Vulnerability Prioritization FAQ
General Information
How is vulnerability remediation prioritized today?
- CVSS score: The Common Vulnerability Scoring System (CVSS) provides a way to capture the principal characteristics of a vulnerability and produce a numerical score reflecting its severity. The numerical score can then be translated into a qualitative representation (such as low, medium, high, and critical) to help organizations properly assess and prioritize their vulnerability management processes.
- Exploit Availability: Whether a proof-of-concept exploit exists or if the exploit code has been released “in the wild.” Vulnerabilities with known, public exploits should be prioritized because they can be more easily leveraged by attackers.
- Asset criticality: The importance of the affected asset to the organization should be considered.
- Attack vector: The ease with which an attacker can exploit the vulnerability; remote code execution vulnerabilities are one example.
- Business Impact: The potential impact on business operations if the vulnerability were to be exploited.
- Patch availability: Whether a patch is available.
Why are the patching indicators used today not good enough?
- Most of the intelligence provided by vulnerability management vendors comes from third-party organizations. This means that:
  - There is a substantial difference in urgency between a vulnerability that is marked “in the wild” and one that has active attack and exploit traffic occurring. Current solutions cannot provide this sort of timely information.
  - Exploitability information is often out of date when it comes from third-party aggregated sources; a primary source is required for the information to be both timely and fresh.
  - The evidence supporting prioritization is often based on narrative sources (e.g. posts on x.com) rather than hard data such as attacker IPs or packet captures of exploit traffic.
  - There is no single source of truth for “in the wild” exploitation.
  - The collection process is manual and takes time and resources.
How does GreyNoise Vulnerability Prioritization differ from other vulnerability intelligence products?
- Unique Perspective: We help practitioners understand the exploitability of a vulnerability based on real observation in the wild through thousands of purpose-built sensors across the world.
- Timely: We help practitioners get near-real-time updates on what is getting exploited and how it’s trending, rather than providing information that is days or weeks old.
- Evidence: We help practitioners get artifacts of the actual exploit binaries. This helps them understand how the exploitation works, and how to write detection rules for firewalls and network security products.
- Machine consumable: We help practitioners leverage our data for automation. We want to make it easy for practitioners to consume and automate actions with our intelligence. We want to make their workflows faster and more effective.
Why should I care about “Active In The Wild” exploitation?
“In the wild” exploitation is a key indicator that vulnerability managers must take into account when prioritizing patching. It indicates that exploit code has been released and incorporated into rootkits, botnets, and other malware, raising the risk of compromise. GreyNoise Vulnerability Prioritization includes information on current exploit activity, alerting security professionals when attacks are not just theoretically possible but actually occurring right now.
How is that question (ITW exploitation) typically answered today?
- CISA’s Known Exploited Vulnerabilities (KEV) Catalog
  - Key Issues
    - Doesn’t give context around the exploitation. For example, it doesn’t tell you how it’s trending, what IPs are exploiting it, or what geographical region the exploitation is happening in.
    - It gets its information from 3rd parties, making it slower, incomplete, not up to date, and lacking context.
- Vulnerability Intelligence from vendors such as Qualys, Tenable, and Rapid7
  - Key Issues
    - Information is not automated or in real time. These vendors rely on discussion forums, social media, and incident response reports to gather intelligence. The information is often days old, when every hour is critical.
    - Some of the feeds do not have coverage for internet-exposed assets.
    - Intelligence is repackaged from other sources, some of which may not be reliable.
- Manufacturers/vendors of the product
  - Key Issues
    - Exploitability information is incomplete and outdated. In most cases, they are not the first to know about the vulnerability. They update their blog once every 3-4 days while the exploitation trend changes every hour. Several vendors take a conservative approach of publishing as little detail as possible because of potential legal risk.
- Independent researchers, non-profits, and government agencies
  - Key Issues
    - Gathering the information published by researchers is cumbersome as it relies on scavenging social media sites and blogs. In addition, the credibility of the data can be questionable. There is no reliable single source of truth.
Who can benefit from using GreyNoise Vulnerability Prioritization?
Vulnerability managers and vulnerability intelligence teams.
Product Usage
How do I get started with GreyNoise Vulnerability Prioritization?
There are two primary ways you can get started with GreyNoise Vulnerability Prioritization:
- You can search for a CVE for free at viz.greynoise.io or via the API.
- You can contact your CX rep or [email protected] to demo our enterprise offering and learn more about our capabilities.
Is there documentation available?
Yes, you can find documentation on GreyNoise Vulnerability Prioritization here.
What types of vulnerabilities does GreyNoise cover?
Currently, GreyNoise focuses on remotely exploitable vulnerabilities. We specifically address those where their CVSS v3.1 Access Vector is Network (AV:N) and focus on those with either no or low Privileges Required (PR:N, PR:L) although in some cases we also address high (PR:H).
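As an added example (not GreyNoise code), the following Python parses a CVSS v3.1 vector string and applies the coverage rule just described: AV:N with PR:N or PR:L is in scope, PR:H is handled case by case, and anything else is out of scope. The vector strings are constructed samples, not data for any real CVE.

```python
# Added example, not GreyNoise code: parse a CVSS v3.1 vector string and
# apply the coverage rule stated above (AV:N with PR:N or PR:L in scope,
# PR:H only case by case, everything else out of scope).
from dataclasses import dataclass

BASE_METRICS = {"AV", "AC", "PR", "UI", "S", "C", "I", "A"}  # mandatory in v3.1

@dataclass(frozen=True)
class Coverage:
    in_scope: bool
    reason: str

def parse_cvss31(vector: str) -> dict:
    """Split 'CVSS:3.1/AV:N/AC:L/...' into a metric -> value dict; reject
    malformed, duplicate or non-3.1 input instead of silently guessing."""
    parts = vector.strip().split("/")
    if parts[0] != "CVSS:3.1":
        raise ValueError(f"not a CVSS v3.1 vector: {vector!r}")
    metrics = {}
    for part in parts[1:]:
        key, sep, value = part.partition(":")
        if not sep or not value or key in metrics:
            raise ValueError(f"malformed or duplicate metric {part!r}")
        metrics[key] = value
    missing = BASE_METRICS - metrics.keys()
    if missing:
        raise ValueError(f"missing base metrics: {sorted(missing)}")
    return metrics

def classify(vector: str) -> Coverage:
    m = parse_cvss31(vector)
    if m["AV"] != "N":
        return Coverage(False, f"attack vector {m['AV']} is not Network")
    if m["PR"] in ("N", "L"):
        return Coverage(True, f"AV:N with PR:{m['PR']}")
    if m["PR"] == "H":
        return Coverage(False, "AV:N but PR:H; covered only case by case")
    raise ValueError(f"unknown PR value {m['PR']!r}")

# Constructed sample vectors, not taken from any real CVE.
SAMPLES = {
    "net-unauth": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
    "net-low-priv": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
    "net-high-priv": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
    "local": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
}

def triage(samples: dict = SAMPLES) -> dict:
    # True for each sample that falls inside the coverage described above
    return {name: classify(v).in_scope for name, v in samples.items()}
```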
What are the key features of GreyNoise Vulnerability Prioritization?
Key actions we recommend users take:
- Blocklist: Use our dynamic blocklist to block IPs that are actively exploiting a vulnerability.
- Alerts: Create an Alert for a CVE so you can be informed when it is actively being exploited in the wild.
Technical Details
How does GreyNoise gather and analyze vulnerability data?
We use our honeypots and tagging engine to monitor for in-the-wild usage of vulnerabilities. We combine this with NIST, CISA, and 3rd-party data about CVEs.
How often is the vulnerability database updated?
Updates happen within an hour currently; by the end of 2024 this will occur within minutes.
Integration and API
Does GreyNoise Vulnerability Prioritization offer an API for integration?
Yes. You can access your API key on your account settings page. Visit https://www.greynoise.io/integrations for the full list of integrations.
How do I integrate GreyNoise Vulnerability Prioritization with my existing security tools?
We are currently working to add support to many of our current integrations. If you have a specific integration request that we have not completed yet, please email [email protected]
Are there any SDKs or libraries available for easier integration?
The GreyNoise SDK includes CVE lookup commands to support this.
Pricing & Packaging
What are the pricing plans for GreyNoise Vulnerability Prioritization?
Contact [email protected] for pricing information.
Is there a free trial or demo available?
Yes. You can contact [email protected] to request a demo.
Troubleshooting
What should I do if I encounter an issue with GreyNoise Vulnerability Prioritization?
If you are a GreyNoise Vulnerability Prioritization customer, contact your CX rep. Otherwise, contact [email protected] and we will get back to you promptly.
Can I request new features or provide feedback?
Yes! We would love to hear from you. You can email [email protected] with any feature requests or feedback that you have.
Miscellaneous
Why not wait until a CVE is in KEV before prioritizing?
KEV is a strong indicator. However, it is, by name, “known exploited,” which means any time between when exploitation begins and when it is added to the KEV is wasted. Exploitation has to begin somewhere before it is socialized to be added.
How do I stay informed about new features and updates?
You can subscribe to our product updates on your account details page at viz.greynoise.io. Check the “I'd like to receive product updates from GreyNoise” box at the bottom of the page and save your changes.
Are there any upcoming webinars or events related to GreyNoise Vulnerability Prioritization?
You can find all our upcoming events here.
Product Roadmap
What new features or enhancements are planned for future releases?
GreyNoise Product Management performs quarterly roadmap webinars. See the GreyNoise Events calendar for the next scheduled update.
How can I participate in beta testing for new features?
Reach out to [email protected] if you would like to be added as a design partner or beta tester for future releases.