LEV: What is the probability that a vulnerability has been exploited?

The LEV metric designed by NIST aims to help companies prioritize the mitigation of vulnerabilities affecting their digital assets.
Just because a vulnerability has been detected does not mean that it has been or will be exploited. Therefore, when mitigating vulnerabilities in software or hardware, it is necessary to focus on those with a higher probability of exploitation. To facilitate this task, the US National Institute of Standards and Technology (NIST) has developed a new metric: Likely Exploited Vulnerabilities (LEV).
What is the difference between LEV and other indicators such as EPSS or CVSS and resources such as lists of known exploited vulnerabilities (KEV)? LEV measures the probability that a vulnerability has already been exploited. Why is this so important?
- According to one study, only 5% of known vulnerabilities have been exploited by malicious actors.
- Companies do not have infinite financial, technical, and human resources to undertake vulnerability mitigation.
Therefore, the LEV metric aims to help companies prioritize their efforts by first addressing vulnerabilities that are most likely to be exploited.
Below, we will break down the key elements of LEV, as well as its relationship with other critical tools for effective vulnerability management.
1. How does the LEV metric work?
The NIST team has developed equations that measure the probability that a vulnerability has been exploited in the past. What information do these equations use? The historical scores obtained by vulnerabilities in the EPSS metric. As such, improvements in LEV results are directly associated with EPSS performance.
How are the results of the LEV metric displayed? As with EPSS, LEV is based on a scale from 0 to 1. The higher the number produced by the metric, the more likely it is that the vulnerability has been exploited.
How can the LEV metric be used? NIST proposes four key use cases:
- Obtain an estimate of how many vulnerabilities present in a company’s technology infrastructure have been exploited in the past.
- Assess the completeness of the lists of exploited vulnerabilities used by organizations.
- Expand lists of exploited vulnerabilities by incorporating vulnerabilities that pose a high risk of exploitation.
- Compensate for the EPSS indicator’s tendency to underestimate the risk of already exploited vulnerabilities.
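The first three use cases above can be sketched in a few lines of Python. This is an added example, not NIST's code: the page does not reproduce NIST's equations, so the example assumes each 30-day EPSS score is an independent probability and combines them as 1 - ∏(1 - p_i). The CVE identifiers, scores, KEV set and function names are all constructed for illustration.

```python
from math import prod

# Constructed sample data: CVE IDs are placeholders, scores are invented.
# Each list holds one EPSS score per consecutive 30-day window since publication.
EPSS_HISTORY = {
    "CVE-0000-0001": [0.02, 0.45, 0.60, 0.10, 0.03],
    "CVE-0000-0002": [0.01, 0.01, 0.02, 0.01],
    "CVE-0000-0003": [0.90, 0.85, 0.40],
    "CVE-0000-0004": [0.05, 0.04, 0.05, 0.06, 0.05, 0.04],
}
KEV = {"CVE-0000-0003"}  # constructed stand-in for a KEV list


def lev(window_scores, last_window_days=30, window=30):
    """Probability that at least one window saw exploitation: 1 - prod(1 - p_i).

    The final window may be partial, so its score is scaled by the fraction
    of the window that has elapsed (an assumption of this example).
    """
    if not window_scores:
        return 0.0
    for p in window_scores:
        if not 0.0 <= p <= 1.0:
            raise ValueError(f"EPSS score out of range: {p}")
    weights = [1.0] * (len(window_scores) - 1) + [last_window_days / window]
    return 1.0 - prod(1.0 - p * w for p, w in zip(window_scores, weights))


def expected_exploited(history):
    """Use case 1: expected number of exploited CVEs is the sum of probabilities."""
    return sum(lev(scores) for scores in history.values())


def kev_ratio(history, kev):
    """Use case 2: KEV entries in the dataset divided by the expected exploited count."""
    return len(kev & history.keys()) / expected_exploited(history)


def kev_candidates(history, kev, threshold=0.5):
    """Use case 3: CVEs missing from the KEV list whose score meets the threshold."""
    scored = ((cve, lev(s)) for cve, s in history.items() if cve not in kev)
    return sorted((c for c in scored if c[1] >= threshold), key=lambda c: -c[1])


if __name__ == "__main__":
    print(f"expected exploited: {expected_exploited(EPSS_HISTORY):.2f}")
    print(f"KEV ratio: {kev_ratio(EPSS_HISTORY, KEV):.2f}")
    print("KEV candidates:", kev_candidates(EPSS_HISTORY, KEV))
```

In the constructed data, CVE-0000-0001 has a latest EPSS score of only 0.03, yet its accumulated history puts it above the threshold, which is the case where a current EPSS score alone would rank it too low.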
2. LEV will help expand lists of known vulnerabilities that have been exploited
Currently, many public and private organizations have lists of vulnerabilities that have been reliably exploited in the past.
What is the problem with Known Exploited Vulnerabilities (KEV) lists? They do not provide a comprehensive list of all exploited vulnerabilities.
For example, the KEV of the Cybersecurity and Infrastructure Security Agency (CISA) in the United States only includes vulnerabilities that could affect US government systems or critical infrastructure and that already have a mitigation method in place.
As a result, there are 1,352 vulnerabilities in the CISA’s KEV. Meanwhile, the number of publicly disclosed vulnerabilities has already exceeded 280,000. If we consider that around 5% of these vulnerabilities have been exploited, we are actually talking about 14,000 exploited vulnerabilities.
Thanks to LEV, companies and public institutions can expand their KEV lists by incorporating vulnerabilities that are not included in them but have a high likelihood of being exploited.
This means that when managing vulnerabilities and prioritizing their mitigation, you can work with more comprehensive lists that offer a more accurate overview of the risks facing a company.
3. LEV and EPSS: Take into account past exploitation, not just future exploitation
The Exploit Prediction Scoring System (EPSS) metric, developed by the Forum of Incident Response and Security Teams (FIRST), is used by vulnerability management teams to estimate the likelihood that a vulnerability will be exploited in the next 30 days.
Thanks to EPSS, it is possible to prioritize the mitigation of vulnerabilities whose active exploitation may be imminent.
However, EPSS has a blind spot. According to NIST, the probabilities it returns are inaccurate for vulnerabilities whose exploitation has already been observed in the past. As a result, the probability shown would be lower than the actual probability.
The LEV metric sheds light on this issue by providing an estimate of the probability that a vulnerability has been exploited.
As is evident, LEV and EPSS are not mutually exclusive indicators but rather complementary ones. The LEV metric enables the refinement of the results that EPSS returns for vulnerabilities.
This provides professionals in charge of vulnerability management at a company with quality information that enables them to develop an effective vulnerability mitigation strategy.

4. What information does the LEV metric provide?
It is important to highlight the data that the LEV metric provides to cybersecurity experts about each vulnerability:
- Name of the CVE (Common Vulnerabilities and Exposures).
- Date of publication of the CVE.
- Description of the vulnerability.
- The probability that it has been exploited in the past according to the LEV metric.
- The maximum score obtained by the vulnerability in EPSS within the evaluated period.
- The date on which this maximum score was recorded in EPSS.
- The score obtained in EPSS in each of the 30-day periods analyzed.
- The dates of these periods.
- The products affected by the vulnerability.
5. Prioritizing vulnerability remediation is key
Using the CVSS system, which measures the criticality of vulnerabilities, KEV lists, the EPSS indicator, and the LEV metric together makes it easier for vulnerability management professionals to design a mitigation strategy that takes into account:
- Whether the vulnerability has already been exploited or there is a high probability that it has already happened.
- The difficulty for malicious actors to exploit a vulnerability.
- The impact of a successful exploit on corporate assets.
- The likelihood that the vulnerability will be exploited in the short term.
As we pointed out earlier, vulnerability remediation requires companies to invest financial resources, technology, talent, and time. The tools we have just mentioned provide quality information to prioritize the vulnerabilities that pose the greatest threat and are most pressing. This ensures that resources are invested with maximum efficiency and that the security of corporate assets is strengthened.
6. Vulnerability management, a critical issue for companies
One of the key areas within a company’s cybersecurity strategy is vulnerability management.
In fact, pioneering regulations such as the future Cybersecurity Law impose a series of obligations on thousands of companies regarding vulnerability management.
Why is this so important? Vulnerability management services enable companies to:
- Minimize the risks to which their technological infrastructure is exposed.
- Manage the lifecycle of each vulnerability.
- Have a systematic inventory of assets that identifies who is responsible for each one.
- Permanently monitor the security of assets.
- Have an action plan to optimize the detection and mitigation of vulnerabilities.
- Prioritize mitigation tasks for weaknesses based on indicator data, such as EPSS, CVSS, or LEV.
- Detect vulnerabilities as quickly as possible and begin managing emerging vulnerabilities promptly.
- Comply with current regulations.
In short, NIST has developed the LEV metric to enable professionals responsible for managing vulnerabilities in organizations to determine the likelihood that a vulnerability has already been exploited, even if it does not appear on a KEV list.
Vulnerability management services can take this metric into account when designing and implementing a vulnerability mitigation plan, thereby making the most of the resources available to address security deficiencies in assets.
The LEV indicator does not replace any existing metrics; rather, it provides a new layer of information for cybersecurity experts.