Data Enrichment Guide

CyberSecFeed enriches CVE data with multiple intelligence sources to help you prioritize vulnerabilities effectively. This guide explains each enrichment type and how to use them for risk-based vulnerability management.

Overview

Beyond basic CVE information, CyberSecFeed provides three critical enrichment sources:

KEV - Known Exploited Vulnerabilities (always included when available)
EPSS - Exploit Prediction Scoring System (always included when available)
ACSC - Australian Cyber Security Centre advisories (parameter-controlled: requires include=acsc)

Important: ACSC data is only included when explicitly requested using the include=acsc parameter to optimize API performance.

Controlling Enrichment Data Inclusion

CyberSecFeed uses parameter-based inclusion to give you control over which enrichment data is returned:

Default Behavior

# Default request includes KEV and EPSS when available
curl -H "X-API-Key: your-api-key-here" \
     https://api.cybersecfeed.com/api/v1/cve/CVE-2024-0001

Include ACSC Data

# Add ACSC data to the response
curl -H "X-API-Key: your-api-key-here" \
     https://api.cybersecfeed.com/api/v1/cve/CVE-2024-0001?include=acsc

Include Advanced Enrichment

The enrichment framework provides additional intelligence extracted from vendor data including CVSS vectors, attack vectors, CWE classifications, and exploit indicators.

# Add enrichment framework data
curl -H "X-API-Key: your-api-key-here" \
     https://api.cybersecfeed.com/api/v1/cve/CVE-2024-0001?include=enrichment

Example enrichment response:

{
	"data": {
		"cve_id": "CVE-2024-0001",
		"published": "2024-01-15T10:00:00Z",
		"description": "Buffer overflow vulnerability...",
		"enrichment": {
			"cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
			"cvss_source": "nvd",
			"cwe_list": ["CWE-120", "CWE-787"],
			"exploit_flag": true,
			"attack_vector": "network",
			"patch_available": true,
			"cpe_count": 15,
			"reference_count": 23,
			"vendor_tags": ["nvd"],
			"enriched_at": "2024-01-15T18:30:00.000Z"
		}
	}
}

Combine Multiple Enrichments

# Include both ACSC and enrichment data
curl -H "X-API-Key: your-api-key-here" \
     https://api.cybersecfeed.com/api/v1/cve/CVE-2024-0001?include=acsc,enrichment

KEV (Known Exploited Vulnerabilities)

What is KEV?

The Known Exploited Vulnerabilities catalog, maintained by CISA (Cybersecurity and Infrastructure Security Agency), contains vulnerabilities that are being actively exploited in the wild. These represent immediate threats that should be prioritized for patching.

Why KEV Matters

Real-world validation: These vulnerabilities have confirmed exploitation
Risk prioritization: Focus on actual threats, not theoretical ones
Compliance: Many frameworks require priority patching of KEV entries
Threat intelligence: Understand what attackers are actually targeting

KEV Data Structure

When a CVE is in the KEV catalog, you'll see this enrichment:

"kev": {
  "dateAdded": "2024-01-20",
  "vendorProject": "Example Corp",
  "product": "Example Product",
  "vulnerabilityName": "Example Product Remote Code Execution",
  "requiredAction": "Apply patches from vendor advisory",
  "dueDate": "2024-02-10",
  "knownRansomware": false,
  "notes": "Actively exploited in targeted attacks"
}

Using KEV Data

Filter for KEV vulnerabilities:

curl -H "X-API-Key: your-api-key-here" \
     "https://api.cybersecfeed.com/api/v1/cves?kev=true&limit=50"

Check specific CVE for KEV status:

curl -H "X-API-Key: your-api-key-here" \
     https://api.cybersecfeed.com/api/v1/cve/CVE-2024-0001

Key decision points:

If kev field exists: PATCH IMMEDIATELY
If knownRansomware is true: CRITICAL PRIORITY
Check dueDate for compliance deadlines

EPSS (Exploit Prediction Scoring System)

What is EPSS?

