Intel score vs CVSS score - which is better for patch prioritization ?
ThreatWorx
No scan, no agent, real-time, continuous proactive cyber hygiene powered by AI for your entire attack surface
In the last blog on this subject we analyzed the results of back testing ThreatWorx AI ( Attenu8 ) model efficacy for CVSS v3 scores. Here is the link to the blog in case you missed it. While the results are indeed very impressive ( 100% accurate CVSS v3 score prediction for every other vulnerability ), the question to ask here is -
Are CVSS v3 scores indicative of eventual weaponization of those vulnerabilities ( i.e. malware and ransomware leveraging them for their attacks ) ?
This question is critical because prioritizing your patching accurately matters more than identifying vulnerabilities in itself. Let's first answer it by looking back at vulnerabilities that have been weaponized over the last 12 months ( November 2022 - November 2023 ).
CVSS v3 score distribution for weaponized vulnerabilities
The CVSS v3 score distribution of 250 weaponized vulnerabilities between November 2022 - November 2023 can be seen below.
Some data points that come out of this,
57 / 250 have a CVSS score less than 6.0, i.e. 23%
120 / 250 have a CVSS score less than or equal to 7.5, i.e. a whopping 48%
83 / 250 have a CVSS score of 9.0 or more, i.e. 33%
33% of the total weaponized vulnerabilities would have been prioritized accurately based on CVSS scores ( almost 1 out of 3 ).
23% of the total weaponized vulnerabilities would have been ignored, and another 48% would have had a fairly high chance of being ignored ( almost 2 out of 3 ).
So the question is: can we do better? The answer is overwhelmingly 'yes'.
ThreatWorx "Intel score" distribution for weaponized vulnerabilities
ThreatWorx AI models associate an "intel score" with each vulnerability. This score is an extension of the patented approach ThreatWorx has taken towards machine curation of vulnerability data to build an ever-evolving vulnerability graph.
The "Intel score" factors in numerous considerations such as social chatter, vendor and product past record, attack vectors that help gain initial foothold, dark web activity, relative complexity of published proof of concepts etc.
If we juxtapose the same set of vulnerabilities against the "intel score" computed by ThreatWorx AI, we can see the sharp contrast. Here is how the chart looks,
Intel score can range between 0 and 100.
Some data points that come out of this,
84 / 250 have an Intel score of 95 or more, i.e. 33%
214 / 250 have an Intel score of 90 or more, i.e. a whopping 85%
37 / 250 have an Intel score less than 90, i.e. 14%
The data speaks for itself and validates the use of AI / ML for vulnerability prioritization.
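The two comparisons above (the CVSS v3 buckets and the Intel score buckets over the same set of weaponized vulnerabilities) are a back-test of a patch-prioritization rule: given a threshold on some score, what share of the vulnerabilities that were later weaponized would the rule have flagged up front? The script below is an added example, not ThreatWorx code and not the blog's data set; the 18 vulnerabilities, their CVSS v3 scores, their "intel" scores and their weaponized flags are all constructed, and `VULN-nnn` ids are placeholders rather than real CVEs. It reproduces the blog's bucket counts on the weaponized subset and, going one step beyond the post, also computes precision and the number of patches each rule demands, which requires the non-weaponized population that the blog's charts do not show. This is the check a defender wants before adopting any score: a score that rates everything 90+ would have perfect recall on the weaponized set and still be useless for prioritization.

```python
"""Back-test patch-prioritization rules against vulnerabilities that were
later weaponized. Added example; all data below is constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Vuln:
    vuln_id: str      # placeholder id, not a real CVE
    cvss_v3: float    # CVSS v3 base score, 0.0 - 10.0
    intel: int        # "intel score"-style ranking, 0 - 100 (constructed values)
    weaponized: bool  # observed in malware / ransomware activity in the look-back window


# Constructed sample. Weaponized entries mirror the blog's pattern (many low
# CVSS scores, mostly high intel scores); the non-weaponized entries let us
# also measure how many patches a rule would demand and how precise it is.
SAMPLE: List[Vuln] = [
    Vuln("VULN-001", 5.3, 96, True),
    Vuln("VULN-002", 5.5, 92, True),
    Vuln("VULN-003", 4.3, 88, True),
    Vuln("VULN-004", 6.5, 95, True),
    Vuln("VULN-005", 7.5, 97, True),
    Vuln("VULN-006", 7.5, 91, True),
    Vuln("VULN-007", 7.8, 93, True),
    Vuln("VULN-008", 8.1, 98, True),
    Vuln("VULN-009", 8.8, 89, True),
    Vuln("VULN-010", 9.8, 99, True),
    Vuln("VULN-011", 9.8, 96, True),
    Vuln("VULN-012", 10.0, 94, True),
    Vuln("VULN-013", 9.8, 40, False),
    Vuln("VULN-014", 9.1, 55, False),
    Vuln("VULN-015", 7.5, 62, False),
    Vuln("VULN-016", 6.1, 30, False),
    Vuln("VULN-017", 5.3, 91, False),
    Vuln("VULN-018", 8.8, 71, False),
]

Score = Callable[[Vuln], float]


def weaponized(vulns: Iterable[Vuln]) -> List[Vuln]:
    return [v for v in vulns if v.weaponized]


def share(vulns: Iterable[Vuln], predicate: Callable[[Vuln], bool]) -> Tuple[int, float]:
    """Count vulns matching predicate; return (count, percent of the set)."""
    vulns = list(vulns)
    hits = sum(1 for v in vulns if predicate(v))
    pct = round(100.0 * hits / len(vulns), 1) if vulns else 0.0
    return hits, pct


def cvss_data_points(vulns: Iterable[Vuln]) -> Dict[str, Tuple[int, float]]:
    """The blog's CVSS buckets, computed over the weaponized subset only."""
    w = weaponized(vulns)
    return {
        "cvss < 6.0": share(w, lambda v: v.cvss_v3 < 6.0),
        "cvss <= 7.5": share(w, lambda v: v.cvss_v3 <= 7.5),
        "cvss >= 9.0": share(w, lambda v: v.cvss_v3 >= 9.0),
    }


def intel_data_points(vulns: Iterable[Vuln]) -> Dict[str, Tuple[int, float]]:
    """The blog's intel-score buckets, computed over the weaponized subset only."""
    w = weaponized(vulns)
    return {
        "intel >= 95": share(w, lambda v: v.intel >= 95),
        "intel >= 90": share(w, lambda v: v.intel >= 90),
        "intel < 90": share(w, lambda v: v.intel < 90),
    }


def backtest(vulns: Iterable[Vuln], score: Score, threshold: float) -> Dict[str, float]:
    """Evaluate the rule 'patch first if score(v) >= threshold' over the whole population.

    recall    = share of later-weaponized vulns the rule flagged (what the blog reports)
    precision = share of flagged vulns that were actually weaponized
    flagged   = number of patches the rule demanded
    """
    vulns = list(vulns)
    flagged = [v for v in vulns if score(v) >= threshold]
    true_hits = [v for v in flagged if v.weaponized]
    total_weaponized = len(weaponized(vulns))
    recall = round(100.0 * len(true_hits) / total_weaponized, 1) if total_weaponized else 0.0
    precision = round(100.0 * len(true_hits) / len(flagged), 1) if flagged else 0.0
    return {"flagged": len(flagged), "recall": recall, "precision": precision}


def compare_rules(vulns: Iterable[Vuln]) -> Dict[str, Dict[str, float]]:
    vulns = list(vulns)
    return {
        "cvss >= 9.0": backtest(vulns, lambda v: v.cvss_v3, 9.0),
        "cvss >= 7.0": backtest(vulns, lambda v: v.cvss_v3, 7.0),
        "intel >= 90": backtest(vulns, lambda v: v.intel, 90),
        "intel >= 95": backtest(vulns, lambda v: v.intel, 95),
    }


if __name__ == "__main__":
    total = len(weaponized(SAMPLE))
    for name, (count, pct) in {**cvss_data_points(SAMPLE), **intel_data_points(SAMPLE)}.items():
        print(f"{name:12s} {count:3d} / {total}  ({pct}%)")
    for rule, r in compare_rules(SAMPLE).items():
        print(f"{rule:12s} flagged={r['flagged']:2d} recall={r['recall']}% precision={r['precision']}%")
```

On the constructed sample, "cvss >= 9.0" flags 5 vulnerabilities and catches only 3 of the 12 weaponized ones, while "intel >= 90" flags 11 and catches 10, with one false positive. Run the same functions over your own vulnerability inventory joined to an exploitation feed (the CISA KEV catalog is a common source for the weaponized flag) to see whether a given score earns its place in the patch queue.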