Methodology & Data Sources: Skybox Vulnerability Center

For more than a decade, Skybox™ Security has been at the forefront of today's vulnerability and threat intelligence research. With a dedicated team of analysts and advanced technology, Skybox provides IT security professionals with the visibility into their attack surface and exploitable attack vectors, so they can target truly critical vulnerabilities with precision and systematically reduce risk.

Skybox Research Lab

The Skybox® Research Lab is the force behind the intelligence used by Skybox® Vulnerability Center and the Skybox® Security Suite. The team of security analysts scours data from dozens of sources and investigates sites in the dark web. The result is the most accurate vulnerability assessments based on Skybox-certified intelligence of the current threat landscape — delivered to you daily.

The work of the Skybox Research Lab tracks tens of thousands of vulnerabilities on more than 8,000 products including:

  • Server and desktop operating systems
  • Business and desktop applications
  • Networking and security technologies
  • Developer tools
  • Internet and mobile applications
  • IoT devices
  • Industrial control system (ICS) and supervisory control and data acquisition (SCADA) devices

While many tasks of the Research Lab are automated, the human element is key. Security analysts validate and enhance data through manual analysis, bringing their knowledge of attack trends, cyber events and tactics, techniques and procedures of today’s cyberattackers. Their ongoing investigations determine what vulnerabilities are being exploited in the wild and packaged in distributed crimeware such as ransomware, malware, exploit kits and other attacks exploiting server-side vulnerabilities.

Research Lab findings are used throughout the Skybox Security Suite via the intelligence feed.

Skybox Vulnerability Index

The charts on the main page of Vulnerability Center show the Skybox™ Vulnerability Index. This Index is a measurement that gives an indication of both the scale and severity of vulnerabilities affecting an enterprise organization at a point in time. The Skybox Vulnerability Index has no upper bound, and there is no maximum number of vulnerabilities.

The Vulnerability Index is calculated daily from a summation of factors assigned to every vulnerability reported in the Skybox Vulnerability Database in a preceding time window. The default time window is 90 days, relevant for an organization with a 90-day vulnerability management cycle from assessment to remediation. The Index can be customized to a 30-day or 180-day rolling time window, allowing organizations to see the impact of faster or slower resolution cycles on overall risk.

Vulnerability severity is used as a weighting factor. Hence 10 new critical vulnerabilities would influence the Vulnerability Index to a greater degree than 10 new low or medium severity vulnerabilities. All vulnerabilities added to the Index are assigned a severity index between 0 and 1, with 1 indicating critical vulnerabilities.

Data Sources

The Skybox Research Lab's team updates the Skybox Vulnerability Database daily, correlating information from more than 30 sources:

  • National Vulnerability Database (NVD)
  • Vendor threat advisories
  • Vulnerability scanners mapping
  • Threat feeds for malware and exploits
  • Catalogs of intrusion prevention signatures from IPS vendors

| SCANNERS | THREAT INTELLIGENCE | VENDOR ADVISORIES | INTRUSION PREVENTION SYSTEMS | OTHER |
| --- | --- | --- | --- | --- |
| * BeyondTrust Retina | ** AlienVault OTX | Adobe | Cisco SourceFire | CERT, ICS-CERT |
| McAfee Foundstone | Exploit-DB | Apple | Fortinet FortiGuard | ** Flexera Secunia |
| Qualys Cloud Platform | ** IBM X-Force Exchange | Cisco PSIRT | HP TippingPoint | Mitre CVE |
| Rapid7 Nexpose | ** Symantec A-Z | Microsoft | McAfee IPS | NIST NVD |
| Tenable Nessus | | Oracle | Palo Alto Networks | Rapid 7 Metasploit |
| Tripwire IP360 | | Red Hat | | Symantec Security Focus |
| | | Siemens | | Zero-day vulnerabilities for published incidents |

*Scanners supported as cross-references with CVE ID

**Supplementary information only, no cross-reference support

Skybox uses the CVE ID to cross-reference the various sources. In addition, our intelligence feed contains vulnerabilities that do not have a CVE reference, such as vulnerabilities that may represent two different risk scenarios on different systems or network configurations, or vulnerabilities with no assigned CVE.

Skybox catalogs records by the first 'reporting date' assigned to a vulnerability from any source. Sometimes, a new vulnerability is added that has an older reporting date, so the historical list is updated with more recent information.
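
The bookkeeping described in the Vulnerability Index and cross-referencing paragraphs can be sketched as follows; this is an added example, not Skybox's code or its actual formula. The feed rows, the placeholder CVE IDs, keeping the highest severity when rows merge, and the window boundaries are assumptions made for illustration.

```python
from datetime import date, timedelta

# Constructed feed rows: (source, CVE ID or None, source-local ID,
# reporting date, severity index in [0, 1]). All values are placeholders.
FEED = [
    ("nvd",      "CVE-0000-0001", "n-1", date(2024, 3, 10), 1.0),
    ("advisory", "CVE-0000-0001", "a-7", date(2024, 3, 2),  0.75),  # same CVE, earlier report
    ("scanner",  "CVE-0000-0002", "s-3", date(2024, 1, 15), 0.5),
    ("advisory", None,            "a-9", date(2024, 2, 20), 0.75),  # no CVE assigned
    ("nvd",      "CVE-0000-0003", "n-4", date(2023, 11, 1), 1.0),
]


def catalog(rows):
    """Merge rows into one record per vulnerability: key -> (first_reported, severity)."""
    merged = {}
    for source, cve, local_id, reported, severity in rows:
        if not 0.0 <= severity <= 1.0:
            raise ValueError(f"severity index out of range: {severity}")
        # Rows sharing a CVE ID are cross-referenced; rows without one stay
        # separate under a (source, local id) key.
        key = cve or (source, local_id)
        first, sev = merged.get(key, (reported, severity))
        # Keep the first reporting date from any source. Keeping the highest
        # severity on a merge is an assumption of this example.
        merged[key] = (min(first, reported), max(sev, severity))
    return merged


def vulnerability_index(records, as_of, window_days=90):
    """Sum the severity weights of records first reported in (as_of - window, as_of]."""
    start = as_of - timedelta(days=window_days)
    return sum(sev for first, sev in records.values() if start < first <= as_of)


if __name__ == "__main__":
    records = catalog(FEED)
    for days in (30, 90, 180):
        print(days, vulnerability_index(records, date(2024, 3, 31), days))
    # Backdating: before the advisory row arrives, the index for 5 March
    # misses CVE-0000-0001 because NVD dates it 10 March.
    early = catalog(FEED[:1] + FEED[2:])
    print(vulnerability_index(early, date(2024, 3, 5), 30),
          vulnerability_index(records, date(2024, 3, 5), 30))
```

The last two values differ because a late-arriving row with an older reporting date changes the index for a day that has already passed, which is why historical figures can move after the fact.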

The severity rating is based on Skybox Security's risk modeling (CVSS V3 compliant), which takes various parameters into account. The CVSS base score ranges from 0 to 10, and a score of 9 or higher indicates a critical vulnerability. These are typically remote code execution or memory corruption vulnerabilities, which means the attacker can gain full control over the affected machine, as opposed to other effects like DoS which are usually considered less severe.