EPSS provides a probability score (0 to 1) indicating the likelihood that a vulnerability will be exploited in the next 30 days. Developed by FIRST (Forum of Incident Response and Security Teams), it uses machine learning to analyze multiple factors.

Understanding EPSS Scores

Score: 0.00000 to 1.00000 (0% to 100% probability)
Percentile: Where this CVE ranks among all CVEs
- 0.95 percentile = top 5% most likely to be exploited
- 0.50 percentile = more likely than 50% of all CVEs

EPSS Data Structure

"epss": {
  "score": 0.97234,
  "percentile": 0.99123,
  "date": "2024-01-25"
}

Interpreting EPSS Scores

Score Range	Percentile	Risk Level	Recommended Action
0.8 - 1.0	>95th	Critical	Patch within 24-48 hours
0.5 - 0.8	80-95th	High	Patch within 1 week
0.2 - 0.5	50-80th	Medium	Patch within 30 days
0.0 - 0.2	<50th	Low	Standard patch cycle

Using EPSS for Prioritization

Find high-probability exploits:

curl -H "X-API-Key: your-api-key-here" \
     "https://api.cybersecfeed.com/api/v1/cves?epss_min=0.8&limit=20"

Combine with severity for better prioritization:

curl -H "X-API-Key: your-api-key-here" \
     "https://api.cybersecfeed.com/api/v1/cves?severity_min=7.0&epss_min=0.5"

EPSS vs Traditional Scoring

Traditional CVSS scores measure potential impact, while EPSS predicts actual exploitation likelihood. Use both:

High CVSS + High EPSS: Critical priority
High CVSS + Low EPSS: Important but less urgent
Low CVSS + High EPSS: Don't ignore - actively exploited
Low CVSS + Low EPSS: Standard patch cycle

ACSC (Australian Cyber Security Centre)

What is ACSC?

The Australian Cyber Security Centre provides regional threat intelligence through security alerts and advisories. These notices often contain early warnings about emerging threats and specific guidance for Australian organizations.

Types of ACSC Notices

Alerts: Urgent security notifications requiring immediate action
Advisories: Important security guidance and threat information

ACSC Data Structure

"acsc": [
  {
    "id": "2024-critical-ransomware-alert",
    "title": "Critical Ransomware Campaign Targeting Australian Organizations",
    "type": "alert",
    "priority": "Critical",
    "publishedDate": "2024-01-20T08:00:00Z",
    "summary": "Active ransomware campaign exploiting..."
  }
]

Priority Levels

Critical: Immediate action required
High: Action required within 48 hours
Medium: Action required within 1 week
Low: Awareness and standard procedures
Unrated: Informational

Using ACSC Data

Important: ACSC enrichment is only included when explicitly requested with the include=acsc parameter:

# Request CVE with ACSC data
curl -H "X-API-Key: your-api-key-here" \
     https://api.cybersecfeed.com/api/v1/cve/CVE-2024-0001?include=acsc

Default requests do NOT include ACSC data:

# This will NOT include ACSC data
curl -H "X-API-Key: your-api-key-here" \
     https://api.cybersecfeed.com/api/v1/cve/CVE-2024-0001

Why ACSC matters:

Regional relevance: Threats specifically targeting your region
Early warnings: Often published before global advisories
Tactical guidance: Specific mitigation steps
Compliance: Required for some Australian organizations

Enrichment Framework

What is the Enrichment Framework?

The enrichment framework is CyberSecFeed's intelligence extraction system that analyzes vendor data to provide actionable security insights. It processes CVE data through vendor-specific adapters to extract structured intelligence fields.

