
So good morning everyone. My name is [inaudible] and I work as a vulnerability analyst for the Cybersecurity and Infrastructure Security Agency. Yes, I will be putting up the slides in just a second. I will share my screen; in fact, let me do that now and we can just jump right into it.

There we go.

So my talk today is going to be about Stakeholder-Specific Vulnerability Categorization. I'm pretty sure some of you are aware of CVSS, the Common Vulnerability Scoring System. CVSS is a way of scoring vulnerabilities, but I wanted to give some context behind what the US government has been testing for, I want to say, about the past year. This is a joint project; it was created through the US government's relationship with Carnegie Mellon SEI, and this was a scoring system that we were using to give us an idea of how to properly assess risk when it comes to scoring vulnerabilities.

So first off I'm going to give you the bottom line up front. I'm going to talk about CVSS and SSVC. I'm going to talk about SSVC as an introduction to it, how we used it, and one of the key advantages of SSVC, adaptability. I'm going to talk about the testing, I'm going to talk about how we incorporated SSVC into CISA, and I'll also be talking about the results and the impacts that we've seen so far from using SSVC.

So to give you the TL;DR, or the bottom line up front: everyone is aware that CVSS is the current de facto standard for prioritizing vulnerabilities. One of the issues that we have had as analysts within the Disclosure Branch, within Vulnerability Management, is that it needs improvements to better assess vulnerability management and risk posture. What do I mean by that? What I mean is that if I am thrown a CVSS score of a vulnerability of 9.9, then that's an "oh my goodness"; it's what I like to call a Thanos snap event, in that half the universe dies, everybody is in danger. But if that 9.9 is associated with a smart TV that's not connected to my network, that number doesn't really give me any of that context. So as we were looking at scoring, we were looking at ways that we can provide more context to vulnerability scoring so that way we can associate where we need to put our resources.

SSVC was developed by the Software Engineering Institute, SEI, part of which, as you know, is CERT/CC, as part of their CISA-sponsored work plan. With this, it addresses issues with CVSS, a couple of which I've already told you about, and it aims to improve vulnerability management as a process and accounts for diverse stakeholders. Not everybody's network is the same. So we have seen that with SSVC, it allows for stakeholders, for organizations, to have a better handle on where they can put their resources when it comes to vulnerability remediation. SSVC also supports CISA's goals of helping stakeholders make the best cybersecurity decisions. At the end of the day, I can throw numbers at you all day, but you're the one who is in control of your network and you can assess your risk better than I can.

So we have taken SSVC, we've customized it for our Disclosure Branch, for our scoring system, and the testing has been happening since April of 2020, and the results have been pretty much positive. So SSVC is centered around evidence-based decisions, a decision tree, whereas CVSS focuses strictly on technical severity and how bad a vulnerability is. SSVC focuses more on an environment, how your environment is set up and what risk that vulnerability has towards your environment. Again, developed by SEI as part of their CISA-sponsored work plan, but it's currently in the hypothesis stage. We are pushing information out because we want people to think about it, to test it, to see if it works for their own environments. This is not something where the US government is saying that come July everyone in the United States has to use SSVC. That is not our point, that is not what we're trying to get across. The only thing that we're doing right now is that we're showing, hey, we've been trying this out for a year, there are some results to it, you guys could take a look at it and see what you think, give us any feedback as to what you see might be positives or negatives to it, and let's try to put together something that improves the entire vulnerability ecosystem.

We've pushed it out to the ICS community; I know some of you have seen some versions of it already incorporated. The one that I'm going to be showing you now is specifically for IT and how the Disclosure Branch scores things. This is not an intent to try to tell you that everybody should use it this way, which is actually one of the positives of SSVC, because of its adaptability. So the decision tree is what allows for that adaptability.

Previously, Disclosure had a numeric scoring system for how we did things internally, but one of the disadvantages of that was that it was limited to the analyst's interpretation of available information. What that means is that if someone has been in the field for about 20 years, they can assess differently how something should be scored as far as a vulnerability is concerned compared to someone who's been in the business for about five. It's not a sense of one person being right over another, but it allows that sort of context and allows those perspectives to be considered within the decision tree. It also has a reliance on prevalence data; current sources aren't reliable or necessarily accurate. What do we mean by that? It means that it's based off of a yes or no: is there proof of concept available, is it being used, are these devices in your network, how prevalent are they in your network. It takes those decisions and puts them together, and it helps to give you a framework of how you should look at certain vulnerabilities.

So the solutions for SSVC: there's a decision tree, which is the outcomes based on relevant data. As I said, some of it is binary and some of it is just based off of knowledge that you have about your environment. The purpose of the affected product is considered, but it's looped in with prevalence. Again, if I have my smart TV that has a CVSS score of 9.9 and it's sitting on a separate network, completely separated from my internal one, then okay, that's one thing, but if I have that smart TV connected to my Active Directory, I've got some other problems. But it also incorporates that, hey, you need to take a look at the way the decision tree is based. Because of this, exploitation evidence is weighed: whether there's proof of concept, or if there's no proof of concept, or if it's actively being exploited. And the mitigations are also tracked within the decision tree.

So for us, for CISA, we have broken down decisions into three categories; there's a fourth category which I'll get into. The first category is Track, which basically means we take a look at it and we say okay, there's probably something here, but we'll keep an eye on it because it might be something, but for right now we don't need to really put a lot of resources in; you can patch this as you need. Anything that's a little bit above that, it could be like, okay, this doesn't look bad, but one decision could make it really, really terrible, changing it from a "meh" to an "oh my goodness, Thanos just snapped half the universe out of existence". We put that as a Track*. Attend means that the vulnerability requires attention from people outside of vulnerability management. What does that mean? It means that we're taking a look; this is like, okay, this is almost going to be a big deal. What we need to do is we need to let people know, and if something happens then we're already prepared.

I can give you an example of that, of just something that happened yesterday. So our branch scored the recent VMware vulnerability, CVE-2021-21985. We scored that when information was released back on May 25th, and we scored that as an Attend. Part of the reason we scored it as an Attend is that this thing allows for remote code execution. It's really bad, but as of right now there's no proof of concept that's available. So we'll take a look, we'll keep that in an Attend status, and if anything changes then we can push it up to Act. So something actually did change, and it changed it to Act, and what happened is that we received proof of concept and we also received reports that exploitation was likely happening. So when you have proof of concept that is actively being exploited, or we feel it is likely being actively exploited, then it pushes it up to Act. An Act is like all hands on deck, red alert, battle stations; it requires immediate attention, relevant leadership is aware, and that will usually lead to a Current Activity advisory, which is posted on the cisa.gov website. It can also lead to emergency directives that are pushed out, such as what happened with SolarWinds and the Microsoft Exchange vulnerabilities that happened back in March and April.

So our vectors for SSVC are based off of the following: exploitation evidence, virulence, technical impact, mission prevalence, and public well-being. The exploitation evidence, as I said with the VMware, is either none, proof of concept, or active. Virulence is slow or rapid. What it means is that slow is, okay, you just shut off somebody's computer with a BSOD; rapid means, oh, I can make this wormable. Technical impact is partial or total; again, BSOD versus I have complete control over the machine and I can run code as I feel. Mission prevalence is the importance of the software or the hardware to the environment that it's installed in, and public well-being is minimal, material, or irreversible. Irreversible comes with loss of life. Mission prevalence and public well-being intersect for low, medium, and high. So if you have public well-being being high, such as irreversible, that could mean that, as far as taking out a traffic light in a busy intersection, something like that could conceivably lead to loss of life.

So I know this is small, but I'm going to walk this through with you with one example. This is an example of the SSVC tree, and depending on the decisions that you see on the screen, you walk through a tree and you decide: is it slow, is it rapid, is it partial, is it total, is the public well-being low, medium, or high, and depending on the decisions it will lead you to your final destination. Now the good thing about this is that we have based it off of what we see, what our requirements are, but the adaptability of SSVC allows for others to consider other factors within your decision tree. So if you're not really looking at mission well-being, or what you're focused more on, as a vendor, is whether this is something that needs to be patched: do I need to send out a patch immediately, do I need to have my crew work on a patch immediately, or is it something that can be patched within a monthly patching cycle? That's all figured into the SSVC decision tree.

So I'm going to give you an example of CISA's legacy scoring versus SSVC's actual scoring when we did it through the decision tree. So one of the examples, the well-known BlueKeep, CVE-2019-0708: we scored that internally as a 17, or a medium. Our scoring system went up to 25. So at 17 it's like, it's almost there, but we need to keep an eye on it, and that was only because proof of concept hadn't been released at the time that the vulnerability had been remediated. Our score of 17 was based off of the following. Impact, which is similar to how bad it is; prevalence, which is how prevalent it is within the United States government; competency, how easy it is, where the higher number means that it's very easy; exploitability, which is either a one or a five: if it's five, it means it can be done over the network, one means it has to be local; and mitigation, is there a patch: if it was a five, then there'd be no patch or mitigation, and a one means there were patches. There were patches that were released for this.

We ran it through SSVC and the decision tree came up, and exploitation had proof of concept. Now, if that proof of concept became active and someone was actively using that, that would be pushed up to an Act based off of how we see the SSVC tree. Virulence came through as rapid, obviously, because it's wormable. Technical impact is total; you can take down all types of things with it. And mission well-being is high, because Remote Desktop is pretty much used in Microsoft environments.

So to give you a breakdown of how we came to that decision with BlueKeep, here we go. We start with exploitation: is there no exploitation, is there proof of concept, or is the proof of concept active? We saw that there was proof of concept available, but at the time it was just a blue screen of death; it wasn't really doing anything. So we went from there. Virulence: is it slow or is it rapid? It's rapid, because the vulnerability was wormable, so we pushed that over to rapid. The technical impact: is it a partial technical impact, as in it could take a system down, or is it total impact, which means that it could absolutely ruin your day, take down the network with the right information, with the right tools? So we said it was total. And mission well-being: is it low, is it medium, or is it high? We saw that the mission well-being is high because it's prevalent in Microsoft networks. So that led us to an Attend. That is how CISA's version of the SSVC decision tree went through. And to give you an idea, BlueKeep scored lower as a CVSS, so you would think that, okay, it's not really that big of a deal, let's not really take a look at it, and then you walk through the decision tree and say, oh my goodness, we have to take a closer look at this.

So here are some of the results and impacts of SSVC within CISA. Most of the vulnerabilities that we have scored, as far as risk level with the US government, we have scored those as a Track. We've seen that it helps with awareness of products within your network. It gives you an idea of what you have to defend; you don't know what you have to defend against unless you know what you have. So for an example, there's a Microsoft Office RCE, which is a memory corruption vulnerability. Our legacy scoring had it as a high, but when we ran it through SSVC, because of the other factors that were involved, it went through as a Track. But then we have an Oracle WebLogic Server RCE vulnerability. Our legacy score had it as a medium, like, it's not that bad, but when we ran it through SSVC it was definitely rated as an Act.

So our current usage of SSVC is as follows. For Act decisions, the red alert, the Thanos snap, they're escalated to relevant leadership, which means leadership has the information and, more importantly, it has the context behind the information that they need to make the right decisions. Resource allocation is to the most severe vulnerabilities: because the VMware was pushed up to an Act, resources were pushed to get information out to leadership, to create vulnerability notes for leadership, and to get that out to the public because of how severe it was. So in internal and external messaging, as I had mentioned before, if you look on our website we posted something yesterday as a Current Activity. Sometimes you'll find activity alerts; if you look at the Microsoft Exchange vulnerabilities from back in March and April, you'll see activity alerts associated with that, as well as the Pulse Secure vulnerabilities that have been released over the past couple of months. You also see tweets and other mentions within social media.

Analysts also find SSVC to be faster and easier; that's attributed to evidence-based factors. We have new people who have joined our team, and we're able to teach them up on SSVC based off of evidence that is publicly available. Now, we share our information amongst analysts to make sure that we're all seeing things the same way, but for the most part we're all on the same page when it comes to making decisions using the decision tree. And we've also scored over 400 legacy vulnerabilities within the past year. The ease of using SSVC is pretty much incredible, because with our previous system we would score vulnerabilities at like one every 10 or 15 minutes; with SSVC we're able to score vulnerabilities at a rate of like five times that. And the analysts update SSVC decisions when new information is found. So, as I mentioned before, the VMware vulnerability, we associated that as an Attend, but once we found out that there was the likelihood of exploitation, once we had seen Twitter and seen some areas getting hit, then we were able to push that up to an Act, because we could say okay, PoC is active, now we can push it up to an Act, now we can push it to our leadership and make decisions based off of that.

So if you guys want any more information, you can go to cisa.gov, or you can email csd vm underscore disclosure at cisa dot dhs.gov. I'll also leave my email address in the comments if you want to reach out and you have any other questions about this. One thing that I will say is that we are not ready to publicly release this yet as, you know, "this is what the government has done", but what we're trying to do is we're trying to get information out as to this is what we have been doing with testing. We are currently working on a white paper that will explain our findings and give you a better idea of what to look for when we finally come out with SSVC. I'm going to open the next 10 minutes up for questions, so if you guys have any sort of questions, feel free to ask and I will get to the questions within the comments.

Thank you, Aaron, for posting that link to the white paper; that is the original white paper for SSVC that was created.

So, Mirlos: how much of the decision tree would be published or recommended, or does it depend on every environment? It does depend on the environment that you're using. Now, depending on the type of software, the type of hardware, and also depending on the technical severity of the vulnerability, that stuff is also included within the SSVC scoring. So rather than looking at specifics within one particular vulnerability: can it be exploited remotely? Yes, that's part of the decision. Is there active PoC? Yes, that's part of the decision. So even if you do or do not have those devices on your network, some of the decisions that are calculated through SSVC will help to determine what direction you need to go.

Eric: yes, these slides are absolutely available. I will make sure that they're available; you can reach out to me. These slides were actually approved by our External Affairs, so I can definitely share that.

Hitesh: any resources to learn more about SSVC and how to adapt it to insurance companies? That's a good question. So there are resources available. The first thing I would do is I would look at Aaron Steele's link to the white paper for SSVC and how it was created. Now, our purpose might be a little bit different than insurance companies; however, I do believe that the SSVC decision tree filters along the same lines, in that it's somewhat based on your environment and you can modify it to fit your environment the best way. We just want to make sure that we get this information out so that departments, agencies, organizations, leadership, management, analysts, everyone has the kind of context that they need to make better decisions.

Govinder: thanks for the initiative. Oh, thank you. The four levels, which make it more accessible for management: totally agreed. As an analyst, I was one of the ones who was scoring previously with the old scoring system, and I knew how cumbersome it was. I can tell you that the SSVC decision tree is a lot easier, and it really allows us to score more vulnerabilities with more context, whereas the previous one did not, and I had to explain a lot of things during the old system.

Hey Trevor: have you considered incorporating a Transformers story in your future talks? No, but I will say this: I was able to explain the concept of SSVC to my wife earlier this morning using plants. So I was able to explain the decision tree based off of how you would apply it if you were talking about plant diseases.

So, Hurry: I would like to better understand how the scoring system works for SSVC, if you can provide more information on that. Sure, we can provide the slides, or if you want to talk with us one on one, we'd be more than happy to have a discussion with you in the coming weeks if you want a better description of how we have used SSVC. I'm sorry if I'm messing up all of your names. Sorry, I know; just to give you an idea, people mess up my name all the time. Sometimes they call me Cardboard instead of Codwo.

So, thanks for your presentation; I may have missed this at the beginning, but could you describe what led CISA to develop SSVC as an alternative? Sure. CVSS, when we're looking at it, you have a huge number, you have a 9.9 vulnerability, Thanos snap, everything's going bad, but there's no context behind it. When we are scoring vulnerabilities and we're trying to assess the risk of a vulnerability with regards to the US government, it doesn't really give us a lot of context. We were looking for alternate ways for scoring, and that's how we came across SSVC, because SEI came to us and said, hey, we created this alternate scoring system, would you like to check it out? We're like, sure, let's test it out, and we've tested it out for a year and there have been a lot of good things that have come out from it. So, happy to have further discussions with you, either offline or in another form.

And thank you, Govinder; it was a little difficult for a second to explain that in plant format, but thankfully I pulled it off. So does anyone have any other questions? More than happy to. And I want to say, I also want to say, just thank you to all of you for attending. This information doesn't work without an audience, without someone to actually hear it and to even consider it, so I'm grateful that you guys have come in and you've taken the time out to hear this talk, and I will be available for a while after the talk is over if you want to reach out to me on Slack. I will give you my email address, dot dhs.gov, if you want to reach out to me directly.

So, are the plants in Track, Track*, Attend, or Act? It really depends on what affects the plants. So it really depends. The way that I explained it was, let's say you have news of a disease that affects a plant, a tree, a disease that affects the tree, but okay, I don't know what tree it is. Okay, it's a pine tree. We don't have any pine trees. Okay, this is what you need: if you have a pine tree, this is how you spray it. So I was able to explain SSVC in that format.

It is not a Gundam behind me. The Transformers that you see behind me are as follows: that is a Ghostbusters Optimus Prime, that is Starscream, the green thing in the black is Devastator, and the one in front of that is a Dinobot.

So what are the next steps for CISA on the SSVC project? We're currently putting together a white paper. We will release that white paper in the coming months, and that will incorporate a lot of our other works and discoveries when it comes to discovering SSVC. We will make that public. We're also working with other agencies and companies, both with IT and ICS, and just explaining our findings and trying to figure out how we can make things better. At the end of the day, we want a safer ecosystem. I'm pretty sure everyone attending wants the same thing. We want to make things safer for our customers, for our colleagues, for our friends, family, everyone. We want to make things safer, and this is one way that we think that we can get closer to the goal, so that's part of the reason why we are pushing out this SSVC now. Do we think that it's supposed to be a replacement for CVSS? We're not going that far, because we still have to get to the white paper and we still have to do all that. But I will tell you one other thing: we are planning on automating this, so that when you run decisions through SSVC it'll be automated, so that your decisions will come out based off of the information that you've already put in.

And Merlot, thank you very much. Like I said, thank you for attending. I know we're almost at that time, so if you guys have any questions I'll hang around, I'll be around Slack, I'll be in the lobby. Like I said, any other questions, please let me know, and thank you all for attending. Thank you very much.
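To make the walk-through above concrete, here is an added example (my own Python, not CISA's or SEI's code) that models the four decision points the talk describes and the three outcomes it states; every other leaf of the table, and the rapid/total/high values used for the VMware case, are my assumptions for illustration. It goes one step beyond the talk with a consistency check that a customized tree never lowers its outcome when a single decision point gets more severe, which is the kind of sanity check worth running before adopting an adapted tree.

```python
from dataclasses import dataclass, replace
from itertools import product

# Decision-point values as the talk lists them for CISA's tree, ordered from
# least to most severe; outcomes ordered from least to most urgent.
EXPLOITATION = ("none", "poc", "active")
VIRULENCE = ("slow", "rapid")
TECHNICAL_IMPACT = ("partial", "total")
MISSION_WELLBEING = ("low", "medium", "high")
OUTCOMES = ("Track", "Track*", "Attend", "Act")
DECISION_POINTS = (("exploitation", EXPLOITATION), ("virulence", VIRULENCE),
                   ("technical_impact", TECHNICAL_IMPACT),
                   ("mission_wellbeing", MISSION_WELLBEING))

# Leaf table: (exploitation, virulence, technical_impact) -> outcomes for
# mission & well-being = (low, medium, high). Only the leaves marked "talk"
# follow from outcomes stated in the talk (BlueKeep; VMware before and after
# exploitation, assuming rapid/total/high for it). Every other leaf is an
# ASSUMED fill-in for illustration, not CISA's published table.
TREE = {
    ("none",   "slow",  "partial"): ("Track",  "Track",  "Track"),
    ("none",   "slow",  "total"):   ("Track",  "Track",  "Track*"),
    ("none",   "rapid", "partial"): ("Track",  "Track",  "Attend"),
    ("none",   "rapid", "total"):   ("Track",  "Track",  "Attend"),  # talk: VMware, no PoC yet
    ("poc",    "slow",  "partial"): ("Track",  "Track",  "Track*"),
    ("poc",    "slow",  "total"):   ("Track",  "Track*", "Attend"),
    ("poc",    "rapid", "partial"): ("Track",  "Track",  "Attend"),
    ("poc",    "rapid", "total"):   ("Track",  "Track*", "Attend"),  # talk: BlueKeep
    ("active", "slow",  "partial"): ("Track",  "Track",  "Attend"),
    ("active", "slow",  "total"):   ("Track",  "Attend", "Act"),
    ("active", "rapid", "partial"): ("Attend", "Attend", "Act"),
    ("active", "rapid", "total"):   ("Attend", "Act",    "Act"),     # talk: VMware, PoC active
}


@dataclass(frozen=True)
class Evidence:
    exploitation: str
    virulence: str
    technical_impact: str
    mission_wellbeing: str


def decide(ev: Evidence, tree=TREE) -> str:
    """Walk the tree; reject values outside the decision-point vocabularies."""
    for name, allowed in DECISION_POINTS:
        if getattr(ev, name) not in allowed:
            raise ValueError(f"{name}={getattr(ev, name)!r} not in {allowed}")
    row = tree[(ev.exploitation, ev.virulence, ev.technical_impact)]
    return row[MISSION_WELLBEING.index(ev.mission_wellbeing)]


def rescore(ev: Evidence, **new_evidence):
    """Re-walk the tree when an analyst learns something new (a PoC appears,
    exploitation is reported). Returns (updated_evidence, old_outcome, new_outcome)."""
    updated = replace(ev, **new_evidence)
    return updated, decide(ev), decide(updated)


def check_monotone(tree=TREE):
    """Consistency check for a customized tree: stepping any single decision
    point one notch more severe must never lower the outcome. Returns the
    list of (evidence, more_severe_evidence) pairs that violate this."""
    violations = []
    for values in product(EXPLOITATION, VIRULENCE, TECHNICAL_IMPACT, MISSION_WELLBEING):
        ev = Evidence(*values)
        base = OUTCOMES.index(decide(ev, tree))
        for name, allowed in DECISION_POINTS:
            i = allowed.index(getattr(ev, name))
            if i + 1 < len(allowed):
                worse = replace(ev, **{name: allowed[i + 1]})
                if OUTCOMES.index(decide(worse, tree)) < base:
                    violations.append((ev, worse))
    return violations


if __name__ == "__main__":
    bluekeep = Evidence("poc", "rapid", "total", "high")   # CVE-2019-0708 as walked in the talk
    print("BlueKeep:", decide(bluekeep))                   # Attend
    vmware = Evidence("none", "rapid", "total", "high")    # CVE-2021-21985 at first scoring (values assumed)
    _, old, new = rescore(vmware, exploitation="active")   # PoC arrives, exploitation reported
    print("VMware:", old, "->", new)                       # Attend -> Act
    print("tree consistent:", not check_monotone())        # True
```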