NIST 800-53 REV 5 • RISK ASSESSMENT

RA-5(10) Correlate Scanning Information

Correlate the output from vulnerability scanning tools to determine the presence of multi-vulnerability and multi-hop attack vectors.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

No related controls listed

Supplemental Guidance

An attack vector is a path or means by which an adversary can gain access to a system in order to deliver malicious code or exfiltrate information. Organizations can use attack trees to show how hostile activities by adversaries interact and combine to produce adverse impacts or negative consequences to systems and organizations. Such information, together with correlated data from vulnerability scanning tools, can provide greater clarity regarding multi-vulnerability and multi-hop attack vectors. The correlation of vulnerability scanning information is especially important when organizations are transitioning from older technologies to newer technologies (e.g., transitioning from IPv4 to IPv6 network protocols). During such transitions, some system components may inadvertently be unmanaged and create opportunities for adversary exploitation.

Practitioner Notes

Correlating scan results from different scanners and data sources gives you a more complete picture of your vulnerabilities. One scanner might find something another misses, and combining data helps prioritize remediation.

Example 1: Feed vulnerability scan results from multiple tools (Nessus, Qualys, Defender) into a single platform for correlation. Compare findings to eliminate duplicates, identify discrepancies between scanners, and build a unified view of your vulnerability posture.

Example 2: In Microsoft Sentinel, create a workbook that ingests data from your vulnerability scanner, endpoint detection tool, and cloud security posture management. Correlate a system's vulnerability data with its exposure (internet-facing? high-privilege users?) and active threat detections to prioritize remediation on the systems with the highest combined risk.
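The control statement and Example 1 both come down to the same correlation step, shown here as an added sketch that is not part of the original guidance or of any scanner's API: merge findings from several scanners, flag single-source findings, and chain vulnerable hosts along network reachability to surface multi-hop paths. The host names, vulnerability IDs, and reachability map are constructed placeholders.

```python
from collections import defaultdict, deque

# Constructed sample findings: (scanner, host, vulnerability id). IDs are placeholders.
FINDINGS = [
    ("nessus", "web01", "VULN-A"),
    ("qualys", "web01", "VULN-A"),    # duplicate of the Nessus finding
    ("qualys", "app01", "VULN-B"),    # reported by one scanner only
    ("defender", "db01", "VULN-C"),
    ("nessus", "db01", "VULN-C"),
    ("nessus", "files01", "VULN-D"),  # vulnerable, but not reachable from the entry point
]
# Constructed reachability map (source -> hosts it can connect to), assumed to come
# from firewall rules or flow data.
REACHABLE = {"internet": ["web01"], "web01": ["app01"], "app01": ["db01"]}


def correlate(findings):
    """Merge duplicates into {(host, vuln): set of scanners that reported it}."""
    merged = defaultdict(set)
    for scanner, host, vuln in findings:
        merged[(host, vuln)].add(scanner)
    return dict(merged)


def discrepancies(merged):
    """Findings seen by exactly one scanner: check coverage gaps or false positives."""
    return sorted(key for key, seen in merged.items() if len(seen) == 1)


def multi_hop_paths(merged, reachable, entry="internet"):
    """Chains of two or more vulnerable hosts reachable hop by hop from entry."""
    vulnerable = defaultdict(list)
    for host, vuln in sorted(merged):
        vulnerable[host].append(vuln)
    paths, queue = [], deque([[entry]])
    while queue:
        path = queue.popleft()
        for nxt in reachable.get(path[-1], []):
            if nxt in vulnerable and nxt not in path:  # skip clean hosts and loops
                new = path + [nxt]
                queue.append(new)
                if len(new) > 2:  # entry plus at least two vulnerable hosts
                    paths.append([(h, vulnerable[h]) for h in new[1:]])
    return paths


if __name__ == "__main__":
    merged = correlate(FINDINGS)
    print("single-source findings:", discrepancies(merged))
    for chain in multi_hop_paths(merged, REACHABLE):
        print("multi-hop path:", " -> ".join(f"{h}{v}" for h, v in chain))
```

Findings on hosts that appear in a chain are candidates for earlier remediation than their individual severity alone would suggest, since fixing any one hop breaks the path.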