EPSS: What is the probability of a vulnerability being exploited?

The EPSS indicator quantifies the probability of exploiting a given vulnerability in the next 30 days

Every day, new vulnerabilities emerge that, if exploited, can lead to security incidents affecting companies, administrations, and citizens around the world. Common Vulnerabilities and Exposures (CVE), a dictionary that compiles, systematizes, and standardizes the way of naming all vulnerabilities, currently includes more than 200,000. Of these, 10% are considered critical by the Common Vulnerability Scoring System (CVSS). Moreover, the number of vulnerabilities is increasing year by year. In 1999, 894 vulnerabilities were detected, while in 2022, the record was broken with the discovery of 25,227 vulnerabilities in those 12 months alone.

Given this scenario, the Forum of Incident Response and Security Teams (FIRST), an umbrella organization for cybersecurity and incident response teams worldwide, has developed the Exploit Prediction Scoring System (EPSS). A data-driven tool used to estimate the likelihood of a vulnerability being exploited within 30 days.

EPSS uses constantly updated threat and exploit data to give a probability score between 0 and 1, with 1 being a 100% probability of exploitation. In this way, EPSS helps cybersecurity professionals and companies worldwide know how likely a vulnerability will be exploited in the near term and can take steps to mitigate them before security incidents occur.

In the following, we will break down the key features of EPSS and explain why this tool can be helpful in vulnerability management, to prioritize actions aimed at correcting weaknesses in a company’s systems.

1. What is EPSS?

EPSS is a free indicator, available to all companies worldwide, that seeks to quantify the probability of a vulnerability being exploited. As we have just indicated, there are more than 200,000 known vulnerabilities (not counting all those that have yet to be discovered), and this number is growing yearly. However, not all of them have the same probability of being exploited at all times.

That is why EPSS is a system designed to measure the probability of exploitation of a particular vulnerability in real-time. How does it do this? By using one of the most popular areas of Artificial Intelligence today: Machine Learning.

Thanks to Machine Learning, it is possible to detect patterns in the data fed into the EPSS model and make predictions that make it possible to predict the probability of exploitation of each of the vulnerabilities published in CVE.

AI and data are the critical elements of the scoring system. These data combine two types of sources: threat information from CVEs and vulnerability exploitation data from the experience of thousands of companies and cybersecurity professionals.

1.1. Incorporation of up-to-date, real-world information

One of the critical features of the EPSS indicator is that the model on which it is based is continuously fed with permanently updated data from actual cases. The latest version of EPSS (v3), released in early 2023, has 1477 functions for predicting vulnerability exploitation activity. To build these functions, the EPSS model uses up to 11 sources of information.

The first of these is, of course, the list of CVEs published by MITRE. But we can also find other sources such as exploit code published on Metasploit, ExploitDB, and Github, information from security scanners such as Jaeles, Intrigue, or Nuclei, information from IT vendors published on the National Vulnerability Database (NVD), and even mentions of the vulnerability on social networks such as Twitter.

This variety of sources makes it possible to constantly update the information available on each of the known vulnerabilities and thus predict the probability of exploitation in a realistic manner, taking into account the new data generated. In such a way, the EPSS indicator scores are recalculated each time there is a change in the information.

1.2. A model to automate the prediction of exploitation in the next 30 days

As indicated above, the other key to the EPSS indicator is using Machine Learning to analyze the data, detect patterns and make operational predictions.

This means that the daily operation of EPSS is fully automated. So data sources are collected and aggregated into the model, and all published CVEs are scored daily, based solely on the data.

For what purpose? To predict, from 0 to 1, the probabilities that each of the vulnerabilities will be exploited during the next 30 days. So the EPSS indicator introduces a crucial issue in vulnerability management: time.

EPSS does not analyze the probabilities of exploitation in the medium or long term but within one month. Why is this relevant? It emphasizes the urgency and the short period companies have to mitigate a vulnerability that is about to be exploited.

At this point in the article, many readers will ask, “What exactly does the EPSS model consist of?”. FIRST does not explain the functions of the model one by one but instead argues that it is a model of real-world observations. Thus, the organization does not share the data used to make the operational predictions, the model, or the source code.

1.3. How the EPSS indicator is scored

In this lack of transparency in its operation, EPSS differs substantially from the CVSS scoring system, where the metrics and values used are public. Calculators have been developed so that companies can autonomously calculate the score for a given vulnerability.

While the EPSS score can only be obtained through two alternatives.

