Threat Vector Categorization

Last Updated: 4/1/24

Categorization

Every vulnerability with a CVSS score carries a set of Base metrics: Exploitability metrics (Attack Vector, Attack Complexity, Privileges Required, User Interaction), Scope, and Impact metrics (Confidentiality, Integrity, Availability). The National Vulnerability Database (NVD) publishes these as a Vector String. CVSS also defines optional Temporal and Environmental metric groups, but NVD does not populate them, so our categorization works from the Base vector. These metrics are one input to our categorization. We also apply a data science approach: models parse the vulnerability data, together with data gathered from our Threat Intelligence feed, and label each vulnerability based on our training. Our research team can further influence these categorizations through proprietary rules that we run to refine the labels.

Metrics

As an example, the following CVE has the following Vector String in NVD:

  • CVE-2020-1472
    • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

The components of this vector translate to the following metrics (definitions follow the CVSS v3.1 specification):

  • AV:N = Attack Vector - Network
    • A vulnerability exploitable with network access means the vulnerable component is bound to the network stack and the attacker's path is through OSI layer 3 (the network layer). Such a vulnerability is often termed "remotely exploitable" and can be thought of as an attack being exploitable one or more network hops away (e.g. across layer 3 boundaries from routers). An example of a network attack is an attacker causing a denial of service (DoS) by sending a specially crafted TCP packet from across the public Internet (e.g. CVE-2004-0230).
  • AC:L = Attack Complexity - Low
    • Specialized access conditions or extenuating circumstances do not exist. An attacker can expect repeatable success against the vulnerable component.
  • PR:N = Privileges Required - None
    • The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files to carry out an attack.
  • UI:N = User Interaction - None
    • The vulnerable system can be exploited without interaction from any user.
  • S:C = Scope - Changed
    • An exploited vulnerability can affect resources beyond the authorization privileges intended by the vulnerable component. In this case the vulnerable component and the impacted component are different.
  • C:H = Confidentiality - High
    • There is total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact. For example, an attacker steals the administrator's password, or the private encryption keys of a web server.
  • I:H = Integrity - High
    • There is a total loss of integrity, or a complete loss of protection. For example, the attacker is able to modify any/all files protected by the impacted component. Alternatively, only some files can be modified, but malicious modification would present a direct, serious consequence to the impacted component.
  • A:H = Availability - High
    • There is total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed). Alternatively, the attacker has the ability to deny some availability, but the loss of availability presents a direct, serious consequence to the impacted component (e.g., the attacker cannot disrupt existing connections, but can prevent new connections; or the attacker can repeatedly exploit a vulnerability that, in each instance of a successful attack, leaks only a small amount of memory, but after repeated exploitation causes a service to become completely unavailable).

Data Science

We also look for words, strings, and other characteristics across our threat intelligence feed that match our researcher logic or our training models.

Together with the CVSS metrics, these matches produce a categorization score for each label. If the score passes our threshold, we apply that label to the vulnerability.

Example

For CVE-2020-1472 we would end up categorizing the vulnerability as:

  • 'is_exploitable': False,
  • 'is_command_exec': True,
  • 'is_cred_compromise': False,
  • 'is_phishing_attack': False,
  • 'is_priv_escalation': True,
  • 'is_unauthenticated': True,
  • 'is_remote_attack_scenario': True,
  • 'is_lateral_movement_scenario': False,
  • 'is_crowdstrike': True,
  • 'is_recorded_future': True,
  • 'is_malware': True,
  • 'is_celebrity_vuln': True,
  • 'is_cisa_kev': True,
  • 'is_ransomware': False