SSVC is a system that helps to analyze vulnerabilities to make decisions that prevent security incidents and contain their consequences

The BBC, British Airways, the US Department of Energy, PwC, and Shell are some organizations affected by successfully exploiting a vulnerability in the MoveIt file transfer software. These companies and public administrations have dealt with data breaches and the theft of confidential customer and employee information. This massive attack highlights the importance of detecting, analyzing, and mitigating IT vulnerabilities in the companies’ infrastructure.

To help them in this complex task, companies, public institutions, and cybersecurity companies have indicators such as CVSS, EPSS, or SSVC at their disposal. The last system, created by the Cybersecurity & Infrastructure Security Agency of the United States (CISA) in collaboration with Carnegie Mellon University, one of the world’s top universities in the field of engineering, aims to facilitate decision-making on vulnerabilities. In such a way that organizations can determine when to:

• Track a vulnerability.
• Monitor it closely.
• Pay attention, involving internal staff, enlisting the help of specialists, and proceeding to mitigate it before standard update deadlines.
• Act to remediate the vulnerability as soon as possible.

In this article, we will explore the keys to the SSVC system to unravel why it can help make decisions regarding vulnerability management in IT infrastructures.

1. SSVC, qualitative data to manage IT vulnerabilities

Let’s start at the beginning. What does SSVC stand for? Stakeholder-Specific Vulnerability Categorization. The concept gives us a glimpse of a fundamental characteristic of SSVC: its objective is to assess vulnerabilities by focusing on how their successful exploitation can impact a company or a specific public administration to prioritize the mitigation of the different exposures.

Behind the acronym SSVC also hides a pivotal concept to understand this tool: stakeholders.

SSVC highlights three significant stakeholders: vendors who develop the patches, companies that acquire the software and must apply the security patches to protect their IT infrastructure, and coordinators of remediation actions. Depending on the software supply chain position, the same company can be either a supplier or an implementer. And even if an organization uses its software, both profiles coexist within the same company.

Furthermore, according to CISA, the SSVC system for analyzing IT vulnerabilities is based on three fundamental pillars:

1. The state of exploitation of a vulnerability.
2. The security impact of a successful exploitation.
3. The prevalence of the affected IT asset in a given enterprise system.

These three pillars will be translated into decision points that allow us to determine how each vulnerability is managed at a given time.

Just as the Forum of Incident Response and Security Teams (FIRST) has developed calculators to help companies use their CVSS and EPSS indicators, CISA has created a calculator that allows companies and public administrations to make a series of decisions to elucidate how to manage the vulnerability: tracking it, monitoring it, paying attention to it and requesting assistance or acting as quickly as possible.

2. Decision points that mark the decision-making process

While in CVSS, it is necessary to stipulate a value for each vector that makes up the indicator metrics, in the case of SSVC, a value must be chosen for each of the four nodes of the decision-making tree. The value selected at each decision point serves to configure the branch of the SSVC tree or vector, the graphical representation of all the matters set throughout the process. The ultimate goal is to help an organization decide how to act on a vulnerability in its IT infrastructure.

2.1. Exploitation

The first decision point of SSVC is the current exploitation status of the vulnerability being analyzed. Unlike the EPSS indicator, SSVC does not predict the probability of exploitation of the vulnerability in the short term but merely analyzes the information available on the exploitability of malicious actors. To do so, the organization must use public information sources, such as the National Vulnerability Database (NVD) and Threat Intelligence services, to detect the actual exploitation of the vulnerability.

At this SSVC decision point, organizations must choose between three values:

1. None. There is no evidence that exploitation of the vulnerability has occurred, nor of a public proof of concept to exploit the vulnerability.
2. Proof of concept. To choose this value, one of the following criteria must be met:
   • Private proofs of exploitation have been detected, which have yet to be shared publicly.
   • There are rumors in the cybersecurity community about the exploitation of this vulnerability.
   • Proofs of concept have been found in spaces such as Metasploit.
   • The methodology for exploiting the vulnerability is known.
3. Active. Reliable evidence of exploitation of the vulnerability by hostile actors has been collected and is publicly reported.

2.2. Automatable

This decision point of the SSVC tree seeks to answer a highly relevant question: Can a hostile actor successfully automate the implementation of cyberattacks to exploit this vulnerability?

