Last updated at Wed, 27 Sep 2023 15:42:21 GMT

Cyber risk is increasing both in volume and velocity. Given the threat landscape, organizations, security teams, and vulnerability analysts alike need better prioritization mechanisms. That's why we developed a new risk scoring methodology: Active Risk.

Rapid7 has offered five risk strategies for many years, each with its own specific approach to surfacing what matters most. Our sixth risk strategy, Active Risk, is designed to focus security and remediation efforts on the vulnerabilities that are actively exploited in the wild or most likely to be exploited.

Active Risk uses CVSS scores along with intelligence from threat feeds like AttackerKB, Metasploit, ExploitDB, Project Heisenberg, the CISA KEV catalog, and other third-party dark web sources to provide security teams with threat-aware vulnerability risk scores on a scale of 0-1000.

Active Risk is available via InsightVM, InsightCloudSec, Nexpose, and our recently released Executive Risk View.

Enter Active Risk

Exploitability has become one of those terms that the security community has maligned, not out of malice, but simply because it has been applied to too many use cases. Exploitability refers to the ease with which a vulnerability in a computer system, software application, or network can be exploited.

This new risk strategy is focused on delivering unambiguous, near-real-time intelligence by systematically incorporating a number of threat intelligence sources to enhance vulnerability risk scores.

There are a number of vulnerability intelligence sources that fuel prioritization in Active Risk, including:

  1. AttackerKB: Launched in 2020, a forum for the security community at large to share insights and views that help cut through the hype and chaos, with the primary purpose of informing infosec professionals about vulnerabilities and security threats
  2. Project Heisenberg: A network of low-interaction honeypots with a singular purpose: to understand what attackers, researchers, and organizations are doing in, and against, cloud environments. Founded in 2014 by Rapid7, this global network records telemetry about connections and incoming attacks to better understand the tactics, techniques, and procedures used by bots and human attackers
  3. Metasploit: Arguably the most widely used, community-supported ethical hacking framework, used by white hats, security researchers, and generalists in pentesting, red teaming, CTF exercises, and education, as well as in broad or very specialized security assessment exercises
  4. Exploit Database (exploit-db.com): Widely used online repository and reference for security researchers, pentesters, and ethical hackers; it has become a go-to resource offering an extensive archive of exploits and vulnerabilities, allowing users to track the evolution of security threats over time across software, hardware, and operating systems
  5. CISA Known Exploited Vulnerabilities (KEV) Catalog: Established in 2021 by the Cybersecurity & Infrastructure Security Agency to “provide an authoritative source of vulnerabilities that have been exploited ‘in the wild’”; it has seen fairly broad and rapid adoption across industries as a method to focus and improve remediation throughput
  6. OSINT and commercial feeds: Depending on the nature of the vulnerability or threat, the sources above are combined and validated with additional intelligence and context to enhance prioritization results and, ultimately, customer outcomes
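To make the enrichment idea above concrete, here is an added example (not Rapid7's code, and not the Active Risk formula, which the post does not publish) of how a vulnerability's CVSS base score can be combined with exploitation evidence from feeds like the ones listed. The KEV sample is constructed to mimic the catalog's JSON field names (cveID, dateAdded, dueDate, knownRansomwareCampaignUse); the CVE identifiers, the Metasploit and ExploitDB flags, and the point weights in `threat_aware_score` are all hypothetical. The interesting property is that a CVSS 9.8 finding with no known exploitation drops below a CVSS 7.5 finding that is in KEV with a public Metasploit module:

```python
import json
from dataclasses import dataclass

# Constructed sample in the shape of the CISA KEV catalog JSON feed.
# CVE IDs are placeholders, not real entries; pull the live catalog for real data.
KEV_JSON = """{
  "title": "CISA Catalog of Known Exploited Vulnerabilities (constructed sample)",
  "vulnerabilities": [
    {"cveID": "CVE-0000-0001", "dateAdded": "2023-09-01", "dueDate": "2023-09-22",
     "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-0003", "dateAdded": "2023-08-15", "dueDate": "2023-09-05",
     "knownRansomwareCampaignUse": "Unknown"}
  ]
}"""


@dataclass
class Finding:
    cve: str
    cvss: float                 # CVSS v3.1 base score, 0.0-10.0
    metasploit: bool = False    # a public Metasploit module exists (hypothetical flag)
    exploitdb: bool = False     # a public exploit is listed on exploit-db.com (hypothetical flag)
    kev: bool = False           # filled in from the KEV catalog
    ransomware: bool = False    # KEV reports known ransomware campaign use


def load_kev(raw: str) -> dict:
    """Index KEV entries by CVE ID so enrichment is a dictionary lookup."""
    return {v["cveID"]: v for v in json.loads(raw)["vulnerabilities"]}


def enrich(findings: list, kev_index: dict) -> list:
    """Attach KEV membership and ransomware context to each finding in place."""
    for f in findings:
        entry = kev_index.get(f.cve)
        if entry is not None:
            f.kev = True
            f.ransomware = entry.get("knownRansomwareCampaignUse") == "Known"
    return findings


def threat_aware_score(f: Finding) -> int:
    """Illustrative 0-1000 score. CVSS supplies at most 500 points; exploitation
    evidence supplies the rest. The weights are hypothetical, chosen only so
    that the maximum is exactly 1000."""
    score = f.cvss * 50
    if f.kev:
        score += 250
    if f.ransomware:
        score += 100
    if f.metasploit:          # a weaponized module outranks a proof-of-concept
        score += 150
    elif f.exploitdb:
        score += 75
    return min(int(round(score)), 1000)


def prioritize(findings: list) -> list:
    """Rank findings by threat-aware score, highest first."""
    return sorted(findings, key=threat_aware_score, reverse=True)


def sample_findings() -> list:
    """Constructed scanner output: four findings with differing intel coverage."""
    return [
        Finding("CVE-0000-0001", cvss=7.5, metasploit=True),
        Finding("CVE-0000-0002", cvss=9.8),
        Finding("CVE-0000-0003", cvss=6.5, exploitdb=True),
        Finding("CVE-0000-0004", cvss=8.8, exploitdb=True),
    ]


if __name__ == "__main__":
    findings = enrich(sample_findings(), load_kev(KEV_JSON))
    print("CVSS-only order:   ", [f.cve for f in sorted(findings, key=lambda f: f.cvss, reverse=True)])
    print("Threat-aware order:", [(f.cve, threat_aware_score(f)) for f in prioritize(findings)])
```

Running the script shows the CVSS-only ordering (0002, 0004, 0001, 0003) replaced by the threat-aware ordering (0001, 0003, 0004, 0002). Whatever weights a real system uses, the practitioner's check is the same: confirm that a KEV entry with a due date actually rises to the top of the queue, and that a CVSS-critical finding with no exploitation evidence does not crowd it out.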

The immediate value of the threat intel ingestion and normalization that Active Risk provides will, on its own, incentivize and amplify interest in adoption. Active Risk is also CVSS 3.1 compliant across all new CVEs and is ready for future adoption of revised scoring systems (CVSS v4.0 is targeted for publication on October 31, 2023). There is strong market demand for, and intensifying use of, ‘exploitability’ intelligence, as seen in CVSS v4.0 and the aforementioned CISA KEV.

Normalize vulnerability risk scoring across cloud and on-prem environments

Active Risk normalizes risk scores across cloud and on-premises environments so that teams across an organization can assess risk consistently and collaborate effectively.

Security teams can leverage Active Risk dashboard cards in InsightVM and the Executive Risk View in our Cloud Risk Complete solution to support cross-functional conversations.

Active Risk is a step change along the path of risk prioritization improvement, and along the much longer and more winding road we travel together toward improved risk management outcomes.