On the one hand, it publishes daily model-generated data on all vulnerabilities and a report in which the most relevant information on the overall threat landscape can be viewed at a glance from CVEs published in the last 48 hours, 30 days, or 90 days, sorted by their EPSS score. The CVEs have experienced the most significant variation in EPSS score, both because the probability of being exploited has increased and because the likelihood of being used has decreased significantly.

In addition, FIRST has developed an API that allows cybersecurity professionals and companies worldwide to easily query EPSS data to secure all IT assets from design and throughout their lifecycle. This API can also be used to integrate EPSS data into other databases to obtain a broader picture to optimize vulnerability management.

1.4. Scaling EPSS to predict a company’s overall threat and analyze its evolution

While cybersecurity managers and companies cannot autonomously obtain EPSS indicator scores, EPSS does facilitate their scalability. What do we mean by this?

The EPSS indicator provides a score that quantifies the probability of a particular vulnerability being exploited. But it is also possible to make a prediction of exploitation activity for a network, a system, or a specific company. How? Considering all the vulnerabilities present in a company’s IT assets and the probability of exploitation of each.

FIRST offers in its user guide a mathematical formula to quantify, from the individual scores of each CVE, the probability that at least one of the company’s vulnerabilities will be exploited in the next 30 days.

This data provides an overview of the threats facing an organization in the short term.

But it can also become another metric for assessing the organization’s defensive security layers over time. Why? By scaling EPSS, one proceeds to obtain a probability of exploitation at a specific time. Suppose the operation is repeated three months later. In that case, it will be possible to know whether the overall threat has decreased or, on the other hand, has increased and it is convenient to take the necessary measures to secure IT assets.

2. EPSS, an indicator at the service of vulnerability management

From our description of the EPSS indicator, this scoring system cannot be the only element to be considered when prioritizing vulnerability remediation. Why?

It only focuses on the risk of exploitation in the short term. Still, it does not consider crucial aspects of vulnerability management, such as the business relevance of the assets presenting vulnerabilities and the impact that successful exploitation of a vulnerability could have on the organization and business continuity.

Put more prosaically, a vulnerability that has a high probability of being exploited in the next 30 days but affects an asset of low value or whose impact on the company’s business is expected to be very limited may be of less concern for risk management than another vulnerability with a lower probability of exploitation.

Vulnerability management is an extraordinarily complex area of cybersecurity where many factors come into play. EPSS is not intended to be the only tool used to make decisions and prioritize weakness remediation measures.

FIRST itself warns that EPSS only focuses on the first element of the classic formula for measuring risk: Threat x Vulnerability x Impact.

Therefore, professionals providing cybersecurity services and companies cannot base vulnerability management on this indicator but must use it in conjunction with other tools and actions, such as CVSS.

3. EPSS and CVSS: X-raying vulnerabilities

When EPSS was launched in 2019, there was some debate as to whether this indicator would replace CVSS, a vulnerability scoring system used around the globe to assess CVEs. However, there is no fundamental dichotomy between EPSS and CVSS. On the contrary, the two indicators are complementary. Why?

As we have pointed out throughout this article, the EPSS indicator measures the probability of a vulnerability being exploited. At the same time, CVSS quantifies (from 0 to 10) the impact of the exploitation of a vulnerability on a given organization.

Thus, if a CVE scores 0.8 on the EPSS indicator, it means there is an 80% probability that it will be exploited in the next 30 days. On the other hand, if the identical CVE scores 8, we can consider its severity level to be high. In other words, each indicator provides different information about the vulnerability, and both are useful for X-raying the exposure and making decisions to optimize vulnerability management.

3.1. Crossing indicators to prioritize vulnerabilities

The two indicators can be crossed to analyze a company’s vulnerabilities and prioritize remediation. This can result in four primary scenarios:

• Vulnerabilities with a low probability of exploitation in the short term (e.g., 0.1) and which, if exploited, would have a low impact on the company’s IT infrastructure (e.g., 1.6). These vulnerabilities would not be a priority; therefore, other weaknesses should be prioritized.
• Vulnerabilities that have a high probability of being exploited in the coming days (0.9 in EPSS) but whose impact would be limited (e.g., a 2 in CVSS). These vulnerabilities should be analyzed since if more than one is exploited to launch a more sophisticated attack, the criticality level could be much higher.
• Vulnerabilities can be highly critical to the organization if exploited but are unlikely to be used in the short term. These vulnerabilities require close monitoring to detect any changes in the threat landscape that could significantly increase the likelihood of exploitation.
• Critical vulnerabilities that are highly exploitable in the short term. As is evident, these are the vulnerabilities that need to be patched first, as it is highly plausible that they will be exploited in the coming days. The effects of this malicious activity can be devastating.

