Vulnerability Scoring 103

We’ve looked at the Tripwire IP360 Scoring System and how risk is commonly used in two different scenarios, so I figured it was worthwhile to dive into the other complex element of Tripwire’s scoring: skill. Skill is a term that, even within the IP360 Scoring System, has evolved over the years and it’s worth looking at the evolution of the word in terms of IP360 and vulnerabilities. To really think about how skill affects scoring vulnerability, we need to jump back 15 years and consider the original IP360 definitions:

Automated Exploit: A graphical application that includes an installer, or no human interaction required, e.g. a network worm.
Easy: A non-UNIX binary application, typically containing an installation script, batch file, or other simple installation mechanism. A binary is a pre-compiled exploit that does not require specific operating system or networking knowledge.
Moderate: A non-Windows binary application, typically a binary containing an installation script, batch file, or other simple installation mechanism. A binary is a pre-compiled exploit that does require operating system or networking knowledge.
Difficult: A non-Windows shell, Perl, or interpreted script program that requires limited knowledge of operating systems, shell code, interpreters, or networking.
Extremely Difficult: An un-compiled set of source files, typically compressed in some way that requires specific knowledge of operating systems, compilers, and advanced system experience.
No Known Exploit: Typically, this category describes an exploit or that has been referenced in a public forum or advisory and does not include source code, an exploit script, or a reference to predefined exploit source.

These definitions feel very out of place when considered today. That’s because they were defined before easy-to-install Linux distributions like Ubuntu and Live CDs like BackTrack and Kali Linux existed. They remove the assumption of organized cybercrime and nation states involved in cyber warfare that we know to exist today. In order to continually evolve and recognize the changing environment, today VERT focuses on the quality of the available exploit and the proficiency required to effectively exploit a vulnerability with the available materials. As such, our skill definitions would now be better described by the following:

Automated Exploit: An exploit is available in an exploit kit, exploit framework, or malware (e.g. Worm).
Easy: Fully functional exploit code is available, likely in an exploit repository.
Moderate: Exploit Code is available but may not be fully functional.
Difficult: A proof of concept is available.
Extremely Difficult: Minimal details are available — perhaps a technical write-up with no proof of concept.
No Known Exploit: No exploits are available.

So, why are we publishing a blog post dedicated to clearing this up? VERT feels that scoring correctly is extremely important and this is an area that occasionally needs clarification. This blog post concludes our scoring introduction; readers of the series should now have a solid understanding of the terminology used in upcoming blog posts in relation to Tripwire IP360.

Vulnerability Scoring 103

Automated Exploit: A graphical application that includes an installer, or no human interaction required, e.g. a network worm.

Easy: A non-UNIX binary application, typically containing an installation script, batch file, or other simple installation mechanism. A binary is a pre-compiled exploit that does not require specific operating system or networking knowledge.

Moderate: A non-Windows binary application, typically a binary containing an installation script, batch file, or other simple installation mechanism. A binary is a pre-compiled exploit that does require operating system or networking knowledge.

Difficult: A non-Windows shell, Perl, or interpreted script program that requires limited knowledge of operating systems, shell code, interpreters, or networking.

Extremely Difficult: An un-compiled set of source files, typically compressed in some way that requires specific knowledge of operating systems, compilers, and advanced system experience.

No Known Exploit: Typically, this category describes an exploit or that has been referenced in a public forum or advisory and does not include source code, an exploit script, or a reference to predefined exploit source.

Automated Exploit: An exploit is available in an exploit kit, exploit framework, or malware (e.g. Worm).

Easy: Fully functional exploit code is available, likely in an exploit repository.

Moderate: Exploit Code is available but may not be fully functional.

Difficult: A proof of concept is available.

Extremely Difficult: Minimal details are available — perhaps a technical write-up with no proof of concept.

No Known Exploit: No exploits are available.

Related Posts

Tyler Reguly

Contact Information

Privacy Policy

Cookie Policy

Impressum