Automatic Triage

FutureVuls’ automatic triage function consists of three functions, which are recommended to be used in combination.

    1. automatic triage function using SSVC decision trees
    2. rule-based alerting function
    3. rule-based auto-hide function

1. automatic triage with SSVC decision tree

Vulnerability management based on the CVSS Base Score alone has the problem of not being able to make decisions on an “actual risk” basis. The CVSS Base Score is not a reliable measure of the actual risk of a vulnerability.

  • CVSS Base Score is a score of the vulnerability itself and does not reflect the actual attack situation.
  • The system environment and the attack situation are not properly evaluated.
  • Guidelines for decision making are not provided.

The latest vulnerability management framework designed to address these shortcomings of CVSS is SSVC (Stakeholder-Specific Vulnerability Categorization), proposed in a Carnegie Mellon University paper, and FutureVuls implements and incorporates the latest SSVC triage engine.

SSVC derives the “actual risk” using a decision tree based not only on the vulnerability itself but also on the following four pieces of information, and automatically determines the response at one of four levels.

ssvc-tree

The four inputs to the SSVC decision tree (decision points)

  • NW environment of the system
  • Business impact of the system
  • Actual attack situation
  • Usage value from the attacker’s perspective

By tracing the decision tree with these four pieces of information and the vulnerability information as variables, one of the following four response levels (SSVC Priority) is derived as output.

SSVC Priority   Contents
Immediate       Respond as quickly as possible, focusing all resources and suspending the organization's normal operations if necessary.
Out-of-Cycle    Act more quickly than usual, implementing mitigation or remediation measures in an unplanned window.
Scheduled       Respond during scheduled maintenance.
Defer           Do not act at this time.
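To make the derivation concrete, here is an added example (not FutureVuls code) of a simplified SSVC-style decision tree over the four decision points listed above; it also contrasts a CVSS threshold with the SSVC result the way the Vuls Festival figures do. The branch rules, field names and sample CVE values are assumptions for illustration, not the tree CERT/CC publishes or the one FutureVuls ships.

```python
# Added illustrative example: a simplified SSVC-style decision tree over the
# four decision points this page lists. The branch rules below are my own
# assumptions for illustration; the CERT/CC and FutureVuls trees differ.
from dataclasses import dataclass

EXPLOITATION = ("none", "poc", "active")                  # actual attack situation
EXPOSURE = ("small", "controlled", "open")                # NW environment of the system
UTILITY = ("laborious", "efficient", "super_effective")   # usage value to an attacker
HUMAN_IMPACT = ("low", "medium", "high", "very_high")     # business impact of the system

@dataclass
class Vuln:
    cve: str
    cvss: float
    exploitation: str
    exposure: str
    utility: str
    human_impact: str

def ssvc_priority(v: Vuln) -> tuple[str, list[str]]:
    """Return (priority, trace); the trace lists the decision points walked so
    the basis for the result can be displayed, as the task detail screen does."""
    trace = [f"exploitation={v.exploitation}", f"exposure={v.exposure}",
             f"utility={v.utility}", f"human_impact={v.human_impact}"]
    severe = v.human_impact in ("high", "very_high")
    # Assumed rules: risk rises with active exploitation, wide exposure,
    # high utility to the attacker and severe impact on the business.
    if v.exploitation == "active" and v.exposure == "open" and severe:
        return "Immediate", trace
    if v.exploitation == "active" or (v.exposure == "open" and v.utility == "super_effective"):
        return "Out-of-Cycle", trace
    if v.exploitation == "poc" or v.exposure == "open" or severe:
        return "Scheduled", trace
    return "Defer", trace

def compare_filters(vulns: list[Vuln], cvss_threshold: float = 7.0) -> dict[str, int]:
    """Count how many tasks a CVSS threshold keeps versus each SSVC Priority."""
    counts = dict.fromkeys(("cvss_at_or_above", "Immediate", "Out-of-Cycle", "Scheduled", "Defer"), 0)
    for v in vulns:
        counts["cvss_at_or_above"] += int(v.cvss >= cvss_threshold)
        counts[ssvc_priority(v)[0]] += 1
    return counts

# Constructed sample data (placeholder CVE ids) for a system whose Internet Exposure is "open".
SAMPLE = [
    Vuln("CVE-0000-0001", 9.8, "active", "open", "super_effective", "high"),
    Vuln("CVE-0000-0002", 9.8, "none", "open", "laborious", "medium"),
    Vuln("CVE-0000-0003", 7.5, "poc", "open", "efficient", "low"),
    Vuln("CVE-0000-0004", 7.5, "none", "open", "laborious", "low"),
    Vuln("CVE-0000-0005", 5.3, "active", "open", "efficient", "low"),
]
```

Note that the last sample entry scores below the CVSS 7 cut-off yet comes out as Out-of-Cycle because it is actively exploited, which is the kind of case a score-only filter misses.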

How to set up SSVC function

To start using the SSVC triage engine in FutureVuls, configure two pieces of information for each system in the group settings.

  • Select the Internet Exposure level of the relevant system.
  • Select the Human Impact of the attack on the system in question.

image

By simply setting these two different characteristics for each system, SSVC’s automatic triage engine will run and automatically classify the detected vulnerabilities into four levels.

For details on configuration, please refer to Manual > How to configure SSVC. The SSVC decision tree can also be customized.

Check the results of SSVC derivation

The SSVC Priority derived from the SSVC Decision Tree has the advantage that the basis for the decision is clear, and FutureVuls displays the derivation process of the SSVC Decision Tree in a way that is easy to understand at a glance. The derivation process is displayed on the task detail screen as shown in the figure below.

image

The “SSVC Priority” column has also been added to most screens, such as the Vulnerability tab and the Tasks tab, so that filter operations, such as displaying only “Immediate” results, can be performed on the list screen.

Advanced automated triage triggered by SSVC results

FutureVuls allows you to set actions triggered by the four SSVC Priorities output by SSVC.

image

For example, an Immediate task can have its Priority set to High and its Task Due Date set to two weeks later, while a Scheduled task can have its Task Status set to defer, its Priority set to Low, and its Task Due Date set by a CRON expression, for example, Wednesday of the 2nd week of December, which is the next maintenance day. Please refer to the manual for specific settings.

Ongoing daily vulnerability management using SSVC functionality

How does the SSVC functionality improve day-to-day operations?

The picture is one of managing the tasks triaged by SSVC by continuously handling the daily differences (newly detected tasks).

image

Tasks that are deemed “Immediate” or “Out-of-Cycle” are placed under “Vulnerabilities Tab > Critical Unaddressed”. By setting up SSVC Triggers & Actions, you can automatically set their deadlines, status, and priorities and thereby give instructions to your operators.

In addition, tasks determined to be “Scheduled” or “Defer” can be automatically triaged to “pending” or “responded to” by having the SSVC Trigger & Action function automatically set the task status to “defer” or “risk_accepted”.
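As an added example (not FutureVuls code) of the Triggers & Actions described in this section and in the previous one, the rule table below is keyed by SSVC Priority and sets the task fields the text mentions, including a due date on the “Wednesday of the 2nd week of December” maintenance day. The field names, the rule table and the maintenance-day calculation are assumptions for illustration, not the product's actual API.

```python
# Added illustrative example of SSVC Triggers & Actions: the SSVC Priority of a
# task selects a rule that sets task fields. Field names, the rule table and
# the maintenance-day calculation are assumptions, not FutureVuls' own API.
from datetime import date, timedelta

def nth_weekday(year: int, month: int, weekday: int, n: int) -> date:
    """n-th occurrence of weekday (Mon=0 .. Sun=6) in the given month."""
    first = date(year, month, 1)
    offset = (weekday - first.weekday()) % 7
    return first + timedelta(days=offset + 7 * (n - 1))

def next_maintenance(today: date) -> date:
    """Next 'Wednesday of the 2nd week of December' on or after today."""
    candidate = nth_weekday(today.year, 12, 2, 2)
    return candidate if candidate >= today else nth_weekday(today.year + 1, 12, 2, 2)

# Assumed rule table: Immediate/Out-of-Cycle tasks get a near deadline and
# high priority; Scheduled/Defer tasks are parked as the text describes.
ACTIONS = {
    "Immediate":    {"priority": "High", "due_in_days": 14},
    "Out-of-Cycle": {"priority": "High", "due_in_days": 30},
    "Scheduled":    {"status": "defer", "priority": "Low", "due": "maintenance"},
    "Defer":        {"status": "risk_accepted"},
}

def apply_actions(task: dict, today: date) -> dict:
    """Return a copy of the task with the fields set by the rule for its SSVC Priority."""
    rule = ACTIONS[task["ssvc_priority"]]
    updated = dict(task)
    if "priority" in rule:
        updated["priority"] = rule["priority"]
    if "status" in rule:
        updated["status"] = rule["status"]
    if "due_in_days" in rule:
        updated["due_date"] = today + timedelta(days=rule["due_in_days"])
    elif rule.get("due") == "maintenance":
        updated["due_date"] = next_maintenance(today)
    return updated
```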

In this way, the SSVC function can be used for:

  • Automatic determination of response priority based on risk
  • Automatically set task status according to priority (automatic triage, instructions to operators)
  • Handling tasks classified as “critical unaddressed” as daily differences

In this way, SSVC can automate the tasks from priority determination -> task operation -> instructions to operators, which is a costly part of daily operations that requires expert knowledge.

For more information on SSVC, see the Vuls Festival video on YouTube.

The content explained on this page is a simplified version of the content presented at “Vuls Festival #6”. If you want more details about SSVC and how to derive it in an actual system, please refer to the “Vuls Festival #6” video on YouTube.

The video explains the process of deriving an SSVC decision tree using the following five system patterns as examples (video 27:00~).

    1. a “super” important system published on the Internet
    2. critical web service published on the Internet
    3. mission-critical systems in the internal NW
    4. internal systems with small business impact
    5. “Ultra” critical mission-critical systems on the closed network

The results of actual automatic classification of vulnerabilities detected on FutureVuls using the SSVC decision tree are also presented (video 31:10~).

image

As shown in the slide above, out of a total of 4,716 vulnerabilities:

  • Filtering by “CVSS Base Score ≥ 7” yielded 2,863 hits.
  • Filtering by “CVSS Base Score ≥ 8” yielded 990 hits.
  • When actually classified by SSVC assuming “Pattern 2: critical web service published on the Internet,” the result narrows down to 16 “Immediate” (immediate response) and 50 “Out-of-Cycle” (unplanned response) cases.

Compared to CVSS Base Score-based triage, SSVC has overwhelming filtering performance (narrowing by 15 times or more, depending on the system environment), and the result shows that SSVC can narrow the “actual risk-based” cases down to a number that is realistically workable in daily vulnerability management.

For more information on SSVC and FutureVuls’ automated triage, please refer to the following blogs and manuals.

2. rule-based automatic alert function

The Danger function can be used to alert other operators. Dangerous CVEs are highlighted in red. Operators in other groups will be aware of the alerted vulnerability and can view the topic to learn more about the alert. For example, this function can be used as a complement to SSVC to alert the organization, just in case, to a vulnerability that is not currently “Immediate” according to SSVC but has a CVSS score of 10.

3. rule-based auto-hide functionality

The Auto-hide function lets you predefine a rule for what is “deemed low risk” and automatically hides low-risk tasks that match the rule (detection still takes place, but the task is automatically put into hidden status).