4. Strategies for prioritizing vulnerability remediation

So far, we have argued that the EPSS indicator can be a valuable tool for anticipating threats and prioritizing vulnerability remediation, but how do we put this idea into practice? By designing remediation strategies. That is, by putting plans in place to remediate specific vulnerabilities. For example, a company may decide to remediate those that exceed a score of 0.2 on the EPSS indicator. Or set a certain percentage of effort (i.e., the number of vulnerabilities to be remediated).

To design these remediation strategies using EPSS, it is essential to consider not only the vulnerability score threshold and the effort to be made by the organization but also the efficiency in the use of resources and coverage.

4.1. Efficiency in resource management

Companies’ resources are limited. And cybersecurity strategies must be designed and implemented based on the security objectives being pursued and the resources available to achieve them.

Hence, prioritizing vulnerability remediation is a central activity within an organization’s vulnerability management. How? By measuring the percentage of vulnerabilities prioritized by the company that malicious actors finally exploited.

This metric is obtained through a simple formula: Number of exploited vulnerabilities prioritized by the company ÷ Total number of prioritized vulnerabilities.

Thus, if the result of the division is high, the company will have efficiently prioritized vulnerability remediation. On the other hand, if the division yields a low impact, it means that the organization has prioritized many vulnerabilities that, in the end, were not exploited.

4.2. Coverage of remediation activities

Another metric derived from the EPSS indicator is coverage, the percentage of exploited vulnerabilities that the company proceeded to remediate beforehand. The formula for this data is the Number of exploited vulnerabilities prioritized by the company ÷ Total number of exploited vulnerabilities.

In this case, if the coverage ratio is low, the company will not be able to respond to vulnerabilities exploited by malicious actors. On the other hand, if it is high, the coverage will have been optimal and the remediation strategy effective.

Given the above, what should companies prioritize: efficiency or coverage?

The answer to these questions will depend on each organization’s characteristics, resources, and objectives. Smaller companies, with fewer resources available for securing their IT infrastructure, will prefer to implement strategies focused on resource management efficiency.

On the other hand, larger companies with a higher level of cyber exposure and higher security requirements will probably decide to build their remediation strategies around a broad coverage to reduce the chances of a successful attack as much as possible.

4.3. EPSS v3, an indicator that optimizes remediation strategies

A study published in February 2023 analyzing the performance of EPSS v3 simulates different decision strategies using the three versions of EPSS and CVSS v3.x. The researchers’ objective was to test both the companies’ resource management efficiency and the level of coverage of remediation activities.

To this end, the researchers carried out two comparative tests. First, they designed remediation strategies with a similar percentage of effort. In the second, they established practically identical coverage for each simulated approach using the four indicators to be compared.

In both cases, they concluded that the EPSS v3 indicator offers better coverage and efficiency rates than its predecessors and the latest version of CVSS.

Does this imply that a company’s vulnerability management professionals can design remediation strategies based on EPSS alone? As we have already pointed out, no. Since EPSS merely quantifies the probability of a vulnerability being exploited without considering the environment of each organization or the impact of the exposure.

5. Vulnerability management, an essential service for the defensive security of companies

Throughout this article, we have emphasized that the EPSS indicator is a valuable tool for the vulnerability management of a company’s IT infrastructure. But what does it consist of?

The vulnerability management service offered by Tarlogic Security aims to minimize risks in a company’s IT infrastructure. To this end, an integrated management of the entire vulnerability lifecycle is carried out:

• Discovery
• Analysis
• Reporting
• Remediation
• Verification

Vulnerability management thus becomes an important activity in a company’s defensive security strategy, serving to assess the overall security status based on the following actions:

• Security risk management
• A permanent monitoring of the IT infrastructure
• Elaboration of a vulnerability detection and remediation plan
• Optimizing the ability to detect new vulnerabilities
• Design of weakness mitigation strategies
• Monitoring vulnerability remediation
• Compliance with current regulatory requirements

In short, the EPSS indicator can be a valuable tool for IT vulnerability management. It prioritizes the vulnerabilities detected, considering the probability that they will be exploited in the short term.

In such a way, EPSS scores can be considered to design efficient mitigation strategies to leverage the organization’s resources and effectively protect the company’s assets against known vulnerabilities.