Data Sources by Plan:

All Plans: NVD (National Vulnerability Database) enrichment
Enterprise Plans: Custom vendor feeds via dedicated adapters (examples: Cisco, Microsoft, Red Hat, VMware, Oracle, and many others)

Enrichment Data Fields

Field	Type	Description	Example
`cvss_vector`	String	Full CVSS vector string	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H`
`cvss_source`	String	Vector data source	`nvd` (Enterprise: vendor-specific sources)
`cwe_list`	Array	Associated CWE classifications	`["CWE-120", "CWE-787"]`
`exploit_flag`	Boolean	Exploit code availability detected	`true`, `false`
`attack_vector`	String	CVSS attack vector classification	`network`, `adjacent`, `local`, `physical` (or `N`, `A`, `L`, `P`)
`patch_available`	Boolean	Vendor patch availability	`true`, `false`
`cpe_count`	Integer	Number of affected products	`15`
`reference_count`	Integer	Number of reference links	`23`
`vendor_tags`	Array	Contributing vendor sources	`["nvd"]` (Enterprise: multiple vendor sources)
`enriched_at`	Timestamp	When enrichment was processed	`2024-01-15T18:30:00.000Z`

Using Attack Vector Filtering

Filter CVEs by their attack vector for targeted security focus:

# Network-based vulnerabilities (highest priority for perimeter defense)
# Use lowercase full names: network, adjacent, local, physical
curl -H "X-API-Key: your-api-key-here" \
     "https://api.cybersecfeed.com/api/v1/cves?attack_vector=network&include=enrichment&limit=20"

# Local vulnerabilities (privilege escalation concerns)
curl -H "X-API-Key: your-api-key-here" \
     "https://api.cybersecfeed.com/api/v1/cves?attack_vector=local&include=enrichment&limit=20"

# Or use uppercase abbreviations: N, A, L, P
curl -H "X-API-Key: your-api-key-here" \
     "https://api.cybersecfeed.com/api/v1/cves?attack_vector=N&include=enrichment&limit=20"

Exploit Detection Integration

Combine multiple exploit indicators for comprehensive threat assessment:

# CVEs with confirmed exploits and vendor patches
curl -H "X-API-Key: your-api-key-here" \
     "https://api.cybersecfeed.com/api/v1/cves?exploit=true&patched=true&include=enrichment&limit=10"

Combining Enrichment Data

The Power of Multiple Sources

Using all three enrichment sources provides comprehensive risk assessment:

# High-risk query combining all factors
curl -H "X-API-Key: your-api-key-here" \
     "https://api.cybersecfeed.com/api/v1/cves?severity_min=7.0&kev=true&epss_min=0.5"

Risk Prioritization Matrix

Scenario	KEV	EPSS	ACSC Alert	Priority
Confirmed Exploitation	✓	High	Any	CRITICAL
High Probability	✗	>0.8	Critical	CRITICAL
Regional Threat	Any	Any	Critical	HIGH
Likely Exploitation	✗	>0.5	High/Medium	HIGH
Standard Risk	✗	<0.5	Low/None	NORMAL

Example: Complete Risk Assessment

{
	"cve": {
		"id": "CVE-2024-0001",
		"cvss": {
			"baseScore": 9.8,
			"baseSeverity": "CRITICAL"
		},
		"kev": {
			"dateAdded": "2024-01-20",
			"knownRansomware": true
		},
		"epss": {
			"score": 0.97234,
			"percentile": 0.99
		},
		"acsc": [
			{
				"priority": "Critical",
				"type": "alert"
			}
		]
	}
}

Analysis:

CVSS: 9.8 (Critical severity)
KEV: Actively exploited, used in ransomware
EPSS: 97% exploitation probability (99th percentile)
ACSC: Critical alert issued

Action: PATCH IMMEDIATELY - Maximum priority

Best Practices

1. Daily KEV Checks

# Check for new KEV entries
curl -H "X-API-Key: your-api-key-here" \
     "https://api.cybersecfeed.com/api/v1/kev?limit=10"

2. Weekly EPSS Reviews

# Review high EPSS scores for your environment
curl -H "X-API-Key: your-api-key-here" \
     "https://api.cybersecfeed.com/api/v1/cves?epss_min=0.7&published_after=2024-01-18"

3. Monitor ACSC Alerts

Monitor CVEs with ACSC data by using the include=acsc parameter in your regular queries:

# Check recent CVEs for ACSC notices
curl -H "X-API-Key: your-api-key-here" \
     "https://api.cybersecfeed.com/api/v1/cves?published_after=2024-01-18&include=acsc&limit=20"

4. Automated Prioritization

Build automated systems that consider all enrichment data:

Query for CVEs affecting your systems
Sort by combined risk factors
Generate patching priorities
Track remediation progress

MITRE ATT&CK (Attack Patterns)

What is MITRE ATT&CK?

