I recently invented a “People First” Cybersecurity Vulnerability Scoring method and I called it CITE, Civilian Internet Threat Evaluation with many benefits over CVSS. In it, I prioritize “exploit chains” as the primary threat going forward. Low and behold, this new exploit, although iOS, possibly one of the most sophisticated attacks ever using one of the longest exploit chains ever! Proof positive!
Depending on how you define it; I define the Kaspersky diagram has 8 steps. In my system, I define steps that advance the exploit discretely as stages, so I would evaluated Triangulation to be a 4 stage exploit chain. I should tally this attack to see how it scores and make a CITE-REP(ort).
You can read about it if interested. An intersting modeling problem for me was does stages always equate to complexity? Number of exploits in the chain make it easier or harder to intrusion detect given that it was designed as a chain, maybe to prevent just that? How are stages, complexity, chains and remediation evaluted inversely?
Glancing through your article, while you have correctly assessed the need for risk based prioritization of vulnerability remediation and mitigation, your central premise is flawed.
Vulnerability is not threat— CVSS is a scoring system for individual vulnerabilities, not exploit chains. For that, you’ll want to compare with ATT&CK or the legacy cyber kill chain.
Help me understand your glancing criticisms that I’m taking with a grain of salt.
You didn’t mention the central premise that is flawed, what do you think it is?
I’m not confused about vulnerability and threat, what specifically did read to you give you that impression?
You mention that CVSS, which I hold Certification in, is for scoring single threats which I said so many times that is why I made such a system, to depart from CVSS singular, that is inadequate in being singular and common. Glance again?
Compare what with attack? Also, if you mean Lockheed Martin Cyber Kill Chain, that has nothing to do with scoring, that is the methology OF the attack and defense of it, not the attack itself, is a defensive strategy includng reconaissance and nothing to do with scoring.
From the title of your article and your executive summary, the premise of your paper is that CVSS is flawed, and CITE is your solution.
From the title of your article, and choice of name, “QHE CVSS Alternative; CITE”. CVSS is a VULNERABILITY Scoring System. CITE, as your propose, is a THREAT evaluation tool. You can see how one could have the impression that they were incorrectly being used interchangeably.
As you yourself stated, CVSS does exactly what it says on the box. It provides a singular rating for a software vulnerability, in a vacuum. It does not prescribe to do anything more, and it does a good job doing what it sets out to do (including specifically as an input to other quantitative risk calculations).
Compare what with attack?
Your methodology heavily relies on “the analysis of cybersecurity experts”, and in particular, frequently references “exploit chains”, mappings which are not clearly defined, and appears to rely on the knowledge of the individual practitioner, rather than existing open frameworks. MITRE ATT&CK and CAPEC already provide such a mapping, as well as a list of threat actor groups leveraging tactics, techniques, and procedures (e.g., exploitation of a given CVE). Here’s a good articlewhich maps similarly to how we operate our cybersecurity program.
I think there is a lot on the mark in your article about the issues with cybersecurity today, but again, I believe that your premise that CVSS needs replacing is flawed, and I don’t think you provided a compelling case to demonstrate how/why it is flawed. If anything, I think you would agree that if organizations are exclusively using CVSS scores to prioritize remediation, they’re doing it wrong, and fighting an impossible battle. But this means the organization’s approach is wrong, not CVSS itself.
Your article stands better alone as a proposal for a methodology for quantifying risk and threat to an organization (or society?), rather than as a takedown of CVSS.
Ah, much better. MITRE CWSS + CWARF is comprehensive, yet insular and as is MITRE, Military/NATSEC Focused. I do not see any flaws in my reasoning, but words as communication. I do concede that maybe my saying an alternative to CVSS is not really the best wording as I see such things in very broad terms, but I get the perspective now. As in, the common singular, Gov/Corp system does not fit, I need an alternative model that does. In contrast to I need another exactly scoped system that does it differently alternative.
To evidence this I can point to that fact that I even advocated that CVSS-BTE v4.0 should be NVD baseline, but I didn’t make this very clear that I’m expanding the CVSS as an alternative use, different in applicability, essential in nature, and somewhat built upon CVSS and OWASP with a different, very important objective.
Not replacment which I never intended… I’ll change the article to reflect those views, well done.
