Analysis of Vulnerability Data and Patch Triage Strategy using DHS CISA Known Exploited Vulnerabilities Catalog

Bibliographic Information

Other Title
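  • Proposal of Vulnerability Data Analysis Using the U.S. Department of Homeland Security CISA Threat Catalog and Evaluation of Patch Triage Strategies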

Description

In security operations, it is important to collect, analyze, and respond to vulnerability information. However, the number of vulnerabilities reported has been increasing year by year, and it is difficult to respond to all of them. For this reason, organizations generally determine patch priority by using CVSS (Common Vulnerability Scoring System) scores and the advisories published by various organizations. On the other hand, not all vulnerabilities rated “Critical” or “High” by CVSS score are exploited in actual attacks, and a strategy that narrows down the vulnerabilities that should be prioritized is desirable. The Cybersecurity and Infrastructure Security Agency (CISA), an operational component of the U.S. Department of Homeland Security (DHS), began providing in fiscal year 2021 the "Known Exploited Vulnerabilities Catalog", which lists vulnerabilities that have actually been exploited in attacks. In this paper, we analyze the Known Exploited Vulnerabilities Catalog and the vulnerability database and evaluate patch triage strategies.
