For more than a decade, Skybox™ Security has been at the forefront of today's vulnerability and threat intelligence research. With a dedicated team of analysts and advanced technology, Skybox provides IT security professionals with the visibility into their attack surface and exploitable attack vectors, so they can target truly critical vulnerabilities with precision and systematically reduce risk.
Skybox Research Lab
The Skybox® Research Lab is the force behind the intelligence used by Skybox® Vulnerability Center and the Skybox® Security Suite. The team of security analysts scours data from dozens of sources and investigates sites in the dark web. The result is the most accurate vulnerability assessments based on Skybox-certified intelligence of the current threat landscape, delivered to you daily.
The work of the Skybox Research Lab tracks tens of thousands of vulnerabilities on more than 8,000 products including:
Industrial control system (ICS) and supervisory control and data acquisition (SCADA) devices
While many tasks of the Research Lab are automated, the human element is key. Security analysts validate and enhance data through manual analysis, bringing their knowledge of attack trends, cyber events and tactics, techniques and procedures of today's cyberattackers. Their ongoing investigations determine what vulnerabilities are being exploited in the wild and packaged in distributed crimeware such as ransomware, malware, exploit kits and other attacks exploiting server-side vulnerabilities.
Research Lab findings are used throughout the Skybox Security Suite via the intelligence feed.
Skybox Vulnerability Index
The charts on the main page of Vulnerability Center show the Skybox™ Vulnerability Index. This Index is a measurement that gives an indication of both the scale and severity of vulnerabilities affecting an enterprise organization at a point in time. The Skybox Vulnerability Index has no upper bound, and there is no maximum number of vulnerabilities.
The Vulnerability Index is calculated daily from a summation of factors assigned to every vulnerability reported in the Skybox Vulnerability Database in a preceding time window. The default time window is 90 days, relevant for an organization with a 90-day vulnerability management cycle from assessment to remediation. The Index can be customized to a 30-day or 180-day rolling time window, allowing organizations to see the impact of faster or slower resolution cycles on overall risk.
Vulnerability severity is used as a weighting factor. Hence 10 new critical vulnerabilities would influence the Vulnerability Index to a greater degree than 10 new low or medium severity vulnerabilities. All vulnerabilities added to the Index are assigned a severity index between 0 and 1, with 1 indicating critical vulnerabilities.
Data Sources
The Skybox Research Lab's team updates the Skybox Vulnerability Database daily, correlating information from more than 30 sources:
| SCANNERS | THREAT INTELLIGENCE | VENDOR ADVISORIES | INTRUSION PREVENTION SYSTEMS | OTHER |
|---|---|---|---|---|
| * BeyondTrust Retina | ** AlienVault OTX | Adobe | Cisco SourceFire | CERT, ICS-CERT |
| McAfee Foundstone | Exploit-DB | Apple | Fortinet FortiGuard | ** Flexera Secunia |
| Qualys Cloud Platform | ** IBM X-Force Exchange | Cisco PSIRT | HP TippingPoint | Mitre CVE |
| Rapid7 Nexpose | ** Symantec A-Z | Microsoft | McAfee IPS | NIST NVD |
| Tenable Nessus | | Oracle | Palo Alto Networks | Rapid 7 Metasploit |
| Tripwire IP360 | | Red Hat | | Symantec Security Focus |
| | | Siemens | | Zero-day vulnerabilities for published incidents |
*Scanners supported as cross-references with CVE ID
**Supplementary information only, no cross reference support
Skybox uses the CVE to cross-reference the various sources. In addition, our intelligence feed contains vulnerabilities that do not have a CVE reference, such as vulnerabilities that may represent two different risk scenarios on different systems or network configurations, or vulnerabilities with no assigned CVE.
Skybox catalogs records by the first 'reporting date' assigned to a vulnerability from any source. Sometimes, a new vulnerability is added that has an older reporting date, so the historical list is updated with more recent information.
The severity rating is based on Skybox Security's risk modeling (CVSS v3 compliant), which takes various parameters into account. The CVSS base score ranges from 0 to 10, and a score of 9 or higher indicates a critical vulnerability. These are typically remote code execution or memory corruption vulnerabilities, which means the attacker can gain full control over the affected machine, as opposed to other effects like DoS, which are usually considered less severe.
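The rolling-window calculation described under Skybox Vulnerability Index, combined with the first-reporting-date rule above, can be sketched as follows. This is an added example, not Skybox's own code: the exact factors Skybox sums are not published on this page, so the CVSS-to-severity-index mapping, the record layout and all sample data are assumptions.

```python
from datetime import date, timedelta

# Constructed sample records: (vuln_id, source, reporting_date, cvss_base).
# Ids, sources and scores are made up for this example.
SAMPLE = [
    ("VULN-A", "scanner", date(2024, 3, 1), 9.8),
    ("VULN-A", "advisory", date(2024, 2, 20), 9.8),  # earlier report of VULN-A
    ("VULN-B", "advisory", date(2024, 1, 10), 5.0),
    ("VULN-C", "ips", date(2023, 11, 15), 7.5),
    ("VULN-D", "scanner", date(2024, 3, 10), 3.0),
]

def severity_index(cvss):
    """Assumed mapping to the 0..1 severity index: CVSS 9+ -> 1.0, else cvss / 10."""
    if not 0.0 <= cvss <= 10.0:
        raise ValueError(f"CVSS base score out of range: {cvss}")
    return 1.0 if cvss >= 9.0 else cvss / 10.0

def first_reports(records):
    """One entry per vulnerability: earliest reporting date from any source.

    Keeping the highest score when sources disagree is an assumption.
    """
    merged = {}
    for vuln_id, _source, reported, cvss in records:
        first, score = merged.get(vuln_id, (reported, cvss))
        merged[vuln_id] = (min(first, reported), max(score, cvss))
    return merged

def vulnerability_index(records, as_of, window_days=90):
    """Sum severity indexes of vulnerabilities first reported in (as_of - window, as_of]."""
    if window_days not in (30, 90, 180):
        raise ValueError("the page describes 30-, 90- and 180-day windows only")
    start = as_of - timedelta(days=window_days)
    total = sum(
        severity_index(score)
        for first, score in first_reports(records).values()
        if start < first <= as_of
    )
    return round(total, 4)  # no upper bound: grows with count and severity

if __name__ == "__main__":
    today = date(2024, 3, 15)
    for window in (30, 90, 180):
        print(window, vulnerability_index(SAMPLE, today, window))
```

Because each vulnerability is counted by its earliest reporting date, a source that publishes late does not pull an old vulnerability back into a short window.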