The organization that is using SSVC to make IT vulnerability management decisions should answer this question and select the following:

• No. When the first four steps of the Cyber Kill Chain (reconnaissance, preparation, distribution, and exploitation) cannot be automated to exploit the vulnerability. Among the possible reasons, SSVC includes the existence of barriers in the system to be attacked, such as network security configurations that block delivery or the use of exploit prevention techniques.
• Yes, when the first four stages of the Cyber Kill Chain can be successfully automated. SSVC indicates that this can happen when the vulnerability allows remote code execution or command injection.

How do you determine if automating the exploit is feasible? The cybersecurity analyst performing the vulnerability assessment using SSVC must carefully analyze the first four stages of the Cyber Kill Chain to track viable attack paths in the scenario being explored and with the information available on the vulnerability and exploitation status.

2.3. Technical impact

The SSVC guide equates this decision point with the base metrics of CVSS since both pivot around the severity of exploitation of a vulnerability. In the case of SSVC, the objective is to elucidate the extent of exploitation. Or, in other words, the level of control over the system acquired by the hostile actor who successfully exploits the vulnerability being assessed.

As in the previous decision point, the cybersecurity analyst must choose between two values:

• Partial. Exploitation gives the attacker limited control or information about the behavior of the vulnerable software. In addition, the hostile actor has a meager chance of gaining complete software control. An example of limited control over the behavior of a component with a vulnerability is a denial-of-service attack.
• Total. By exploiting the vulnerability, the hostile actor can gain full control over the behavior of the software or access all information on the system where the exposure is present.

2.4. Mission and public welfare

Although it may seem a truism, at the last decision point, there are two decisions to be made that will lead to the final decision.

2.4.1. prevalence of the mission

First, it is necessary to analyze what SSVC calls mission prevalence. That is, whether the vulnerability affects a critical component for business continuity or fulfilling essential missions such as protecting critical infrastructure.

In terms of mission prevalence, security analysts can decide between three values:

• Minimal. The component affected by the vulnerability is not essential to a mission.
• Support. The component only supports essential missions.
• Essential. The component directly provides capabilities that constitute at least one critical mission. A failure in this component can lead to mission failure. For example, it is ensuring business continuity.

2.4.2. Public Welfare

Second, it is necessary to determine how exploitation of the vulnerability may affect people. In this case, the values to choose are:

• Minimal. The effects of a security incident are minor at the level of physical, environmental, financial, and psychological damage.
• Material. When some relevant damage is caused in the areas mentioned above.
• Irreversible. Severe damage may occur, such as fatalities, threats to public health, environmental damage leading to the collapse of an ecosystem, or destabilization of elections and financial systems.

The values of these two decisions are accumulated to make the last decision and choose between three values:

• Low. When the impact on welfare and mission prevalence is minimal.
• Medium. When the component affected by the vulnerability supports an essential mission, the impact of exploitation can be rated as material.
• High. The component is essential to mission prevalence, and/or the impact on public welfare is irreversible.

3. The 36 branches of the SSVC tree to avoid getting lost in the forest of decisions

The decision points function as nodes of the SSVC tree, giving way to its branching. In its version 2, the SSVC tree comprises 36 branches. That is 36 different scenarios that are configured as decisions are made. At the end of each of the branches is the action to be taken to manage the vulnerability, which, as mentioned above, can be of four types, ranging from mere tracing to the need to act immediately to mitigate the vulnerability in the shortest possible time.

3.1. Is it necessary to update immediately?

SSVC version 2, released at the end of 2022, includes four colors to visualize the level of danger of a vulnerability for a particular company or public administration:

• Green – Track. Up to 18 branches of the SSVC tree conclude in this action. 15 of these branches arise from the assessment that the exploit is either not automatable or proof of concept exists. Still, no evidence has yet been collected that attacks capable of automating the first four phases of the Cyber Kill Chain have been launched.
• Yellow – Monitor closely. This action is recommended for four branches of the SSVC tree or vectors.
• Orange – Attend. For 10 of the 36 SSVC decision-making scenarios, it is recommended to address the vulnerability, involving internal personnel and requesting external assistance if necessary.
• Red – Act immediately. In only four scenarios, acting as quickly as possible is recommended. How do you arrive at this final decision? After finding out that the exploitation of the vulnerability can be automated and has a high technical impact that affects essential operations of the company or the welfare of people, the technical implications are only partial. Still, the consequences for the organization and public interest are high.

If the organization is an IT provider, if immediate action is recommended, it should develop a patch in the shortest possible time to mitigate the vulnerability. If the recommendation is orange, it must accelerate the usual update rates. On the other hand, if a company or institution uses third-party software, if the assessment recommends immediate action, it must immediately apply the patch that mitigates the vulnerability.

