Security Copilot Promptbook: Vulnerability Impact Assessment

Every year, thousands of new vulnerabilities are discovered and announced across a wide range of different technologies. Not all of these vulnerabilities are equal, but the response tends to be the same within security operations––filter by highest impact, ones that our Internet-facing or affecting popular technologies, correlating to threat intelligence and overlaying it atop the company infrastructure.

For every major CVE that's announced, someone within the business is forming an impact assessment of the vulnerability and identifying the response steps, if any. Much of this work requires the collection of data about the vulnerability, the technologies it impacts, if it's being exploited and what steps are required to mitigate, making it a good use case to have generative AI assist with. In this post, I will walk through a Vulnerability Impact Assessment Promptbook within Security Copilot and demonstrate how GAI can reduce the workload of security practitioners.

Promptbook Demonstration

For those who prefer to see more of a live demonstration, I put together a brief video explaining the basic controls within Security Copilot and myself walking through the Promptbook that's been created.

Prompt Walkthrough

The first step within the Promptbook is to perform an initial summary of the CVE. For this example, I picked a recent CVE that was listed in CISA's exploited vulnerability list and is likely to gain more attention within organizations. The starter prompt used could be enhanced significantly to include more instructions, but the current form still yields what we are after. Our response contains accurate information for this CVE noting at a high-level the technology involved, versions impacted, indication of remote exploitation, publication date and notices of patches existing. Additionally, we have a citation reference to a Defender Threat Intelligence source which was used to get this information.

Here, we are more specific with the request to get the technologies impacted by the CVE and within a format that helps us read through the information. This curated prompt does a decent job, though I'd prefer to have the affected versions as independent bullet points to make them easier to read. This prompt can be further tuned or adjusted, but it still yields the correct information we requested.

This prompt is a great demonstration of the value of Security Copilot. Licensed users will get Defender Threat Intelligence included as part of the solution. Up until this point, if you were to ask ChatGPT, specifically the CVEs GPT, about this vulnerability, you would see similar results. However, when you begin asking for threat intelligence data, sources matter more. In this prompt, we are identifying if any threat intelligence articles have been published referring to this CVE. Our response includes helpful information to help us further prioritize the CVE including that exploitation has been observed in pre-ransomware activity.

Expanding on the prompt above, if there's any known threat actors exploiting this vulnerability, it would be helpful to know who. Again, Defender Threat Intelligence is consulted to inform the response. Within the summary, we identify two threat actors, Storm-1175 and Storm-0216, as having been observed in association with this CVE. Both threat actors have been observed exploiting this CVE as potential initial access methods.

As a final tactical step, we prompt Security Copilot for mitigations that can be used to defend against the CVE. The response indicates patches are available for the impacted technology and that by updating the software, we can remove the risk to our organization.

As a final step within our Promptbooks, we ask Security Copilot for a summary of the session details and have it write for a non-technical audience. Within our response, we have a basic summary of details noting the CVE, impacted technology, correlation to threat intelligence and mitigation steps. Each of these steps were automated using generative AI.

Follow-on Questions

The end of a Promptbook doesn't mean the end of the session. In fact, I'd argue it's the beginning! Now that we have a grounded session containing a bunch of information about this CVE, what additional follow-up questions could we ask? Here's a few that immediately come to mind for myself based on my past analyst experience.

• Provide me a threat actor profile for Storm-1175 and Storm-0216 [1]
• Are there any assets within my attack surface that are affected by this CVE? If so, list the details about them.
• Based on the session information, rate the severity of this CVE with confidence for an organization who is running the impacted software. Include justification in your response.
• My organization is unable to patch this software, though we are vulnerable. What other mitigating controls could we put in place to protect our business?

[1] These threat actors are great candidates for our Threat Actor Profile promptbook. This will be demonstrated in future posts.

Operationalizing this Work

As I previously noted in the introduction, the steps taken above are common amongst analyst working within a security operations group of an organization. While many of these steps may be automated today, they are often rigid in their design and don't offer flexibility that GAI does in answering questions or formatting responses.

One way to operationalize this Promptbook would be to attach it to every CVE published or those that match your organization preferences and have these steps run automatically. You can leverage the out-of-the-box Security Copilot version of this Promptbook or design your own to match your specific needs.

Imagine having all this context linked to all your CVE alerts or better yet, embedded directly within your SIEM, XDR or other security solution? What about running these promptbooks on a routine basis to continuously re-prioritized based on new intelligence. We know that some threat actors will leverage outdated vulnerabilities, but how often are defenders performing retroactive assessments? While far from being "end-to-end", this work gives analysts a better foundation to operate from, especially those without as much experience.