triaging-vulnerabilities-with-ssvc-framework


Triaging Vulnerabilities with SSVC Framework


Overview


The Stakeholder-Specific Vulnerability Categorization (SSVC) framework, developed by Carnegie Mellon University's Software Engineering Institute (SEI) in collaboration with CISA, provides a structured decision-tree methodology for vulnerability prioritization. Unlike CVSS alone, SSVC accounts for exploitation status, technical impact, automatability, mission prevalence, and public well-being impact to produce one of four actionable outcomes: Track, Track*, Attend, or Act.

Prerequisites


  • Python 3.9+ with the requests, pandas, and jinja2 libraries
  • Access to CISA KEV catalog API and EPSS API from FIRST
  • NVD API key (optional, for higher rate limits)
  • Vulnerability scan results from tools like OpenVAS, Nessus, or Qualys

SSVC Decision Points


1. Exploitation Status


Assess current exploitation activity:
  • None - No evidence of active exploitation
  • PoC - Proof-of-concept exists publicly
  • Active - Active exploitation observed in the wild (check CISA KEV)
```bash
# Check if a CVE is in CISA Known Exploited Vulnerabilities catalog
curl -s "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json" |
python3 -c "import sys,json; data=json.load(sys.stdin); cves=[v['cveID'] for v in data['vulnerabilities']]; print('Active' if 'CVE-2024-3400' in cves else 'Check PoC/None')"
```

2. Technical Impact


Determine scope of compromise if exploited:
  • Partial - Limited to a subset of system functionality or data
  • Total - Full control of the affected system, complete data access

3. Automatability


Evaluate if exploitation can be automated at scale:
  • No - Requires manual, targeted exploitation per victim
  • Yes - Can be scripted or worm-like propagation is possible

4. Mission Prevalence


How widespread is the affected product in your environment:
  • Minimal - Limited deployment, non-critical systems
  • Support - Supports mission-critical functions indirectly
  • Essential - Directly enables core mission capabilities

5. Public Well-Being Impact


Potential consequences for physical safety and public welfare:
  • Minimal - Negligible impact on safety or public services
  • Material - Noticeable degradation of public services
  • Irreversible - Loss of life, major property damage, or critical infrastructure failure

SSVC Decision Outcomes


| Outcome | Action Required | SLA |
|---|---|---|
| Track | Monitor, remediate in normal patch cycle | 90 days |
| Track* | Monitor closely, prioritize in next patch window | 60 days |
| Attend | Escalate to senior management, accelerate remediation | 14 days |
| Act | Apply mitigations immediately, executive-level awareness | 48 hours |

Implementation Steps


Step 1: Ingest Vulnerability Data


```python
import requests
import json

# Fetch CISA KEV catalog
kev_url = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"
kev_data = requests.get(kev_url, timeout=30).json()
kev_cves = {v['cveID'] for v in kev_data['vulnerabilities']}

# Fetch EPSS scores for context
epss_url = "https://api.first.org/data/v1/epss"
epss_response = requests.get(epss_url, params={"cve": "CVE-2024-3400"}, timeout=30).json()
```

Step 2: Evaluate Each Decision Point


```python
import requests


def evaluate_exploitation(cve_id, kev_set):
    """Determine exploitation status from CISA KEV and EPSS data."""
    if cve_id in kev_set:
        return "active"
    epss = requests.get(
        "https://api.first.org/data/v1/epss",
        params={"cve": cve_id},
        timeout=30,
    ).json()
    if epss.get("data"):
        # EPSS is a probability of exploitation in the next 30 days; a high
        # score is used here as a proxy for a publicly available PoC.
        score = float(epss["data"][0].get("epss", 0))
        if score > 0.5:
            return "poc"
    return "none"


def evaluate_technical_impact(cvss_vector):
    """Parse CVSS vector for scope and impact metrics."""
    if "S:C" in cvss_vector or "C:H/I:H/A:H" in cvss_vector:
        return "total"
    return "partial"


def evaluate_automatability(cvss_vector, cve_description):
    """Check if attack vector is network-based with low complexity."""
    if "AV:N" in cvss_vector and "AC:L" in cvss_vector and "UI:N" in cvss_vector:
        return "yes"
    return "no"
```
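The substring tests in evaluate_technical_impact and evaluate_automatability above misfire on vectors that carry environmental metrics (an appended MAC:L contains the text AC:L) or that list the impact metrics in another order. As an added example that is not part of the page's script, here is a small CVSS 3.x vector parser with the same two decision points computed from parsed fields; parse_cvss_vector, technical_impact and automatability are names chosen for this example, and the vectors are constructed, not taken from any advisory.

```python
from typing import Dict


def parse_cvss_vector(vector: str) -> Dict[str, str]:
    """Split a CVSS 3.x vector ('CVSS:3.1/AV:N/AC:L/...') into {metric: value}.

    Raises ValueError for anything that is not a 3.0/3.1 vector, so a caller
    cannot silently fall through to 'partial'/'no' on garbage input.
    """
    parts = vector.strip().split("/")
    if not parts or not parts[0].startswith("CVSS:3."):
        raise ValueError(f"not a CVSS 3.x vector: {vector!r}")
    metrics = {}
    for part in parts[1:]:
        key, sep, value = part.partition(":")
        if not sep or not key or not value:
            raise ValueError(f"malformed metric {part!r} in {vector!r}")
        metrics[key] = value
    for required in ("AV", "AC", "PR", "UI", "S", "C", "I", "A"):
        if required not in metrics:
            raise ValueError(f"missing base metric {required} in {vector!r}")
    return metrics


def technical_impact(metrics: Dict[str, str]) -> str:
    """SSVC Technical Impact: 'total' when the bug yields full control (all
    three CIA impacts High) or crosses a security boundary (Scope Changed)."""
    if metrics["S"] == "C" or (metrics["C"], metrics["I"], metrics["A"]) == ("H", "H", "H"):
        return "total"
    return "partial"


def automatability(metrics: Dict[str, str]) -> str:
    """The page's Automatable heuristic: network-reachable, low complexity, no
    user interaction. Reads base metrics only, so an environmental 'MAC:L'
    cannot satisfy the 'AC:L' test by accident."""
    if metrics["AV"] == "N" and metrics["AC"] == "L" and metrics["UI"] == "N":
        return "yes"
    return "no"


if __name__ == "__main__":
    # Constructed vectors for illustration.
    m = parse_cvss_vector("CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H")
    print(technical_impact(m), automatability(m))  # total yes
    # High base complexity plus an environmental MAC:L: the naive test
    # '"AC:L" in vector' would wrongly report this as automatable.
    m2 = parse_cvss_vector("CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/MAC:L")
    print(technical_impact(m2), automatability(m2))  # partial no
```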

Step 3: Apply SSVC Decision Tree


```python
def ssvc_decision(exploitation, tech_impact, automatability, mission_prevalence, public_wellbeing):
    """CISA SSVC decision tree implementation (simplified).

    public_wellbeing is accepted for completeness but not consulted by this
    simplified tree; the branches below key on exploitation, technical impact,
    automatability and mission prevalence only.
    """
    if exploitation == "active":
        if tech_impact == "total" or automatability == "yes":
            return "Act"
        if mission_prevalence in ("essential", "support"):
            return "Act"
        return "Attend"
    if exploitation == "poc":
        if automatability == "yes" and tech_impact == "total":
            return "Attend"
        if mission_prevalence == "essential":
            return "Attend"
        return "Track*"
    # exploitation == "none"
    if tech_impact == "total" and mission_prevalence == "essential":
        return "Track*"
    return "Track"
```
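To tie the Step 3 tree to the SLAs in the outcomes table, the following added example (not the page's scripts/process.py) runs a batch of findings through the page's ssvc_decision unchanged, derives the exploitation status from in-memory KEV and EPSS data so it can be tested offline, and attaches an SLA due date to each finding. evaluate_exploitation_offline and triage are names chosen here; the CVE ids, KEV membership and EPSS values are constructed sample data.

```python
from datetime import datetime, timedelta, timezone

# Remediation SLAs from the outcomes table above.
SLA = {"Track": timedelta(days=90), "Track*": timedelta(days=60),
       "Attend": timedelta(days=14), "Act": timedelta(hours=48)}

def evaluate_exploitation_offline(cve_id, kev_set, epss_scores):
    """Page's rule (KEV -> active, EPSS > 0.5 -> poc, else none) on in-memory data."""
    if cve_id in kev_set:
        return "active"
    if epss_scores.get(cve_id, 0.0) > 0.5:
        return "poc"
    return "none"

def ssvc_decision(exploitation, tech_impact, automatability, mission_prevalence, public_wellbeing):
    """The page's simplified decision tree, reproduced unchanged."""
    if exploitation == "active":
        if tech_impact == "total" or automatability == "yes":
            return "Act"
        if mission_prevalence in ("essential", "support"):
            return "Act"
        return "Attend"
    if exploitation == "poc":
        if automatability == "yes" and tech_impact == "total":
            return "Attend"
        if mission_prevalence == "essential":
            return "Attend"
        return "Track*"
    if tech_impact == "total" and mission_prevalence == "essential":
        return "Track*"
    return "Track"

def triage(findings, kev_set, epss_scores, now):
    """Decide each finding, attach its SLA due date, and order most urgent first."""
    report = []
    for f in findings:
        expl = evaluate_exploitation_offline(f["cve"], kev_set, epss_scores)
        outcome = ssvc_decision(expl, f["tech_impact"], f["automatable"], f["mission"], f["wellbeing"])
        report.append({"cve": f["cve"], "exploitation": expl, "outcome": outcome,
                       "due": (now + SLA[outcome]).isoformat()})
    return sorted(report, key=lambda r: ("Act", "Attend", "Track*", "Track").index(r["outcome"]))

# Constructed sample data: these CVE ids, KEV entries and EPSS values are made up.
SAMPLE_KEV = {"CVE-0000-0001"}
SAMPLE_EPSS = {"CVE-0000-0002": 0.91, "CVE-0000-0003": 0.02}
SAMPLE_FINDINGS = [
    {"cve": "CVE-0000-0003", "tech_impact": "total", "automatable": "no", "mission": "essential", "wellbeing": "minimal"},
    {"cve": "CVE-0000-0002", "tech_impact": "total", "automatable": "yes", "mission": "minimal", "wellbeing": "material"},
    {"cve": "CVE-0000-0001", "tech_impact": "partial", "automatable": "yes", "mission": "minimal", "wellbeing": "minimal"},
]
REPORT = triage(SAMPLE_FINDINGS, SAMPLE_KEV, SAMPLE_EPSS, datetime(2024, 1, 1, tzinfo=timezone.utc))
```

Printing REPORT lists the KEV-listed finding first with a 48-hour due date, then the PoC finding at 14 days, then the unexploited one at 60 days.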

Step 4: Generate Triage Report


```bash
# Run the SSVC triage script against scan results
python3 scripts/process.py --input scan_results.csv --output ssvc_triage_report.json

# View summary
cat ssvc_triage_report.json | python3 -m json.tool | head -50
```

Integration with Vulnerability Scanners


Import from Nessus CSV


```bash
# Export Nessus scan as CSV, then process
python3 scripts/process.py \
  --input nessus_export.csv \
  --format nessus \
  --output ssvc_results.json
```

Import from OpenVAS


```bash
# Export OpenVAS results as XML
python3 scripts/process.py \
  --input openvas_report.xml \
  --format openvas \
  --output ssvc_results.json
```

Validation and Testing


```bash
# Test SSVC decision logic with known CVEs
python3 -c "
from scripts.process import ssvc_decision

# CVE-2024-3400 - Palo Alto PAN-OS command injection (KEV listed)
assert ssvc_decision('active', 'total', 'yes', 'essential', 'material') == 'Act'

# CVE-2024-21887 - Ivanti Connect Secure (PoC available)
assert ssvc_decision('poc', 'total', 'yes', 'support', 'minimal') == 'Attend'

print('All SSVC decision tests passed')
"
```

References
