The National Vulnerability Database (NVD) is well known in IT security as the source of record for all vulnerabilities which have been assigned a CVE (Common Vulnerabilities and Exposures) enumeration.
Operated by the National Institute of Standards and Technology (NIST) as a part of the United States Department of Commerce, the NVD assigns a Common Vulnerability Scoring System (CVSS) score to each vulnerability, and also provides Common Weakness Enumerations (CWE), Common Platform Enumeration (CPE), and various other pieces of information relevant to the vulnerability’s functionality and exploitability.
While the NVD is a valuable source of vulnerability information, it only represents one piece of the puzzle and should not be used as the single source of truth when evaluating an organization's security and risk posture.
Rather, the NVD should be used as a foundation upon which to build a more complete risk profile. This can be achieved by layering additional information on top of the NVD, such as threat intelligence feeds, trends in public reports or online discussions, weaponization data, and third party and vendor-reported information.
This multi-dimensional approach allows for individual vulnerabilities to be more deeply evaluated in order to not only assess the theoretical risk, but also how likely it is to be used in a cyber-attack and what real-world impact it would have.
To better understand the importance of using multiple sources of knowledge in vulnerability management, let’s consider a use case involving the United States Dept. of Homeland Security AWARE (Agency-Wide Adaptive Risk Enumeration) methodology, used as part of the Continuous Diagnostics and Mitigation (CDM) Program.
AWARE provides risk scores to individual vulnerabilities by augmenting NVD data with external intelligence and customized metrics. The details of the methodology can be found at the CDM’s Training Program website; here is a brief overview.
The AWARE methodology assigns a numerical score to a vulnerability in the range of zero to infinity, based on four key components:
- The Base Score (a transformation of the CVSS score);
- The Age Factor, which we will discuss below;
- The Weight Factor, which takes into account whether or not a threat is known to exist for the vulnerability as well as the criticality of the endpoint on which it is found; and
- An Allowable Tolerance Factor which accounts for a grace period of remediation before a score impact is shown.
AWARE uses the NVD as the single source of knowledge for the Base Score and Age Factor, while the Weight Factor depends on DHS threat intelligence information that is funneled down from the Federal level to Agency-level dashboards. The Allowable Tolerance Factor is based on a time period that depends on whether or not a threat exists for the vulnerability in question.
AWARE’s Age Factor is particularly interesting. According to the CDM’s documentation on the methodology, Age Factor is computed as a logarithmic function of the age (in days) of the vulnerability, as well as a “Days to Double” parameter, described as the time it should take for a vulnerability’s score to double.
This factor is meant to reflect the increased risk posed by a vulnerability over time, on a logarithmic scale. The rationale here is that the older a vulnerability is, the more risk it poses. This appears to be a reasonable assumption from which to operate; however, the core assumption used to define this factor is questionable, namely the age of the vulnerability itself.
It is no secret that many vulnerabilities in the NVD are discovered prior to their publication (Recorded Future reports up to 75% of vulnerabilities fall into this category), and in some cases are assigned a CVE before they are actually posted to the database. Therefore, using the NVD’s publication date in computing an age-based metric for a vulnerability may result in some information being lost.
To find out, we analyzed the DHS AWARE Age-based metric formula, comparing the NVD’s publication date with the earliest available publication date and measuring what effect this difference had on the Age metric. Typically, the latency between an early publication date and the NVD date is one week or less, and the difference in scores for latencies of less than one week is minimal.
However, in some cases we found as much as a 4.5-point difference in the risk score. The higher the CVSS score, the more of a difference an earlier release date makes. In addition, more recently discovered vulnerabilities are affected to a greater extent. Since the average latency is less than one week, critical vulnerabilities are being overlooked.
Because using an earlier publication date results in an increased Age metric score, many vulnerabilities are not scored appropriately (i.e., not high enough) because they were published late in the NVD. This effect is magnified for vulnerabilities with a higher CVSS base score.
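The following is an added example, not code from CDM, AWARE or the author, that illustrates the Age Factor described above and the publication-date comparison from the analysis: it scores the same vulnerability once from the NVD publication date and once from the earliest public disclosure date, then shows how the gap changes with CVSS base score, vulnerability age and latency, and how it can reorder a remediation queue. The page does not give the actual AWARE formula, so `age_factor` is an assumed stand-in with the two properties the page names (logarithmic in age, and reaching twice the base score when the age equals the "Days to Double" parameter); the CVE identifiers, CVSS values and dates are constructed for the demonstration.

```python
"""Age-factor sensitivity to the choice of publication date (added example).

The real CDM/AWARE formula is not reproduced here; age_factor() is an ASSUMED
stand-in that is logarithmic in age and equals 2 at age == days_to_double.
"""
from dataclasses import dataclass
from datetime import date
from math import log2


@dataclass(frozen=True)
class VulnRecord:
    """One vulnerability with the two dates being compared (constructed values)."""
    cve_id: str            # placeholder identifier, not a real CVE
    cvss_base: float       # CVSS base score from the NVD entry
    nvd_published: date    # date the entry appeared in the NVD
    earliest_public: date  # earliest vendor advisory or public report seen


def age_days(published: date, as_of: date) -> int:
    """Age in whole days as of a given date; never negative."""
    return max(0, (as_of - published).days)


def age_factor(age: int, days_to_double: int) -> float:
    """ASSUMED age factor: 1.0 at age 0, 2.0 at age == days_to_double, log2 growth beyond."""
    if days_to_double <= 0:
        raise ValueError("days_to_double must be positive")
    return 1.0 + log2(1.0 + age / days_to_double)


def age_weighted_score(base: float, published: date, as_of: date, days_to_double: int) -> float:
    """Base score scaled by the (assumed) age factor for the given publication date."""
    return base * age_factor(age_days(published, as_of), days_to_double)


def score_gap(rec: VulnRecord, as_of: date, days_to_double: int = 30) -> dict:
    """Score one record from the NVD date and from the earliest public date; report the gap."""
    nvd = age_weighted_score(rec.cvss_base, rec.nvd_published, as_of, days_to_double)
    early = age_weighted_score(rec.cvss_base, rec.earliest_public, as_of, days_to_double)
    return {
        "cve_id": rec.cve_id,
        "latency_days": (rec.nvd_published - rec.earliest_public).days,
        "score_nvd_date": round(nvd, 2),
        "score_earliest_date": round(early, 2),
        "gap": round(early - nvd, 2),
    }


def rank_by_score(records, as_of: date, days_to_double: int = 30, use_earliest: bool = False):
    """Order records highest-risk first using either date source."""
    def score(rec: VulnRecord) -> float:
        pub = rec.earliest_public if use_earliest else rec.nvd_published
        return age_weighted_score(rec.cvss_base, pub, as_of, days_to_double)
    return [rec.cve_id for rec in sorted(records, key=score, reverse=True)]


# Constructed sample data: identifiers, scores and dates are made up for the demonstration.
SAMPLE = [
    VulnRecord("CVE-EXAMPLE-0001", 9.8, date(2020, 1, 1), date(2019, 12, 25)),   # 7-day latency, critical, recent
    VulnRecord("CVE-EXAMPLE-0002", 9.8, date(2019, 10, 1), date(2019, 9, 24)),   # 7-day latency, critical, older
    VulnRecord("CVE-EXAMPLE-0003", 5.0, date(2020, 1, 1), date(2019, 12, 25)),   # 7-day latency, medium, recent
    VulnRecord("CVE-EXAMPLE-0004", 10.0, date(2020, 1, 1), date(2020, 1, 1)),    # no latency
]
AS_OF = date(2020, 1, 31)

if __name__ == "__main__":
    for rec in SAMPLE:
        print(score_gap(rec, AS_OF))
    print("rank by NVD date:     ", rank_by_score(SAMPLE, AS_OF))
    print("rank by earliest date:", rank_by_score(SAMPLE, AS_OF, use_earliest=True))
```

With these constructed inputs the gap is largest for the critical, recently disclosed record, smaller for the medium-severity record with the same dates, smaller again for the older critical record, and zero when the two dates coincide, which is the pattern the analysis above describes; the ranking also differs depending on which date feeds the age computation, which is the practical reason to carry the earliest disclosure date alongside the NVD date in a vulnerability-management pipeline.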
Therefore, to achieve more accurate and reliable vulnerability risk scores, one should supplement NVD data with direct feeds from software vendors, threat intelligence from sources such as the Metasploit project which can provide early indicators of yet-to-be-disclosed emerging threats, and sources that provide trending vulnerability data.
In addition, contextual facts such as industry categorization, internet reputation, and weaponization are all central to assessing the full impact of a weakness and should be considered alongside its inherent characteristics. Achieving a global view of a vulnerability’s potential impacts is the first step towards implementing an optimized remediation strategy and a stronger security posture.