Why CVSS 4.0 isn’t all you need
Managing cyber risk takes threat intelligence
Most people who know anything about cybersecurity have heard of ranking vulnerabilities to describe how critical they are, on a scale from 0.0 (lowest) to 10.0 (highest).
These numbers, used worldwide, come from the publicly available Common Vulnerability Scoring System (CVSS), which the U.S. National Vulnerability Database (NVD) uses to gauge the severity of Common Vulnerabilities and Exposures (CVEs), publicly disclosed information security flaws. Many cybersecurity professionals use CVSS scores to decide which of their vulnerabilities to remediate first.
Where did CVSS come from?
In February 2005, CVSS version 1 was developed by a handful of “pioneers” with the aim of reaching wide industry adoption, according to Dave Dugal and Dale Rich, chairs of the CVSS Special Interest Group (SIG). Version 1 received little peer review before its release, and much criticism after its release, they say.
Before 2005, vendors used their own custom and incompatible rating systems to define the severity of cyber risks. Then the U.S. National Infrastructure Advisory Council (NIAC) recognized a need to standardize vulnerability measurements across software and platforms, so they created CVSS.
In April 2005, NIAC called upon the Forum of Incident Response and Security Teams (FIRST) to become the custodian of CVSS for future development. FIRST is a non-profit organization formed in 1990, with the mission “to make the Internet a safer place for everyone.” Its members come from a wide variety of organizations including educational, commercial, vendor, government and military.
In June 2019, FIRST published CVSS 3.1, the version in use today, with an explicit caveat in its user guide that CVSS measures the technical severity of a vulnerability, not risk, and should not be used on its own to assess risk.
CVSS is now under public review for version 4, expected to be published October 1, 2023.
FIRST sets high hopes for CVSS 4.0
FIRST says CVSS 4.0 will be “a cyber sector game-changer,” critical for properly assessing and prioritizing vulnerabilities, and expects it to provide the “highest fidelity of vulnerability assessment” to date.
According to FIRST, CVSS 4.0 will:
- Offer finer granularity in base metrics
- Remove downstream scoring ambiguity
- Simplify threat metrics
- Enhance the effectiveness of assessing environment-specific security requirements and compensating controls
In addition, 4.0 introduces a Supplemental metric group that records extra context about a CVE without changing its numeric score. It includes whether exploitation is automatable, along with:
- Value density
- Vulnerability response effort
- Provider urgency
Controversy surrounding CVSS
Despite its worldwide adoption, CVSS is not popular with everyone. Some say it’s too complex and subjective, and it's widely misused for vulnerability prioritization, says Chris Hughes, author of “Will CVSS 4.0 be a vulnerability-scoring breakthrough or is it broken?,” published in CSO. “The unfortunate reality is that in an industry that is often led by marketing hype and promises of silver bullets, there isn't one,” he says of CVSS 4.0.
“CVSS is laden with issues,” says Henry Howland in an article titled, “CVSS: Ubiquitous and Broken,” published in Digital Threats: Research and Practice. “There is no clear reasoning given as to how the system was devised, it is riddled with logical inconsistencies, and it is only able to partially account for the context of a vulnerability, as well as being an empirically poor means of representing a vulnerability’s severity,” Howland says.
FIRST recognizes that a CVSS score alone isn’t all you need to prioritize cybersecurity actions. Dave Dugal of the CVSS SIG emphasizes the importance of using threat intelligence and environmental metrics for accurate scoring under CVSS 4.0.
Today, under CVSS 3.1, most organizations act on the Base score alone. 4.0 makes the enrichment explicit with new nomenclature that looks like this:
- CVSS-B: CVSS Base Score
- CVSS-BT: CVSS Base + Threat Score
- CVSS-BE: CVSS Base + Environmental Score
- CVSS-BTE: CVSS Base + Threat + Environmental Score
“The more metrics used to enrich your CVSS scoring, the higher quality your assessment will be,” Dugal says.
CVSS doesn’t tell your whole cyber story
The truth is, not all risks are created equal. A CVSS score says nothing about what a vulnerability means for your enterprise. Some vulnerabilities, such as those with a working public exploit, could derail your entire organization; others may not touch your critical processes at all.
Using CVSS scores alone to prioritize remediation, even the richer scores 4.0 offers, is unwise, because context is such an important part of making cybersecurity decisions. The only reliable way to prioritize a risk or vulnerability is to understand it in relation to all the attack vectors in your environment, from a hacker's point of view: from the outside in.
This expanded context helps you decide which vulnerabilities should be patched as soon as possible and which can wait a little longer, depending on your resources. Effective patch prioritization strengthens your security posture as part of a holistic view of your attack surface.
Threat intelligence is key
For a full picture, CVSS scores need to be read in light of threat intelligence. Threat intelligence can reveal whether, how, and when a vulnerability is likely to be used against an organization, and what the impact would be.
Threat intelligence is a cybersecurity discipline that involves collecting, analyzing, and understanding information about potential threats and threat actors. It's like having a weather forecast for cyber threats: it helps organizations predict, prepare for, and mitigate potential attacks.
Not all vulnerabilities are exploited equally by attackers in the real world. An unpatched server in an obscure corner of a network might theoretically carry a high-severity vulnerability, but if it is not on the radar of actual threat actors, it may not be high-risk. Conversely, threat actors might heavily target a low-severity vulnerability because it is easy to exploit, amplifying its real-world risk. Threat intelligence tells you which is the case.
Hadrian’s answer to using CVSS effectively
Hadrian’s answer is a multidimensional approach to today’s rapidly evolving threat landscape. Our proprietary Orchestrator AI provides a proactive, contextual, and comprehensive view of an organization's cyber exposure.
By integrating our threat intelligence with insights about your digital infrastructure, we can show you what is likely to be attacked based on current threat landscape trends. This will help you prioritize your efforts to protect your enterprise against attack.
Our threat intelligence is part of a bigger plan for protection. We use External Attack Surface Management (EASM) to find and monitor all your internet-facing assets. Then we use automated security testing to root out every blind spot. Orchestrator AI then goes to work with this data to predict threat actors’ attack paths, alerting you to what is most important to deal with immediately.
We are hackers—the good kind. That’s how we can think like hackers, and we build that professional knowledge into our solutions to keep attackers out.
Hackers use a variety of methods to gain access to your systems. Deciding what to do next is not as simple as reading a CVSS score; you need much more.
Learn more about Hadrian’s threat intelligence.