7. Risk Scoring 101

You will learn how NopSec creates the scores you use to prioritize your effort.

Last Updated: 2/23/24


Score Lifecycle

Every vulnerability instance follows the same lifecycle: the NVD publishes a CVE; the scanners update their plugins to identify the vulnerability and assign it a severity; NopSec re-prioritizes the vulnerability using its machine learning model; and finally NopSec uses contextual data from your environment to further prioritize the risk of each vulnerability instance.

NopSec Vulnerability Risk Score

  • A vulnerability is published as a CVE or CWE.
  • NopSec runs its threat intelligence feed to collect data on all known CVEs and CWEs.
  • NopSec leverages a proprietary Machine Learning model to output a NopSec Risk Score using the data collected by its threat intelligence feed.
  • The NopSec ML model aims to identify the vulnerabilities most likely to be used by an attacker, and labels vulnerabilities that have been observed as part of known attacks as threats. This means that vulnerabilities NopSec believes will not be used in an attack have their scores lowered compared to the base CVSS or scanner scores; conversely, a score can be raised based on the likelihood that the vulnerability will be used by an attacker.
  • This is at the core of why NopSec is able to prioritize more accurately compared to its competitors.


Scanner Risk Score

  • NopSec then ingests your scanner data, which provides each vulnerability's CVE or CWE IDs.
  • Each scanner attempts to map a specific vulnerability to a specific target; NopSec calls this pairing a Vuln Instance.
  • We've noticed that most scanners tend to mirror the base CVSS scores even when they claim to use machine learning or a threat feed, which means they are not able to provide users with an effective prioritization of vulnerabilities.

NopSec Contextual Risk

A Vuln Instance Risk Score is unique to your environment, whereas the NopSec Vuln Risk Score is the base risk we believe the vulnerability carries before we know anything about your network.
  • Each Target receives a Target Criticality.
    • Clients can set this manually or let NopSec attempt to set the criticality automatically, using a set of rules that look at target categorization and function.
  • Mitigating Controls found on devices, such as an EDR/XDR, can reduce the risk of a vuln instance.
    • Each Target can also have an integration that provides an Endpoint Control, such as CrowdStrike XDR or Microsoft Defender for Endpoint. These controls can proactively prevent certain actions.
    • NopSec rewards you with a Target Risk Reduction, which lowers the vuln instance risk scores by the control's Control Risk Reduction.

NopSec Vulnerability Instance Risk Score

  • NopSec performs a calculation that is a function of:
    • ((Vuln Score x 10) - (8 * Y)) - Z%
    • Where Vuln Score is the NopSec Vuln Risk Score described above, and Y is the Target Criticality level set for the specific target:
      • 0 = Critical
      • 1 = High
      • 2 = Medium
      • 3 = Low
      • 4 = None
    • And Z is the Control Risk Reduction percentage.
    • Example: ((3.5 x 10) - (8 * 0)) - 25%
      • 35 - 0 = 35
      • 35 - 25% = 26.25
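A worked implementation of the calculation above, added here as an example (it is not NopSec's code): it maps the Target Criticality labels to Y, applies the Control Risk Reduction Z, and ranks a few constructed vuln instances so the effect of criticality and controls on the same base score is visible. The target and finding names are made up for the example.

```python
from dataclasses import dataclass

# Y value for each Target Criticality level, as listed on the page.
TARGET_CRITICALITY = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3, "None": 4}

def vuln_instance_score(vuln_score, criticality, control_reduction_pct=0.0):
    """((Vuln Score x 10) - (8 * Y)) - Z%, applied exactly as the page states it.

    vuln_score: the NopSec Vulnerability Risk Score for the CVE/CWE.
    criticality: the Target Criticality label, mapped to Y.
    control_reduction_pct: Z, the Control Risk Reduction percentage (0-100).
    """
    if criticality not in TARGET_CRITICALITY:
        raise ValueError(f"unknown Target Criticality: {criticality!r}")
    if not 0 <= control_reduction_pct <= 100:
        raise ValueError("Control Risk Reduction must be a percentage (0-100)")
    base = (vuln_score * 10) - (8 * TARGET_CRITICALITY[criticality])
    # "- Z%" is read as subtracting Z percent of the intermediate value, which
    # is how the page's own worked example arrives at 35 - 25% = 26.25.
    # The page does not say whether a negative result (a low score on a
    # low-criticality target) is clamped, so it is returned as computed.
    return base - base * control_reduction_pct / 100

@dataclass
class VulnInstance:
    instance_id: str              # target + finding, e.g. "web-01/finding-A"
    vuln_score: float             # NopSec Vulnerability Risk Score
    criticality: str              # Target Criticality of the target
    control_reduction_pct: float  # from an endpoint control integration, else 0

def prioritize(instances):
    """Return (instance_id, score) pairs, highest Vuln Instance Risk Score first."""
    scored = [
        (i.instance_id, vuln_instance_score(i.vuln_score, i.criticality, i.control_reduction_pct))
        for i in instances
    ]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)

# Constructed sample instances (hypothetical targets and findings, not real data).
SAMPLE_INSTANCES = [
    VulnInstance("web-01/finding-A", 9.8, "Medium", 0.0),    # no control on target
    VulnInstance("db-01/finding-B", 3.5, "Critical", 25.0),  # the page's example
    VulnInstance("lab-07/finding-C", 9.8, "None", 50.0),     # same score, lab box with EDR
]

if __name__ == "__main__":
    for instance_id, score in prioritize(SAMPLE_INSTANCES):
        print(f"{score:6.2f}  {instance_id}")
```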

Process

  • Periodically, NopSec updates its threat feed processes to gather more data or improve the data.
  • Periodically, NopSec updates its machine learning model to reduce the likelihood of drift. NopSec continually trains its model to ensure consistency.
  • After every integration ingestion, the Vuln Instance score is calculated and stored as each Vuln Instance record is created.
  • Periodically, NopSec runs a risk calculation process to ensure all vuln instances are up to date based on new findings from our risk model and threat intelligence feeds.