Much has been said about vulnerability prioritization by different cybersecurity vendors, but the absence of a standard guide from an authoritative source had left much to be desired. Well that wait of now over, Cybersecurity and Infrastructure Security Agency (CISA) recently published the CISA Stakeholder-Specific Vulnerability Categorization (SSVC) guide. It is basically a customized decision tree model that assists in prioritizing vulnerability response for United States Government (USG), as well as state, local, tribal and territorial (SLTT) governments and critical infrastructure entities. CISA has already been using SSVC to help prioritize its vulnerability response and vulnerability messaging to public.
We will take a detailed look at CISA SSVC guide in this blog article.
CISA SSVC decision tree model helps prioritize vulnerabilities into 4 possible decision outcomes:
- Track – the vulnerability does not require action at this time.
- Track* – the vulnerability contains specific characteristics that may require closer monitoring for changes.
- Attend – the vulnerability requires attention from the organization’s internal, supervisory-level individuals.
- Act – the vulnerability requires attention from the organization’s internal, supervisory-level and leadership-level individuals.
CISA SSVC uses the following decision points and associated values for making vulnerability scoring decisions:
- (State of) Exploitation – This measure determines the present state of exploitation of the vulnerability. Note it does not predict future exploitation or measure feasibility or ease of adversary development of future exploit code. Possible values – None, Public PoC, Active.
- Technical Impact – This is similar to the Common Vulnerability Scoring System (CVSS) base score’s concept of “severity”. Possible values – Partial, Total.
- Automatable – Automatable represents the ease and speed with which a cyber threat actor can cause exploitation events. Several factors influence whether an actor can rapidly cause many exploitation events. For example – attack complexity, specific code that an actor would need to write or configure themselves, etc. Possible values – No, Yes.
- Mission Prevalence – This measures the impact of the vulnerability on Mission Essential Functions (MEFs) where a MEF is a function “directly related to accomplishing the organization’s mission as set forth in its statutory or executive charter”. Possible values: Minimal, Support, Essential.
- Public Well-Being Impact – This measures the impacts of affected system compromise on humans. SVCC embraces the Centers for Disease Control (CDC) expansive definition of well-being, one that compromises physical, social, emotional and psychological health. Possible values: Minimal, Material, Irreversible.
- Mitigation Status – This measures the degree of difficulty to mitigate the vulnerability in a timely manner. There are 3 factors to consider: availability, difficulty and type. Possible values: Available, Unavailable, Low, High, Fix and Workaround.
ThreatWorx Attenu8 engine automatically prioritizes vulnerabilities and their impacts on organizational systems. Attenu8 already uses all of the decision points used in SSVC (except for Public Well-Being Impact) as below:
- Exploitation Status – Attenu8 gather exploitation status from well known sources (like CISA Key Exploited Vulnerabilities (KEV), indicators from dark web, etc.). Also Attenu8 leverages its AI/ML models to predict likelihood of exploit for emerging vulnerabilities.
- Technical Impact – Attenu8 folds in the CVSS score while arriving at prioritization score. In the absence of CVSS score from NVD, Attenu8 uses proprietary AI / ML models to accurately predict the CVSS vector to arrive at the CVSS score. Also, Attenu8 can effectively predict the security weakness i.e. Common Weakness Enumeration (CWE).
- Automatable – Attenu8 gets these signals from threats reports to determine malware leveraging specific vulnerabilities.
- Mission Prevalence – ThreatWorx allows customers to specify mission / business criticality of the organization systems to ensure uniform prioritization across the board.
- Mitigation Status – Attenu8 considers remediation aspects like availability of patch, workaround or remediation. ThreatWorx provides a recommendation which includes details about specific patch to be applied (along with patch link or number).
In addition to the above factors, Attenu8 also tracks “Social Temperature” of the vulnerability across different social platforms (like twitter, etc.)
Based on the above factors, Attenu8 assigns a risk score to each vulnerability and its impact on organizational systems. The risk score assigned to each vulnerability aids in determining its relevance from tracking perspective. Vulnerability impacts are categorized as “Do Now” i.e. immediate priority versus “Do Later” using the risk score. This makes it really convenient for customers to tackle the important issues on priority.
Without blowing our trumpet, I would like to highlight that ThreatWorx Attenu8 has been using these factors for prioritization for a while now, even before CISA SSVC guide was released. It is certainly reassuring to know that we have been on the right path for vulnerability prioritization all along.
For more details on ThreatWorx Attenu8, please write to us at firstname.lastname@example.org