Network Evaluation: Taking vulnerability prioritization beyond CVSS

It can be overwhelming to be tasked with remediation following a pentest or even after the expected recurring vulnerability scans that have become part of a routine. Each time there’s a new wave of vulnerabilities they’re most likely mixed in with some previously made aware of. This post will focus on how to evaluate a network to decide how to prioritize using more than just the provided CVSS score.

It can be overwhelming to be tasked with remediation following a pentest or even after the expected recurring vulnerability scans that have become part of a routine. Each time there’s a new wave of vulnerabilities they’re most likely mixed in with some previously made aware of. This post will focus on how to evaluate a network to decide how to prioritize using more than just the provided CVSS score.

Asset Management

An essential part of vulnerability management is keeping track of the assets in a network. Without this information, there is no way to know how the network is affected by vulnerabilities and which devices need to be remediated first. Remediation also depends on knowing the asset owners as well so that once vulnerabilities are found action can be taken.

Consider a few things as you analyze your assets:

  1. How many hops away the devices are from the edge of the network.
  2. Any mitigating controls to access devices (2FA, Jumphosts, VPN, Firewall rules, etc).
  3. Which users have access and how easy it would be to compromise them. Consider that the more users you have, the more likely you are to find one that can be compromised.
  4. The type of data that sits on the devices and if there are any measures to protect its removal and/or integrity.
  5. The importance of availability of the data or service the device is providing. For example, if there was a Denial of Service attack, or data was lost, how difficult would it be for business to continue?

I suggest a scale of 1-3: Low, Medium, High. If you have more devices and you want to avoid too many in the same bucket, you could expand this to a scale of 1-5 and still achieve the same results, but it’s always better to keep things as simple as possible. Once you have your most critical devices established, you might even want to set up a scanning schedule just for them so that you are more quickly aware of any issues.

There are vendors that will help with asset management, and it’s important to include professionals in the discussion. It can be an exhausting effort but must be thorough to be effective. Use scheduled discovery scans and be aware that you won’t have a complete view of your network to begin with.

We’ll look over some scoring examples at the end, but let’s take a look at how to analyze the vulnerabilities that you might encounter.

Why can’t I rely on the CVSS score?

When you get your penetration test results or scan data back, you’ll probably notice a CVSS score, unless the company providing the data has devised their own method of scoring (if that is the case, you may want to discuss with them how they determined this score so you can learn what has already been considered). CVSS scores are on a 0 to 10 scale. You should still include this score in your database as a point of reference, but also so that when it is re-evaluated the CVSS score can be considered. Include the vectors as well, because these are important to include and give context to the reasoning behind the CVSS score.

When a vulnerability is initially released, there may be a lack of information that is cleared up later; there might be additional information never considered. This changes the chance of it affecting your network. You’ll find that your assessment of hyped up vulnerabilities can change after a few days. It's also possible that you might look over a vulnerability and consider it unimportant then change your mind once more information is released or more people have had a chance to experiment with the vulnerability. 

The CVSS score, although just a suggestion, is a combination of many elements that are considered and is a very good starting point for your analysis. However, once you add in other elements that can not be considered due to variation in networks, you will find that the CVSS score isn’t always going to be accurate.

How Scary is That Vulnerability?

Once you have identified the vulnerabilities you will be assessing from the report you have, make a list of what you’ll be evaluating and find the CVE for each one. This is often listed in your report and can be found on MITRE’s website. Read over the CVE and try to get an understanding of the vulnerability. There should be some links in the “references” section as well, and you also may need to go to your favorite search engine and search the CVE. If you’re not very familiar with some of the terms used to describe it, at first it can be overwhelming but if you keep at it and work through each one, you’ll find that after a while it starts to become easier. Check the end of this post for recommended reading.

