
Mandiant Vulnerability Intelligence


Overview

The Mandiant Advantage integration gives analysts and engineers actionable, real-time vulnerability and threat intelligence, automatically correlated with normalized network, application, cloud, and container scan data plus org-defined risk and asset criticality context, all in one place. The integration uses a custom threat intel feed from Mandiant that exposes data points tailored to the vulnerability landscape. This lets Nucleus subscribers save time and move faster with automated, prioritized responses to the highest-risk vulnerabilities in a way that fits their organization and existing VM processes.

Risk Rating

The Risk Rating is an expert assessment of what impact an attacker could have on a targeted organization if they were to exploit a vulnerability.

Low: Exploitation of these vulnerabilities would have little to no security impact on targeted systems. While technically a vulnerability, there is little to no direct security impact an attacker can have on the targeted system or network. Reliability of exploitation is likely low, and exploitation is unlikely to be performed on a wide scale.

Medium: Exploitation of these vulnerabilities would either enable attackers to perform additional activities on the targeted device or network, or could enable attackers to have a direct impact on the security of the targeted device or network, but would require notable additional factors to be performed or mitigated. Reliability of exploitation is likely questionable and may or may not be possible on a wide scale.

High: Exploitation of these vulnerabilities would enable attackers to have a notable direct impact on the security of targeted devices and networks without needing to overcome any major mitigating factors. Reliability of exploitation is expected to be high, and exploitation can typically be performed on a wide scale.

Critical: Exploitation of these vulnerabilities fundamentally undermines the security of affected devices and networks, enabling actors to perform significant attacks with minimal effort, impacting a wide number of systems, often with little to no mitigating factors to overcome. Reliability of exploitation is most likely very high, and exploitation can almost certainly be performed effectively at scale.

For additional information on how Mandiant rates vulnerabilities, see this article.

Exploitation Rating

The Exploitation Rating is an indication of what is occurring in the wild in terms of exploitation-related activity. 

No Known: No known exploitation activity, underground discussions, PoC or exploit code, and low potential for exploitation.

Anticipated: No known exploitation activity, underground discussions, PoC or exploit code, but high potential for exploitation.

Available: Exploit or PoC code is publicly available, or underground discussions, alleged selling, or alleged privately held code have been observed.

Confirmed: Limited reported or confirmed exploitation activity.

Wide: Exploitation has been reported or confirmed to occur widely.

Additional Mandiant Fields:

Each field is listed as Field (field values): description.

Ease of Attack (Difficult, Moderate, Easy, No Info): How difficult the exploit is to use in practice.

Exploit Consequence (Information Disclosure, Data Loss, Data Manipulation, Denial-of-Service, Code Execution, Command Execution, Security Bypass): The result of successful exploitation, such as privilege escalation or remote code execution.

Exploit in Wild (Yes, No): Vulnerability exploitation observed in the wild by Mandiant.

Exploit Vectors (Web, General Network Connectivity, Local Access, Email, File Share, Open Port, Local Network Access, Physical Access): The type of access required to successfully exploit the vulnerability.

Mitigations (Anti-virus Signatures, Intrusion Prevention Signatures, Firewall, Patch, Unavailable, Workaround): Indicates which vulnerability mitigations are available.

Zero Day (Yes, No): Indicates whether the vulnerability is a zero day.

Associated Malware (Exists, Does not exist): Indicates whether the vulnerability has associated malware.

Where to find Mandiant Intelligence in Nucleus

  • Vulnerabilities > Active: Search, sort, and filter using the criteria and fields from the Mandiant vulnerability intelligence feed.
  • Vulnerabilities > Active > Vulnerability Details > Vulnerability Intelligence: Access all the Mandiant vulnerability intelligence for a vulnerability in one place.
  • Automation: Use intelligence fields including Mandiant, EPSS score, and CISA BOD 22-01 as filters in automation rules for greater flexibility over triggering events.
  • Reports: Filter certain reports by the same Mandiant feed fields for more reporting on the criteria that matter to you.

Operationalizing Mandiant Threat Data in Your Vulnerability Management Program

Example #1 - Vulnerability Prioritization and Triage

When getting started with Nucleus, an excellent way to determine which vulnerabilities need immediate attention is to focus on the vulnerabilities with a Mandiant Risk Rating of Critical or High. From the Vulnerabilities page, you can search, sort, and filter on the Mandiant Risk Rating and all other fields from the Mandiant vulnerability intelligence feed. 

Example #2 - Automated Remediation Workflows

By leveraging Mandiant fields in automation rules, you can streamline ticket generation and automatically assign findings to teams or individuals for remediation. 

Example #3 - Automated Alerting and Reporting

Using the Mandiant fields as filters in Nucleus's automated notification rules, you can trigger downstream events such as a message in Slack or Microsoft Teams, or an email, when the criteria are met. You can filter across all the threat and data sources, including Mandiant, EPSS, CISA BOD 22-01, CVE, and CVSS, and the rules are customizable based on what is organizationally important to you.
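The three examples above all reduce to the same pattern: order findings by the Mandiant ratings, then match findings against rules that produce a ticket or a notification. The following script is an added illustration of that pattern and is not Nucleus's API, Nucleus's code, or Mandiant's feed format. It encodes the Risk Rating and Exploitation Rating scales from this page as ordinal values, builds the Example #1 triage queue (Critical or High first, tie-broken by exploitation activity and asset criticality), and evaluates Example #2 and #3 style routing and alerting rules. The `Finding` and `Rule` classes, the rule names, the action labels, and the sample findings (with placeholder CVE ids) are all constructed for the example.

```python
"""Model Mandiant-style prioritization and automation rules over findings.

Added illustration only: not Nucleus's API or Mandiant's code. Field names
mirror the fields described on the page; findings and rules are constructed.
"""
from dataclasses import dataclass, field
from typing import Callable

# Ordinal scales for the two Mandiant ratings, lowest to highest severity.
RISK_ORDER = ["Low", "Medium", "High", "Critical"]
EXPLOITATION_ORDER = ["No Known", "Anticipated", "Available", "Confirmed", "Wide"]


@dataclass
class Finding:
    """One vulnerability finding with a subset of the Mandiant fields (constructed)."""
    cve: str
    asset: str
    asset_criticality: str      # org-defined context: "low", "medium", "high"
    risk_rating: str            # Mandiant Risk Rating
    exploitation_rating: str    # Mandiant Exploitation Rating
    exploit_in_wild: bool       # Mandiant "Exploit in Wild" field
    ease_of_attack: str         # Difficult, Moderate, Easy, No Info
    mitigations: list = field(default_factory=list)


def rank(scale, value):
    """Position of a rating on its ordinal scale; unknown values rank lowest."""
    return scale.index(value) if value in scale else -1


def triage_queue(findings):
    """Example #1: findings rated Critical or High, most urgent first.

    Sort key: risk rating, then exploitation rating, then asset criticality,
    so two findings with the same rating are ordered by in-the-wild activity.
    """
    crit_order = {"low": 0, "medium": 1, "high": 2}
    high_or_above = RISK_ORDER.index("High")
    selected = [f for f in findings if rank(RISK_ORDER, f.risk_rating) >= high_or_above]
    return sorted(
        selected,
        key=lambda f: (
            rank(RISK_ORDER, f.risk_rating),
            rank(EXPLOITATION_ORDER, f.exploitation_rating),
            crit_order.get(f.asset_criticality, 0),
        ),
        reverse=True,
    )


@dataclass
class Rule:
    """Examples #2 and #3: an automation rule is a predicate plus an action label."""
    name: str
    matches: Callable[[Finding], bool]
    action: str  # hypothetical action label, e.g. "ticket:<team>" or "notify:<channel>"


RULES = [
    # Example #2: route actively exploited Critical findings to a remediation team.
    Rule(
        "critical-exploited-to-ticket",
        lambda f: f.risk_rating == "Critical" and f.exploit_in_wild,
        "ticket:on-call-remediation",
    ),
    # Example #3: alert when exploitation is Confirmed or Wide on a high-criticality asset.
    Rule(
        "wide-exploitation-alert",
        lambda f: rank(EXPLOITATION_ORDER, f.exploitation_rating)
        >= EXPLOITATION_ORDER.index("Confirmed")
        and f.asset_criticality == "high",
        "notify:slack#vuln-alerts",
    ),
    # High/Critical findings whose only mitigation is "Unavailable" need a workaround review.
    Rule(
        "unmitigated-review",
        lambda f: "Unavailable" in f.mitigations and f.risk_rating in ("High", "Critical"),
        "ticket:workaround-review",
    ),
]


def run_rules(findings, rules=RULES):
    """Evaluate every rule against every finding; return (cve, rule name, action) triples."""
    return [(f.cve, r.name, r.action) for f in findings for r in rules if r.matches(f)]


# Constructed sample findings; CVE ids are placeholders, not real advisories.
SAMPLE = [
    Finding("CVE-EXAMPLE-1", "web-prod-01", "high", "Critical", "Wide", True, "Easy", ["Patch"]),
    Finding("CVE-EXAMPLE-2", "build-agent-03", "medium", "High", "Available", False, "Moderate", ["Unavailable"]),
    Finding("CVE-EXAMPLE-3", "lab-vm-07", "low", "Low", "No Known", False, "Difficult", ["Patch"]),
    Finding("CVE-EXAMPLE-4", "db-prod-02", "high", "High", "Confirmed", True, "Easy", ["Workaround"]),
]

if __name__ == "__main__":
    for f in triage_queue(SAMPLE):
        print(f"{f.cve} {f.asset} risk={f.risk_rating} exploitation={f.exploitation_rating}")
    for cve, rule_name, action in run_rules(SAMPLE):
        print(f"{cve}: {rule_name} -> {action}")
```

The ordinal scales are what make the rules composable: a rule written as "Confirmed or above" keeps working if the feed later reports Wide, whereas string equality checks would silently miss it. In a real deployment the predicates would be expressed in the Nucleus automation UI rather than in code, but the ordering and tie-breaking choices are the same decisions you make there.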