MITRE ATT&CK® is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. It provides a common language for describing how attackers operate, helping security teams understand and defend against specific attack patterns.

Why ATT&CK Matters for Vulnerability Management

Adversary Perspective: Understand how attackers exploit vulnerabilities
Defense Prioritization: Focus on vulnerabilities used in common attack chains
Detection Engineering: Build detections for exploitation techniques
Threat Intelligence: Map vulnerabilities to active threat campaigns
Security Posture: Identify gaps in defensive coverage

ATT&CK Data Structure

When a CVE has associated ATT&CK techniques, you'll see this enrichment:

"attack": {
  "techniques": ["T1190", "T1059.007", "T1203", "T1210"]
}

Each technique ID represents a specific attack pattern:

T1190: Exploit Public-Facing Application
T1059.007: Command and Scripting Interpreter: JavaScript
T1203: Exploitation for Client Execution
T1210: Exploitation of Remote Services

Requesting ATT&CK Data

Important: ATT&CK enrichment requires the include=attack parameter:

# Request CVE with ATT&CK technique mappings
curl -H "X-API-Key: your-api-key-here" \
     https://api.cybersecfeed.com/api/v1/cve/CVE-2021-44228?include=attack

Example response with ATT&CK data:

{
  "data": {
    "cve": {
      "id": "CVE-2021-44228",
      "description": "Apache Log4j2 JNDI features do not protect against attacker controlled LDAP...",
      "cvss": {
        "baseScore": 10.0,
        "baseSeverity": "CRITICAL"
      },
      "kev": {
        "dateAdded": "2021-12-10",
        "knownRansomware": true
      },
      "attack": {
        "techniques": ["T1190", "T1059", "T1203", "T1210"]
      }
    }
  }
}

Common ATT&CK Techniques in CVEs

Technique	Name	Common CVE Types
T1190	Exploit Public-Facing Application	Web app vulnerabilities, RCE
T1203	Exploitation for Client Execution	Browser, Office exploits
T1210	Exploitation of Remote Services	Network service vulnerabilities
T1068	Exploitation for Privilege Escalation	Local privilege escalation
T1212	Exploitation for Credential Access	Authentication bypasses
T1211	Exploitation for Defense Evasion	Security tool bypasses

Using ATT&CK for Defense Prioritization

1. Find CVEs with ATT&CK Mappings

# Search for CVEs with ATT&CK technique mappings
curl -H "X-API-Key: your-api-key-here" \
     "https://api.cybersecfeed.com/api/v1/cves?include=attack&limit=20"

2. Combine with Other Risk Factors

# Critical CVEs in KEV with ATT&CK mappings
curl -H "X-API-Key: your-api-key-here" \
     "https://api.cybersecfeed.com/api/v1/cves?severity_min=9.0&kev=true&include=attack&limit=10"

3. Map to Your Security Controls

Use ATT&CK techniques to verify your defensive coverage:

T1190 (Exploit Public-Facing App): Check WAF rules, input validation
T1059 (Command/Scripting): Monitor process creation, script execution
T1203 (Client Execution): Endpoint protection, email security
T1210 (Remote Services): Network segmentation, service hardening

ATT&CK in Your Security Workflow

Risk Assessment Enhancement

Combine ATT&CK with other enrichment data:

