CERTCC / SSVC

Stakeholder-Specific Vulnerability Categorization
https://certcc.github.io/SSVC/

Strengthen links between SSVC and CERT RMM #486

Open ahouseholder opened 7 months ago

ahouseholder commented 7 months ago

This issue was prompted by my going looking for references about vulnerability response process governance in the service of starting to address

Describe the solution you'd like

We should highlight the connection between SSVC and the CERT RMM.

Specifically, this section sort of maps onto the Bootstrapping guidance.

VAR:SG2.SP3 Analyze Vulnerabilities

Vulnerabilities are analyzed to determine whether they have to be reduced or eliminated. The mere identification of a vulnerability is not sufficient for determining whether the organization should act to counter it. With the number of vulnerabilities growing exponentially (particularly for technology assets), no organization can (or would want to) address all of them. The organization must analyze vulnerabilities to determine which ones require additional attention.

Through vulnerability analysis, the organization seeks to understand the potential threat that the vulnerability represents. The structure of the vulnerability—what it can do, how it is exploited, the potential effects—must be carefully considered in the context of the potentially affected assets and services. Vulnerability analysis includes activities to

  • understand the threat and exposure
  • review trend information to determine whether the vulnerability has existed before and what actions were taken to reduce or eliminate it
  • identify and understand underlying causes for exposure to the vulnerability
  • prioritize and categorize vulnerabilities for appropriate action to reduce or eliminate them
  • refer vulnerabilities to the organization’s risk management process when more extensive consideration of the impact of the potential threat must be performed to determine an appropriate mitigation strategy

As a result of analysis, some vulnerabilities will be determined to be of no relevance to the organization (i.e., the organization is not exposed to them or the exposure is negligible). Other vulnerabilities will have to be addressed through a simple fix (such as a software patch or by turning off unnecessary services), and some will have to have a formal strategy developed. The organization should assign a course of action to each vulnerability.

Typical work products

  1. Vulnerability prioritization guidelines
  2. Vulnerability analysis
  3. List of vulnerabilities prioritized for disposition
  4. Updated vulnerability repository

Subpractices

  1. Develop prioritization guidelines for vulnerabilities.

Prioritization guidelines should help the organization to sort and prioritize vulnerabilities consistently according to their relevance to the organization. The relevance to the organization may be characterized either in qualitative terms (high, medium, or low) or quantitative terms (through a numerical scale). The prioritization will provide the organization a structured means for determining the appropriate categorization for resolution actions.

  2. Analyze the structure and action of the vulnerability.

This may require the vulnerability to be decomposed into other artifacts such as threat, threat actor, motive, and potential outcome. In addition, relationships between vulnerabilities may be identified that could indicate similar root causes or origins that must be considered in resolution actions.

  3. Prioritize and categorize vulnerabilities for disposition.

Based on the organization’s prioritization guidelines and the results of vulnerability analysis, vulnerabilities must be categorized by disposition. These are examples of categories for vulnerability resolution:

  • Take no action; ignore.
  • Fix immediately (typically the case for vendor updates or changes).
  • Develop and implement vulnerability resolution strategy (typically the case when the resolution is more extensive than simple actions such as vendor updates).
  • Perform additional research and analysis.
  • Refer the vulnerability to the risk management process for formal risk consideration.

Vulnerabilities that are referred to the risk management process are typically those that cannot be resolved without more extensive decomposition and consideration of organizational consequences and impact.

  4. Update the vulnerability repository with analysis and prioritization and categorization information.

And

VAR:GG2.GP1 Establish Process Governance

Establish and maintain governance over the planning and performance of the vulnerability analysis and resolution process.

This whole section has relevance for parts of SSVC.

Additional context

CERT® Resilience Management Model, Version 1.2 Vulnerability Analysis and Resolution (VAR) https://insights.sei.cmu.edu/documents/1338/2016_009_001_514965.pdf

ahouseholder commented 7 months ago

I've included a sidebar mention of RMM in

But I think we might want to consider doing more. Maybe something like a crosswalk of the relevant RMM (esp. VAR) sections with SSVC things. The goal being to weave SSVC into an existing fabric of prior vulnerability response process improvement work.