4. Assessing the difficulty of mitigating a vulnerability

Beyond the decision points that mark the evolution of the SSVC decision tree, the guide developed by CISA focuses on another aspect to be taken into account: vulnerability mitigation status.

CISA points out that the difficulty of mitigating a vulnerability should not be an element to be taken into account when making decisions to manage it. Still, it is essential to assess this issue, as it will directly influence the organization’s ability to act.

Three factors are therefore considered to assess the level of difficulty involved in mitigating a vulnerability:

1. Availability. Is the patch or way to mitigate the vulnerability publicly available or not?
2. Difficulty of changing the system. Does the system have an integrated update process, and does the mitigation not involve disrupting the normal function of the vulnerable component? If so, the difficulty will be low. If, on the other hand, any of these conditions are met, the difficulty will be high:
   • a. The system does not have an integrated update process.
   • b. Applying mitigation will lead to downtime of the vulnerable component.
   • c. After mitigation, the functionality of the system will be reduced.
   • d. The regulatory environment may prevent mitigation.
3. Type of mitigation: Is the comfort an official patch that remediates the vulnerability? Or, instead, does it only serve to prevent exploitation without patching the vulnerability itself, or does it consist of reconfiguring the vulnerable component?

5. SSVC, CVSS, and EPSS: Global standards for assessing and acting on IT vulnerabilities

SSVC is not the definitive system for categorizing vulnerabilities but a tool for cybersecurity analysts, companies, and public administrations. Researchers at Carnegie Mellon University’s Software Engineering Institute argue in an article focused on presenting SSVC version 2 that this system aims to complement the CVSS indicator, a global standard in IT vulnerability assessment.

While CVSS focuses on measuring the technical severity of a vulnerability, SSVC seeks to dissect the decision-making process to optimize it and manage exposures successfully. This translates into the fact that in CVSS, the environment and threat metrics are the only options, so the CVSS score can be obtained by completing only the base metrics. In contrast, in SSVC, the environment and the current state of the threat are an intrinsic part of the decision-making process.

However, it should be noted that CVSS v4, which has just been made public, emphasizes the need for organizations to use the environment and threat metrics when using the standard to measure the severity of a vulnerability.

On the other hand, the use of CVSS can also be combined with the management of another indicator developed by FIRST, EPSS, focused on assessing the probability of exploitation of a vulnerability in the next 30 days. Just as CVSS can be very useful for determining the technical impact of an exposure, EPSS facilitates the assessment of its exploitation status.

Thus, both CVSS and EPSS can enrich decision-making through the SSCV tree.

6. IT vulnerability management is a must for today’s enterprises

The existence of methodologies such as SSVC is evidence of the relevance that IT vulnerability management services have acquired today. So much so that managing vulnerabilities affecting corporate infrastructures has become essential to any company’s defensive layers.

After all, almost 15,000 new vulnerabilities have been discovered so far this year. However, not all of them have the same level of severity, nor does their potential exploitation affect all companies or administrations in the same way. Therefore, they must manage technical, economic, and human resources efficiently and prioritize mitigating the vulnerabilities that can most affect each organization and its business model.

The vulnerability management service must continuously monitor the technological infrastructure’s security status, prioritizing mitigation tasks and drawing up action plans to minimize a company’s exposure to threats.

6.1. From discovery to verification

Tarlogic’s cybersecurity professionals undertake all phases of vulnerability management:

• Active discovery of vulnerabilities affecting the company’s IT assets by continuously monitoring and gathering information on emerging vulnerabilities.
• Analysis of vulnerabilities using a proprietary methodology results from over a decade of experience. In this phase, indicators such as SSVC, CVSS, or EPSS are used to optimize and standardize the vulnerability assessment.
• Reporting. Reports are prepared with the analysis results, proposing prioritizing mitigation measures for the vulnerabilities detected.
• Remediation. The necessary actions are implemented to mitigate the vulnerabilities.
• Verification. Verification that the mitigation has been carried out successfully.

In short, vulnerability management is a central activity within the security strategy of any company in the digital era. That is why global reference organizations such as FIRST or CISA have developed tools and indicators such as SSVC that help cybersecurity professionals and companies assess vulnerabilities and optimize decision-making to mitigate them effectively and prevent security incidents that can generate economic, legal, and reputational damage and even affect people’s well-being.