The reason you’re re-assessing the vulnerability’s CVSS score is because how your network is impacted by the vulnerability is going to be subject to different factors that are not part of the CVSS score. Consider the following:

  1. Are you using any workarounds or do you have controls that will prevent the attack from occurring or reduce its likelihood?
  2. Is exploit code public or is there a tool released? (This can change quickly, so be aware).
  3. Can you reproduce the vulnerability? Even if you received a penetration test, you should still try to reproduce it and check their work.
  4. What’s your worst case scenario?
  5. Are there other low risk vulnerabilities that chained together can create a larger effect on your network or assets? While you don’t want to spend too much time on low risk items, you might want to if there are several that can be used together to create a larger problem.
  6. Do you have a plan in place that would affect the outcome of that particular vulnerability being exploited?

Once you have answered these questions, think about the likelihood and impact of the particular vulnerability you are assessing. You may need to get some risk management people involved or speak to other departments about impact. Now on a scale of 1 to 10, rate how scary the vulnerability is to your organization. Filter out any vulnerabilities that you can’t reproduce (make sure you’ve done your due diligence and document what you did). A good penetration test or vulnerability scan will have details on how to reproduce it; don’t spend too much time on it, but go through this step if it is possible. Please do include your incident response and risk professionals in the discussion. Additionally, getting other people involved in the assessment will make it more resilient to criticism. If you are worried about making a wrong decision, you still have the CVSS score if anyone wants to disagree and re-evaluate. The impact of this decision, if other measures are in place to avoid compromise, is most likely not as much as you would think and it only gets easier with more experience.

You have an asset score and you’ve re-assessed the CVSS score for your company and network. Once you multiply the asset score and the new score for the vulnerability, you can see how to prioritize the remediation. The higher the number, the more urgent and important it is to remediate that vulnerability.

Examples

  1. Your company keeps customer data such as names, addresses, phone numbers, credit card data, and shopping history stored in a database which can be accessed by the web server, from within the network, or by VPN. The company providing the scanning of your network reports that the KRACK Wi-fi vulnerability, which only applies to WPA2 wi-fi networks when the attack is within range, has a CVSS score of 7.5 for Windows desktops. Considering that there is no tool released yet to facilitate the attack and the attacker would need to be within range of your network, the probability that the attack can be successfully pulled off is low. If they do manage to get inside the network, access to the database would also require authentication including 2FA. Additionally, your company is following best practices for wi-fi security already, and you know that the WSUS server will soon receive a patch and deploy it to affected machines. You’ll make sure to monitor many different sources in order to be aware of new exploits. In this case, you decide to set the adjusted score to 3 and re-assess the vulnerability for new developments if it appears in the next scan result.
  2. In this example, you are working for a company in which sales only occur online. Any compromise of users or damage to the website would result in immediate financial loss. The scanner results show that there is a Brute Force Vulnerability present on the company’s website, and rates it as having a CVSS of 4. In order to resolve this, you know that what needs to be done is to limit the amount of invalid logins that are allowed in a short amount of time. You decide to raise the score to 8 because there is a lot of information stored in user accounts that you wouldn’t want compromised; you want your customers to feel safe logging into the website or they will not use the service at all. Because of the importance of the website and the financial impact to business, you would need to raise the score whereas with any other type of company that does not rely so heavily on online business, you may not need to.

Having a number to prioritize remediation is great for plugging into code and/or data visualization tools. Ideally, it’s best to be able to categorize vulnerabilities and assets by descriptive words (low, medium, high, critical, etc…), but there is some value in attaching a number in order to let machines work with the data.

Recommended Reading

I had a wonderful opportunity to work on a new vulnerability management program a few years ago and learned a lot from my manager. There were a lot of issues that came up that I had to resolve, and a lot of research for each new vulnerability. The best experience is hands-on. As you start to assess and read about vulnerabilities it may be a challenge, but it only gets easier with each one. If you aren’t a fan of just diving in, here’s some resources:

OWASP has a list of web application attacks and more information on each one.

Defensive Security Handbook by Amanda Berlin and Lee Brotherston. There are chapters dedicated to asset management, network infrastructure, and vulnerability management however the entire book is a comprehensive guide to defending networks.

Common Vulnerability Scoring System Guide for Version 3 is another useful reference when it comes to the official CVSS v3.0 specifications. 

Of course, if you have any additional questions for me please comment on this article or send me an e-mail at roxy@hurricanelabs.com.