The risk of relying on CVSS scores

In 2021, exploited vulnerabilities surpassed phishing for the first time as the most common attack vector. There are now nearly 200,000 vulnerabilities on the Common Vulnerabilities and Exposures (CVE) list, and tens of thousands of new vulnerabilities are discovered each year, making it impossible for organizations to address and treat every security flaw in their systems. 

As a result, vulnerability management has become a top concern for security teams. Traditionally, teams have relied on the Common Vulnerability Scoring System (CVSS) to determine which vulnerabilities pose the greatest threat and should be addressed first. But relying on CVSS scores can introduce considerable risk. The reason: the CVSS standard assigns scores based primarily on severity – in other words, how much damage attackers might cause if they exploited the vulnerability. What CVSS does not account for is the likelihood of an attack. 

Out of hundreds of thousands of known vulnerabilities, only a small percentage (6%) are likely to be exploited by attackers. To effectively mitigate risk, security teams need a way to prioritize vulnerabilities based on the probability that they’ll be exploited in the near future. That’s where Cybersixgill can help.

How CVSS ratings are determined

As organizations struggle to keep up an effective patching cadence to address vulnerabilities within their systems, security teams need a means to effectively prioritize vulnerabilities. CVSS was developed to simplify vulnerability assessment by assigning a rating to each vulnerability that correlates with severity. Scores take into account the impact of an attack if a vulnerability is exploited, the ease of exploit, and other factors.

For security teams, there is a danger in basing patching cadence and prioritization on CVSS ratings alone. CVSS scores tend to be static and rarely change over time, even when a working exploit kit has been widely distributed across the cybercriminal underground. 

Additionally, there is often a lag between the discovery of a vulnerability and the assignment of its CVSS rating. While most vulnerabilities are rated quickly, some CVSS ratings take days or weeks, leaving security teams without guidance about the risk these vulnerabilities pose in the meantime.

But what’s most concerning about relying on CVSS evaluations is that the scores have nothing to do with the actual risk that a vulnerability will be exploited. CVSS ratings are not informed by the signs of imminent exploitation that are readily available on the dark web. These signals include attackers’ discussions on dark web forums, the rising popularity of a working exploit kit on paste sites, shared proof-of-concept scripts in code repositories, and a spike in sales of vulnerability scanning tools on underground markets when news of a new vulnerability is published.

Ideally, security teams should prioritize patches for vulnerabilities based both on the potential severity of impact and on the probability of exploitation. Fortunately, that’s exactly the kind of insight that Cybersixgill Vulnerability Intelligence provides.

Cybersixgill DVE Intelligence vs. CVSS

Cybersixgill offers a fully automated cybersecurity vulnerability intelligence solution that provides security teams with contextual and actionable insight into threats facing their organizations. With threat intelligence collection capabilities that are the broadest in the industry, we covertly extract data from a wide range of sources on the clear, deep and dark web. By enriching this data with context and making it accessible to security professionals and technology throughout the organization, Cybersixgill helps security teams to expose threat actor activity, preempt attacks and operationalize this threat intelligence according to their unique assets, needs and workflows.

Cybersixgill Dynamic Vulnerability Exploit (DVE) Intelligence delivers tools to enhance the vulnerability management lifecycle, enabling security teams to prioritize vulnerabilities with greater precision than CVSS scores. 

DVE Intelligence scores are based on several factors.

  • Existing proof-of-concept exploit (POC) and exploit kits. Threat actors lurk in code repositories such as GitHub, hoping to find and operationalize POCs as part of their malicious campaigns. Exploit kits are also widely bought and sold on dedicated markets on the dark web, allowing even the least sophisticated actors to exploit complex vulnerabilities for advanced attacks.

  • Dark web chatter & trending CVEs. CVEs that pop up in notorious deep and dark web forums are more likely to be exploited by threat actors, and the rising popularity of a CVE among these sources indicates a higher likelihood of exploitation.

  • Reputations of threat actors & groups (ransomware/APT) discussing CVEs. Cybersixgill assigns reputation scores for each threat actor based on their tenure and the strength of their social network. Mentions of CVEs by threat actors who have higher reputation scores carry more weight in the overall DVE Intelligence score, as do those CVEs associated with ransomware and APT groups.
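The severity-times-likelihood idea behind the factors above, as an added illustrative prioritizer written for this page (it is not Cybersixgill's DVE algorithm; the weights, the placeholder CVE ids and the signal values are constructed assumptions). It also covers the not-yet-rated case from the CVSS time-lag discussion by treating an unrated CVE as critical until a score arrives.

```python
from dataclasses import dataclass
from typing import Optional

# Illustrative model only: the weights and signals below are assumptions made
# for this example, not Cybersixgill's DVE scoring formula.

@dataclass
class Vuln:
    cve: str                       # placeholder ids in SAMPLE, not real CVEs
    cvss: Optional[float]          # CVSS base score (0-10); None = not yet rated
    has_poc: bool = False          # proof-of-concept seen in a code repository
    has_exploit_kit: bool = False  # working kit traded on underground markets
    chatter: int = 0               # forum mentions in the observation window
    actor_reputation: float = 0.0  # 0-1 reputation of the top actor discussing it
    ransomware_or_apt: bool = False

def exploit_likelihood(v: Vuln) -> float:
    """Probability-like score (0-1) built from the exploitation signals."""
    p = 0.05                             # baseline: most CVEs are never exploited
    if v.has_poc:
        p += 0.25
    if v.has_exploit_kit:
        p += 0.35
    p += min(v.chatter, 20) / 20 * 0.20  # chatter contribution saturates at 20
    p += v.actor_reputation * 0.10       # reputable actors carry more weight
    if v.ransomware_or_apt:
        p += 0.10
    return min(p, 1.0)

def risk(v: Vuln) -> float:
    """Severity x likelihood; an unrated CVE is assumed critical until scored."""
    severity = 10.0 if v.cvss is None else v.cvss
    return severity / 10 * exploit_likelihood(v)

def rank_by_cvss(vulns):
    return [v.cve for v in sorted(vulns, key=lambda v: v.cvss or 0, reverse=True)]

def rank_by_risk(vulns):
    return [v.cve for v in sorted(vulns, key=risk, reverse=True)]

# Constructed sample: placeholder CVE ids and invented signal values.
SAMPLE = [
    Vuln("CVE-0000-0001", 9.8),  # critical on paper, no exploitation signals
    Vuln("CVE-0000-0002", 7.5, has_poc=True, has_exploit_kit=True,
         chatter=15, actor_reputation=0.8, ransomware_or_apt=True),
    Vuln("CVE-0000-0003", 5.3, has_poc=True, chatter=4),
    Vuln("CVE-0000-0004", None, has_poc=True, chatter=10),  # not yet rated
]
```

Calling `rank_by_cvss(SAMPLE)` puts the signal-free 9.8 first and the unrated CVE last, while `rank_by_risk(SAMPLE)` moves the actively traded 7.5 and the unrated-but-discussed CVE to the top.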

Benefits of Vulnerability Intelligence

By offering a tool for evaluating vulnerabilities that goes beyond CVSS and other solutions, Cybersixgill DVE Intelligence delivers significant advantages for organizations and security teams.

  • More accurate prioritization. By tracking vulnerabilities that have a higher probability of being exploited in the near future, security teams can more accurately prioritize patches and mitigate risk more effectively.

  • Greater clarity and visibility. Cybersixgill Vulnerability Intelligence provides context and explanations for each rating, enabling security analysts to better understand the threats facing the organization and to put more effective security controls in place. With Cybersixgill’s Investigative Portal, analysts can take a deep dive into each CVE to learn more about actors, tools, dates, mentions, tags, languages and more.

  • Integrated intelligence. Customers can access the module via vulnerability intelligence feeds using an API that seamlessly integrates with all major TIP, SIEM, SOAR and VM platforms or through Cybersixgill's own threat intelligence platform.    

Why Cybersixgill? 

Cybersixgill captures, processes and alerts teams to emerging threats, tactics, techniques and procedures (TTPs) and indicators of compromise (IOCs) as they surface on the clear, deep and dark web. Leveraging advanced AI and machine learning algorithms, we quickly prioritize, enrich and score data according to each customer’s unique assets and attack surface. By swiftly publishing threat actor profiles and identifying behavioral patterns, we give cybersecurity teams time to apply practical solutions to areas of risk exposure – before cybercriminals can launch a new attack. Our extraction capabilities are 24 times faster than those of our competitors. And because we only pass on relevant, high-fidelity IOCs and intel, we reduce the level of alert fatigue and numbness experienced by security professionals.


What is a vulnerability?

A vulnerability is a flaw or weakness in a software program or piece of code that cyber criminals can take advantage of to gain unauthorized access to IT environments, user accounts and other computer systems. 

What is a CVE?

CVE is short for Common Vulnerabilities and Exposures. The term CVE refers both to a list of publicly disclosed vulnerabilities and exposures as well as individual vulnerabilities that have been recorded on the CVE list.

What is CVSS?

The Common Vulnerability Scoring System, or CVSS, is an open framework for rating vulnerabilities based on the potential severity of a cyberattack that exploits the vulnerability. CVSS scores have traditionally been used by security teams to prioritize vulnerabilities for remediation. However, because the scores rate vulnerabilities only by severity and not by likelihood of exploitation, CVSS ratings do not show a complete picture of risk. As a result, many security teams seek out additional threat intelligence to determine the probability that a vulnerability will be exploited by threat actors in the near future.