Creating custom NeXpose risk scoring strategies

Document created by techeditor on Apr 7, 2011. Last modified by techeditor on Apr 10, 2011. Version 10.

There is no "one size fits all" risk scoring algorithm that works for every organization. NeXpose 4.8 introduced the concept of "pluggable" risk scoring strategies. This allows power users to customize the way NeXpose calculates risk scores for assets, asset groups, and sites. This tutorial shows you how to customize the risk scoring strategy to suit your own organization.

 

Default risk scoring strategies


NeXpose ships with a choice of two risk scoring strategies out of the box:

 

  1. The temporal risk model, based on the age of a vulnerability and its CVSS base vector
  2. The (legacy) weighted risk model, based on asset attributes including vulnerabilities, asset type, running services, and asset importance

 

You can study the algorithms behind these strategies by looking in the <nexpose-install-dir>/shared/riskStrategies/builtin/ directory. You will find two files there named vulnage-cvssbase.xml and vulnsev-svctype-devclass.xml.

 

vulnage-cvssbase.xml


Let's study vulnage-cvssbase.xml. The size of the XML file can be intimidating at first, but we will go through it step by step.

 

Inside the root <RiskModel> element, this file is broken down into 5 sections:

 

  • <name> - The short name of this risk strategy (shown in a drop-down list in the NeXpose web UI)
  • <description> - A longer description of this risk strategy (also shown in the NeXpose web UI)
  • <AssetRiskStrategy> - The algorithm used to calculate total risk score for a single asset
  • <CollectionRiskStrategy> - The algorithm used to calculate total risk for a collection of assets (Sites or Asset Groups)
  • <VulnerabilityRiskStrategy> - The algorithm used to calculate risk for a single instance of a vulnerability on an asset

 

In this strategy, the CollectionRiskStrategy is simply the sum of the risk scores of all the assets in the collection, hence:

 

<CollectionRiskStrategy>
    <sum>
        <assetRisk/>
    </sum>
</CollectionRiskStrategy>

 

The AssetRiskStrategy is simply the sum of the risk score for each vulnerability on the asset, hence:

 

<AssetRiskStrategy>
    <sum>
        <assetVulnerabilityRisk/>
    </sum>
</AssetRiskStrategy>

 

All of the complexity of this strategy is in the VulnerabilityRiskStrategy, which governs how to calculate each vulnerability's contribution to the risk score. The XML looks fairly complex. Let's render this as an equation first.

 

[Figure 29.png: the VulnerabilityRiskStrategy from vulnage-cvssbase.xml rendered as an equation; image not reproduced here]

 

The "CVSS" values refer to the base metrics of the Common Vulnerability Scoring System, version 2. A CVSS v2 base vector is made up of six metrics:

 

  • Access Vector (AV) - Local (L), Adjacent Network (A), or Network (N)
  • Access Complexity (AC) - High (H), Medium (M), or Low (L)
  • Authentication Required (Au) - Multiple (M), Single (S), or None (N)
  • Confidentiality Impact (C) - None (N), Partial (P), or Complete (C)
  • Integrity Impact (I) - None (N), Partial (P), or Complete (C)
  • Availability Impact (A) - None (N), Partial (P), or Complete (C)

 

The risk strategy in vulnage-cvssbase.xml maps these CVSS vector values onto numbers using the <cvssBaseVector> operator of the vulnerability together with a <valueMap>/<map> lookup. For example:

 

<cvssBaseVector type="AV">
    <valueMap default="0.0">
        <map>
            <entry>
                <key>A</key>
                <value>1.0</value>
            </entry>
            <entry>
                <key>N</key>
                <value>3.0</value>
            </entry>
        </map>
    </valueMap>
</cvssBaseVector>

 

This snippet of XML means: if the CVSS Access Vector (AV) equals "A" (Adjacent Network) return 1.0; if it equals "N" (Network) return 3.0; otherwise (which for a valid v2 vector means "L", Local) return the default of 0.0. Or, in pseudocode if you're a programmer:

 

switch (CVSSAccessVector)
{
   case 'A':
      return 1.0;
   case 'N':
      return 3.0;
   default:
      return 0.0;
}

Creating a custom risk strategy

 

Let's say that your organization cares far more about Confidentiality impact than about Availability or Integrity impact. You can reflect this in NeXpose by creating a custom risk strategy and boosting the Confidentiality part of the score, leaving everything else the same. Here's how to do this.

 

First, we want to make a copy of vulnage-cvssbase.xml. Copy this file from the builtin folder to a new name under the custom folder:

 

$ cd /opt/rapid7/nexpose/
$ cp shared/riskStrategies/builtin/vulnage-cvssbase.xml shared/riskStrategies/custom/vulnage-cvssbase-high-confidentiality.xml

 

Then edit the new vulnage-cvssbase-high-confidentiality.xml file. At the top of the file, change the <RiskModel> id to match the base filename:

 

1 <RiskModel id="vulnage-cvssbase-high-confidentiality">

 

Change the <name> to:

 

1 <name>HIGH CONFIDENTIALITY temporal risk model based on vulnerability age, impact and exploitability</name>

 

Then find the <cvssBaseVector type="C"> block (around line 38 of the copied file) and multiply the Confidentiality subscore by 2 by wrapping it in a <multiply> clause with a <static> <value> of 2.0:

 

<multiply>
    <cvssBaseVector type="C">
        <valueMap default="0.0">
            <map>
                <entry>
                    <key>P</key>
                    <value>0.5</value>
                </entry>
                <entry>
                    <key>C</key>
                    <value>1.0</value>
                </entry>
            </map>
        </valueMap>
    </cvssBaseVector>
    <static>
        <value>2.0</value>
    </static>
</multiply>

 

When you are finished, you will have a new file called vulnage-cvssbase-high-confidentiality.xml under shared/riskStrategies/custom/.

 

Now restart NeXpose, log in, and browse to https://<nexpose-ip>:3780/admin/wizard/global-settings.html. You will see a setting called Risk Model with a drop-down list. If you performed the above steps correctly, you should be able to select "HIGH CONFIDENTIALITY temporal risk model based on vulnerability age, impact and exploitability". After selecting this option, click the Save button in the upper right side of the screen.

 

The UI will show a progress bar saying "Your changes are being applied. Please wait.". The NeXpose console window will show something like:

 

RiskManager 3/20/10 3:20 PM: Updating vulnerability risk scores...
RiskManager 3/20/10 3:21 PM: Updated risk scores for 14029 vulnerabilities in 1 minute 3 seconds
RiskManager 3/20/10 3:21 PM: Updating historical asset risk scores...
RiskManager 3/20/10 3:21 PM: Updated historical risk scores for 1 assets in 0 seconds
RiskManager 3/20/10 3:21 PM: Updating asset risk scores...
RiskManager 3/20/10 3:21 PM: Updated risk scores for 1 assets in 0 seconds
RiskManager 3/20/10 3:21 PM: Updating historical scan risk scores...
RiskManager 3/20/10 3:21 PM: Updated risk scores for 2 scans in 0 seconds
RiskManager 3/20/10 3:21 PM: Updating site risk scores...
RiskManager 3/20/10 3:21 PM: Updated risk scores for 1 sites in 0 seconds
RiskManager 3/20/10 3:21 PM: Updating asset group risk scores...
RiskManager 3/20/10 3:21 PM: Updated risk scores for 0 groups in 0 seconds

 

Once this has finished, you can browse through the NeXpose assets and notice the updated scores, showing a much higher weight to Confidentiality than before.

Supported risk scoring operators


The following operators are supported in the risk scoring XML format:

 

  • Simple mathematical and value operators: 
    • <add>
    • <divide>
    • <factorial>
    • <multiply>
    • <power>
    • <squareRoot>
    • <static>
  • Aggregation operators (for collection risk strategy): 
    • <average>
    • <max>
    • <min>
    • <sum>
  • Vulnerability-specific operators (for vuln risk strategy): 
    • <cvssBaseScore>
    • <cvssBaseVector> (use with a <valueMap>/<map> lookup as seen in the above examples)
    • <vulnPublishedAge>
    • <vulnSeverity>
    • <vulnTag> (use with a <valueMap>/<map> lookup as seen in the above examples)
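The <cvssBaseVector>/<valueMap> lookup shown earlier, the <multiply>/<static> boost used in the custom high-confidentiality strategy, and the operator list above together describe a small expression language. The following Python script is an added example, not code from this page or from Rapid7: a toy evaluator that parses a strategy file in this format and scores a constructed site with it, so you can see which term a change moves before restarting the console. The VulnerabilityRiskStrategy it ships with is a constructed stand-in combining only the two mappings shown on the page (not the full vulnage-cvssbase.xml formula), the vulnerability dictionaries and their field names are constructed, the operator semantics are inferred from the page's examples, and <vulnTag> is left out because its attribute form is not shown here.

```python
"""Toy evaluator for the risk-strategy XML operators described on this page.  Added
illustration, not Rapid7's engine: semantics are inferred from the page's examples, and the
strategy, vulnerability field names and sample assets below are constructed."""
import math
import xml.etree.ElementTree as ET

# Constructed stand-in strategy: just the AV mapping and the doubled Confidentiality
# mapping from the page (the full vulnage-cvssbase.xml formula is not reproduced).
DEMO_STRATEGY = """<RiskModel id="demo-high-confidentiality">
<name>Demo: AV plus doubled Confidentiality</name>
<AssetRiskStrategy><sum><assetVulnerabilityRisk/></sum></AssetRiskStrategy>
<CollectionRiskStrategy><sum><assetRisk/></sum></CollectionRiskStrategy>
<VulnerabilityRiskStrategy><add>
  <cvssBaseVector type="AV"><valueMap default="0.0"><map>
    <entry><key>A</key><value>1.0</value></entry>
    <entry><key>N</key><value>3.0</value></entry>
  </map></valueMap></cvssBaseVector>
  <multiply>
    <cvssBaseVector type="C"><valueMap default="0.0"><map>
      <entry><key>P</key><value>0.5</value></entry>
      <entry><key>C</key><value>1.0</value></entry>
    </map></valueMap></cvssBaseVector>
    <static><value>2.0</value></static>
  </multiply>
</add></VulnerabilityRiskStrategy>
</RiskModel>"""

AGGREGATES = {"sum": sum, "max": max, "min": min, "average": lambda v: sum(v) / len(v)}

def parse_base_vector(vector):
    """'AV:N/AC:L/Au:N/C:C/I:P/A:N' -> {'AV': 'N', 'AC': 'L', ...}"""
    return dict(part.split(":", 1) for part in vector.split("/"))

def map_value(node, key):
    """Apply the <valueMap default=".."><map><entry>.. lookup wrapped around an operator."""
    vm = node.find("valueMap")
    for entry in vm.findall("map/entry"):
        if entry.findtext("key") == key:
            return float(entry.findtext("value"))
    return float(vm.get("default", "0.0"))

def evaluate(node, vuln=None, vuln_scores=(), asset_scores=()):
    """Evaluate one operator element to a float.  `vuln` feeds the vulnerability-specific
    operators; `vuln_scores` / `asset_scores` are what <assetVulnerabilityRisk/> and
    <assetRisk/> expand to inside an aggregation operator."""
    tag = node.tag
    def args():  # evaluated operands, skipping a <valueMap> configuration child
        return [evaluate(c, vuln, vuln_scores, asset_scores) for c in node if c.tag != "valueMap"]
    if tag == "static":
        return float(node.findtext("value"))
    if tag in AGGREGATES:
        values = []
        for child in node:
            if child.tag == "assetVulnerabilityRisk":
                values.extend(vuln_scores)
            elif child.tag == "assetRisk":
                values.extend(asset_scores)
            else:
                values.append(evaluate(child, vuln, vuln_scores, asset_scores))
        return float(AGGREGATES[tag](values)) if values else 0.0
    if tag == "add":
        return sum(args())
    if tag == "multiply":
        return math.prod(args())
    if tag in ("divide", "power"):
        a, b = args()
        return a / b if tag == "divide" else a ** b
    if tag in ("squareRoot", "factorial"):
        x = args()[0]
        return math.sqrt(x) if tag == "squareRoot" else float(math.factorial(int(x)))
    # Vulnerability-specific operators.  Reading them from a dict keyed by operator name is
    # an assumption of this example; <vulnTag> is omitted (its attribute form is not shown).
    if tag in ("cvssBaseScore", "vulnPublishedAge", "vulnSeverity"):
        return float(vuln[tag])
    if tag == "cvssBaseVector":
        return map_value(node, parse_base_vector(vuln["cvssBaseVector"]).get(node.get("type"), ""))
    raise ValueError("unsupported operator <%s>" % tag)

def evaluate_xml(text, **context):
    """Convenience: evaluate a single operator fragment given as XML text."""
    return evaluate(ET.fromstring(text), **context)

class RiskModel:
    def __init__(self, xml_text):
        root = ET.fromstring(xml_text)
        self.id, self.name = root.get("id"), root.findtext("name")
        self.vuln_strategy = root.find("VulnerabilityRiskStrategy")[0]
        self.asset_strategy = root.find("AssetRiskStrategy")[0]
        self.collection_strategy = root.find("CollectionRiskStrategy")[0]

    def vuln_risk(self, vuln):
        return evaluate(self.vuln_strategy, vuln=vuln)

    def asset_risk(self, vulns):
        return evaluate(self.asset_strategy, vuln_scores=[self.vuln_risk(v) for v in vulns])

    def collection_risk(self, assets):
        return evaluate(self.collection_strategy, asset_scores=[self.asset_risk(a) for a in assets])

SAMPLE_ASSETS = [  # constructed: two assets, each a list of vulnerability instances
    [{"cvssBaseVector": "AV:N/AC:L/Au:N/C:C/I:P/A:N", "cvssBaseScore": 8.5, "vulnPublishedAge": 400, "vulnSeverity": 8},
     {"cvssBaseVector": "AV:L/AC:M/Au:S/C:P/I:N/A:N", "cvssBaseScore": 1.5, "vulnPublishedAge": 30, "vulnSeverity": 3}],
    [{"cvssBaseVector": "AV:A/AC:L/Au:N/C:N/I:N/A:C", "cvssBaseScore": 6.1, "vulnPublishedAge": 900, "vulnSeverity": 6}],
]
```

Against the stand-in strategy, `RiskModel(DEMO_STRATEGY).vuln_risk(...)` scores the first asset's network-reachable, Confidentiality-complete vulnerability at 3.0 + 1.0 x 2.0 = 5.0 and the same asset's local, partial-confidentiality one at 0.0 + 0.5 x 2.0 = 1.0, so the effect of the <multiply> wrapper is visible term by term. Pointing `RiskModel` at your own copied file (minus any operators this toy does not implement) with a handful of representative vulnerabilities is a cheap sanity check that the boost landed around the right <cvssBaseVector> block before you restart the console and let it rescore every vulnerability in the database.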