Analyst firm Gartner recently published a report titled, “Implement a Risk-Based Approach to Vulnerability Management.” It focused on a risk-based approach for a vulnerability management process and includes several statements and recommendations that our X-Force Red team strongly supports. Some of them include:

  • “A vulnerability is only as dangerous as the threat exploiting it.”
  • “Vulnerability rating schemes that don’t take into account what threat actors are leveraging in the wild can cause organizations to address less risky issues first.”
  • “Implement a risk-based approach that correlates asset value, the severity of vulnerabilities and threat actor activity via the use of threat intelligence and analytics to calculate a realistic risk rating.”
  • “Prioritizing treatment of vulnerabilities commonly targeted by exploit kits, malware, ransomware and threat actors, while also considering asset criticality and external exposure, will focus remediation on the elimination of imminent risks.”

How Can Security Teams Optimize the Vulnerability Management Process?

X-Force Red built X-Force Red Vulnerability Management Services (VMS) with these same methodologies in mind. One of the biggest challenges plaguing security teams worldwide is figuring out which vulnerabilities, out of hundreds of thousands that are uncovered daily, to remediate first.

With limited time and resources, security teams manually sift through each vulnerability, trying to decipher which one could cause the most harm to their organization. Many have relied on the Common Vulnerability Scoring System (CVSS), but those scores do not factor in the importance of an exposed asset, or whether the vulnerability is actively weaponized by criminals.

As a result, security teams often waste time following up on false positives and minimal risk vulnerabilities, while the most dangerous ones remained unpatched.

Inside X-Force Red’s Vulnerability Ranking Formula

X-Force Red set out to help organizations tackle the prioritization problem by focusing on the same key components covered in Gartner’s recent report: weaponization, severity and asset value. X-Force Red VMS includes automated ranking.

This image is from X-Force Red. It shows how X-Force Red VMS ranks vulnerabilities, with the most critical one being clearly stated on the top of the pyramid. The ranking is based on if the vulnerability is being weaponized, value of the exposed asset and criticality.

After a scan produces an extensive list of vulnerabilities, our proprietary analytics correlate the criticality, asset value and active exploits. We then automatically rank the vulnerabilities, prioritizing those that have been weaponized to expose a high-value asset. Whereas manual prioritization methods typically take four to five days to complete, our ranking is done within minutes, enabling remediation to begin immediately.

The core function of our ranking formula is prioritizing vulnerabilities by risk. A broken door on a safe is a serious vulnerability; a broken door on a safe with a burglar outside is a more serious vulnerability. We train your enterprise to start by securing the latter.

We apply that philosophy to every vulnerability we detect, and, based on its latest report, it’s clear Gartner shares that view.

Download the complete Gartner report

More from Software Vulnerabilities

X-Force Prevents Zero Day from Going Anywhere

8 min read - This blog was made possible through contributions from Fred Chidsey and Joseph Lozowski. The 2023 X-Force Threat Intelligence Index shows that vulnerability discovery has rapidly increased year-over-year and according to X-Force’s cumulative vulnerability and exploit database, only 3% of vulnerabilities are associated with a zero day. X-Force often observes zero-day exploitation on Internet-facing systems as a vector for initial access however, X-Force has also observed zero-day attacks leveraged by attackers to accomplish their goals and objectives after initial access was…

8 min read

Patch Tuesday -> Exploit Wednesday: Pwning Windows Ancillary Function Driver for WinSock (afd.sys) in 24 Hours

12 min read - ‘Patch Tuesday, Exploit Wednesday’ is an old hacker adage that refers to the weaponization of vulnerabilities the day after monthly security patches become publicly available. As security improves and exploit mitigations become more sophisticated, the amount of research and development required to craft a weaponized exploit has increased. This is especially relevant for memory corruption vulnerabilities.Figure 1 — Exploitation timelineHowever, with the addition of new features (and memory-unsafe C code) in the Windows 11 kernel, ripe new attack surfaces can…

12 min read

Direct Kernel Object Manipulation (DKOM) Attacks on ETW Providers

17 min read - Overview In this post, IBM Security X-Force Red offensive hackers analyze how attackers, with elevated privileges, can use their access to stage Windows Kernel post-exploitation capabilities. Over the last few years, public accounts have increasingly shown that less sophisticated attackers are using this technique to achieve their objectives. It is therefore important that we put a spotlight on this capability and learn more about its potential impact. Specifically, in this post, we will evaluate how Kernel post-exploitation can be used…

17 min read

Dissecting and Exploiting TCP/IP RCE Vulnerability “EvilESP”

10 min read - September’s Patch Tuesday unveiled a critical remote vulnerability in tcpip.sys, CVE-2022-34718. The advisory from Microsoft reads: “An unauthenticated attacker could send a specially crafted IPv6 packet to a Windows node where IPsec is enabled, which could enable a remote code execution exploitation on that machine.” Pure remote vulnerabilities usually yield a lot of interest, but even over a month after the patch, no additional information outside of Microsoft’s advisory had been publicly published. From my side, it had been a…

10 min read