Threat Score Calculation - Examples

The following examples explain how we would arrive at a Threat Score.

Example 1

A SAID has two CVEs; both come back as exploited.

Triggered Rules

The following rules are triggered:

CVE1 triggers:
- Historically Linked to Remote Access Trojan
- Recent remote code execution POC verified

CVE2 triggers:
- Historically Linked to Exploit Kit

The Threat Score would be 51.

Calculating the Score

The criticality range is set by the most critical rule triggered, which is critical. This sets the score's range to a minimum of 45 and a maximum of 70.

| Item | Value |
|---|---|
| Base Score | +45 |
| Recent remote code execution POC verified | +4 |
| Linked to Recent Cyber Exploit | +1 |
| Historically Linked to Remote Access Trojan | +1 |
| Threat Score (Sum of above values) | 51 |

Example 2

A SAID has seven CVEs, and all come back as exploited.

Triggered Rules

The following rule is triggered by all CVEs:

CVE1, CVE2, CVE3, CVE4, CVE5, CVE6 and CVE7 each trigger:
- Recently Linked to Malware

The Threat Score would be 23.

Calculating the Score

The criticality range is set by the most critical rule triggered, which is critical. This sets the score's range to a minimum of 13 and a maximum of 23.

| Item | Value |
|---|---|
| Base Score | +13 |
| Recently Linked to Malware | +2 * 7 CVEs = +14 |
| Threat Score (Sum of above values) | 27 |

Note: At this point, we have exceeded the maximum for a critical threat, which is 23, so the score is 23.

Example 3

A SAID has one CVE and it comes back as exploited.

Triggered Rules

The following rule is triggered:

CVE1 triggers:
- Historically exploited in the wild

The Threat Score would be 27.

Calculating the Score

The criticality range is set by the most critical rule triggered, which is high. This sets the score's range to a minimum of 24 and a maximum of 44.

| Item | Value |
|---|---|
| Base Score | +24 |
| Historically exploited in the wild | +3 |
| Threat Score (Sum of above values) | 27 |

Example 4

A SAID has many CVEs; none come back as exploited.

The score would be 0 because there are no rules triggered.

Advisory with Multiple Vulnerabilities

An advisory Threat Score is based upon each of the CVEs included in an Advisory as specified above. In Software Vulnerability Research, the vulnerabilities that have exploits are indicated with a red circle for easier identification.
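
The calculation walked through in Examples 1 to 4, as an added Python example that is not the product's own implementation. The names `RULES` and `threat_score` are hypothetical, the rule values are taken only from the score tables above, and two points are assumptions: that the +4 rule is the one setting the 45 to 70 range in Example 1, and that every rule is counted once per CVE as in Example 2.

```python
# Rule catalogue reconstructed from the score tables in Examples 1-3 only.
# points: value added for each CVE that triggers the rule.
# band:   (min, max) range the rule sets when it is the most critical rule
#         triggered; None where the page does not state a range for it.
RULES = {
    # Assumption: this is the rule that sets the 45-70 range in Example 1.
    "Recent remote code execution POC verified": (4, (45, 70)),
    "Linked to Recent Cyber Exploit": (1, None),
    "Historically Linked to Remote Access Trojan": (1, None),
    "Recently Linked to Malware": (2, (13, 23)),
    "Historically exploited in the wild": (3, (24, 44)),
}


def threat_score(triggered):
    """Return the Threat Score for an advisory.

    triggered maps a CVE label to the list of rule names that CVE triggers.
    """
    hits = [rule for rules in triggered.values() for rule in rules]
    if not hits:
        return 0  # Example 4: no rules triggered, so the score is 0
    unknown = sorted({r for r in hits if r not in RULES})
    if unknown:
        raise KeyError(f"rule not in catalogue: {unknown}")
    bands = [RULES[r][1] for r in hits if RULES[r][1] is not None]
    if not bands:
        raise ValueError("no triggered rule has a known range")
    low, high = max(bands)  # the most critical rule sets the range
    total = low + sum(RULES[r][0] for r in hits)  # base score plus rule values
    return min(total, high)  # cap at the range maximum (Example 2)


# Constructed inputs mirroring the four examples (rule names as in the tables).
EXAMPLE_1 = {
    "CVE1": ["Historically Linked to Remote Access Trojan",
             "Recent remote code execution POC verified"],
    "CVE2": ["Linked to Recent Cyber Exploit"],
}
EXAMPLE_2 = {f"CVE{i}": ["Recently Linked to Malware"] for i in range(1, 8)}
EXAMPLE_3 = {"CVE1": ["Historically exploited in the wild"]}
EXAMPLE_4 = {"CVE1": [], "CVE2": [], "CVE3": []}

if __name__ == "__main__":
    for name, adv in [("Example 1", EXAMPLE_1), ("Example 2", EXAMPLE_2),
                      ("Example 3", EXAMPLE_3), ("Example 4", EXAMPLE_4)]:
        print(name, threat_score(adv))
```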