I recently invented a “People First” Cybersecurity Vulnerability Scoring method and I called it CITE, Civilian Internet Threat Evaluation with many benefits over CVSS. In it, I prioritize “exploit chains” as the primary threat going forward. Low and behold, this new exploit, although iOS, possibly one of the most sophisticated attacks ever using one of the longest exploit chains ever! Proof positive!
Depending on how you define it; I define the Kaspersky diagram has 8 steps. In my system, I define steps that advance the exploit discretely as stages, so I would evaluated Triangulation to be a 4 stage exploit chain. I should tally this attack to see how it scores and make a CITE-REP(ort).
You can read about it if interested. An intersting modeling problem for me was does stages always equate to complexity? Number of exploits in the chain make it easier or harder to intrusion detect given that it was designed as a chain, maybe to prevent just that? How are stages, complexity, chains and remediation evaluted inversely?
https://www.quadhelion.engineering/articles.html
Sooo, xkcd 927?
That’s Standards, isn’t it?
Edit: yup
is this how people who quote Bible verses feel? i can just surmise the meaning by the number and the context because I’m so familiar with the source
I just surmise by the context and end up usually correct so the numbers haven’t quite clicked in yet
It must be, cause I immediately recognized the numbers.
Link for the lazy
no garfield 3:16
Glancing through your article, while you have correctly assessed the need for risk based prioritization of vulnerability remediation and mitigation, your central premise is flawed.
Vulnerability is not threat— CVSS is a scoring system for individual vulnerabilities, not exploit chains. For that, you’ll want to compare with ATT&CK or the legacy cyber kill chain.
Help me understand your glancing criticisms that I’m taking with a grain of salt.
You mention that CVSS, which I hold Certification in, is for scoring single threats which I said so many times that is why I made such a system, to depart from CVSS singular, that is inadequate in being singular and common. Glance again?
Compare what with attack? Also, if you mean Lockheed Martin Cyber Kill Chain, that has nothing to do with scoring, that is the methology OF the attack and defense of it, not the attack itself, is a defensive strategy includng reconaissance and nothing to do with scoring.
As you yourself stated, CVSS does exactly what it says on the box. It provides a singular rating for a software vulnerability, in a vacuum. It does not prescribe to do anything more, and it does a good job doing what it sets out to do (including specifically as an input to other quantitative risk calculations).
Your methodology heavily relies on “the analysis of cybersecurity experts”, and in particular, frequently references “exploit chains”, mappings which are not clearly defined, and appears to rely on the knowledge of the individual practitioner, rather than existing open frameworks. MITRE ATT&CK and CAPEC already provide such a mapping, as well as a list of threat actor groups leveraging tactics, techniques, and procedures (e.g., exploitation of a given CVE). Here’s a good articlewhich maps similarly to how we operate our cybersecurity program.
I think there is a lot on the mark in your article about the issues with cybersecurity today, but again, I believe that your premise that CVSS needs replacing is flawed, and I don’t think you provided a compelling case to demonstrate how/why it is flawed. If anything, I think you would agree that if organizations are exclusively using CVSS scores to prioritize remediation, they’re doing it wrong, and fighting an impossible battle. But this means the organization’s approach is wrong, not CVSS itself.
Your article stands better alone as a proposal for a methodology for quantifying risk and threat to an organization (or society?), rather than as a takedown of CVSS.
Ah, much better. MITRE CWSS + CWARF is comprehensive, yet insular and as is MITRE, Military/NATSEC Focused. I do not see any flaws in my reasoning, but words as communication. I do concede that maybe my saying an alternative to CVSS is not really the best wording as I see such things in very broad terms, but I get the perspective now. As in, the common singular, Gov/Corp system does not fit, I need an alternative model that does. In contrast to I need another exactly scoped system that does it differently alternative.
To evidence this I can point to that fact that I even advocated that CVSS-BTE v4.0 should be NVD baseline, but I didn’t make this very clear that I’m expanding the CVSS as an alternative use, different in applicability, essential in nature, and somewhat built upon CVSS and OWASP with a different, very important objective.
Not replacment which I never intended… I’ll change the article to reflect those views, well done.
Thanks for sharing! I’m amazed at how sophisticated this was.