Sunday 12 September 2021

Building a Common Language - CVSS (Common Vulnerability Scoring System)

As our complex societies, business environments and economies work together to exchange and secure data, build ideas and solve problems so that we may protect and improve quality of life, our human workflows are often thwarted by not using a common industry language. Sometimes we do not even have a common language to use.

When we think of risk, vulnerability management and threat intelligence, the standard frameworks in active development come to mind.  

In Vulnerability Management, the Common Vulnerability Scoring System (CVSS) has become the widely adopted standard, solidified in 2005 (now almost 17 years ago) by the National Infrastructure Advisory Council (NIAC). The NIAC then passed ownership of the CVSS standard to the Forum of Incident Response and Security Teams (FIRST), a non-profit organization established in 1990 in response to the cyber risk exposed by the WANK worm just a few years earlier.

Now FIRST maintains and grows this standard and encourages feedback from the information security community.

A link to the final report by the NIAC can be accessed from the Cybersecurity & Infrastructure Security Agency (CISA): https://www.cisa.gov/publication/niac-common-vulnerability-scoring-final-report

Since 2007, Europe has taken the lead in FIRST membership growth year over year. Membership in Asia and in the United States has also been increasing, but at different rates; as of this year Asia has caught up with the United States in membership numbers. South America has also dramatically increased its regional membership numbers year after year. Asia and Europe have seen the most impressive increases since 2015.

FIRST Membership growth by year:  https://www.first.org/about/history

CVSS Industry Use Cases 

To onlookers outside of the industry, much translation is needed. Use cases are often the best way to help us understand something that initially seems so abstract.
  • National Vulnerability Database Analysts: These analysts use CVSS to assign scores to newly disclosed and discovered vulnerabilities. The vulnerabilities and their assigned CVSS scores can be found in the National Vulnerability Database (NVD).
  • Security Analysts, Security Researchers, Auditors, Pen-testers, Threat Actors: Red-teamers, blue-teamers and threat actors alike rely on CVSS scoring in order to understand system vulnerability, plan attacks and implement countermeasures. (choose the light)
  • Makers and providers of vulnerability scanning and Endpoint Detection and Response platforms: They can leverage the NVD feed to provide CVSS scoring for host and device scans.
  • Makers, providers and users of SIEM and log collection platforms: They can attempt to detect CVEs being actively exploited and apply a severity score that correlates to the perceived vulnerability, to prioritize countermeasures during and after an attack.
A link to resources with more detailed information can be found here:

CVSS Versions and Release Dates 

Like some people say, "Nothing is perfect".  I think we all know by now, how right that is.  It definitely goes without saying, but I'll say it anyway!

Historically, however, CVSSv1 through v3 seem to lack the ability to describe, in sufficient detail, vulnerabilities related to the Internet of Things (IoT), such as medical devices, the grid, automobiles, aircraft, drones and embedded systems generally. CVSSv3.1, released in 2019, contains a framework for extending CVSS.

CVSS does not have specialized scoring for industry verticals, and thus does not have the language or the scope to accurately measure risk; it provides only severity ratings of software vulnerabilities.

CVSS Version | Year Released | Limitations
CVSSv1 | 2005 | Had not been peer reviewed when released.
CVSSv2 | 2007 | Questions of accuracy due to a lack of granularity in several metrics and weak definitions that resulted in less accurate scoring. Slow to accommodate the changing landscape of modern risk. Over a 0-10 scoring range, it had only three levels of severity: Low/Medium/High.
CVSSv3.0 | 2015 | Accounted for the physical attack layer, but still did not address major issues with scoring for confidentiality of data, amongst other unresolved issues. Levels of severity increased from three to five over the 0-10 scoring range: None/Low/Medium/High/Critical.
CVSSv3.1 | 2019 | Includes updates to the user guide and a framework for extending CVSSv3 to provide flexibility for industry verticals including the healthcare, automotive and industrial sectors. Formula and scoring improvements.

Mapping CVSS to MITRE ATT&CK

The intertwining of Vulnerability Management and Cyber Threat Intelligence is incontestable. It is natural, when thinking about security weaknesses, to imagine that lurking in the obfuscated digital shadows is a threat actor, an attacker, waiting to exploit those weaknesses.

The great work MITRE has done in describing the tactics, techniques and procedures (TTPs) of real-world attacks, and then correlating those with attack groups (nation-state attackers, cybercriminals and hacktivists), builds a dossier that allows us, the security community, to threat map based on victim profile (industry segment) and anticipate the modus operandi of attack groups that typically target a given industry.

Some brilliant work by Aditya Kuppa, Lamine Aouad and Nhien-An Le-Khac, available in the ACM Digital Library, describes in detail how to programmatically correlate CVSS to MITRE ATT&CK techniques.

A link to their work can be found here:  https://dl.acm.org/doi/fullHtml/10.1145/3465481.3465758 

Additionally, in October 2020, MITRE released a rubric (an xlsm on GitHub) for effectively applying CVSS to medical devices. The U.S. Food and Drug Administration has officially qualified this rubric as one of several Medical Device Development Tools (MDDTs) on its website.

MITRE CVSS Rubric for Medical Devices:  https://github.com/mitre/md-cvss-rubric-tools 

Common Languages Change and Evolve

As common languages like CVSS and ATT&CK continue to evolve and change to meet industry requirements, they don't need to be perfect; they just need to be adaptive.