{
  "cve": {
    "id": "CVE-2024-0001",
    "cvss": { "baseScore": 9.8 },
    "kev": { "knownRansomware": true },
    "epss": { "score": 0.97234 },
    "attack": { "techniques": ["T1190", "T1059"] }
  }
}

Analysis:

T1190: Internet-facing attack vector → Prioritize perimeter systems
T1059: Code execution capability → Monitor for suspicious processes
KEV + Ransomware: Active exploitation → PATCH IMMEDIATELY

Detection Development

Use technique IDs to build detection rules:

# Example: Detect T1190 exploitation attempts
- rule: Exploit_Public_Facing_App
  condition: 
    - web_request.status_code = 200
    - web_request.payload contains exploit_pattern
    - process.parent = "web_server"
  mitre_attack: ["T1190"]

Best Practices for ATT&CK Enrichment

Regular Reviews: Check CVEs affecting your systems for new technique mappings
Gap Analysis: Identify techniques without adequate defensive coverage
Threat Modeling: Use techniques to understand attack paths
Detection Prioritization: Focus on techniques used by relevant threat actors
Training: Use technique descriptions to educate security teams

ATT&CK Integration Example

Here's how to integrate ATT&CK data into your vulnerability management process:

# Example: Prioritize patching based on ATT&CK techniques
def calculate_risk_score(cve_data):
    score = cve_data['cvss']['baseScore']
    
    # Increase priority for initial access techniques
    if 'attack' in cve_data:
        techniques = cve_data['attack']['techniques']
        if 'T1190' in techniques:  # Public-facing exploitation
            score *= 1.5
        if 'T1068' in techniques:  # Privilege escalation
            score *= 1.3
    
    # Factor in active exploitation
    if 'kev' in cve_data:
        score *= 2.0
    
    return min(score, 10.0)  # Cap at 10

Summary

Effective vulnerability management requires more than CVSS scores. By leveraging KEV, EPSS, ACSC, and ATT&CK data through CyberSecFeed:

KEV: Focus on confirmed threats
EPSS: Predict likely exploitations
ACSC: Stay aware of regional threats
ATT&CK: Understand adversary techniques

This multi-source approach ensures you're patching the right vulnerabilities at the right time, maximizing security while optimizing resources.

Overview​

Controlling Enrichment Data Inclusion​

Default Behavior​

Include ACSC Data​

Include Advanced Enrichment​

Combine Multiple Enrichments​

KEV (Known Exploited Vulnerabilities)​

What is KEV?​

Why KEV Matters​

KEV Data Structure​

Using KEV Data​

EPSS (Exploit Prediction Scoring System)​

What is EPSS?​

Understanding EPSS Scores​

EPSS Data Structure​

Interpreting EPSS Scores​

Using EPSS for Prioritization​

EPSS vs Traditional Scoring​

ACSC (Australian Cyber Security Centre)​

What is ACSC?​

Types of ACSC Notices​

ACSC Data Structure​

Priority Levels​

Using ACSC Data​

Enrichment Framework​

What is the Enrichment Framework?​

Enrichment Data Fields​

Using Attack Vector Filtering​

Exploit Detection Integration​

Combining Enrichment Data​

The Power of Multiple Sources​

Risk Prioritization Matrix​

Example: Complete Risk Assessment​

Best Practices​

1. Daily KEV Checks​

2. Weekly EPSS Reviews​

3. Monitor ACSC Alerts​

4. Automated Prioritization​

MITRE ATT&CK (Attack Patterns)​

What is MITRE ATT&CK?​

Why ATT&CK Matters for Vulnerability Management​

ATT&CK Data Structure​

Requesting ATT&CK Data​

Common ATT&CK Techniques in CVEs​

Using ATT&CK for Defense Prioritization​

1. Find CVEs with ATT&CK Mappings​

2. Combine with Other Risk Factors​

3. Map to Your Security Controls​

ATT&CK in Your Security Workflow​

Risk Assessment Enhancement​

Detection Development​

Best Practices for ATT&CK Enrichment​

ATT&CK Integration Example​

Summary​