
EPSS Explained: How to Strengthen Your Vulnerability Management Strategy


Effective vulnerability management is crucial for mitigating security risk, yet many organizations struggle even to identify every vulnerability in their environment. That challenge intensified as the National Vulnerability Database added over 24,000 new Common Vulnerabilities and Exposures (CVE) entries in 2023. This volume makes it increasingly difficult to prioritize and address the exposures that matter most.

Faced with a constant stream of newly disclosed vulnerabilities, organizations need a way to judge both how severe a flaw is and how likely it is to be exploited, and to focus remediation accordingly.

What is EPSS in Cybersecurity?

The Exploit Prediction Scoring System (EPSS) helps organizations decide which vulnerabilities to address first by assigning each CVE a score that reflects its probability of exploitation. It is a predictive model that uses technical vulnerability data, the CVE list, and threat intelligence to estimate the probability that exploitation activity against a given vulnerability will be observed in the wild within the next 30 days.

FIRST, the Forum of Incident Response and Security Teams, first presented the EPSS model in 2019 and began publishing public scores in 2021. Major model revisions followed in February 2022 (v2) and March 2023 (v3) as FIRST refined the model; scores are recomputed daily for every published CVE. In addition to EPSS, FIRST also maintains the Common Vulnerability Scoring System (CVSS).

Because EPSS draws on the same technical characteristics that feed a CVSS score, together with evidence of real-world exploitation, it lets security and IT teams make better-informed decisions about which weaknesses pose the greatest risk to their systems, networks, and data.

How Does EPSS Work?

EPSS uses machine learning (ML) to combine many features of a vulnerability into a single probability. The process consists of three steps.

Data Collection

The model collects data about each vulnerability from public sources: vulnerability databases, exploit code repositories, and threat intelligence feeds that report observed exploitation. It does not see an individual organization's own scanner results or asset inventory.

  • Threat Intelligence: EPSS gathers evidence of exploit availability and exploitation activity from a variety of sources, including:
    • Published exploit code repositories such as Metasploit, ExploitDB, and GitHub
    • Inclusion in offensive security scanning tools such as Jaeles, Intrigue, Nuclei, and sn1per
    • Observed in-the-wild exploitation reported by data partners such as AlienVault and Fortinet
  • Vulnerability Database: EPSS enriches each vulnerability with technical details from public databases so that the model can weigh its characteristics. Examples of the vulnerability data EPSS uses include:
    • MITRE's CVE List: only CVEs in the "published" state are scored
    • Text-based "tags": terms derived from the CVE description and other sources discussing the vulnerability
    • Age: the number of days since the CVE was first published
    • References: the number of references listed for the CVE
    • Common Platform Enumeration (CPE): the structured names of affected vendors and products, as published in the NVD

Model Training

The core function of EPSS is to assess the likelihood of vulnerabilities being exploited. To do this, the model undergoes rigorous training on historical data to identify patterns and correlations between vulnerabilities and exploitation. Once trained, the model can then be applied to new vulnerabilities, generating a probability score to indicate their exploitation risk.

Performance Measurement

The model's performance is evaluated with a look-back approach. It is built from a 14-month historical dataset: the earlier twelve months train the model and the most recent two months are held out as a "future" test period, so that predictions can be compared against exploitation that was actually observed.

On the held-out period, each vulnerability falls into one of four categories, depending on whether the model prioritized it and whether it was actually exploited:

  • True positives (TP): prioritized vulnerabilities that were observed in active exploitation "in the wild".
  • False positives (FP): vulnerabilities that were prioritized but ultimately not exploited. These represent potentially wasted remediation effort.
  • False negatives (FN): vulnerabilities that were not prioritized but were exploited. Each one is a missed opportunity to prevent exploitation.
  • True negatives (TN): vulnerabilities that were correctly left as low priority and were not exploited.

Once evaluated, the process loops back to data collection: the model ingests new vulnerability and exploitation data and publishes a fresh 30-day exploitation probability for every published CVE each day.
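The evaluation above is easier to reason about with numbers in hand. The following is an added example, not code from FIRST or from this article: it classifies a constructed list of CVEs into TP/FP/FN/TN for a given prioritization rule and reports the three quantities FIRST uses when it publishes EPSS performance, efficiency (the share of prioritized CVEs that were exploited), coverage (the share of exploited CVEs that were prioritized) and effort (the share of all CVEs you were asked to fix). The CVE identifiers, scores and exploitation flags are sample data, not real EPSS output.

```python
"""Score a remediation strategy the way EPSS performance is reported.

Added example; not code from the EPSS project or this article. Every CVE,
score and 'exploited' flag below is constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Outcome:
    tp: int  # prioritized and exploited
    fp: int  # prioritized, not exploited (wasted effort)
    fn: int  # not prioritized, but exploited (missed)
    tn: int  # not prioritized, not exploited

    @property
    def efficiency(self) -> float:
        """Share of prioritized CVEs that were actually exploited (precision)."""
        prioritized = self.tp + self.fp
        return self.tp / prioritized if prioritized else 0.0

    @property
    def coverage(self) -> float:
        """Share of exploited CVEs that were prioritized (recall)."""
        exploited = self.tp + self.fn
        return self.tp / exploited if exploited else 0.0

    @property
    def effort(self) -> float:
        """Share of all CVEs the strategy asks you to remediate."""
        total = self.tp + self.fp + self.fn + self.tn
        return (self.tp + self.fp) / total if total else 0.0


# Constructed sample rows: (cve, epss_probability, cvss_base, exploited_in_window)
SAMPLE = [
    ("CVE-2024-0001", 0.970, 9.8, True),
    ("CVE-2024-0002", 0.650, 7.5, True),
    ("CVE-2024-0003", 0.400, 5.3, False),
    ("CVE-2024-0004", 0.120, 9.1, False),
    ("CVE-2024-0005", 0.080, 8.8, True),
    ("CVE-2024-0006", 0.030, 7.2, False),
    ("CVE-2024-0007", 0.010, 9.8, False),
    ("CVE-2024-0008", 0.005, 4.3, False),
    ("CVE-2024-0009", 0.002, 6.5, False),
    ("CVE-2024-0010", 0.001, 7.8, False),
]


def score_strategy(rows, prioritize) -> Outcome:
    """Classify each row by whether `prioritize(row)` fired and whether it was exploited."""
    tp = fp = fn = tn = 0
    for row in rows:
        chosen, exploited = prioritize(row), row[3]
        if chosen and exploited:
            tp += 1
        elif chosen:
            fp += 1
        elif exploited:
            fn += 1
        else:
            tn += 1
    return Outcome(tp, fp, fn, tn)


def epss_at_least(threshold):
    """Strategy: remediate everything with an EPSS probability >= threshold."""
    return lambda row: row[1] >= threshold


def cvss_at_least(threshold):
    """Strategy: remediate everything with a CVSS base score >= threshold."""
    return lambda row: row[2] >= threshold


def sweep(rows, thresholds=(0.01, 0.1, 0.5)):
    """Evaluate several EPSS thresholds so the effort/coverage trade-off is visible."""
    return {t: score_strategy(rows, epss_at_least(t)) for t in thresholds}


if __name__ == "__main__":
    strategies = [("CVSS >= 7.0", cvss_at_least(7.0))] + [
        (f"EPSS >= {t}", epss_at_least(t)) for t in (0.01, 0.1, 0.5)
    ]
    for label, rule in strategies:
        o = score_strategy(SAMPLE, rule)
        print(f"{label:12} TP={o.tp} FP={o.fp} FN={o.fn} TN={o.tn} "
              f"efficiency={o.efficiency:.2f} coverage={o.coverage:.2f} effort={o.effort:.2f}")
```

On this sample the "fix everything CVSS high or above" rule reaches full coverage only by touching 70% of the CVEs, while an EPSS threshold of 0.1 cuts effort to 40% at the cost of one missed exploited CVE; sweeping thresholds is how you pick the point on that curve your team can actually staff.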

Key Metrics

EPSS expresses the likelihood of exploitation as a probability between 0 (no chance) and 1 (certain), which lets the teams responsible for remediation rank vulnerabilities and focus their effort where it counts.

EPSS publishes two values for every scored CVE:

  • Probability: the estimated likelihood that exploitation activity against the vulnerability will be observed in the wild within the next 30 days.
  • Percentile: the proportion of all scored CVEs with an EPSS probability equal to or lower than this one. Because the vast majority of CVEs have very low probabilities, the percentile shows where a score sits relative to the whole population; a probability that looks small in absolute terms can still rank in the top percentiles.

EPSS vs CVSS: What is the Difference?

While EPSS and CVSS are both vulnerability scoring methods, they differ in several key ways.

Firstly, they measure different things. CVSS rates the inherent severity of a vulnerability from its technical characteristics, such as attack vector, attack complexity, and impact on confidentiality, integrity, and availability. EPSS predicts how likely the vulnerability is to actually be exploited in the real world.

Another key difference is that a CVSS base score is static and stays the same unless the vulnerability itself is re-analyzed. EPSS scores are dynamic: they are recomputed daily and move as threat intelligence and observed exploitation change. An EPSS score may jump sharply, for example, when exploitation attempts are first detected or exploit code is published.

Finally, the qualitative thresholds differ. CVSS maps scores to defined severity ratings of "none," "low," "medium," "high," and "critical," whereas EPSS publishes only the raw probability and percentile and leaves any categorical cut-off to the consumer.

In summary, CVSS and EPSS represent vulnerability risk in quite different ways: CVSS captures technical severity and EPSS captures real-world exploitation likelihood. Using both together gives a much better picture than either alone. A CVSS 9.8 flaw with an EPSS probability near zero rarely deserves the same urgency as a CVSS 7.5 flaw whose probability has climbed to 0.6.

EPSS Limitations

1. EPSS Is a Point Solution

EPSS estimates one thing: the likelihood of exploitation within the next 30 days. It is not a complete assessment of an organization's cyber risk. It does not account for environmental factors, such as whether a vulnerable system is reachable from the internet, or for compensating controls already in place, and it does not attempt to estimate the impact if a vulnerability were successfully exploited.

By focusing solely on the threat component of risk, EPSS provides one piece of the puzzle in a comprehensive, risk-based approach to vulnerability management. As such, relying on EPSS alone would provide an incomplete and potentially misleading picture of an organization's true cyber risk profile.

2. Scores Evolve and Are Not Static

Because EPSS scores are recomputed as new data arrives, they are never static. That is a strength, but it also means a score can lag behind the real threat landscape when exploitation begins before the model has seen evidence of it.

For example, the Log4Shell vulnerability (CVE-2021-44228) initially received a relatively low EPSS score, and it took several days for the score to rise to a level that reflected the exploitation already under way.

Conversely, scores can move sharply within short periods when new exploit code is published or new intelligence arrives. A score read once and stored quickly goes stale, so consumers should re-pull scores daily rather than caching them.

3. Scores Lack Context

EPSS knows nothing about an organization's network or its security controls. A vulnerability with a high EPSS score may pose little risk to an organization that has mitigations in place, while one with a low score may still be urgent if it sits on an exposed, high-value system.

Additionally, EPSS does not estimate the impact of a successful exploit. Impact assessment is a critical component of effective risk management, and it is one that EPSS alone cannot address.
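Putting the previous sections together in code: the block below is an added example, not code from FIRST, the EPSS project, or this article. It parses two daily snapshots laid out like the EPSS CSV feed (a leading "#model_version" comment line followed by "cve,epss,percentile" rows), recomputes the percentile column from the probabilities to show what that metric means, flags CVEs whose score jumped between snapshots (the Log4Shell pattern discussed above), and then combines each probability with a CVSS base score and local context to produce a ranking. The snapshot contents, the CVSS scores, the asset context and the weighting formula are all constructed assumptions; the percentiles in the sample rows stand in for values that would come from the full population of scored CVEs.

```python
"""Combine EPSS with CVSS and local context, and watch for score jumps.

Added example; not code from FIRST, the EPSS project or this article. The
snapshots, CVSS scores, asset context and weights are constructed assumptions.
"""
import csv
import io

# Constructed snapshots in the layout of the daily EPSS CSV (not real data).
SNAPSHOT_DAY1 = """#model_version:v2023.03.01,score_date:2024-05-01T00:00:00+0000
cve,epss,percentile
CVE-2024-0001,0.00420,0.71000
CVE-2024-0002,0.00050,0.18000
CVE-2024-0003,0.92000,0.99000
CVE-2024-0004,0.00900,0.81000
"""
SNAPSHOT_DAY2 = """#model_version:v2023.03.01,score_date:2024-05-02T00:00:00+0000
cve,epss,percentile
CVE-2024-0001,0.00430,0.71000
CVE-2024-0002,0.61000,0.97000
CVE-2024-0003,0.93000,0.99000
CVE-2024-0004,0.00850,0.80000
"""

# Assumed local knowledge that EPSS cannot have: CVSS base score, whether the
# affected asset is internet-facing, and a 0-1 business-impact weight.
CONTEXT = {
    "CVE-2024-0001": {"cvss": 9.8, "internet_facing": False, "impact": 0.3},
    "CVE-2024-0002": {"cvss": 7.5, "internet_facing": True, "impact": 0.9},
    "CVE-2024-0003": {"cvss": 5.3, "internet_facing": True, "impact": 0.2},
    "CVE-2024-0004": {"cvss": 8.8, "internet_facing": False, "impact": 0.8},
}


def parse_epss_csv(text):
    """Return {cve: (epss, percentile)}, skipping the leading '#' metadata line."""
    rows = [line for line in text.splitlines() if line and not line.startswith("#")]
    reader = csv.DictReader(io.StringIO("\n".join(rows)))
    return {r["cve"]: (float(r["epss"]), float(r["percentile"])) for r in reader}


def recompute_percentiles(scores):
    """Percentile = share of scored CVEs whose EPSS probability is <= this one."""
    values = sorted(p for p, _ in scores.values())
    n = len(values)
    # Linear scan is fine for a demo; use bisect.bisect_right on the real ~250k-row feed.
    return {cve: sum(1 for v in values if v <= p) / n for cve, (p, _) in scores.items()}


def score_jumps(old, new, min_delta=0.1):
    """CVEs whose EPSS probability rose by at least min_delta between two snapshots."""
    return {cve: (old[cve][0], new[cve][0]) for cve in new
            if cve in old and new[cve][0] - old[cve][0] >= min_delta}


def risk_score(epss, cvss, ctx):
    """Illustrative composite (an assumption, not a FIRST formula):
    likelihood from EPSS, boosted or damped by exposure, times severity and impact."""
    likelihood = min(epss * (1.5 if ctx["internet_facing"] else 0.5), 1.0)
    return round(likelihood * (cvss / 10.0) * ctx["impact"], 4)


def prioritize(snapshot_text, context):
    """Rank the CVEs we know about, highest composite risk first."""
    scores = parse_epss_csv(snapshot_text)
    ranked = [(cve, risk_score(scores[cve][0], c["cvss"], c))
              for cve, c in context.items() if cve in scores]
    return sorted(ranked, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    day1, day2 = parse_epss_csv(SNAPSHOT_DAY1), parse_epss_csv(SNAPSHOT_DAY2)
    for cve, (before, after) in score_jumps(day1, day2).items():
        print(f"ALERT {cve}: EPSS rose from {before} to {after}")
    for cve, pct in recompute_percentiles(day2).items():
        print(f"{cve}: probability={day2[cve][0]} local-percentile={pct:.2f}")
    for cve, risk in prioritize(SNAPSHOT_DAY2, CONTEXT):
        print(f"{cve}: composite risk {risk}")
```

Note the ranking: CVE-2024-0001, the CVSS 9.8 finding, lands last because its probability is tiny and it sits on an internal, low-impact asset, while CVE-2024-0002 jumps to the top the day its probability climbs. The composite weights are the part you would tune to your own environment; the parsing, percentile and jump-detection logic transfer as they are.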

Improve Your Security Posture with ZeroFox

EPSS belongs inside a broader cyber risk management program. It provides valuable insight into the likelihood of exploitation, but it should be complemented by tools and processes that supply what it lacks: environmental context, compensating controls, and impact assessment.

The ZeroFox external cybersecurity platform combines AI, full-spectrum intelligence services, and takedown and incident response capabilities. Our External Attack Surface Management (EASM) solution adds continuous discovery, identification, and inventory of your expanding external attack surface, enabling you to:

  • Discover and inventory digital assets
  • Analyze and prioritize exposures and vulnerabilities
  • Combat asset sprawl and shadow IT
  • Detect data leakage
  • Reduce phishing and social engineering attacks
  • Adhere to regulatory compliance requirements
  • Visualize your external digital risk from one view

Contact ZeroFox today to discover how to prioritize and address the most critical vulnerabilities within your external attack surface.

Kelly Kuebelbeck

Senior Product Marketing

Kelly Kuebelbeck is a dedicated threat researcher with a strong passion for understanding and combating cybercrime. She has over 15 years of marketing experience in cybersecurity, IoT risk management, and healthcare technology management. As a senior product marketer at ZeroFox, Kelly oversees EASM (External Attack Surface Management) breach prevention technologies, develops product content, and supports product launches. Before joining ZeroFox, she held marketing leadership positions at Asimily, Smarten Spaces, and Accruent.

Tags: External Attack Surface Management
