Threat Score Calculation - Examples

The following examples show how we arrive at a Threat Score.

Example 1

A SAID has two CVEs; both come back as exploited.

Triggered Rules

The following rules are triggered:

CVE1 triggers:
- Historically Linked to Remote Access Trojan
- Linked to Recent Cyber Exploit

CVE2 triggers:
- Historically Linked to Exploit Kit

The Threat Score would be 54.

Calculating the Score

The criticality range is set by the most critical rule triggered, which is critical. This sets the score's range to a minimum of 45 and a maximum of 70.

| Item | Value |
|---|---|
| Base Score | +45 |
| Historically Linked to Exploit Kit | +4 |
| Linked to Recent Cyber Exploit | +1 |
| Historically Linked to Remote Access Trojan | +4 |
| Threat Score (Sum of above values) | 54 |

Example 2

A SAID has seven CVEs, and all come back as exploited.

Triggered Rules

The following rule is triggered by all CVEs:

CVE1, CVE2, CVE3, CVE4, CVE5, CVE6 and CVE7 each trigger:
- Historically Linked to Exploit Kit

The Threat Score would be 70.

Calculating the Score

The criticality range is set by the most critical rule triggered, which is critical. This sets the score's range to a minimum of 45 and a maximum of 70.

| Item | Value |
|---|---|
| Base Score | +45 |
| Historically Linked to Exploit Kit | +4 * 7 CVEs = +28 |
| Threat Score (Sum of above values) | 73 |

Note: At this point, we have exceeded the maximum for a critical threat, which is 70, so the score is 70.

Example 3

A SAID has one CVE and it comes back as exploited.

Triggered Rules

The following rule is triggered:

CVE1 triggers:
- Recently Linked to Malware

The Threat Score would be 27.

Calculating the Score

The criticality range is set by the most critical rule triggered, which is high. This sets the score's range to a minimum of 24 and a maximum of 44.

| Item | Value |
|---|---|
| Base Score | +24 |
| Recently Linked to Malware | +3 |
| Threat Score (Sum of above values) | 27 |

Example 4

A SAID has many CVEs; none come back as exploited.

The score would be 0 because there are no rules triggered.

Advisory with Multiple Vulnerabilities

An advisory Threat Score is based upon each of the CVEs included in an Advisory as specified above. In Software Vulnerability Research, the vulnerabilities that have exploits are indicated with a red circle for easier identification.
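
The calculation walked through in Examples 1 to 4, as an added Python example (not code from Software Vulnerability Research). The names `threat_score`, `Result`, `BANDS` and `RULES` are hypothetical; only the two bands and four rule values shown on this page are included, and rules whose criticality the page does not state are assumed never to set the band.

```python
from typing import NamedTuple, Optional

# Score bands (min, max) as stated on the page; it gives no other bands.
BANDS = {"high": (24, 44), "critical": (45, 70)}
RANK = {None: 0, "high": 1, "critical": 2}

# Rule -> (criticality, points). Points come from the tables above; criticality
# follows Examples 2 and 3. None means the page does not state a level.
# ASSUMPTION: a rule with no stated level never sets the band (fits Example 1).
RULES = {
    "Historically Linked to Exploit Kit": ("critical", 4),
    "Historically Linked to Remote Access Trojan": (None, 4),
    "Linked to Recent Cyber Exploit": (None, 1),
    "Recently Linked to Malware": ("high", 3),
}

class Result(NamedTuple):
    level: Optional[str]   # band that was applied, None when nothing triggered
    raw: int               # base score plus all rule points, before capping
    score: int             # final Threat Score

def threat_score(advisory: dict) -> Result:
    """advisory maps a CVE id to the rule names that CVE triggered."""
    # A rule counts once per CVE that triggers it (Example 2: +4 * 7 CVEs).
    hits = [rule for rules in advisory.values() for rule in set(rules)]
    if not hits:
        return Result(None, 0, 0)              # Example 4: no rules, score 0
    unknown = sorted(set(hits) - set(RULES))
    if unknown:
        raise KeyError(f"no points defined for: {unknown}")
    level = max((RULES[r][0] for r in hits), key=RANK.__getitem__)
    if level is None:
        raise ValueError("band for the triggered rules is not stated on the page")
    base, cap = BANDS[level]
    raw = base + sum(RULES[r][1] for r in hits)
    return Result(level, raw, min(raw, cap))   # cap at the band maximum

if __name__ == "__main__":
    # Constructed input mirroring Example 2 (CVE ids are placeholders).
    seven = {f"CVE{i}": ["Historically Linked to Exploit Kit"] for i in range(1, 8)}
    print(threat_score(seven))   # raw sum exceeds the critical maximum
```

The `raw` field keeps the uncapped sum, so a capped advisory such as Example 2 can be told apart from one that lands on the band maximum exactly.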