CERT Logo
i

Dryad - SSVC Calc App
(CISA Coordinator v2)

Exploitation choices
None:   There is no evidence of active exploitation and no public proof of concept (PoC) of how to exploit the vulnerability.
PoC:   (Proof of Concept)One of the following cases is true: (1) private evidence of exploitation is attested but not shared; (2) widespread hearsay attests to exploitation; (3) typical public PoC in places such as Metasploit or ExploitDB; or (4) the vulnerability has a well-known method of exploitation. Some examples of condition (4) are open-source web proxies serve as the PoC code for how to exploit any vulnerability in the vein of improper validation of TLS certificates. As another example, Wireshark serves as a PoC for packet replay attacks on ethernet or WiFi networks.
Active:   Shared, observable, reliable evidence that the exploit is being used in the wild by real attackers; there is credible public reporting.
Virulence choices
Slow:   Steps 1-4 of the kill chain cannot be reliably automated for this vulnerability for some reason. These steps are reconnaissance, weaponization, delivery, and exploitation. Example reasons for why a step may not be reliably automatable include (1) the vulnerable component is not searchable or enumerable on the network, (2) weaponization may require human direction for each target, (3) delivery may require channels that widely deployed network security configurations block, and (4) exploitation may be frustrated by adequate exploit-prevention techniques enabled by default; ASLR is an example of an exploit-prevention tool.
Rapid:   Steps 1-4 of the of the kill chain can be reliably automated. If the vulnerability allows unauthenticated remote code execution (RCE) or command injection, the response is likely rapid.
Technical Impact
Partial:   The exploit gives the adversary limited control over, or information exposure about, the behavior of the software that contains the vulnerability. Or the exploit gives the adversary an importantly low stochastic opportunity for total control. In this context, “low” means that the attacker cannot reasonably make enough attempts to overcome the low chance of each attempt not working. Denial of service is a form of limited control over the behavior of the vulnerable component.
Total:   The exploit gives the adversary total control over the behavior of the software, or it gives total disclosure of all information on the system that contains the vulnerability.
Mission Prevelance choices
Minimal:   Neither support nor essential apply. The vulnerable component may be used within the entities, but it is not used as a mission-essential component nor does it support (enough) mission essential functions.
Support:   The operation of the vulnerable component merely supports mission essential functions for two or more entities. EssentialThe vulnerable component directly provides capabilities that constitute at least one MEF for at least one entity, and failure may (but need not) lead to overall mission failure.
Vulnerability Scoring Decisions
Track   The vulnerability does not require attention outside of Vulnerability Management (VM) at this time. Continue to track the situation and reassess the severity of vulnerability if necessary.
Track *   Track these closely, especially if mitigation is unavailable or difficult. Recommended that analyst discuss with other ana-lysts and get a second opinion.
Attend   The vulnerability requires to be attended to by stakeholders outside VM. The action is a request to others for assistance / information / details, as well as a potential publication about the issue.
Act   The vulnerability requires immediate action by the relevant leadership. The action is a high-priority meeting among the relevant supervisors to decide how to respond.
Determining Mission & Well-being impact value

 

Public Well-Being Impact


Minimal

Material

Irreversible

Mission Prevalence

Minimal

Low

Medium

High

Support

Medium

Medium

High

Essential

High

High

High

Public Well-being Impact Decision Values

Impact

Type of Harm

Description

Minimal

All

The effect is below the threshold for all aspects described in material.

Material
(Any one or more of these conditions hold.)

Physical harm

Physical distress and injuries for users (not operators) of the system.

Operator
resiliency

If the operator is expected to be able to keep the cyber-physical system safely operating (that is, prevents one of the other types of harm), then select this option if one of these three apply: system operator must react to exploitation of the vulnerability to maintain safe system state but operator actions would be within their capabilities; OR significant distraction or discomfort to operators; OR causes significant occupational safety hazard.

System
resiliency

Cyber-physical system’s safety margin effectively eliminated but no actual harm; OR failure of cyber-physical system functional capabilities that support safe operation.

Environment

Major externalities (property damage, environmental damage, etc.) imposed on other parties.

Financial

Financial losses that likely lead to bankruptcy of multiple persons.

Psychological

Widespread emotional or psychological harm, sufficient to be cause for counselling or therapy, to populations of people.

Irreversible (Any one or more of these conditions hold.)

Physical harm

Multiple fatalities likely.

Operator
resiliency

Operator is incapacitated, where operator usually maintains safe cyber-physical system operations, and so other harms at this level are likely.

System
resiliency

Total loss of whole cyber-physical system of which the software is a part.

Environment

Extreme or serious externalities (immediate public health threat, environmental damage leading to small ecosystem collapse, etc.) imposed on other parties.

Financial

Social systems (elections, financial grid, etc.) supported by the software are destabilized and potentially collapse.

Psychological

N/A

Stakeholder-Specific Vulnerability Categorization (SSVC)
version 2 (October 2020)

Introduction:

Our proposed SSVC approach for vulnerability prioritization takes the form of decision trees. This decision tree can be adapted for different vulnerability management stakeholders such as patch developers and patch appliers. In this instance of Drayd - SSVC calculator app, SSVC is being prototyped for CISA in their unique role as advisors to be able to provide decision support to various stakeholders and influence their prioritization of vulnerabilities.

Decision Tree Usage:

Click on the button to see the complete decision tree at a glance. Each circle represents a decision point or stage/fork in the decision tree. You can move your mouse over each circle to get a glimpse at the definition of the choices you can make after that stage/fork. The path (branch) leading to the next stage fork is labeled partial also as it leads you to the next stage/fork represented by a circle.


When using for a new SSVC calculation with
You can move your mouse over circle or on the text Exploitation that represents a stage/fork in the decision tree to get information on choices you can make for your next stage/fork of the tree. You will see each branch will also be be labeled partial that leads you to the next stage/fork. You can make the appropriate choice by clicking on the text "partial" or on the circle where your chosen path ends or terminates. Follow these steps on the decision tree. When prompted for more complex decision making like Mission & Well-Being Impact, you will be presented with more choices, you can click on ? to get more help in understanding and making the right choices.

Mission & Well-being is a cumulative decision that is comprised of Mission Prevelance and Public Well-Being Impact .


Include decision tree in export