Separating the Signal from the Noise: How Mandiant Intelligence Rates Vulnerabilities — Intelligence for Vulnerability Management, Part Three

One of the critical strategic and tactical roles that cyber threat
intelligence (CTI) plays is in the tracking, analysis, and
prioritization of software vulnerabilities that could potentially
put an organization’s data, employees and customers at risk. In this
four-part blog series, FireEye Mandiant Threat Intelligence
highlights the value of CTI in enabling vulnerability management,
and unveils new research into the latest threats, trends and recommendations.

Every information security practitioner knows that patching
vulnerabilities is one of the first steps towards a healthy and
well-maintained organization. But with thousands of vulnerabilities
disclosed each year and media hype about the newest “branded”
vulnerability on the news, it’s hard to know where to start.

The National Vulnerability Database (NVD) considers a range of
factors that are fed into an automated process to arrive at a score
for CVSSv3. Mandiant Threat Intelligence takes a different approach,
drawing on the insight and experience of our analysts (Figure 1). This
human input allows for qualitative factors to be taken into
consideration, which gives additional focus to what matters to
security operations.

Figure 1: How Mandiant Rates Vulnerabilities

Assisting Patch Prioritization

We believe our approach results in a score that is more useful for
determining patching priorities, as it allows for the adjustment of
ratings based on factors that are difficult to quantify using
automated means. It also significantly reduces the number of
vulnerabilities rated ‘high’ and ‘critical’ compared to CVSSv3 (Figure
2). We consider critical vulnerabilities to pose significant security
risks and strongly suggest that remediation steps are taken to address
them as soon as possible. We also believe that limiting ‘critical’ and
‘high’ designations helps security teams to effectively focus
attention on the most dangerous vulnerabilities. For instance, from
2016-2019 Mandiant only rated two vulnerabilities as critical, while
NVD assigned 3,651 vulnerabilities a ‘critical’ rating (Figure 3).

Figure 2: Criticality of US National
Vulnerability Database (NVD) CVSSv3 ratings 2016-2019 compared to
Mandiant vulnerability ratings for the same vulnerabilities

Figure 3: Numbers of ratings at various
criticality tiers from NVD CVSSv3 scores compared to Mandiant
ratings for the same vulnerabilities

Mandiant Vulnerability Ratings Defined

Our rating system includes both an exploitation rating and a risk rating:

The Exploitation Rating is an in indication of what is
occurring in the wild.

Figure 4: Mandiant Exploitation Rating definitions

The Risk Rating is our expert assessment of what impact an
attacker could have on a targeted organization, if they were to
exploit a vulnerability.

Figure 5: Mandiant Risk Rating definitions

We intentionally use the critical rating sparingly, typically in
cases where exploitation has serious impact, exploitation is trivial
with often no real mitigating factors, and the attack surface is large
and remotely accessible. When Mandiant uses the critical rating, it is
an indication that remediation should be a top priority for an
organization due to the potential impacts and ease of exploitation.

For example, Mandiant Threat Intelligence rated CVE-2019-19781 as
critical due to the confluence of widespread exploitation—including by
APT41—the public release of proof-of-concept (PoC) code that
facilitated automated exploitation, the potentially acute outcomes of
exploitation, and the ubiquity of the software in enterprise environments.

CVE-2019-19781 is a path traversal vulnerability of the Citrix
Application Delivery Controller (ADC) 13.0 that when exploited, allows
an attacker to remotely execute arbitrary code. Due to the nature of
these systems, successful exploitation could lead to further
compromises of a victim’s network through lateral movement or the
discovery of Active Directory (AD) and/or LDAP credentials. Though
these credentials are often stored in hashes, they have been proven to
be vulnerable to password cracking. Depending on the environment, the
potential second order effects of exploitation of this vulnerability
could be severe.

We described widespread exploitation of CVE-2019-19781 in our blog
 earlier this year, including a timeline from disclosure on
Dec. 17, 2019, to the patch releases, which began a little over a
month later on Jan. 20, 2020. Significantly, within hours of the
release of PoC code on Jan. 10, 2020, we detected reconnaissance for
this vulnerability in FireEye telemetry data. Within days, we observed
weaponized exploits used to gain footholds in victim environments. On
the same day the first patches were released, Jan. 20, 2020, we observed
APT41, one of the most prolific Chinese groups we track, kick off an
expansive campaign exploiting CVE-2019-19781 and other vulnerabilities
against numerous targets.

Factors Considered in Ratings

Our vulnerability analysts consider a wide variety of
impact-intensifying and mitigating factors when rating a
vulnerability. Factors such as actor interest, availability of exploit
or PoC code, or exploitation in the wild can inform our analysis, but
are not primary elements in rating.

Impact considerations help determine what impact exploitation
of the vulnerability can have on a targeted system.

