Risk-Based Vulnerability Management (RBVM)


Risk-Based Vulnerability Management (RBVM) is a cybersecurity strategy that prioritizes the remediation of vulnerabilities based on the potential risk they pose to an organization. Instead of simply addressing vulnerabilities in the order they are discovered or solely based on their severity rating, RBVM uses a more contextual approach.

Here's a breakdown of the key components of RBVM:

  • Vulnerability Identification: This involves using tools and techniques to discover vulnerabilities in systems, applications, and networks.

  • Vulnerability Assessment: This step evaluates each vulnerability's characteristics, such as its severity (e.g., CVSS score), exploitability, and potential impact.

  • Asset Valuation: RBVM emphasizes understanding the value of the assets affected by vulnerabilities. Critical systems and sensitive data are given higher priority.

  • Threat Assessment: This involves analyzing the current threat landscape, including prevalent attack vectors, known exploits, and the likelihood of exploitation.

  • Risk Prioritization: This is the core of RBVM. Vulnerabilities are prioritized based on the combination of vulnerability assessment, asset valuation, and threat assessment. A high-severity vulnerability on a low-value asset might be a lower priority than a medium-severity vulnerability on a critical system that attackers frequently target.

  • Remediation: This involves addressing the vulnerabilities, such as patching systems, configuring security controls, or implementing workarounds.

  • Verification: After remediation, verifying that the vulnerability has been effectively addressed is essential.

  • Monitoring and Reporting: RBVM is an ongoing process that involves continuous monitoring for new vulnerabilities, tracking remediation efforts, and reporting on the organization's vulnerability management posture.

RBVM helps organizations make more informed decisions about vulnerability management, enabling them to use their resources effectively and reduce their overall risk.
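The prioritization rule described above, as an added example that is not ThreatNG's code or scoring model: a small Python scorer that combines CVSS severity, asset value and exploit evidence (EPSS probability and known-exploited status) so that a medium-severity finding on a critical, actively exploited, internet-facing system outranks a critical-severity finding on a throwaway host. The weights, floors, exposure discount, placeholder CVE identifiers and sample findings are all assumptions constructed for illustration.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Finding:
    """One vulnerability instance on one asset (constructed sample data)."""
    asset: str
    cve: str               # placeholder identifiers, not real advisories
    cvss: float            # vendor severity rating, 0.0 to 10.0
    asset_value: int       # business criticality, 1 (throwaway) to 5 (crown jewel)
    epss: float            # probability of exploitation, 0.0 to 1.0
    in_kev: bool           # listed in a known-exploited-vulnerabilities catalogue
    externally_exposed: bool

KEV_LIKELIHOOD = 0.9     # assumed floor once in-the-wild exploitation is confirmed
BASE_LIKELIHOOD = 0.05   # assumed floor so severity still matters with no exploit data

def likelihood(f: Finding) -> float:
    """Threat-assessment term: confirmed exploitation dominates the raw probability."""
    value = max(BASE_LIKELIHOOD, f.epss)
    if f.in_kev:
        value = max(value, KEV_LIKELIHOOD)
    return value

def risk_score(f: Finding) -> float:
    """Combine severity, asset value, likelihood and reachability into a 0-100 score."""
    severity = f.cvss / 10.0
    impact = f.asset_value / 5.0
    exposure = 1.0 if f.externally_exposed else 0.5   # assumed discount for internal-only reach
    return round(100 * severity * impact * likelihood(f) * exposure, 2)

def prioritize(findings):
    """Order findings from highest to lowest risk (the RBVM remediation queue)."""
    return sorted(findings, key=risk_score, reverse=True)

def severity_order(findings):
    """The naive CVSS-only ordering, kept for comparison."""
    return sorted(findings, key=lambda f: f.cvss, reverse=True)

def reassess_exposure(f: Finding, exposed: bool) -> float:
    """Re-score when monitoring reports a change in reachability."""
    return risk_score(replace(f, externally_exposed=exposed))

SAMPLE = [
    Finding("test-web-01", "CVE-YYYY-AAAA", 9.8, 1, 0.02, False, True),   # critical CVSS, low value
    Finding("billing-db-01", "CVE-YYYY-BBBB", 6.5, 5, 0.40, True, True),  # medium CVSS, in KEV
    Finding("hr-intranet", "CVE-YYYY-CCCC", 7.5, 3, 0.10, False, False),  # internal only
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE):
        print(f"{risk_score(f):6.2f}  {f.asset:14s} {f.cve} (CVSS {f.cvss})")
    print("hr-intranet if it became internet-facing:", reassess_exposure(SAMPLE[2], True))
```

Running it ranks billing-db-01 first and test-web-01 last, the reverse of the CVSS-only order, and doubles the hr-intranet score once that host is reported as externally reachable.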

ThreatNG and Risk-Based Vulnerability Management

ThreatNG provides data and assessments that align well with the core principles of RBVM, enabling organizations to prioritize vulnerabilities based on risk.

1. External Discovery

  • ThreatNG’s Capability: ThreatNG performs external, unauthenticated discovery. This is fundamental to RBVM as it establishes the complete inventory of externally facing assets with vulnerabilities.

  • Example: ThreatNG discovers all subdomains and web applications. This is crucial for RBVM because it identifies all potential attack vectors. For instance, if ThreatNG discovers a forgotten subdomain hosting a critical application, vulnerabilities on that subdomain would be prioritized higher due to the application's importance.

  • Synergy with Complementary Solutions:

    • Asset Management Systems: ThreatNG's discovery data can usefully feed into asset management systems, which can then enrich this data with business criticality information. For example, suppose ThreatNG finds a vulnerability on a server. In that case, the asset management system can indicate if that server hosts a critical database, thus increasing the vulnerability's priority within an RBVM framework.

2. External Assessment

ThreatNG's external assessment capabilities provide key inputs for the risk calculation in RBVM:

  • Vulnerability Information: ThreatNG provides direct vulnerability information.

    • Example: ThreatNG's Domain Intelligence module covers parameters, including vulnerabilities, to determine cyber risk exposure. If ThreatNG identifies a system with a publicly known and actively exploited vulnerability, this significantly increases the risk and thus the priority in RBVM.

  • Impact Assessment: ThreatNG provides data that helps assess the potential impact of a vulnerability.

    • Example: ThreatNG assesses Web Application Hijack Susceptibility. A high susceptibility score indicates a potentially high-impact vulnerability, as a successful hijack can lead to data breaches and service disruption. Similarly, ThreatNG's assessment of Data Leak Susceptibility helps prioritize vulnerabilities that could expose sensitive information.

  • Likelihood Assessment: ThreatNG provides information relevant to the likelihood of exploitation.

    • Example: ThreatNG's intelligence repositories, such as DarCache Vulnerability, provide information on known exploits. If ThreatNG identifies a vulnerability for which a working exploit exists, the likelihood of exploitation increases its risk score in RBVM.

  • Synergy with Complementary Solutions:

    • Vulnerability Scanners: ThreatNG's vulnerability findings can usefully feed into vulnerability scanners. The scanners can then provide more detailed vulnerability information (e.g., CVSS scores), which can be combined with ThreatNG's impact and likelihood assessments to refine the risk calculation in RBVM.

    • Threat Intelligence Platforms (TIPs): Threat intelligence platforms provide real-time information on threat actors and their campaigns. Combining ThreatNG's vulnerability data with TIP data allows for dynamic risk scoring. For instance, if a vulnerability is not rated as critical but actively exploited by a sophisticated threat group, its risk and priority should be elevated in RBVM.

3. Reporting

  • ThreatNG’s Capability: ThreatNG provides prioritized reports. These reports directly support RBVM by providing a risk-based ranking of vulnerabilities.

  • Example: ThreatNG's reports include risk levels to help organizations prioritize their security efforts. This aligns perfectly with RBVM's goal of first focusing on the highest-risk vulnerabilities.

  • Synergy with Complementary Solutions:

    • GRC (Governance, Risk, and Compliance) Systems: ThreatNG's prioritized reports can usefully integrate with GRC systems. This enables organizations to track remediation efforts, demonstrate compliance with security policies, and report on their vulnerability management posture, all within a risk-based context.

4. Continuous Monitoring

  • ThreatNG’s Capability: ThreatNG continuously monitors the external attack surface. This is essential for RBVM because the threat landscape and an organization's exposure can change rapidly.

  • Example: ThreatNG continuously monitors an organization's entire external attack surface, digital risk, and security ratings. Suppose ThreatNG detects a new critical vulnerability or a change in an asset's exposure (e.g., a previously internal system becomes externally accessible). In that case, it triggers an immediate reassessment of risk and prioritization within the RBVM framework.

  • Synergy with Complementary Solutions:

    • Security Orchestration, Automation and Response (SOAR) Platforms: ThreatNG's alerts about high-risk vulnerabilities can trigger automated workflows in SOAR platforms. These workflows can automatically prioritize remediation tasks, assign them to the appropriate teams, and track their progress, all within the RBVM context.

5. Investigation Modules

ThreatNG's investigation modules provide detailed information that is valuable for understanding the context and potential impact of vulnerabilities, which is crucial for accurate risk assessment in RBVM:

  • Domain Intelligence: This module provides context about domains and subdomains, which is crucial for assessing the criticality of a vulnerable asset.

    • Example: ThreatNG's Subdomain Intelligence feature can identify a subdomain's purpose (e.g., whether it hosts a critical application or a test environment). This information directly influences the asset valuation component of RBVM.

  • Sensitive Code Exposure: This module discovers exposed credentials and sensitive information in code repositories.

    • Example: Discovering exposed database credentials in a public code repository is high-risk because it could lead to immediate data breaches. This information is critical for both the impact and likelihood assessment in RBVM.

  • Cloud and SaaS Exposure: This module identifies cloud services and SaaS implementations, providing context for vulnerabilities in those environments.

    • Example: If ThreatNG identifies a vulnerability in a cloud storage service used to store sensitive customer data, the potential impact will be significantly increased, leading to a higher risk score in RBVM.

  • Synergy with Complementary Solutions:

    • Configuration Management Databases (CMDBs): ThreatNG's investigation data can correlate with CMDB information to understand system dependencies. This helps prioritize vulnerabilities that could cascade and impact multiple critical systems, a key consideration in RBVM.

6. Intelligence Repositories (DarCache)

  • ThreatNG’s Capability: ThreatNG's intelligence repositories (DarCache) provide valuable threat intelligence that enhances the risk assessment in RBVM.

    • Example: The Vulnerabilities (DarCache Vulnerability) repository provides information on vulnerabilities, including whether there are known exploits (DarCache eXploit) and exploitation-likelihood indicators (DarCache EPSS, DarCache KEV). This information is essential for assessing the likelihood of exploitation, a key factor in RBVM.

  • Synergy with Complementary Solutions:

    • Threat Intelligence Platforms (TIPs): DarCache data can usefully enrich TIPs, providing context for vulnerabilities. For example, suppose DarCache indicates that a known ransomware group is actively exploiting a vulnerability (DarCache Ransomware). In that case, a TIP can use that information to increase the priority of that vulnerability in RBVM.

ThreatNG significantly enhances Risk-Based Vulnerability Management by providing comprehensive external attack surface visibility, detailed risk assessments, continuous monitoring, and valuable threat intelligence. Its capabilities enable organizations to move beyond basic vulnerability prioritization and adopt a more informed, risk-driven approach. The potential synergies with complementary solutions further amplify its effectiveness in a holistic vulnerability management strategy.
