
What does 'exploited' mean?

'Exploited' refers to a vulnerability that has been used in an attack.

The simple answer is that it refers to a vulnerability that has been used in an attack. However, there are some nuances to this, and to how Orpheus refers to exploitation. The following are the stages for us to consider.

  • Vulnerability discovered
  • Proof-of-concept (POC) exploit
  • Exploited

Thousands of vulnerabilities are discovered each year. Not all of these will have a POC exploit attached to them, although many will.

If a vulnerability has a POC exploit, this means that a researcher has demonstrated that this vulnerability can be exploited. The POC will provide the route for an attacker to follow to exploit this vulnerability. However, at this stage, this has been demonstrated by a researcher in cyber defence, and not used in an attack.

To directly observe CVE exploitation, security researchers must write a detection rule. This can take various forms but is typically a hash of a section of code, or a set of behaviours/heuristics, which, if seen, suggests the script is attempting to exploit a particular CVE. This rule is then applied either to suspected malware samples or set up on honeypots, to see if it is triggered.
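The two rule types described above, and the way a trigger moves a CVE from 'proof-of-concept' to 'exploited', can be shown in a small simulation. This is an added example written for this page, not Orpheus' own detection code or data model: the CVE identifier is a placeholder, the hashed 'proof-of-concept section', the behaviour names and the malware-feed and honeypot samples are all constructed here, and the rule format is an assumption.

```python
import hashlib
from dataclasses import dataclass

# Placeholder identifier: the page names no specific CVE.
CVE_ID = "CVE-YYYY-NNNNN"


def code_section_hash(section: bytes) -> str:
    """Hash one section of code; a hash-based rule stores this digest."""
    return hashlib.sha256(section).hexdigest()


# Constructed stand-in for a section of a published proof-of-concept that a
# researcher has hashed into a rule. A real rule holds the digest of real code.
POC_SECTION = b"CONSTRUCTED-POC-ROUTINE-v1"

HASH_RULE = {"cve": CVE_ID, "sha256": code_section_hash(POC_SECTION)}

# Constructed behavioural rule: the set of heuristics that, seen together,
# suggest a sample is attempting to exploit this CVE.
BEHAVIOUR_RULE = {
    "cve": CVE_ID,
    "events": {"parse_untrusted_input", "out_of_bounds_write", "spawn_process"},
}


@dataclass
class Sample:
    name: str
    source: str            # "malware_feed" or "honeypot"
    sections: list[bytes]  # code sections extracted from the sample
    events: list[str]      # behaviours observed when the sample ran


def matches_hash(sample: Sample, rule: dict) -> bool:
    """True if any code section of the sample hashes to the rule's digest."""
    return any(code_section_hash(s) == rule["sha256"] for s in sample.sections)


def matches_behaviour(sample: Sample, rule: dict) -> bool:
    """True only if every heuristic in the rule was observed; partial matches do not count."""
    return rule["events"].issubset(set(sample.events))


def detections(samples: list[Sample]) -> list[dict]:
    """Apply both rules to each sample and record which method triggered."""
    hits = []
    for s in samples:
        methods = []
        if matches_hash(s, HASH_RULE):
            methods.append("hash")
        if matches_behaviour(s, BEHAVIOUR_RULE):
            methods.append("behaviour")
        if methods:
            hits.append({"sample": s.name, "source": s.source, "methods": methods})
    return hits


def exploitation_stage(poc_published: bool, samples: list[Sample]) -> str:
    """Map the three stages on this page onto the available evidence."""
    if detections(samples):
        return "Exploited"            # a rule triggered on real malware or honeypot traffic
    if poc_published:
        return "Proof-of-concept"     # demonstrated by a researcher, not seen in an attack
    return "Vulnerability discovered"


# Constructed samples standing in for malware-feed and honeypot data.
SAMPLES = [
    Sample("honeypot-capture-01", "honeypot",
           [b"unrelated", POC_SECTION], ["parse_untrusted_input"]),
    Sample("malware-sample-02", "malware_feed",
           [b"packed-blob"],
           ["parse_untrusted_input", "out_of_bounds_write", "spawn_process", "network_beacon"]),
    Sample("benign-admin-tool", "malware_feed",
           [b"installer"], ["parse_untrusted_input", "write_log"]),
]

if __name__ == "__main__":
    for hit in detections(SAMPLES):
        print(hit)
    print(exploitation_stage(poc_published=True, samples=SAMPLES))
```

The first constructed sample triggers only the hash rule (the honeypot captured the exact proof-of-concept routine), the second only the behavioural rule (the code was repacked, so no section hashes match, but the heuristics all fire), and the benign tool triggers neither. Remove the two triggering samples and the same CVE drops back to 'Proof-of-concept', which is the distinction the page draws between a demonstrated route and observed exploitation.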

The ground truth of CVE exploitation necessarily underpins any patch prioritisation system and is a central area of focus for Orpheus. As a component of our CVE scoring, we combine the most comprehensive sources of malware samples and honeypot activity into our databases. We also process data from millions of malware samples daily, and malicious activity from a network of over 5,000 honeypots.

Disagreement about what counts as 'exploited' arises because some vulnerabilities are exploited once but, after widespread patching, are unlikely to be exploited again in the future. Others may not have been widely exploited, and some feel that these should then not be included. Orpheus mitigates these disagreements with our prioritisation score. Our score changes in line with threat actor behaviour and would decrease if either of these factors was evident.