MI)
  • Modified Availability (MA)

CVSS Rating Scale

CVSS rates vulnerabilities by severity, on a scale of 0 to 10.

  • None: 0.0
  • Low: 0.1–3.9
  • Medium: 4.0–6.9
  • High: 7.0–8.9
  • Critical: 9.0–10.0

CVSS can also express scores as vector strings. A vulnerability with Base metric values of “Attack Vector: Network, Attack Complexity: Low, Privileges Required: High, User Interaction: None, Scope: Unchanged, Confidentiality: Low, Integrity: Low, Availability: None” and no specified Temporal or Environmental metrics would be expressed this way:

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N

CVSS & CTI

CVSS Base scores are a useful starting point, but they have shortcomings. They don’t include Temporal and Environmental metrics, which can make a significant difference to the risk a vulnerability poses to an organization. For example, if you knew that a vulnerability was being actively exploited against other organizations in your industry, would you prioritize it higher than if you knew there was no evidence of exploitation? Yet Exploit Code Maturity (E) is a Temporal metric, and isn’t included in the Base score.

A vulnerability with a high CVSS Base score may actually present low risk to your organization if you have the right mitigations in place. And a vulnerability with a low CVSS Base score may actually present high risk to your organization if exploitation would cause serious damage, or if a threat actor is known to be actively exploiting others in your industry.

Another problem is that it can take days or weeks for vulnerabilities to be assigned a CVSS score and appear in the NVD. How do you defend against a vulnerability you don’t know about?

Also, Tenable reported in 2020 that over 75% of all vulnerabilities with a CVSS Base score of 7 or above had never had an exploit published against them. Would you want your organization spending time and money on these vulnerabilities, especially when it often means taking time and money away from those that could have a larger impact?

Another problem is that threat actors often exploit several lower-severity vulnerabilities to gain initial access, elevate privileges, and continue an attack. Considered individually, the Base scores may have been low enough to fly under the radar of the security team, and the vulnerabilities go unmitigated.

For these reasons, CVSS Base scores paint a simplistic, inaccurate picture. Yet many organizations don’t go beyond them when prioritizing their vulnerability management efforts. The actual risk an organization faces is also based on Temporal and Environmental metrics. By incorporating info beyond Base scores, cyber threat intelligence can paint a larger, more accurate picture.

CTI can provide info on the following items to help an organization better understand the risk a vulnerability poses to it:

  • Organization’s assets
  • Business criticality of organization’s assets
  • Organization’s risk tolerance
  • Vendor advisories
  • Proof-of-concept research
  • Presence of exploit code in exploit kits and frameworks
  • References to exploitation by threat actors on the dark web and elsewhere
  • Vulnerability exploitation in the wild
  • IoC observations
  • Adversary TTPs

Additional Resources


Chad Warner

Web Strategist at OptimWise. Cybersecurity & privacy enthusiast. Bookworm. Fan of Tolkien & LEGO.