SSVC Configuration

This page explains how to configure SSVC.

Organization Settings

SSVC Configuration Screen

SSVC Configuration

Go to Organization Settings > SSVC.
First, select “Enable SSVC functionality.”

Trigger & Action for Priority Changes

When an SSVC Priority is derived, you can update the task status, priority, and response deadline based on the Priority.
For more information about SSVC Priority, please see here.

Task Status

When you set “Action > Task Status,” the content of unhandled, in-progress, and on-hold tasks will be updated when an SSVC Priority is updated.

If SSVC Priority is determined to have a higher priority than immediate or out of cycle, the task status can be automatically reset to “new.” Tasks marked as “new” are assigned to the “unhandled” status in the vulnerability list and task list submenus, so you can recognize them as tasks that require triage again.

For tasks with lower priority, such as scheduled or deferred, the task status can be automatically set to deferred or risk_accepted.

Priority

If you set a priority, the priority of the task will be automatically reflected at the time of SSVC Priority derivation.

Response Deadline

The task’s response deadline is automatically updated at the time of SSVC Priority derivation. Tasks that exceed the response deadline can be checked in lists and email notifications, preventing oversight.
For immediate and out of cycle priorities, which should be addressed with high priority outside of regular maintenance, please specify “X days after SSVC Priority derivation.” For scheduled and deferred, which are sufficient to be addressed during regular maintenance, please specify the maintenance cycle using cron format.

Notes on Trigger & Action Function

Actions set in Trigger & Action for Priority changes will only be applied when there is a change in SSVC Priority due to scanning. For example, when a new immediate action is set, the new action will not be applied to tasks that already have an SSVC Priority of immediate.

If you want to execute Trigger & Action on a task that has already derived an SSVC, first reset the derived SSVC with the “Enable SSVC Function” setting turned off. Then turn it back on, set Trigger & Action, and run the scan again. The new Trigger & Action will be applied when the scan is executed.

Priority Customization

Customize the SSVC decision tree. The default decision tree is set up, but if you need to change the results of SSVC derivation in actual operation, please customize it.

Group Setting

SSVC Setting Screen

In the group setting, you can set the Decision Point (required) and override some of the items set in certain organizations (optional).

Decision Point

Decision Point is a setting value used for SSVC derivation. Set the Exposure level of vulnerable components, the Utility Density of the target system, and the Human Impact when attacked. Note that FutureVuls automatically sets values that can be determined from vulnerability information, so users do not need to set them.

Decision Point requiring manual user settings

There are three Decision Points that require manual settings by users to match the managed system environment:

  • Exposure
  • Utility Density
  • Human Impact

We will explain how to set each of them.

Setting Exposure

Exposure is a Decision Point that determines the level of internet exposure of the target system.

Exposure Value Description
small Systems on local services or highly controlled networks
controlled Controlled systems that can detect attacks and respond promptly
open Systems that can be accessed without restriction from the internet

Examples of thinking

  • If access is possible from the Internet, but only from internal IP due to IP restrictions
    • Although access is not unlimited, since there is an entrance from the Internet, selecting “small” based on IP control alone is dangerous, so “controlled” is appropriate.
    • Additionally, if it is possible to immediately detect abnormalities with monitoring tools, and if automatic control or real-time response is possible, “small” can be selected.
  • If access is possible from the Internet but being monitored by an intrusion detection tool
    • If the tool sends notifications to the relevant parties when it detects intrusion and there is a mechanism to respond, “controlled” can be selected.
    • If the detection system has become obsolete and there is a possibility of detecting intrusion only after a certain amount of time has passed since its occurrence, “open” is appropriate.

Setting Utility Density

Utility Density is a Decision Point that determines the value density of the target system.

Utility Density Value Description
diffuse Systems where important information is not concentrated (e.g. employee PCs)
concentrated Systems where important information is concentrated (e.g. servers, databases)

Setting Human Impact

Human Impact is a Decision Point that determines the business impact when the system is attacked.

Human Impact Value Description
Low Almost no impact (e.g. PCs, development environments)
Medium No impact on core operations (e.g. attendance management systems)
High Long-term impact on one core operation (e.g. one core system, one web service)
Very High Critical systems where multiple core operations stop and the entire business becomes unable to continue or recover (e.g. online banking or trading systems)

Decision Points automatically derived by FutureVuls

FutureVuls automatically derives two Decision Points: Exploitation and Utility Automatable. Here is an explanation of how each is derived.

Deriving Exploitation

Exploitation is a Decision Point that evaluates the presence and reliability of attack code. FutureVuls judges it with the following logic:

Exploitation Value Description
active Vulnerabilities on CISA Known Exploited Vulnerabilities Catalog, where attack code is published and exploitation has occurred
poc Attack code exists that does not fall under the above category
none No attack code has been detected

Utility Automatable Extraction Method

Utility Automatable is a Decision Point that determines whether an attacker can automate an attack. In FutureVuls, as of September 2022, the following conditions 1. and 2. are judged as automatable.

  1. First, list up candidate vulnerabilities for RCE.
  • Those that are listed as Remote Code Execution in the description of the impact on the product when vulnerability information is published on MSRC.
  • Those for which the vulnerability database’s overview describes the ability to execute arbitrary code remotely.
  1. Further filter the listed RCE candidate CVEs.
  • Those that can be judged as automatable from the CVSS (v2/v3) vector. Specifically:
    • CVSSv3
      • Attack Vector (AV) is Network (N)
      • Privileges Required (PR) is None (N)
      • User Interaction (UI) is None (N)
    • CVSSv2
      • Attack Vector (AV) is Network (N)
      • Privileges Required (PR) is None (N)
      • Authentication (Au) is Not Required (N)

Trigger & Action for Priority Change (Group)

Generally, it is set by organization, but if it is necessary to set it individually for a specific group in actual operation, it is possible to override the organization setting at the group level. If you override the setting, you can confirm which group overrode which setting on the organization settings screen.

Priority Customization (Group)

Customize the SSVC decision tree. Basically, the decision tree of the organization will be reflected, but if it is determined that it is necessary to change the SSVC derivation result for each group in actual operation, customize it here.

Role Setting

SSVC Settings Screen

In the role settings, override settings (optional) for each role of Decision Point are possible. If you set them, the Decision Point for the group belonging to that role will be overwritten with the set value. The default value is the value of each group’s Decision Point.

Default Value and Reset Button

By default, the value of each group’s Decision Point is reflected, as shown in the capture below, as the default value. After setting the Decision Point value for each role, you can reset the value for each group’s Decision Point by pressing the reset button displayed in the upper right corner.

SSVC Settings Screen