SSVC Configuration
This page explains how to configure SSVC.
SSVC functionality is only available with the CSIRT plan.
Organization Settings
Only organization administrators can perform this operation.
SSVC Configuration
Go to Organization Settings > SSVC.
First, select “Enable SSVC functionality.”
Trigger & Action for Priority Changes
When an SSVC Priority is derived, you can update the task status, priority, and response deadline based on the Priority.
For more information about SSVC Priority, please see here.
Task Status
When you set “Action > Task Status,” the content of unhandled, in-progress, and on-hold tasks will be updated when an SSVC Priority is updated.
If SSVC Priority is determined to have a higher priority than immediate or out of cycle, the task status can be automatically reset to “new.” Tasks marked as “new” are assigned to the “unhandled” status in the vulnerability list and task list submenus, so you can recognize them as tasks that require triage again.
For tasks with lower priority, such as scheduled or deferred, the task status can be automatically set to deferred or risk_accepted.
Task statuses that can be updated by SSVC are those other than the following statuses:
- NOT_AFFECTED
- RISK_ACCEPTED
- PATCH_APPLIED
For information on task status types, please see Task Status.
Priority
If you set a priority, the priority of the task will be automatically reflected at the time of SSVC Priority derivation.
Response Deadline
The task’s response deadline is automatically updated at the time of SSVC Priority derivation. Tasks that exceed the response deadline can be checked in lists and email notifications, preventing oversight.
For immediate and out of cycle priorities, which should be addressed with high priority outside of regular maintenance, please specify “X days after SSVC Priority derivation.” For scheduled and deferred, which are sufficient to be addressed during regular maintenance, please specify the maintenance cycle using cron format.
The response deadline will be updated if any of the following apply:
- There is no response deadline set.
- The current response deadline is not automatically set by Special Alert Tags, and the deadline is shorter than the currently set one.
Notes on Trigger & Action Function
Actions set in Trigger & Action for Priority changes will only be applied when there is a change in SSVC Priority due to scanning. For example, when a new immediate action is set, the new action will not be applied to tasks that already have an SSVC Priority of immediate.
If you want to execute Trigger & Action on a task that has already derived an SSVC, first reset the derived SSVC with the “Enable SSVC Function” setting turned off. Then turn it back on, set Trigger & Action, and run the scan again. The new Trigger & Action will be applied when the scan is executed.
Priority Customization
Customize the SSVC decision tree. The default decision tree is set up, but if you need to change the results of SSVC derivation in actual operation, please customize it.
If you customize the decision tree, the SSVC Priority of tasks will be reflected on the next scan. Please wait for the next regular scan, or if you are in a hurry, scan again from “Group Setting>Manually Scan All Servers”.
Group Setting
In the group setting, you can set the DecisionPoint (required) and override some of the items set in certain organizations (optional).
DecisionPoint
DecisionPoint is a setting value used for SSVC derivation. Set the Exposure level of vulnerable components, the Utility Density of the target system, and the Human Impact when attacked. Note that FutureVuls automatically sets values that can be determined from vulnerability information, so users do not need to set them.
DecisionPoint requiring manual user settings
There are three DecisionPoints that require manual settings by users to match the managed system environment:
- Exposure
- Utility Density
- Human Impact
We will explain how to set each of them.
If you change Exposure, Utility, or HumanImpact, the SSVC Priority of tasks will be reflected on the next scan. Please wait for the next regular scan, or if you are in a hurry, scan again from “Group Setting>Manually Scan All Servers”.
Setting Exposure
Exposure is a DecisionPoint that determines the level of internet exposure of the target system.
| Exposure Value | Description |
|---|---|
| small | Systems on local services or highly controlled networks |
| controlled | Controlled systems that can detect attacks and respond promptly |
| open | Systems that can be accessed without restriction from the internet |
Examples of thinking
- If access is possible from the Internet, but only from internal IP due to IP restrictions
- Although access is not unlimited, since there is an entrance from the Internet, selecting “small” based on IP control alone is dangerous, so “controlled” is appropriate.
- Additionally, if it is possible to immediately detect abnormalities with monitoring tools, and if automatic control or real-time response is possible, “small” can be selected.
- If access is possible from the Internet but being monitored by an intrusion detection tool
- If the tool sends notifications to the relevant parties when it detects intrusion and there is a mechanism to respond, “controlled” can be selected.
- If the detection system has become obsolete and there is a possibility of detecting intrusion only after a certain amount of time has passed since its occurrence, “open” is appropriate.
Setting Utility Density
Utility Density is a DecisionPoint that determines the value density of the target system.
| Utility Density Value | Description |
|---|---|
| diffuse | Systems where important information is not concentrated (e.g. employee PCs) |
| concentrated | Systems where important information is concentrated (e.g. servers, databases) |
Setting Human Impact
Human Impact is a DecisionPoint that determines the business impact when the system is attacked.
| Human Impact Value | Description |
|---|---|
| Low | Almost no impact (e.g. PCs, development environments) |
| Medium | No impact on core operations (e.g. attendance management systems) |
| High | Long-term impact on one core operation (e.g. one core system, one web service) |
| Very High | Critical systems where multiple core operations stop and the entire business becomes unable to continue or recover (e.g. online banking or trading systems) |
DecisionPoints automatically derived by FutureVuls
FutureVuls automatically derives two DecisionPoints: Exploitation and Utility Automatable. Here is an explanation of how each is derived.
Deriving Exploitation
Exploitation is a DecisionPoint that evaluates the presence and reliability of attack code. FutureVuls judges it with the following logic:
| Exploitation Value | Description |
|---|---|
| active | Vulnerabilities on CISA Known Exploited Vulnerabilities Catalog, where attack code is published and exploitation has occurred |
| poc | Attack code exists that does not fall under the above category |
| none | No attack code has been detected |
Utility Automatable Extraction Method
Utility Automatable is a DecisionPoint that determines whether an attacker can automate an attack. In FutureVuls, as of September 2022, the following conditions 1. and 2. are judged as automatable.
- First, list up candidate vulnerabilities for RCE.
- Those that are listed as Remote Code Execution in the description of the impact on the product when vulnerability information is published on MSRC.
- Those for which the vulnerability database’s overview describes the ability to execute arbitrary code remotely.
- Further filter the listed RCE candidate CVEs.
- Those that can be judged as automatable from the CVSS (v2/v3) vector. Specifically:
- CVSSv3
- Attack Vector (AV) is Network (N)
- Privileges Required (PR) is None (N)
- User Interaction (UI) is None (N)
- CVSSv2
- Attack Vector (AV) is Network (N)
- Privileges Required (PR) is None (N)
- Authentication (Au) is Not Required (N)
- CVSSv3
Trigger & Action for Priority Change (Group)
Generally, it is set by organization, but if it is necessary to set it individually for a specific group in actual operation, it is possible to override the organization setting at the group level. If you override the setting, you can confirm which group overrode which setting on the organization settings screen.
Priority Customization (Group)
Customize the SSVC decision tree. Basically, the decision tree of the organization will be reflected, but if it is determined that it is necessary to change the SSVC derivation result for each group in actual operation, customize it here.
Role Setting
In the role settings, override settings (optional) for each role of DecisionPoint are possible. If you set them, the DecisionPoint for the group belonging to that role will be overwritten with the set value. The default value is the value of each group’s DecisionPoint.
Default Value and Reset Button
By default, the value of each group’s DecisionPoint is reflected, as shown in the capture below, as the default value. After setting the DecisionPoint value for each role, you can reset the value for each group’s DecisionPoint by pressing the reset button displayed in the upper right corner.
