Methodology & Data Sources: Skybox Vulnerability Center

For more than a decade, Skybox™ Security has been at the forefront of today's vulnerability and threat intelligence research. With a dedicated team of analysts and advanced technology, Skybox provides IT security professionals with the visibility into their attack surface and exploitable attack vectors, so they can target truly critical vulnerabilities with precision and systematically reduce risk.

Skybox Research Lab

The Skybox™ Research Lab is the force behind the intelligence used by Skybox™ Vulnerability Center and the Skybox™ Security Suite. Our team of security analysts scours data from more than 30 leading public and private security feeds as well as more than 700,000 sites in the dark web. Skybox uses this information to correlate the vulnerabilities in an organization’s native environment with those being exploited in the wild — applying attack simulation and considering elements such as compensating controls, network context and potential business impact.

The result is the most accurate vulnerability analysis based on Skybox-certified intelligence of the current threat landscape, with clear identification of the imminent threats that should be addressed immediately, augmented with recommendations for ongoing, gradual risk reduction. The work of the Skybox Research Lab tracks tens of thousands of vulnerabilities on more than 7,500 products including:

  • Server and desktop operating systems
  • Business and desktop applications
  • Networking and security technologies
  • Development tools
  • Internet and mobile applications
  • IoT devices
  • Industrial control system (ICS) and supervisory control and data acquisition (SCADA) devices

While many tasks of the Research Lab are automated, the human element is key. Security analysts validate and enhance data through manual analysis, bringing their knowledge of attack trends, cyber events and the tactics, techniques and procedures of today’s cyber-attackers. Their ongoing investigations determine which vulnerabilities are being exploited in the wild and packaged in distributed crimeware such as ransomware, malware, exploit kits and other attacks exploiting client-side and server-side vulnerabilities.

Research Lab findings are used throughout the Skybox Security Suite via the intelligence feed.

Skybox Vulnerability Index

The charts on the main page of Vulnerability Center show the Skybox™ Vulnerability Index. This Index is a measurement that gives an indication of both the scale and severity of vulnerabilities affecting an enterprise organization at a point in time. The Skybox Vulnerability Index has no upper bound, and there is no maximum number of vulnerabilities.

The Vulnerability Index is calculated daily from a summation of factors assigned to every vulnerability reported in the Skybox Vulnerability Database in a preceding time window. The default time window is 90 days, relevant for an organization with a 90-day vulnerability management cycle from assessment to remediation. The Index can be customized to a 30-day or 180-day rolling time window, allowing organizations to see the impact of faster or slower resolution cycles on overall risk.

Vulnerability severity is used as a weighting factor. Hence 10 new critical vulnerabilities would influence the Vulnerability Index to a greater degree than 10 new low or medium severity vulnerabilities. All vulnerabilities added to the Index are assigned a severity index between 0 and 1, with 1 indicating critical vulnerabilities.

Data Sources

The Skybox Research Lab's team updates the Skybox Vulnerability Database daily, correlating the information from more than 30 sources:

  • National Vulnerability Database (NVD)
  • Vendor threat advisories
  • Vulnerability scanners mapping
  • Threat feeds for malware and exploits
  • Catalogs of intrusion prevention signatures from IPS vendors
Sources by category:

  • Scanners: BeyondTrust Retina, McAfee Foundstone, Qualys Cloud Platform, Rapid7 Nexpose, Tenable Nessus, Tripwire IP360
  • Threat intelligence: AlienVault OTX, Exploit-DB, Recorded Future, Symantec A-Z
  • Vendor advisories: Adobe, Apple, Cisco, Microsoft, Oracle, Red Hat
  • Intrusion prevention systems: Fortinet FortiGuard, McAfee IPS, Palo Alto Networks, Trend Micro TippingPoint, Cisco SourceFire
  • Other: CERT, ICS CERT, Flexera Secunia, IBM X-Force, Mitre CVE, NIST NVD, OSVDB
  • Additional sources: Symantec Security Focus, Rapid 7 Metasploit, zero-day vulnerabilities for published incidents

Skybox uses CVE identifiers to cross-reference the various sources. In addition, our intelligence feed contains vulnerabilities that do not have a CVE reference, such as vulnerabilities that represent two different risk scenarios on different systems or network configurations, or vulnerabilities to which no CVE has been assigned.

Skybox catalogs records by the first 'reporting date' assigned to a vulnerability from any source. Sometimes a newly added vulnerability carries an older reporting date, in which case the historical list is updated with the more recent information.

The severity rating is based on Skybox Security's risk modeling (CVSS v3 compliant), which takes various parameters into account. The CVSS base score ranges from 0 to 10, and a score of 9 or higher indicates a critical vulnerability. These are typically remote code execution or memory corruption vulnerabilities, which means the attacker can gain full control over the affected machine, as opposed to other effects such as DoS, which are usually considered less severe.