Overview
According to the First.org website, "The Exploit Prediction Scoring System (EPSS) is an open, data-driven effort for predicting when software vulnerabilities will be exploited. It uses current threat information from CVE and real-world exploit data. The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited."
Nucleus's internal team of vulnerability management experts has this to say about EPSS: "It is a risk-based scoring system. It attempts to tell you what the likelihood is of a finding being exploited. It is a useful data point when there is no Mandiant score on a finding because EPSS is much better to fall back on than CVSS."
Furthermore, "While your scanning tool will probably tell you if a vulnerability is exploitable, and may even tell you how many exploits the vendor knows to exist, EPSS tries to give a more nuanced answer. Rather than simply telling you if an exploit exists, or giving a count of the number of exploits that are known to exist, EPSS tries to measure how commonly those exploits get used. Exploits are software, which means some of them are easier to use than others, and some of them are more reliable than others. For those and any number of other reasons, some exploits get used more frequently than others.
A vulnerability with a low EPSS score is predicted to get exploited less frequently than one with a high EPSS score. So, all other things being equal, a vulnerability with a high EPSS score poses a greater risk than a vulnerability with a low score."
When to use
Since EPSS is a predictive scoring system rather than a reactive one, the confidence you place in the score should be slightly lower than the confidence you place in data derived from evidence. For example, when you prioritize vulnerabilities by confirmed exploitation activity, you can say with confidence that exploitation has occurred because you are looking backwards in time at events that have already happened. EPSS, on the other hand, is a forward-looking score, so it should be used slightly differently from the other attributes in your vulnerability prioritization.
Example Prioritization Methodology
The power of Nucleus’ prioritization engine is that you can leverage 3 different categories of data normalized together to build a robust prioritization methodology: vulnerability, asset, and threat intelligence. In this simple example, let’s use a standard “Critical, High, Medium, Low” qualitative rating system but map our attributes to the system. So rather than taking the Severity from the scanning tool, we are going to create a mapping on what attributes add up to various severity levels.
| Severity | Vulnerability Attributes | Threat Intelligence | Asset Attributes |
|---|---|---|---|
| Critical | Scanner severity = Critical AND Exploit Available = True | Confirmed exploitation in the wild = True AND threat actors targeting my industry with this vuln = True | On a public-facing asset = True AND Asset is production = True |
| Critical | Scanner severity = Critical AND Exploit Available = True | Confirmed exploitation in the wild = False AND EPSS Score greater than 50% | On a public-facing asset = True AND Asset is production = True |
| High | Scanner severity = Critical AND Exploit Available = True | Confirmed exploitation in the wild = True AND threat actors targeting my industry with this vuln = True | On a public-facing asset = False AND Asset is production = False |
| High | Scanner severity = Critical AND Exploit Available = True | Confirmed exploitation in the wild = False AND EPSS Score greater than 50% | On a public-facing asset = False AND Asset is production = False |
As the table shows, we can map any attributes we choose to the various severities. EPSS in particular, as a predictive score, is used when a vulnerability of high consequence has not yet been exploited in the wild: it tells us where to act on the likelihood that exploitation is coming soon.
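To make the table concrete, here is an added example (not Nucleus's own code; the record field names such as `public_facing` and the finding values are assumptions constructed for illustration) that encodes the four rows as a function over a finding and returns None when no row matches, so the caller can fall back to another rating:

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Finding:
    """One finding with the attributes the mapping table uses.
    Field names are assumed for this example, not Nucleus's data model."""
    scanner_severity: str          # "Critical", "High", "Medium" or "Low"
    exploit_available: bool
    confirmed_exploitation: bool   # exploitation observed in the wild (evidence)
    actors_target_my_industry: bool
    epss: float                    # EPSS probability in [0, 1]
    public_facing: bool
    production: bool

EPSS_THRESHOLD = 0.50  # "EPSS Score greater than 50%" from the table

def vuln_condition_met(f: Finding) -> bool:
    """Vulnerability Attributes column (identical in all four rows)."""
    return f.scanner_severity == "Critical" and f.exploit_available

def threat_condition_met(f: Finding) -> bool:
    """Threat Intelligence column: evidence-based (rows 1 and 3), or, only when
    there is no confirmed exploitation, the predictive EPSS score (rows 2 and 4)."""
    evidence = f.confirmed_exploitation and f.actors_target_my_industry
    predicted = (not f.confirmed_exploitation) and f.epss > EPSS_THRESHOLD
    return evidence or predicted

def map_severity(f: Finding) -> Optional[str]:
    """Return 'Critical' or 'High' per the table, or None when no row matches."""
    if not (vuln_condition_met(f) and threat_condition_met(f)):
        return None
    if f.public_facing and f.production:
        return "Critical"
    if not f.public_facing and not f.production:
        return "High"
    return None  # mixed asset attributes: no row in the table covers this case

# Constructed sample findings (not real data).
SAMPLES = {
    "row2_epss_only": Finding("Critical", True, False, False, 0.72, True, True),
    "row4_internal_epss": Finding("Critical", True, False, False, 0.72, False, False),
    "row1_confirmed": Finding("Critical", True, True, True, 0.10, True, True),
    "low_epss_no_evidence": Finding("Critical", True, False, False, 0.12, True, True),
    "no_exploit_available": Finding("Critical", False, True, True, 0.95, True, True),
}

def classify_all() -> dict:
    return {name: map_severity(f) for name, f in SAMPLES.items()}

if __name__ == "__main__":
    for name, severity in classify_all().items():
        print(f"{name:22s} -> {severity}")
```

Note that `low_epss_no_evidence` and `no_exploit_available` map to None: the table only escalates on EPSS when the exploitable vulnerability has no confirmed exploitation yet and the predicted likelihood is high.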
In Platform: where to find and how to use
EPSS Scores can be found, associated with specific CVEs, on the Vulnerability Intelligence tab of the detail view on any vulnerability or compliance finding.
Navigate to Global Dashboard > Project > Vulnerabilities > Active to view the Active Vulnerabilities page.
On the Active Vulnerabilities page, click a vulnerability and click the Vulnerability Intelligence tab to view details.

You can also filter vulnerabilities for analysis and reporting based on EPSS score using the Filter button and query builder on the Vulnerabilities > Active view.

Additionally, EPSS Score can be used as criteria for triggering automation rules that create downstream events like Finding Processing and Notifications to create the mapping logic as described earlier in this article.

For additional questions, please reach out to your success team or the support team at [email protected].