The Complete Guide to Lunar’s Risk Scoring System
This topic was recently the focus of an in-depth webinar hosted by Webz.io. For the complete details, watch the recording. This blog is a summary of the findings presented during the webinar.
Security teams are inundated with an overwhelming volume of alerts, making it challenging to prioritize and respond effectively. This overload often results in delayed incident response times and potential security breaches, a phenomenon known as alert fatigue. While risk scoring is intended to alleviate this burden by assigning numerical values to threats based on their severity, many organizations struggle to trust these scores due to a lack of transparency about how they are calculated.
Without understanding the criteria and context behind a risk score, security teams may hesitate to rely on it fully, undermining its effectiveness. To build trust, cybersecurity tools must not only provide risk scores but also explain the methodology and context that drive these assessments. When teams are equipped with both transparent risk metrics and rich contextual information, they can make informed decisions, streamline their workflows, and reduce alert fatigue with confidence.
Understanding risk scores
In today’s complex threat landscape, security teams are inundated with a constant stream of alerts. An Orca Security report states that the majority of its survey respondents – cybersecurity professionals – receive more than 500 cloud security alerts per day. To effectively prioritize and respond to the threats they are alerted to, security teams must clearly understand the potential impact of each one, so tools assign a risk score to each alert. Risk scoring is a powerful technique that assigns numerical values to threats based on various factors, such as severity, urgency, and likelihood. By quantifying risk, security teams can make informed decisions, allocate resources efficiently, and focus on the most critical threats.
Key factors influencing risk scores
A good dark web monitoring platform shows you how to interact with your alerts by making sure you understand the values behind the risk score. Lunar’s team bases each risk score on the following information:
- Content
  - What does the post, message or document say?
- Source
  - Where was it published?
  - How reliable is the source itself?
  - How dangerous is this source?
- Threat actor behind the post
  - What is the reputation of the threat actor who published the post on the dark web?
Lunar’s Approach to risk scoring
The risk scoring system in Lunar, our dark web monitoring platform, is designed to help security teams prioritize threats and make informed decisions. The cyber product team worked closely with our threat intelligence analysts and Lunar’s users to analyze a vast amount of data about threats and threat actors from the deep and dark web. The end result – risk scores that are not only data-driven but also aligned with the real-world needs and challenges of those managing cybersecurity tasks every day.
Threat type: stealer logs
Stealer logs, generated by infostealer malware, pose a significant threat to organizations. These malicious files, often traded on dark web marketplaces, contain sensitive information such as login credentials, cookies, and credit card details. Each stealer log represents an infected device.
Lunar automatically analyzes the specific subdomains listed in each stealer log to determine what level of access the compromised account has. If the infected device belongs to someone with high-level access, like an admin, it poses a more serious threat.
First example
In the example above, the staging prefix suggests the file is associated with an employee who works as a developer and does not have broad privileges across other server networks.
Second example
In the example above, the RDP prefix tells us that the domain is associated with a remote login. RDP access often gives the user access to the internal network.
Not all stealer logs indicate the same level of imminent danger to an organization. When compromised devices belong to employees with high-level access, the risk to the organization is even greater. The chart below compares the risk of different stealer logs that were found on Russian Market, an infamous dark web marketplace.
| | Cyber risk score | Explanation of cyber risk score |
|---|---|---|
| First example | 7 (high) | Indicates high risk but not critical, since the infected device belongs to an employee with limited access to the network. |
| Second example | 10 (critical) | Indicates critical risk. Immediate action should be taken, since the infected device has direct access to the internal network. |
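The subdomain analysis described above, written out as an added example (this is illustrative code, not Lunar’s own implementation): it pulls the organization’s hostnames out of raw stealer-log text, maps the left-most label of each hostname to an assumed access level, and takes the highest level found as the log’s score. Only the `staging` → 7 and `rdp` → 10 pairings come from the post; the other prefixes, the default score for unrecognized services, the sample log lines and the `example.com` domain are constructed for illustration.

```python
"""Illustrative stealer-log triage by hostname prefix (assumed logic, not Lunar's)."""
import re
from dataclasses import dataclass

# Hostname prefix -> (description, risk score). "staging" and "rdp" follow the
# post's two examples; the remaining entries are assumptions for illustration.
ACCESS_LEVELS = {
    "rdp": ("remote login / internal network", 10),
    "vpn": ("remote login / internal network", 10),
    "admin": ("administrative interface", 9),
    "staging": ("developer scope, limited privileges", 7),
    "dev": ("developer scope, limited privileges", 7),
}
DEFAULT_LEVEL = ("unrecognized service", 6)  # assumed floor for any org host


@dataclass
class StealerLogAssessment:
    hostnames: list[str]
    score: int          # 0 when the log names none of the org's hosts
    reasons: list[str]


def classify_host(hostname: str) -> tuple[str, int]:
    """Map the left-most DNS label (e.g. "rdp" in rdp-01.example.com) to an access level."""
    label = hostname.lower().split(".")[0]
    for prefix, level in ACCESS_LEVELS.items():
        if label == prefix or label.startswith(prefix + "-"):
            return level
    return DEFAULT_LEVEL


def extract_hostnames(log_text: str, org_domain: str) -> list[str]:
    """Return the distinct subdomains of org_domain found anywhere in the log text."""
    pattern = re.compile(
        r"\b([a-z0-9-]+(?:\.[a-z0-9-]+)*\." + re.escape(org_domain) + r")\b", re.I
    )
    return sorted({m.lower() for m in pattern.findall(log_text)})


def assess_stealer_log(log_text: str, org_domain: str) -> StealerLogAssessment:
    """Score a stealer log by the most privileged org host it references."""
    hosts = extract_hostnames(log_text, org_domain)
    if not hosts:
        return StealerLogAssessment([], 0, ["no hosts under the monitored domain"])
    score, reasons = 0, []
    for host in hosts:
        description, level = classify_host(host)
        reasons.append(f"{host}: {description} -> {level}")
        score = max(score, level)  # one privileged host is enough to raise the whole log
    return StealerLogAssessment(hosts, score, reasons)


# Constructed sample logs, modelled on the URL/USER/PASS triples stealer logs carry.
SAMPLE_LOG_STAGING = """
URL: https://staging.example.com/login
USER: dev.jane
PASS: <redacted>
URL: https://mail.example.com/owa
USER: jane@example.com
PASS: <redacted>
"""
SAMPLE_LOG_RDP = """
URL: https://rdp.example.com/RDWeb
USER: jsmith
PASS: <redacted>
"""

if __name__ == "__main__":
    for name, log in (("staging", SAMPLE_LOG_STAGING), ("rdp", SAMPLE_LOG_RDP)):
        result = assess_stealer_log(log, "example.com")
        print(name, result.score, result.reasons)
```

The `max` across hosts mirrors the post’s point that a single high-privilege host (an RDP gateway, a VPN portal) makes the whole infected device a critical finding, regardless of how many low-value services the same log lists.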
Actionable insight
To mitigate this risk, security teams must actively monitor the dark web for stealer logs containing PII of their employees. By analyzing the data within these logs, security teams can identify compromised devices, alert affected users, and take steps to secure their accounts.
Once the infected device is identified, the team must immediately isolate the infected device by disconnecting it from the network. This prevents the malware from spreading across the network. Then, the team should remove the info stealer malware from the device and reset all of the credentials used on the device.
Threat type: ransomware
Ransomware continues to be a significant threat to organizations worldwide. Cybercriminal groups leverage the dark web to target vulnerable systems, demand ransom payments, and publicly shame victims by leaking sensitive data. If you find your domain or subdomain on a ransomware site it means that your network has already been breached. Lunar gives the highest risk score to posts found on a ransomware blog.
Cyber risk score: 10 (critical)
Explanation of cyber risk score
Indicates a confirmed attack on the business.
Actionable insight
By setting up alerts for specific domains and subdomains, organizations can receive immediate notifications when their assets are mentioned on ransomware sites, indicating a confirmed attack. This early warning system enables rapid response and mitigation efforts, minimizing the impact of the breach. Lunar’s risk scoring system further enhances threat prioritization by assigning high-risk scores to posts that directly impact the organization.
Threat type: vulnerabilities
Zero-day vulnerabilities pose a significant threat to organizations, as they can be exploited by attackers before the software supplier patches the vulnerability. Threat actors buy and sell exploits and discuss how to take advantage of zero-day vulnerabilities on the dark web. It is very important to monitor discussions of zero-days in order to prepare countermeasures before these vulnerabilities are widely exploited. By monitoring dark web forums and marketplaces, security teams can proactively identify zero-day threats that are relevant to their network and take steps to mitigate the risk.
Not all vulnerabilities are zero-days; many are publicly disclosed CVEs with easily accessible exploit kits shared on the dark web. Threat actors can use exploit kits to infiltrate systems that haven’t been patched yet.
When assessing the risk of each vulnerability, we take the Common Vulnerability Scoring System (CVSS) into account. Using CVSS, software vulnerabilities can be classified and scored according to their characteristics and severity. CVSS consists of four metric groups: Base, Threat, Environmental, and Supplemental.
Actionable insight
It’s important to also monitor the dark web for CVEs and make sure that all of your company’s systems are up-to-date.
Ways to save time by improving your search on Lunar, or another dark web monitoring platform:
- Using keywords like “poc” or “exploit”
- Filtering by risk score in order to focus on the most important results
- Setting alerts based on specific search keys and criteria in order to receive notifications
The example below shows a general search on the dark web for CVEs, without using our guidelines for homing in on the most critical results. As a result, each post has a different risk score.
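As an added example covering both the ransomware-site alerting described earlier and the CVE search tips above, the following rules run over a small constructed feed of dark-web posts (this is illustrative code, not Lunar’s own alerting logic). A post on a ransomware blog that names a monitored domain or any of its subdomains is raised as a confirmed-breach alert; a post that mentions a CVE from the organization’s watch list is raised only when the platform-supplied risk score clears a threshold or the post carries a “poc”/“exploit” keyword. The post texts, the risk scores attached to them, the `example.com` asset and the `CVE-0000-000x` identifiers are all constructed placeholders, not real data.

```python
"""Illustrative alert rules over dark-web posts (assumed logic, not Lunar's)."""
import re
from dataclasses import dataclass

CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.I)
EXPLOIT_KEYWORD_RE = re.compile(r"\b(?:poc|exploits?)\b", re.I)  # keywords from the post


@dataclass
class Post:
    source: str       # e.g. "ransomware_blog", "forum", "marketplace"
    text: str
    risk_score: int   # score as delivered by the monitoring platform (constructed here)


@dataclass
class Alert:
    rule: str
    post: Post
    detail: str


def monitored_assets_mentioned(text: str, assets: list[str]) -> list[str]:
    """Return the monitored domains that appear in text, directly or as a parent of a subdomain."""
    hits = []
    for asset in assets:
        # vpn.example.com matches asset example.com; notexample.com does not
        pattern = r"(?<![\w-])(?:[\w-]+\.)*" + re.escape(asset.lower()) + r"(?![\w-])"
        if re.search(pattern, text.lower()):
            hits.append(asset)
    return hits


def evaluate(posts: list[Post], assets: list[str], watched_cves: list[str],
             min_score: int) -> list[Alert]:
    """Apply the two alert rules and return the alerts in feed order."""
    watched = {c.upper() for c in watched_cves}
    alerts = []
    for post in posts:
        # Rule 1: a ransomware blog naming an asset means the network is already breached.
        if post.source == "ransomware_blog":
            hits = monitored_assets_mentioned(post.text, assets)
            if hits:
                alerts.append(Alert("ransomware_victim_listing", post,
                                    f"assets named: {hits}; treat as confirmed attack (score 10)"))
                continue
        # Rule 2: a watched CVE, filtered by risk score unless exploit chatter is present.
        relevant = {c.upper() for c in CVE_RE.findall(post.text)} & watched
        if relevant:
            exploit_chatter = bool(EXPLOIT_KEYWORD_RE.search(post.text))
            if post.risk_score >= min_score or exploit_chatter:
                alerts.append(Alert("cve_in_inventory", post,
                                    f"{sorted(relevant)} score={post.risk_score} "
                                    f"exploit_keywords={exploit_chatter}"))
    return alerts


# Constructed feed; CVE ids are placeholders, not real vulnerabilities.
POSTS = [
    Post("ransomware_blog", "New victim: example.com - data will be published in 72h", 10),
    Post("forum", "Anyone have a working PoC for CVE-0000-0001? Paying well.", 8),
    Post("forum", "Reading the CVE-0000-0002 patch notes, nothing interesting.", 4),
    Post("marketplace", "Selling access to an unrelated company", 6),
]
WATCHED_CVES = ["CVE-0000-0001", "CVE-0000-0002"]  # placeholder watch list
ASSETS = ["example.com"]

if __name__ == "__main__":
    for alert in evaluate(POSTS, ASSETS, WATCHED_CVES, min_score=7):
        print(alert.rule, "|", alert.post.source, "|", alert.detail)
```

Raising `min_score` trims the CVE feed to the posts worth an analyst’s time, which is the page’s point about filtering by risk score; the exploit-keyword override keeps a low-scored post visible when its content, not just its score, signals that the vulnerability is being weaponized.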
How do you know you can trust the risk scores on your dark web monitoring platform?
- Is the scoring process open and well-documented?
- Does the score take into account specific details about your environment, such as asset value, geographic factors, or industry-specific threats?
- Can users provide feedback on the risk scores?
Combating alert fatigue with customizable alerts
For situations like CVEs and stealer logs where you can find results on the dark web with different levels of immediate risk, it is important to be able to customize the alerts you set on your dark web monitoring tool.
Want to streamline your security operations and reduce alert fatigue? Lunar’s risk scoring system can help. Learn how by chatting with one of our experts today.