Triaging Vulnerabilities with SSVC Framework

Overview

The Stakeholder-Specific Vulnerability Categorization (SSVC) framework, developed by Carnegie Mellon University's Software Engineering Institute (SEI) in collaboration with CISA, provides a structured decision-tree methodology for vulnerability prioritization. Unlike CVSS alone, SSVC accounts for exploitation status, technical impact, automatability, mission prevalence, and public well-being impact to produce one of four actionable outcomes: Track, Track*, Attend, or Act.

When to Use

• When managing security operations that require triaging vulnerabilities with ssvc framework
• When improving security program maturity and operational processes
• When establishing standardized procedures for security team workflows
• When integrating threat intelligence or vulnerability data into operations

Prerequisites

• Python 3.9+ with requests, pandas, and jinja2 libraries
• Access to CISA KEV catalog API and EPSS API from FIRST
• NVD API key (optional, for higher rate limits)
• Vulnerability scan results from tools like OpenVAS, Nessus, or Qualys

SSVC Decision Points

1. Exploitation Status

Assess current exploitation activity:

• None - No evidence of active exploitation
• PoC - Proof-of-concept exists publicly
• Active - Active exploitation observed in the wild (check CISA KEV)

# Check if a CVE is in CISA Known Exploited Vulnerabilities catalog
curl -s "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json" | \
  python3 -c "import sys,json; data=json.load(sys.stdin); cves=[v['cveID'] for v in data['vulnerabilities']]; print('Active' if 'CVE-2024-3400' in cves else 'Check PoC/None')"

2. Technical Impact

Determine scope of compromise if exploited:

• Partial - Limited to a subset of system functionality or data
• Total - Full control of the affected system, complete data access

3. Automatability

Evaluate if exploitation can be automated at scale:

• No - Requires manual, targeted exploitation per victim
• Yes - Can be scripted or worm-like propagation is possible

4. Mission Prevalence

How widespread is the affected product in your environment:

• Minimal - Limited deployment, non-critical systems
• Support - Supports mission-critical functions indirectly
• Essential - Directly enables core mission capabilities

5. Public Well-Being Impact

Potential consequences for physical safety and public welfare:

• Minimal - Negligible impact on safety or public services
• Material - Noticeable degradation of public services
• Irreversible - Loss of life, major property damage, or critical infrastructure failure

SSVC Decision Outcomes

Workflow

Step 1: Ingest Vulnerability Data

import requests
import json

# Fetch CISA KEV catalog
kev_url = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"
kev_data = requests.get(kev_url).json()
kev_cves = {v['cveID'] for v in kev_data['vulnerabilities']}

# Fetch EPSS scores for context
epss_url = "https://api.first.org/data/v1/epss"
epss_response = requests.get(epss_url, params={"cve": "CVE-2024-3400"}).json()

Step 2: Evaluate Each Decision Point

def evaluate_exploitation(cve_id, kev_set):
    """Determine exploitation status from CISA KEV and EPSS data."""
    if cve_id in kev_set:
        return "active"
    epss = requests.get(
        "https://api.first.org/data/v1/epss",
        params={"cve": cve_id}
    ).json()
    if epss.get("data"):
        score = float(epss["data"][0].get("epss", 0))
        if score > 0.5:
            return "poc"
    return "none"

def evaluate_technical_impact(cvss_vector):
    """Parse CVSS vector for scope and impact metrics."""
    if "S:C" in cvss_vector or "C:H/I:H/A:H" in cvss_vector:
        return "total"
    return "partial"

def evaluate_automatability(cvss_vector, cve_description):
    """Check if attack vector is network-based with low complexity."""
    if "AV:N" in cvss_vector and "AC:L" in cvss_vector and "UI:N" in cvss_vector:
        return "yes"
    return "no"

Step 3: Apply SSVC Decision Tree

def ssvc_decision(exploitation, tech_impact, automatability, mission_prevalence, public_wellbeing):
    """CISA SSVC decision tree implementation."""
    if exploitation == "active":
        if tech_impact == "total" or automatability == "yes":
            return "Act"
        if mission_prevalence in ("essential", "support"):
            return "Act"
        return "Attend"
    if exploitation == "poc":
        if automatability == "yes" and tech_impact == "total":
            return "Attend"
        if mission_prevalence == "essential":
            return "Attend"
        return "Track*"
    # exploitation == "none"
    if tech_impact == "total" and mission_prevalence == "essential":
        return "Track*"
    return "Track"

Step 4: Generate Triage Report

# Run the SSVC triage script against scan results
python3 scripts/process.py --input scan_results.csv --output ssvc_triage_report.json

# View summary
cat ssvc_triage_report.json | python3 -m json.tool | head -50

Integration with Vulnerability Scanners

Import from Nessus CSV

# Export Nessus scan as CSV, then process
python3 scripts/process.py \
  --input nessus_export.csv \
  --format nessus \
  --output ssvc_results.json

Import from OpenVAS

# Export OpenVAS results as XML
python3 scripts/process.py \
  --input openvas_report.xml \
  --format openvas \
  --output ssvc_results.json

Validation and Testing

# Test SSVC decision logic with known CVEs
python3 -c "
from scripts.process import ssvc_decision
# CVE-2024-3400 - Palo Alto PAN-OS command injection (KEV listed)
assert ssvc_decision('active', 'total', 'yes', 'essential', 'material') == 'Act'
# CVE-2024-21887 - Ivanti Connect Secure (PoC available)
assert ssvc_decision('poc', 'total', 'yes', 'support', 'minimal') == 'Attend'
print('All SSVC decision tests passed')
"

References

• CISA SSVC Framework
• CERT/CC SSVC Documentation
• CISA SSVC Guide PDF
• FIRST EPSS API
• CISA Known Exploited Vulnerabilities