Impact Type

Impact Consideration

Exploitation Consequence

The result of successful
exploitation, such as privilege escalation or remote code

Confidentiality Impact

The extent to which exploitation
can compromise the confidentiality of data on the impacted

Integrity Impact

The extent to which exploitation
allows attackers to alter information in impacted systems

Availability Impact

The extent to which exploitation
disrupts or restricts access to data or systems

Mitigating factors affect an attacker’s likelihood of
successful exploitation.

Mitigating Factor

Mitigating Consideration

Exploitation Vector

What methods can be used to exploit
the vulnerability?

Attacking Ease

How difficult is the exploit to use
in practice?

Exploit Reliability

How consistently can the exploit
execute and perform the intended malicious activity?

Access Vector

What type of access (i.e. local,
adjacent network, or network) is required to successfully
exploit the vulnerability?

Access Complexity

How difficult is it to gain access
needed for the vulnerability?

Authentication Requirements

Does the exploitation
require authentication and, if so, what type of

Vulnerable Product Ubiquity

How commonly is the
vulnerable product used in enterprise environments?

Product’s Targeting Value

How attractive is the
vulnerable software product or device to threat actors to

Vulnerable Configurations

Does exploitation require
specific configurations, either default or non-standard?

Mandiant Vulnerability Rating System Applied

The following are examples of cases in which Mandiant Threat
Intelligence rated vulnerabilities differently than NVD by considering
additional factors and incorporating information that either was not
reported to NVD or is not easily quantified in an algorithm.


Vulnerability Description

NVD Rating

Mandiant Rating



A command injection vulnerability in
the Web UI component of Cisco IOS XE versions 16.11.1 and
earlier that, when exploited, allows a privileged attacker to
remotely execute arbitrary commands with root



This vulnerability was rated high by NVD, but
Mandiant Threat Intelligence rated it as low risk because it
requires the highest level of privileges – level 15 admin
privileges – to exploit. Because this level of access should
be quite limited in enterprise environments, we believe that
it is unlikely attackers would be able to leverage this
vulnerability as easily as others. There is no known
exploitation of this activity.


A use after free vulnerability
within the FileReader component in Google Chrome 72.0.3626.119
and prior that, when exploited, allows an attacker to remotely
execute arbitrary code. 




NVD rated CVE-2019-5786 as medium,
while Mandiant Threat Intelligence rated it as high risk. The
difference in ratings is likely due to NVD describing the
consequences of exploitation as denial of service, while we
know of exploitation in the wild which results in remote code
execution in the context of the renderer, which is a more
serious outcome.

As demonstrated, factors such as the assessed ease of exploitation
and the observance of exploitation in the wild may result a different
priority rating than the one issued by NVD. In the case of
CVE-2019-12650, we ultimately rated this vulnerability lower than NVD
due to the required privileges needed to execute the vulnerability as
well as the lack of observed exploitation. On the other hand, we rated
the CVE-2019-5786 as high risk due to the assessed severity, ubiquity
of the software, and confirmed exploitation.

In early 2019, Google reported
two zero-day vulnerabilities were being used together in the wild:
CVE-2019-5786 (Chrome zero-day vulnerability) and CVE-2019-0808 (a
Microsoft privilege escalation vulnerability). Google quickly released
a patch for the Chrome vulnerability pushed it to users through
Chrome’s auto-update feature on March 1. CVE-2019-5786 is significant
because it can impact all major operating systems, Windows, Mac OS,
and Linux, and requires only minimal user interaction, such as
navigating or following a link to a website hosting exploit code, to
achieve remote code execution. The severity is further compounded by a
public blog
 and proof of concept exploit code that was released a few
weeks later and subsequently incorporated into a Metasploit module.

The Future of Vulnerability Analysis Requires Algorithms and
Human Intelligence

We expect that the volume of vulnerabilities to continue to increase
in coming years, emphasizing the need for a rating system that
accurately identifies the most significant vulnerabilities and
provides enough nuance to allow security teams to tackle patching in a
focused manner. As the quantity of vulnerabilities grows,
incorporating assessments of malicious actor use, that is, observed
exploitation as well as the feasibility and relative ease of using a
particular vulnerability, will become an even more important factor in
making meaningful prioritization decisions.

Mandiant Threat Intelligence believes that the future of
vulnerability analysis will involve a combination of machine
(structured or algorithmic) and human analysis to assess the potential
impact of a vulnerability and the true threat that it poses to
organizations. Use of structured algorithmic techniques, which are
common in many models, allows for consistent and transparent rating
levels, while the addition of human analysis allows experts to
integrate factors that are difficult to quantify, and adjust ratings
based on real-world experience regarding the actual risk posed by
various types of vulnerabilities.

Human curation and enhancement layered on top of automated rating
will provide the best of both worlds: speed and accuracy. We strongly
believe that paring down alerts and patch information to a manageable
number, as well as clearly communicating risk levels with Mandiant
vulnerability ratings makes our system a powerful tool to equip
network defenders to quickly and confidently take action against the
highest priority issues first.

Register today to hear FireEye Mandiant Threat Intelligence experts
discuss the latest in vulnerability
threats, trends and recommendations
 in our upcoming April 30 webinar.