Fixer-Upper Wisdom: Nailing Down CVSS Vector Strings, EPSS and CISA-KEV
Chris Rodgers, March 20th, 2024

The Common Vulnerability Scoring System (CVSS) is a pivotal tool in cybersecurity for rating the severity of software vulnerabilities. Few people have not heard of it, but many know it only as a number and not as what it actually is: a consistent framework of metrics for communicating the characteristics and effects of a vulnerability. The vector string that records those metrics is among the most important parts of the system.

This article explains what vector strings are and what they tell a CVSS user, uses an analogy to illustrate how the vectors are read in practice, and shows which other tools can easily be brought in to support vector-string analysis.

 

CVSS Vectors: Decoding the DNA of Vulnerabilities

CVSS vectors are text strings that record the metric values from which the CVSS score is derived, for example CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H for a version 3.1 vulnerability, or CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N for version 4.0. Each metric:value pair is a compact, easily understood descriptor of one aspect of the vulnerability.

CVSS version 4.0 consists of four metric groups: Base, Threat, Environmental, and Supplemental (in version 3.x the Threat group was called Temporal and there was no Supplemental group). Here is how FIRST.org describes the four metric groups that go into CVSS vectors:

The Base group represents the intrinsic qualities of a vulnerability that are constant over time and across user environments

The Threat group reflects the characteristics of a vulnerability that change over time

The Environmental group represents the characteristics of a vulnerability that are unique to a user’s environment.

The Supplemental group is used to provide additional insight into a vulnerability’s characteristics

In this article, we focus on the Base metrics, since they are foundational to defining a vulnerability and are always present in the vector string. The Base group is divided into Exploitability metrics and Impact metrics:

Exploitability metrics (these describe how the vulnerability is reached and triggered; like all Base metrics, they are intended to be constant over time and across environments):

  • Attack Vector (AV): The context from which the vulnerability can be exploited, such as locally or over the network.
  • Attack Complexity (AC): The degree of difficulty associated with exploiting the vulnerability, such as security measures the attacker has to defeat.
  • Scope (S): Indicates whether a successful exploit affects resources beyond the security scope of the vulnerable component. (CVSS 4.0 drops this metric; instead, impact is scored separately for the Vulnerable System and any Subsequent System, see below.)
  • Attack Requirements (AT): The deployment or execution conditions, outside the attacker's control, that must exist for the attack to succeed (for example, winning a race condition). (New in CVSS 4.0; it is distinct from Attack Complexity and is not a replacement for Scope.)
  • Privileges Required (PR): The level of access an attacker must already hold to take advantage of the weakness.
  • User Interaction (UI): Whether a user other than the attacker must participate for exploitation to succeed.

Impact metrics (what a successful exploit does to the system; these too are Base metrics and do not change as exploitation activity evolves, which is what the Threat group is for):

  • Confidentiality (C): Can an attacker read data they are not supposed to see?
  • Integrity (I): Can an attacker modify data or files?
  • Availability (A): Can an attacker deny access to the system or its resources?

In CVSS 4.0 each of these three is recorded twice: once for the Vulnerable System (VC, VI, VA) and once for any Subsequent System (SC, SI, SA), which is how 4.0 expresses what 3.x captured with Scope.

 

The Significance of Scores and Vectors

The CVSS score, a numerical representation of vulnerability severity, offers a brief overview of a vulnerability's impact, but it is not the complete picture. The "how" and "why" behind the score are revealed by the vectors, which provide the detail. They offer the depth and context that are crucial for understanding the vulnerability's actual nature and for developing an effective response plan. A CVSS score without its vector is an imprecise representation of the threat surrounding a vulnerability. It is similar to a Grade Point Average (GPA) in the United States, which gives a broad overview of a student's performance but lacks specificity. Universities and most people regard a GPA as a high-level measure of the health of a student's education, but it does not show where the student struggled or excelled. Some may say that assessing a student by GPA is sufficient, yet there are many cases where a student with a mediocre GPA excels on a college placement test. Additionally, Advanced Placement (AP) courses can distort the GPA model (by giving some students a possible top score of 5.0 out of 4.0 rather than the traditional 4.0 out of 4.0), which can hide significant learning gaps. The GPA illustration shows how a score may or may not be an accurate metric of what we actually want to measure.

Below, we discuss how the Base vectors that make up the CVSS scoring model should be viewed.

 

Introducing the Analogy of the Remodeled House

I am a firm believer that anything complicated can be explained with an analogy. For this one, let's use a mid-century (1950s) bungalow that you have bought to renovate. As with any mid-century home, there are multiple weak floorboards that you will want to identify and prioritize for repair. Each floorboard stands for a distinct vulnerability, and the board's condition, placement and consequences correspond to the CVSS Base metrics.

The state, placement, and consequences of every floorboard in this house offer a parallel to the variety of vulnerabilities that we interact with on a regular basis as security professionals. As someone looking to renovate the house, you must evaluate each flaw by looking beyond its raw condition (its “CVSS score”) and consider its location, accessibility, and possible impact on the house (e.g., a floorboard in the corner of a closet may not merit your full attention). Similarly, cybersecurity experts must analyze vulnerabilities by taking into account the comprehensive narrative that the vectors provide. A home’s score could be anything from “Move in ready” to “A real fixer-upper”. We put ranges on all sorts of things.

 

Identifying the Vulnerabilities: The Floorboards’ Tale

Each floorboard in the house represents a distinct vulnerability, and its properties map onto the CVSS Base metrics as follows:

Attack Vector (AV): Each floorboard’s placement—private rooms, high-traffic areas, and locked spaces—symbolizes the various access levels within a cyber system:

  • Network (N): Easily accessible in a high-traffic area, such as the living room.
  • Adjacent (A): In a less used but still reachable location, such as a hallway.
  • Local (L): In a separate space that is only open to those who have room access.
  • Physical (P): In a very private location that needs special access, such as a locked storage room.

 

Attack Complexity (AC): The complexity of exploiting a vulnerability is reflected by how easy or difficult it is to access and fix each floorboard:

  • Low (L): Fixable (exploitable) with standard tools, easily accessible.
  • High (H): Difficult to access or requires specific equipment or knowledge to fix (exploit).

 

Privileges Required (PR): The privileges required to access and fix various floorboards mirror the privileges required to exploit specific vulnerabilities.

  • None (N): It is fixable (exploitable) by anybody.
  • Low (L): Only those with some kind of authorization can fix (exploit).
  • High (H): Special authorization is required to fix (exploit).

 

User Interaction (UI): Does someone other than the person working on the floor (the attacker) need to take a particular action before the floorboard gives way (before the vulnerability can be exploited)?

  • None (N): The board fails without anyone else's involvement.
  • Required (R): The board only fails when someone else does something specific, such as stepping on a particular spot (a user opens a file or follows a link). CVSS 4.0 refines this into Passive (P) and Active (A), depending on how much the user has to do.

 

Scope (S): The reach of the vulnerability, shown by whether a floorboard's damage affects other parts of the house. (CVSS 3.x only; 4.0 captures the same idea with the Subsequent System impact metrics.)

  • Unchanged (U): Only the floorboard is affected.
  • Changed (C): The issue affects not just one area but also other areas, such as the electrical wiring underneath.

 

Attack Requirements (AT): The conditions that must already exist for the floorboard to be exploitable. Capturing how specific those conditions are adds another level to assessing the priority of the vulnerability.

  • None (N): The floorboard is weak under normal conditions. Nothing special is required for it to break, and it is likely to fail in ordinary use. The vulnerability is exploitable without depending on additional factors.
  • Present (P): The floorboard only fails under certain conditions. For instance, if the home is in a humid climate or has termites, the board is far more likely to give way than it otherwise would. In software terms, the attack only works when a particular configuration, timing window or environmental condition is present.

 

Impact on Confidentiality: Suppose that something, such as a safe or secret compartment, is hidden beneath a weak floorboard. The floorboard may reveal this secret area to unauthorized individuals if it is readily removed or clearly damaged. Because something that was intended to be private is now possibly accessible to others, this constitutes a breach of confidentiality.

  • None (N): No secret or private areas are revealed by a compromised floorboard.
  • Low (L): A floorboard reveals a fairly private space, such as a storage area that isn’t well-known but doesn’t hold any sensitive material.
  • High (H): There are serious privacy violations when a floorboard reveals a very private space, such as a secret safe or a personal journal.

 

Impact on Integrity: Consider the structural and aesthetic integrity of the home. This is similar to data being changed or corrupted if the damaged floorboard causes additional floor deterioration or compromises the structural integrity of the building. Furthermore, since the original state is changed, compromising the floor’s aesthetic appeal (for example, by using a mismatched wood type, grain, etc., in a repair) is equivalent to compromising data integrity.

  • None (N): The floor is left exactly as it was; nothing is altered.
  • Low (L): A limited alteration, such as a patch made from mismatched wood: the floor still works, but it is no longer in its original state.
  • High (H): The floor's structure is compromised, for example the subfloor underneath is damaged and the board can no longer be trusted to bear weight.

 

Impact on Availability: A damaged floorboard is comparable to a service being unavailable if it makes a room or hallway in the house unsafe or unusable. For example, if the floorboard problem is so bad that a room needs to be sealed off until the problem is fixed, this is similar to a scenario in which a system malfunction or cyberattack prevents access to data or services.

  • None (N): The floorboard problem has no bearing on how the house is used.
  • Low (L): There is a small annoyance due to the damaged floorboard, such as a small detour in the hallway.
  • High (H): A badly damaged floorboard seriously impairs the functionality of the house by rendering a room or section of it unsafe or inaccessible.

 

Strategic Prioritization of Repairs: Enhancing Your Approach

As a homeowner, like a cybersecurity specialist, developing a prioritization plan for repairs is crucial. Considerations should extend beyond the mere location of a compromised floorboard to include the complexity of the repair, the access needed, and the potential impact on your home's confidentiality, integrity, and availability. CVSS scores are useful, but they provide a foundational and incomplete picture, serving primarily as a baseline for understanding the nature and severity of vulnerabilities. They indicate the potential severity of a vulnerability but say nothing about external factors such as the motivation or capability of potential attackers, or whether anyone is attacking it at all.

In our analogy, floorboards exposed to the external environment represent vulnerabilities reachable from outside the digital perimeter, which is why such exposures deserve priority: their likelihood of exploitation is higher. The risk is not inherently greater in terms of damage to the structure itself, but the chance that an external threat leads to consequential outcomes, such as legal liability for an injury on your property, increases significantly.

Thus, the emphasis is on prioritizing vulnerabilities that could impact a broader audience, whether by compromising your system’s security or placing individuals in harm’s way.

 

Incorporating EPSS and KEVs for Informed Decision-Making

In this extended analogy, as the steward of your home, you can lean on two tools that mirror essential cybersecurity practices: one akin to CISA's Known Exploited Vulnerabilities (KEV) catalog and the other to the Exploit Prediction Scoring System (EPSS).

 

Addressing Vulnerabilities with Insights from KEVs:

CISA's KEV catalog lists vulnerabilities for which there is reliable evidence of active exploitation in the wild (and, for U.S. federal agencies, a remediation due date), which makes it a critical input for prioritizing fixes. Analogously, imagine a repair log for homes like yours that records which floorboards have actually given way under someone's feet. Much like the KEV catalog, it lets you tackle the boards with a proven history of failure first, which is exactly how security teams focus on vulnerabilities known to be exploited.

The log does not tell you whether your particular board has failed yet, but it does tell you that the same board has failed in other houses, so you reinforce it before it becomes an evident problem in yours.

 

Employing EPSS for Forward-Looking Floorboard Fixes

Within the realm of cybersecurity, the Exploit Prediction Scoring System (EPSS) provides a probabilistic estimate, a probability between 0 and 1 together with a percentile rank, of how likely a vulnerability is to be exploited in the wild within the next 30 days. This predictive mechanism is invaluable for anticipating and heading off likely exploitation before it reaches you.

Translating this to our floorboard analogy, envision utilizing a predictive tool that assesses the risk of future floorboard compromises. This tool would analyze various factors such as the type of material, the wear and age of the floorboards, their placement within your home, and even the frequency and severity of similar incidents in other houses. By identifying floorboards that are at a heightened risk of future problems, you’re able to take preemptive action, either by replacing or reinforcing these areas, mirroring the proactive stance taken by cybersecurity professionals leveraging EPSS to address vulnerabilities.

The EPSS model integrates a broad spectrum of data: vendor information about the affected software, the age of the vulnerability (older vulnerabilities are more likely to have known exploits), the references in MITRE's Common Vulnerabilities and Exposures (CVE) list, the weakness type from the Common Weakness Enumeration (CWE), CVSS metrics, threat-intelligence data, published exploit code from platforms such as Metasploit and Google's Project Zero, and data from various security scanners. EPSS scores are recomputed daily as that evidence changes, so unlike a Base score they are expected to move over time.

 

A Quick Note on all Methods Spoken about

When you look at CVSS, CISA KEV, and EPSS together, the organizations behind them (FIRST.org and CISA) are explicit that they measure different things: CVSS describes a vulnerability's intrinsic characteristics and severity, whereas EPSS and CISA KEV describe its behavior in the wild (predicted and observed exploitation). They are complementary rather than competing.
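As an added example of how the three signals combine in practice (this is illustrative code, not part of the original post and not a Seemplicity, FIRST or CISA implementation), the block below ranks a constructed set of findings. The tiering policy, the 10% EPSS threshold and the 9.0 "critical and network-reachable" rule are hypothetical choices for the demonstration; the finding labels, scores, EPSS values and KEV flags are constructed, not real CVE data. The Attack Vector is read straight from the vector string, which is the point of the article: the vector tells you something the score alone does not.

```python
"""Rank findings by combining CVSS Base data, EPSS probability and CISA KEV membership."""
from dataclasses import dataclass


@dataclass
class Finding:
    ident: str
    vector: str        # CVSS v3.1 vector string
    base_score: float  # CVSS Base score
    epss: float        # EPSS probability of exploitation in the next 30 days (0..1)
    in_kev: bool       # listed in CISA's Known Exploited Vulnerabilities catalog


# Hypothetical policy thresholds for this example.
EPSS_THRESHOLD = 0.10   # at or above 10% we treat exploitation as likely
CRITICAL_SCORE = 9.0    # Critical band in CVSS v3.1 starts at 9.0


def metric(vector, key):
    """Read one metric value (e.g. AV) from a CVSS vector string; assumes a well-formed string."""
    return dict(part.split(":", 1) for part in vector.split("/")[1:])[key]


def tier(f):
    """Return (tier number, reason). Lower tier number means fix sooner."""
    if f.in_kev:
        return 1, "known exploited (CISA KEV)"
    if f.epss >= EPSS_THRESHOLD:
        return 2, f"likely exploited (EPSS {f.epss:.0%})"
    if f.base_score >= CRITICAL_SCORE and metric(f.vector, "AV") == "N":
        return 3, "critical and network-reachable, no exploitation signal yet"
    return 4, "backlog: fix in severity order"


def rank(findings):
    """Order findings by tier, then by EPSS (desc), then by Base score (desc)."""
    return sorted(findings, key=lambda f: (tier(f)[0], -f.epss, -f.base_score))


# Constructed sample inventory (labels and values are made up for the illustration).
FINDINGS = [
    Finding("F1", "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", 9.8, 0.02, False),
    Finding("F2", "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", 7.5, 0.93, True),
    Finding("F3", "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", 5.4, 0.001, False),
    Finding("F4", "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", 8.8, 0.45, False),
    Finding("F5", "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", 7.8, 0.60, False),
]

if __name__ == "__main__":
    for f in rank(FINDINGS):
        t, why = tier(f)
        print(f"tier {t}  {f.ident}  CVSS {f.base_score:<4} EPSS {f.epss:<6} KEV={f.in_kev}  {why}")
```

Note what the ordering does to F1 and F2: the 9.8 remote code execution with a 2% EPSS and no KEV entry lands in tier 3, behind a 7.5 denial of service that is actually being exploited and behind two findings with EPSS above the threshold. Sorting by score alone would have put F1 first. Whether that is the right call for your environment is exactly the Environmental and context judgement the article argues for; the thresholds are the knobs to turn.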

 

A Comprehensive Approach for Enhanced Security

The parallel drawn between the homeowner in our analogy and cybersecurity experts underscores the necessity of a comprehensive, multifaceted approach to maintaining security and integrity. By combining CVSS scoring with the forward-looking analysis offered by an EPSS-like tool and the historical insight provided by a KEV-like repair log, the homeowner can formulate a robust maintenance plan for the property. This mirrors the strategic depth cybersecurity professionals employ to fortify digital environments against potential threats.

The analogy of the renovated house with its vulnerable floorboards vividly illustrates a key principle in managing cybersecurity vulnerabilities: the importance of an integrated approach to prioritization. Just as homeowners must use diverse methods to assess and prioritize necessary repairs, cybersecurity practitioners must adopt a holistic strategy for addressing digital vulnerabilities.

Relying solely on quick, score-based assessments can be informative but insufficient for capturing the complex dynamics at play. Scores provide a useful summary but lack the depth needed to fully understand the nuances of each vulnerability. This limitation highlights why a deeper dive into the context and specific challenges posed by each vulnerability is essential.

The house analogy emphasizes the need to consider a variety of factors, such as the location and accessibility of each floorboard (akin to the Attack Vector in cybersecurity), the complexity of making repairs (Attack Complexity), the level of access required (Privileges Required), and the potential impacts on the home’s confidentiality, integrity, and availability. This detailed examination, which delves into the “how” and “why” behind each vulnerability, reflects the critical need for cybersecurity professionals to thoroughly analyze CVSS vector strings.

Moreover, the analogy sheds light on the value of leveraging diverse tools that provide both historical context and predictive insights, thereby enhancing the prioritization process. In the cybersecurity domain, this dual approach is crucial, balancing the proactive management of vulnerabilities expected to pose future risks with the remediation of those already known to be exploited.

 

Conclusion

Deciding which floorboard repairs to prioritize is a potent analogy for efficient vulnerability management in cybersecurity. It emphasizes that, rather than depending solely on one-dimensional scores, prioritization should be the result of a variety of datasets, insights and context. This all-encompassing approach helps protect system integrity and security now, as well as building ongoing resistance to new and emerging threats.

The analogy highlights that preserving safety, security, and functionality requires a comprehensive, context-aware, and forward-looking approach in both the physical and digital domains. By adopting this multifaceted methodology, cybersecurity professionals can build a more resilient and adaptable defense against the constantly shifting landscape of cyber threats.
