RL Blog

EPSS and vulnerability management: New scoring system shows promise

The Exploit Prediction Scoring System performs better than CISA's KEV and CVSS scores for vulnerabilities in the wild — but combining all three works best.

Jaikumar Vijayan, freelance technology journalist

Organizations can benefit significantly from using the Exploit Prediction Scoring System (EPSS) in combination with other inputs and contextual information to prioritize and remediate vulnerabilities, a study of the system has shown.

EPSS is a data-driven model for predicting the likelihood of a vulnerability being exploited in the wild. Since becoming available in 2021, a growing number of organizations have used it to get daily updated predictions of the probability that any particular vulnerability will be exploited over the next 30 days. The probability scores range from 0 to 1, with a 1 indicating 100% probability.

Many experts say EPSS is a helpful mechanism for prioritizing vulnerabilities, especially when used alongside the Common Vulnerability Scoring System (CVSS) and contextual information about the organization's specific environment, architecture, and technology stack. Recently, the Cyentia Institute and the Forum of Incident Response and Security Teams (FIRST), which manages CVSS, analyzed current and historical vulnerability exploit activity to get a sense of how well EPSS is performing.

Here are the key takeaways from this first review of EPSS' effectiveness, and what they mean for vulnerability prioritization in the software supply chain security era.


Vulnerability management has evolved

The new research shows that EPSS performs better than other prioritization approaches both at identifying which vulnerabilities organizations need to prioritize and at predicting exploitation accurately. The study measures a prioritization rule on two axes: coverage (the share of vulnerabilities that actually saw exploitation that the rule selects) and efficiency (the share of the rule's selections that were actually exploited). For instance, remediating every vulnerability with an EPSS score above 0.6 would have covered about 60% of the vulnerabilities that were actually exploited, and about 80% of the vulnerabilities scored above 0.6 were in fact exploited, as EPSS had predicted.

Cyentia and FIRST found that while EPSS is not perfect, it is better than both the CVSS and the Known Exploited Vulnerabilities Catalog (KEV), developed by the Cybersecurity and Infrastructure Security Agency (CISA), when it comes to identifying vulnerabilities that need immediate attention. Vulnerability prioritization has become a critical issue for organizations because of the sheer volume of disclosed vulnerabilities, which continues to grow. There are currently some 237,687 disclosed vulnerabilities, of which nearly 14,000, or roughly 6%, have known exploit activity associated with them. This year, experts expect that researchers and vendors will disclose a record 30,000 new CVEs.

Ray Carney, research director at Tenable, one of the sponsors of the report, said EPSS has a strong ability to predict the likelihood of exploitation activity. "The number of CVEs published annually keeps growing, which means it is increasingly crucial to predict which ones require the attention of vulnerability management teams," he said.

EPSS, KEV, and CVSS: Better together

When the authors of the study looked at the effectiveness of using CVSS scores to prioritize vulnerabilities, they found that EPSS delivers much better results. For instance, organizations that prioritized every vulnerability with a CVSS severity score of 9.0 or higher (out of 10) ended up addressing fewer than 38% of the vulnerabilities that were actually exploited, compared with nearly 93% coverage for a rule that prioritizes vulnerabilities with an EPSS score of 0.8 or higher, Carney said.

EPSS focuses more on the threat component of risk, estimating a vulnerability’s likelihood of exploitation in the wild, whereas CVSS looks more at the primary characteristics of vulnerabilities and their corresponding severity impact.
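The coverage and efficiency yardsticks used above are simple to compute for any selection rule, which makes it easy to check a threshold against your own exploitation data before adopting it. The following added example is not code from the Cyentia/FIRST study or from ReversingLabs; it scores an EPSS threshold, a CVSS threshold, and KEV membership against a constructed set of ten records whose EPSS/CVSS values, KEV flags, and `exploited` ground truth are hypothetical.

```python
"""Coverage and efficiency of threshold-based prioritization rules.

Added example, not code from the study or from any vendor it quotes.
The vulnerability records are constructed for illustration: scores are
hypothetical and the `exploited` flag stands in for the observed
exploitation ground truth the study used.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    cve: str
    epss: float       # probability of exploitation in the next 30 days, 0..1
    cvss: float       # CVSS base score, 0..10
    in_kev: bool      # listed in CISA's Known Exploited Vulnerabilities catalog
    exploited: bool   # ground truth: exploitation observed in the window


# Constructed sample with hypothetical scores, not real data.
SAMPLE_VULNS = [
    Vuln("CVE-0000-0001", 0.970, 9.8, True,  True),
    Vuln("CVE-0000-0002", 0.910, 7.5, False, True),
    Vuln("CVE-0000-0003", 0.720, 5.3, False, True),
    Vuln("CVE-0000-0004", 0.650, 9.1, False, False),
    Vuln("CVE-0000-0005", 0.400, 9.8, False, False),
    Vuln("CVE-0000-0006", 0.120, 9.4, False, True),
    Vuln("CVE-0000-0007", 0.030, 9.0, False, False),
    Vuln("CVE-0000-0008", 0.010, 4.3, False, False),
    Vuln("CVE-0000-0009", 0.002, 6.5, False, False),
    Vuln("CVE-0000-0010", 0.300, 8.8, True,  True),
]


def coverage_and_efficiency(vulns, select):
    """Return (coverage, efficiency) for a selection rule `select(vuln) -> bool`.

    coverage   = exploited vulns selected / all exploited vulns
                 (how much of the real threat the rule catches)
    efficiency = exploited vulns selected / all selected vulns
                 (how little effort the rule wastes on never-exploited bugs)
    Both are 0.0 when their denominator is empty.
    """
    selected = [v for v in vulns if select(v)]
    exploited = [v for v in vulns if v.exploited]
    hits = [v for v in selected if v.exploited]
    coverage = len(hits) / len(exploited) if exploited else 0.0
    efficiency = len(hits) / len(selected) if selected else 0.0
    return coverage, efficiency


def compare_strategies(vulns, epss_threshold=0.6, cvss_threshold=9.0):
    """Score the three rules discussed in the article on the same data set."""
    return {
        f"epss>={epss_threshold}": coverage_and_efficiency(
            vulns, lambda v: v.epss >= epss_threshold),
        f"cvss>={cvss_threshold}": coverage_and_efficiency(
            vulns, lambda v: v.cvss >= cvss_threshold),
        "kev": coverage_and_efficiency(vulns, lambda v: v.in_kev),
    }


if __name__ == "__main__":
    for name, (cov, eff) in compare_strategies(SAMPLE_VULNS).items():
        print(f"{name:10s} coverage={cov:.2f} efficiency={eff:.2f}")
```

On the constructed data the EPSS rule reaches 0.60 coverage at 0.75 efficiency, the CVSS rule 0.40 coverage at 0.40 efficiency, and KEV 0.40 coverage at 1.00 efficiency; the shape (KEV wastes no effort but misses much, CVSS does neither well) mirrors the study's finding, but the numbers themselves are an artifact of the sample. Replace `SAMPLE_VULNS` with your own findings and a ground truth from your telemetry or threat intelligence before drawing conclusions.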

"CVSS is not an efficient predictor of exploitation, which isn’t surprising given that CVSS was not built to be [one]. CISA’s KEV, on the other hand, is efficient for prioritizing remediation effectively with little wasted effort. But as with both EPSS and CVSS, it shouldn’t be used as the only input for vulnerability prioritization efforts."
Ray Carney

The study revealed or confirmed several other aspects of vulnerabilities and exploit activity that organizations should consider when doing vulnerability prioritization. One of them is that, while new vulnerabilities tend to get the most attention, attackers exploit older vulnerabilities far more often. Just 6% of the 8.6 million daily vulnerability exploit attempts that the researchers analyzed targeted vulnerabilities less than one year old. In contrast, 38% of exploit attempts involved CVEs that were more than 10 years old. Only about 1% of exploitation activity targeted CVEs that had not yet been published, the category that includes zero-day bugs, and that rate is the same as it was 20 years ago.

The key is how the vulnerability is exploited

One important takeaway from the study is that exploit activity varies widely from one vulnerability to the next. "Don't treat 'exploited' as a binary variable; intensity and duration matter for prioritization," the report noted.

For some CVEs, exploit activity is short-lived and sparse. In other instances, it can be sporadic but regular; some are targeted daily, others weekly, and some on a sustained, unrelenting basis. The study also found that older vulnerabilities won't be exploited forever. Eventually, attackers will drop older vulnerabilities and move on to new ones. In fact, 25% of exploited vulnerabilities that the researchers analyzed for the study had seen no exploit activity for more than a year.

The research also showed that attackers are quick to attack new vulnerabilities. For example, about 40% of all exploited CVEs were first targeted in the month after disclosure. "A strong majority (70%) of vulns see initial attack activity in a year or less," the study noted. "It levels out quickly from there. Just 7% of published CVEs go three years before being exploited." Significantly, vulnerabilities are exploited on a mass scale less often than might be expected. Just 4.5% of exploited CVEs impact more than one in every 10 organizations; the median exploited CVE affects about one in 4,500 organizations, and 9.1% hit one in 100.
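The report's advice not to treat "exploited" as binary translates directly into features a prioritization pipeline can derive from exploit-attempt telemetry: how soon after publication a CVE was first hit, how many days it stayed active, how long it has been dormant, and how broadly one day's activity spread across organizations. The following added example (not code from the study or from any vendor quoted here) computes those features and a coarse activity class from constructed per-day observation lists; the CVE identifiers, dates, counts, the 1,000-organization population, the 365-day dormancy limit and the 10% mass-exploitation threshold are all assumptions chosen to mirror the figures in the text.

```python
"""Summarizing exploit-activity time series instead of a binary 'exploited' flag.

Added example, not from the study. Every observation below is constructed:
each CVE maps to (published_date, [(date, attempts, distinct_orgs_hit), ...])
listing only the days on which activity was seen.
"""
from datetime import date, timedelta


def daily_series(start, n_days, attempts, orgs_hit):
    """Constructed helper: n_days of consecutive activity starting at `start`."""
    return [(start + timedelta(days=i), attempts, orgs_hit) for i in range(n_days)]


def activity_profile(published, daily, total_orgs, as_of):
    """Derive prioritization-relevant features from daily exploit observations.

    Returns a dict with:
      days_to_first   lag from publication to first observed exploitation
      active_days     number of days with any attempts
      longest_gap     longest dormancy (days) between two active days
      dormant_days    days since the last observed attempt, as of `as_of`
      peak_org_share  largest fraction of organizations hit on a single day
      pattern         'sustained', 'sporadic', 'burst' or 'none'
    """
    if not daily:
        return {"days_to_first": None, "active_days": 0, "longest_gap": 0,
                "dormant_days": None, "peak_org_share": 0.0, "pattern": "none"}
    days = sorted(daily)                       # tuples sort by date first
    first, last = days[0][0], days[-1][0]
    gaps = [(b[0] - a[0]).days for a, b in zip(days, days[1:])]
    span = (last - first).days + 1             # calendar days from first to last hit
    active = len(days)
    if active >= 3 and active / span >= 0.8:
        pattern = "sustained"                  # hit on (almost) every day of the span
    elif active >= 3:
        pattern = "sporadic"                   # regular but with quiet stretches
    else:
        pattern = "burst"                      # one or two days of activity
    return {
        "days_to_first": (first - published).days,
        "active_days": active,
        "longest_gap": max(gaps) if gaps else 0,
        "dormant_days": (as_of - last).days,
        "peak_org_share": max(orgs for _, _, orgs in days) / total_orgs,
        "pattern": pattern,
    }


def activity_class(profile, dormancy_limit=365, mass_share=0.10):
    """Coarse class for a remediation queue; thresholds are assumptions."""
    if profile["pattern"] == "none":
        return "unexploited"
    if profile["peak_org_share"] >= mass_share:
        return "mass-exploited"                # rare: >10% of organizations in one day
    if profile["dormant_days"] > dormancy_limit:
        return "dormant"                       # attackers appear to have moved on
    return "active-" + profile["pattern"]


TOTAL_ORGS = 1000                              # assumed population under observation
AS_OF = date(2025, 2, 18)                      # assumed end of the observation window

# Constructed observations, not real telemetry.
SAMPLE_ACTIVITY = {
    # Fresh CVE hammered daily for a month after disclosure, then silent for a year.
    "CVE-0000-0201": (date(2024, 1, 10), daily_series(date(2024, 1, 20), 30, 500, 12)),
    # Decade-old CVE probed now and then against a handful of organizations.
    "CVE-0000-0202": (date(2014, 3, 1), [
        (date(2024, 1, 5), 40, 2), (date(2024, 1, 20), 15, 1),
        (date(2024, 2, 14), 60, 3), (date(2024, 2, 15), 55, 3),
        (date(2024, 3, 30), 10, 1)]),
    # One-day mass-exploitation wave reaching 15% of organizations.
    "CVE-0000-0203": (date(2024, 5, 28), [(date(2024, 6, 1), 20000, 150)]),
    # Published but never seen exploited.
    "CVE-0000-0204": (date(2024, 9, 1), []),
}


def classify_all(sample=SAMPLE_ACTIVITY, total_orgs=TOTAL_ORGS, as_of=AS_OF):
    """Return {cve: (activity_class, profile)} for every CVE in the sample."""
    out = {}
    for cve, (published, daily) in sample.items():
        profile = activity_profile(published, daily, total_orgs, as_of)
        out[cve] = (activity_class(profile), profile)
    return out


if __name__ == "__main__":
    for cve, (cls, prof) in classify_all().items():
        print(cve, cls, prof)
```

The point of the classes is that two CVEs both marked "exploited in the wild" can deserve very different urgency: the month-long sustained campaign that has since gone quiet for over a year is a candidate for demotion, while the ten-year-old bug still being probed sporadically is not, and the single-day wave that touched 15% of organizations is the rare mass event the report singles out.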

"When we as an industry think about the phrase 'exploited in the wild,' we generally think a vulnerability has been exploited everywhere. The report found that exploited vulnerabilities impacting more than one in 10 organizations are incredibly rare. This does not mean we can brush off exploited-in-the-wild vulnerabilities; instead, it suggests that we cannot treat all exploitation reports equally."
—Ray Carney

Mayuresh Dani, manager of security research at the Qualys Threat Research Unit, said other key takeaways from the report are that exploit activity is often spread across time, targets, and volume, and that vulnerabilities in older, unpatched endpoints give attackers the best return. Also noteworthy is that 70% of exploited vulnerabilities see their first exploit activity within a year of disclosure, after which the rate of first-time exploitation levels off quickly, Dani noted.

Dani suggested that organizations use the predictive nature of EPSS and include additional environmental attributes of a vulnerability to prioritize which vulnerabilities need immediate attention for remediation. "This data should then be curated and overlaid with actual exploitation intelligence to come up with a custom prioritization," he said.

"EPSS acts as one of the inputs to enable security teams to efficiently prioritize vulnerability remediation by assigning a probability score to each CVE. [But] EPSS does not account for environmental and organizational factors that affect the criticality of an asset."
Mayuresh Dani
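One way to turn the "EPSS plus environment plus exploitation intelligence" advice into a concrete rule is a tiered decision that lets observed exploitation and KEV membership override the model, uses EPSS as the main predictive signal, and lets CVSS severity and asset context move a finding within a tier rather than drive it. The following added example is not code from the study, from Qualys, or from ReversingLabs; the tier names, thresholds, and the `internet_exposed` and `asset_criticality` attributes are assumptions chosen for illustration, and the findings are constructed with hypothetical scores.

```python
"""Combining EPSS, CVSS, KEV and environmental context into one priority tier.

Added example, not from the study or any vendor quoted in the article. The
decision rule and its thresholds are assumptions; tune them to your own risk
appetite and patch capacity.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve: str
    epss: float                   # 30-day exploitation probability, 0..1
    cvss: float                   # CVSS base score, 0..10
    in_kev: bool                  # listed in CISA KEV
    observed_exploitation: bool   # your telemetry/CTI saw it used against you or your sector
    internet_exposed: bool        # affected asset reachable from the internet
    asset_criticality: int        # assumed internal rating: 1 (low) .. 4 (crown jewel)


def priority(f: Finding) -> str:
    """Tier: P1 fix now, P2 this cycle, P3 scheduled, P4 backlog/accept.

    Evidence order: exploitation observed against you outranks everything;
    then KEV (confirmed exploited somewhere); then EPSS (predicted). CVSS and
    asset context adjust within a tier rather than select it.
    """
    if f.observed_exploitation:
        return "P1"                                 # no model needed
    if f.in_kev:
        # Confirmed in-the-wild exploitation; exposure and criticality set urgency.
        return "P1" if (f.internet_exposed or f.asset_criticality >= 3) else "P2"
    if f.epss >= 0.6:
        # High predicted likelihood; exposed assets first.
        return "P1" if f.internet_exposed else "P2"
    if f.epss >= 0.1:
        # Moderate likelihood; only critical severity on a critical asset lifts it.
        return "P2" if (f.cvss >= 9.0 and f.asset_criticality >= 3) else "P3"
    # Low predicted likelihood: a 9.x CVSS alone does not jump the queue,
    # except on a crown-jewel asset, where it is still only scheduled work.
    if f.cvss >= 9.0 and f.asset_criticality == 4:
        return "P3"
    return "P4"


def triage(findings):
    """Group CVE ids by tier, most urgent first, for a remediation queue."""
    queue = {"P1": [], "P2": [], "P3": [], "P4": []}
    for f in findings:
        queue[priority(f)].append(f.cve)
    return queue


# Constructed findings with hypothetical scores, not real data.
SAMPLE_FINDINGS = [
    Finding("CVE-0000-0101", 0.950, 9.8, True,  False, True,  4),
    Finding("CVE-0000-0102", 0.950, 9.8, True,  False, False, 1),
    Finding("CVE-0000-0103", 0.020, 9.8, False, False, False, 2),
    Finding("CVE-0000-0104", 0.020, 9.8, False, False, False, 4),
    Finding("CVE-0000-0105", 0.700, 5.3, False, False, True,  2),
    Finding("CVE-0000-0106", 0.001, 4.0, False, True,  False, 1),
    Finding("CVE-0000-0107", 0.250, 9.1, False, False, False, 3),
    Finding("CVE-0000-0108", 0.250, 7.2, False, False, False, 3),
]


if __name__ == "__main__":
    for tier, cves in triage(SAMPLE_FINDINGS).items():
        print(tier, cves)
```

Two details are worth noticing in the sample: the two CVSS 9.8 findings with an EPSS of 0.02 land in P3 and P4, while a CVSS 5.3 bug with an EPSS of 0.70 on an exposed host is P1, which is the CVSS-versus-EPSS contrast the study draws; and a low-severity, low-EPSS bug that your own telemetry shows being exploited is P1 regardless of any score, which is the "overlay actual exploitation intelligence" point.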

EPSS is a step forward, but not infallible

Daniel Arrugueta, senior forensic examiner at managed detection and response provider Critical Start, said organizations that use EPSS should realize that its scores are not infallible.

"Scores do not always align perfectly with trends observed. EPSS is dependent on the data it receives and the associated analysis. Less-than-optimal qualities in either will lead to less-than-optimal outcomes."
Daniel Arrugueta

Ideally, organizations should use EPSS scores alongside CVSS and KEV measures to enhance a vulnerability management strategy and to have a more reliable and contextual security posture, he said.

"Overall, while EPSS is not a single element on which to rely, its effectiveness makes it a valuable addition to vulnerability management. EPSS can be integrated with other vulnerability management tools and processes, which synergizes the overall security posture by including exploitation scoring into the broader risk management strategy."
—Daniel Arrugueta
