Netpoleon Solutions
Blog

Strategic Recommendation for Transitioning from CVSS to Risk-Based Vulnerability Prioritization

4/3/2025

Many organizations have traditionally referred to CVSS scores to prioritize vulnerability mitigation. However, there is now a growing need to adopt a risk-based approach. In this blog, we will explore the reasons behind this shift, the metrics that should be used for prioritization, and the key points for transitioning to a risk-based approach.

Table of Contents
  1. The Increasing Number of Vulnerabilities and Evolving Paradigms in Vulnerability Management
  2. Two Major Misconceptions About Vulnerabilities
  3. The Importance of "Proof of Concept" (PoC) and "In The Wild" (ITW)
  4. Considering the integrity of vulnerable assets
  5. Emerging Trends: SSVC, CVSS 4.0, and EPSS

1. The Increasing Number of Vulnerabilities and Evolving Paradigms in Vulnerability Management

Traditionally, many organizations have relied on CVSS (Common Vulnerability Scoring System) scores to prioritize vulnerability management. Organizations typically addressed vulnerabilities with a score of 7 or higher, or aimed to patch all reported vulnerabilities whenever possible. This approach was feasible when the number of vulnerabilities was relatively low.

The urgency around vulnerability management increased significantly around 2014 due to prominent vulnerabilities such as Heartbleed in OpenSSL and Shellshock in Bash, both of which could be exploited remotely with little effort. These events highlighted the importance of vulnerability management and the need for timely patching.

For a few years following these incidents, the number of vulnerabilities remained manageable, allowing organizations to maintain their strategy of addressing all vulnerabilities. However, around 2017, the number of vulnerabilities began to rise exponentially. By 2019, the threat posed by ransomware had become severe. Vulnerabilities that were not addressed could lead to critical incidents, and the growing volume made it challenging for many organizations to keep up.
Many of the vulnerability management practices based on CVSS were established between 2014 and 2016. However, it is clear that the situation has changed significantly since then, as demonstrated by the increase in both the number of vulnerabilities and their growth rate.

In response to these changes, the standard approach to vulnerability management is evolving. Rather than attempting to address all vulnerabilities, or prioritizing solely on a CVSS score of 7 or higher, the focus is shifting toward prioritizing "high-risk vulnerabilities." This approach takes into account the location and business value of the affected assets, and uses specialized solutions to make the most of the limited resources available.

2. Two Major Misconceptions About Vulnerabilities

Before discussing what constitutes a "high-risk vulnerability" that should be prioritized, it is important to address two common misconceptions about vulnerabilities.

Misconception 1: All risks are inherently dangerous and should be addressed.

Nearly 30,000 vulnerabilities are published annually. However, many of these vulnerabilities have not been publicly proven to be exploitable. Only a small fraction of vulnerabilities pose a real-world risk and have the means to be exploited.

Exploitable vulnerabilities span a range of risk levels, from those with documented attack methods and proof-of-concept (PoC) code to those that can be exploited only under specific conditions. Although, rarely, a vulnerability can be exploited easily by any threat actor, most remain theoretical. Studies from various research organizations suggest that only about 3% of disclosed vulnerabilities pose real-world risks.

Of the nearly 30,000 vulnerabilities disclosed each year, only about 3% require urgent attention. Most other vulnerabilities are unlikely to be realistically exploited, reducing the need for immediate mitigation. This reflects the current approach to vulnerability management. If sufficient resources were available to address all vulnerabilities, the situation would be different. However, given the substantial workload faced by those responsible, it is crucial to prioritize responses to realistic risks while optimizing resource allocation.
Misconception 2: CVSS scores are an effective indicator for determining which vulnerabilities to address.

Another common misconception is that CVSS scores effectively differentiate between vulnerabilities that need attention and those that do not. Many organizations use a CVSS score of 7 as a threshold for action. However, a white paper published in 2018 by the organizations that develop CVSS states that using CVSS scores for prioritization is a misuse.

CVSS scores indicate the theoretical severity of vulnerabilities rather than their real-world risk. Historically, over half of all vulnerabilities have CVSS scores above 7. Prioritizing based on CVSS leads to almost all vulnerabilities requiring urgent attention, which is impractical. Conversely, some high-risk vulnerabilities with scores below 7 may be exploited in attacks and thus could be overlooked using this method.

The concept of prioritizing high-risk vulnerabilities is exemplified by the launch of the Known Exploited Vulnerabilities (KEV) catalog by the Cybersecurity and Infrastructure Security Agency (CISA) in 2021. As a key agency promoting cybersecurity measures across the U.S. federal government, CISA made a significant shift in its vulnerability response approach in 2021. Instead of addressing all vulnerabilities, the revised policy focuses on vulnerabilities that are actively exploited, which represent the 3% of the total mentioned above.
The KEV catalog, maintained by CISA, lists vulnerabilities known to have been exploited. From 2021, this catalog became the primary reference for prioritizing vulnerabilities, with a legal mandate for federal agencies to address listed vulnerabilities typically within three weeks. CISA's adoption of this focused approach underscores its importance as a shift in vulnerability management strategy in a leading cybersecurity nation.

3. The Importance of "Proof of Concept" (PoC) and "In The Wild" (ITW)

When evaluating vulnerability information disseminated by web media and other sources, it is crucial to focus on certain key information. Two significant keywords to note are "PoC" and "ITW."

A PoC, or Proof of Concept, is detailed information demonstrating that a vulnerability exists and can be exploited: the concrete steps needed to actually trigger it. There is a significant gap in risk between the public announcement of a vulnerability and the release of a PoC. Once a PoC is available, it shows how the vulnerability can be exploited, greatly increasing the likelihood of its use in attack activity. It therefore requires careful attention.

ITW, which stands for "exploit in the wild," refers to actual attack activity that has been observed using the vulnerability. The term is already in common idiomatic use in English-speaking countries. Even if a PoC exists, exploiting the vulnerability might require tricking a system administrator into specific actions, or the settings needed for exploitation might not be enabled by default, making real-world exploitation impractical in many cases. However, when vendors or the media report ITW exploitation, the vulnerability has already been used in real attacks, which calls for maximum caution and a prompt response.

4. Considering the integrity of vulnerable assets

In addition to prioritizing realistic risks, there is a growing recognition that the nature of the assets containing the vulnerabilities should also be considered when addressing vulnerabilities.

For example, if a server with vulnerabilities is directly accessible from the internet, attackers can access it at any time, making it highly risky. In contrast, if the server is accessible only from within the organization, the risk is lower because attackers would need to infiltrate the organization's internal network first. If the device operates in a standalone mode and is not connected to any network, the risk of attack is almost negligible.

Additionally, the business value of the assets must be considered. For instance, whether an asset holds critical business information or personal data, or is merely a test server, significantly affects the risk evaluation. Prioritizing vulnerability mitigation should account for the nature of the asset.
5. Emerging Trends: SSVC, CVSS 4.0, and EPSS
Three significant keywords have emerged in recent years in response to the trends discussed earlier: "SSVC," "CVSS 4.0," and "EPSS." Let’s take a closer look at each.

  • SSVC
    • The theoretical understanding of prioritizing vulnerabilities based on realistic risks and the nature of assets may be clear, but implementing it in organizational operations and rules is not straightforward for everyone. SSVC (Stakeholder-Specific Vulnerability Categorization) is a framework designed to assist in this implementation. Developed to address the global challenge of having to deal with nearly all vulnerabilities when prioritization is based solely on CVSS scores, SSVC guides prioritization through decision trees.
    • SSVC defines three decision trees, "Supplier Tree," "Deployer Tree," and "Coordinator Tree," selected by the user's role. Most companies would use the Deployer Tree, which evaluates four broad criteria: the presence of exploit code or a PoC, the asset's location, its usefulness to attackers, and the impact if the asset is compromised. Selecting a value for each criterion yields the vulnerability's mitigation priority on a four-level scale. SSVC requires no specific tools, and several resources present the decision tree structures graphically for easier understanding.
      • SSVC Demo Site: https://certcc.github.io/SSVC/ssvc-calc/
    • Note: As of SSVC version 2.1, the latest at the time of this article's publication, the "Utility" decision point has been replaced by "Automatable."
    • SSVC has benefits, such as narrowing down the number of vulnerabilities needing urgent action and enabling decisions that avoid subjective judgment and inconsistency. However, there are also drawbacks. Because SSVC was first developed in 2019 and is still relatively new, few companies have integrated it into their operations, and guidance on its practical use is limited. Additionally, selecting criteria in the decision trees requires a certain level of expertise. CISA recently launched the Vulnrichment project to address these challenges, offering the vulnerability data needed for SSVC, such as exploitation status and automatability, free of charge.
      • Vulnrichment: https://github.com/cisagov/vulnrichment
  • CVSS 4.0
    • CVSS, first introduced in 2005, has undergone several revisions, the most recent being version 4.0, released in November 2023. Changes in version 4.0 include slight adjustments to the base metrics and the addition of names for score ranges, making the meaning of a score easier to grasp. CVSS 4.0 will be used alongside CVSS 3.1 for the next few years, with gradual adoption expected.
  • EPSS
    • EPSS (Exploit Prediction Scoring System), developed by FIRST (the organization behind CVSS), uses a machine learning model to predict the likelihood that a vulnerability will be exploited within the next 30 days, much like a weather forecast. EPSS scores are accessible on websites such as CVEDetails. The percentile ranking shows where a vulnerability's EPSS score sits relative to the entire dataset, indicating its relative risk level. However, the practical reliability of EPSS may vary, and it is currently advisable to use caution when making decisions based solely on its scores.
    • As machine learning models continue to improve, EPSS is expected to become more accurate and more applicable in real-world operations. Organizations should keep an eye on its development.
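To make the shift from a flat CVSS threshold to the Deployer Tree's decision points concrete, here is an added example in Python; it is not code from this article, from CERT/CC's SSVC project or from CISA. It encodes the four criteria named above (exploitation status, asset exposure, whether exploitation is automatable, and impact), which also cover the asset location and business-value considerations from section 4 and the PoC/ITW distinction from section 3, then runs a constructed inventory of six findings through both the "CVSS 7 or higher" rule and a risk-based rule. The way the decision points are combined into SSVC's four outcome names is a simple additive heuristic assumed for this example only; the official mapping is the one on the SSVC calculator linked above. The finding ids, CVSS scores and decision-point values are constructed placeholders, not real vulnerability records.

```python
"""Flat CVSS threshold vs. risk-based triage over constructed findings.

Added illustration, not code from the article, CERT/CC or CISA.  The four
decision points are those of the SSVC deployer tree; the rule combining
them into SSVC's outcome names is an additive heuristic assumed here.
"""
from dataclasses import dataclass
from enum import Enum
from typing import List, Tuple


class Exploitation(Enum):
    NONE = 0    # no public exploit code or PoC
    POC = 1     # proof-of-concept code has been published
    ACTIVE = 2  # exploitation observed in the wild (ITW)


class Exposure(Enum):
    SMALL = 0       # standalone, not reachable over any network
    CONTROLLED = 1  # reachable only from the internal network
    OPEN = 2        # directly reachable from the internet


class Impact(Enum):
    LOW = 0
    MEDIUM = 1
    HIGH = 2
    VERY_HIGH = 3


@dataclass(frozen=True)
class Finding:
    finding_id: str  # constructed placeholder ids, not real CVE numbers
    cvss: float
    exploitation: Exploitation
    exposure: Exposure
    automatable: bool
    impact: Impact


def cvss_threshold_priority(f: Finding) -> str:
    """The legacy rule the article criticises: CVSS 7.0 or higher means act now."""
    return "urgent" if f.cvss >= 7.0 else "later"


def risk_based_priority(f: Finding) -> str:
    """Map the four deployer decision points onto SSVC's outcome names.

    Heuristic assumed for this example: sum the ordinal values of the
    decision points (0..8) and bucket the sum.  One override follows the
    article's guidance on ITW: exploitation observed in the wild against an
    asset reachable over a network always yields 'immediate'.
    """
    if f.exploitation is Exploitation.ACTIVE and f.exposure is not Exposure.SMALL:
        return "immediate"
    score = (f.exploitation.value + f.exposure.value
             + int(f.automatable) + f.impact.value)
    if score >= 7:
        return "immediate"
    if score >= 5:
        return "out-of-cycle"
    if score >= 3:
        return "scheduled"
    return "defer"


# Constructed sample inventory; every value below is illustrative.
SAMPLE_FINDINGS: List[Finding] = [
    Finding("EXAMPLE-0001", 9.8, Exploitation.NONE, Exposure.CONTROLLED, False, Impact.LOW),
    Finding("EXAMPLE-0002", 6.5, Exploitation.ACTIVE, Exposure.OPEN, True, Impact.HIGH),
    Finding("EXAMPLE-0003", 7.5, Exploitation.POC, Exposure.OPEN, False, Impact.MEDIUM),
    Finding("EXAMPLE-0004", 8.1, Exploitation.ACTIVE, Exposure.SMALL, False, Impact.VERY_HIGH),
    Finding("EXAMPLE-0005", 5.3, Exploitation.NONE, Exposure.SMALL, False, Impact.LOW),
    Finding("EXAMPLE-0006", 7.2, Exploitation.POC, Exposure.OPEN, True, Impact.VERY_HIGH),
]


def urgent_counts(findings: List[Finding]) -> Tuple[int, int]:
    """How many findings each method puts outside the normal patch schedule.

    For the risk-based method both 'immediate' and 'out-of-cycle' count.
    """
    cvss_urgent = sum(cvss_threshold_priority(f) == "urgent" for f in findings)
    risk_urgent = sum(risk_based_priority(f) in ("immediate", "out-of-cycle")
                      for f in findings)
    return cvss_urgent, risk_urgent


def missed_by_cvss(findings: List[Finding]) -> List[str]:
    """Findings the threshold rule leaves for later but the risk rule marks immediate."""
    return [f.finding_id for f in findings
            if cvss_threshold_priority(f) == "later"
            and risk_based_priority(f) == "immediate"]


if __name__ == "__main__":
    for f in SAMPLE_FINDINGS:
        print(f"{f.finding_id}: cvss-threshold={cvss_threshold_priority(f):<6} "
              f"risk-based={risk_based_priority(f)}")
    print("urgent (cvss, risk-based):", urgent_counts(SAMPLE_FINDINGS))
    print("below CVSS threshold but immediate by risk:", missed_by_cvss(SAMPLE_FINDINGS))
```

Running it shows the two failure modes from section 2 side by side: the 9.8-scored finding with no exploit code on an internal host is deferred, while the 6.5-scored finding exploited in the wild on an internet-facing host, which the threshold rule would leave for later, is the one that needs immediate attention. Swapping the heuristic for the official SSVC outcome table is a matter of replacing `risk_based_priority`; the comparison harness stays the same.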

In conclusion, risk-based prioritization is becoming a major trend in vulnerability management. As keywords such as SSVC and EPSS gain attention, organizations still reliant solely on CVSS for prioritization should consider transitioning to a risk-based approach to address challenges in vulnerability management effectively.

If you are interested in more details, please feel free to contact us.

Copyright © 2026 Netpoleon Group. All rights reserved.