As the ICT attack surface broadens (servers, laptops, networks, and IoT), it’s more crucial than ever for ICT security teams to quickly and accurately identify the greatest risks and prioritize remediation efforts accordingly.
Conventional approaches focus primarily on the severity of vulnerabilities as measured by the Common Vulnerability Scoring System (CVSS). But no matter how severe a vulnerability is, it may be safe from attack because it’s not exposed or because there are no active attempts to exploit it. On the other hand, even a low- or medium-severity vulnerability can constitute a serious risk if it’s readily accessible to threat actors and is being actively exploited.
Attackers are increasingly taking advantage of low- and medium-severity vulnerabilities, going after them as the first step in sophisticated multistage campaigns.
Rather than focusing on thousands of vulnerabilities that may never be used in a real-world attack, organisations should shift their focus to those vulnerabilities that are active threats.