EPSS – or Exploit Prediction Scoring System – estimates the likelihood of a vulnerability being exploited. It assigns it a probability score between 0 and 1 (0% and 100%), with a higher score meaning a greater likelihood that the vulnerability will be exploited in the next 30 days.
The goal is to better prioritize the large number of vulnerabilities organizations face. And, by some metrics, it seems to be effective when compared to CVSS.
To evaluate the success of a threat intelligence system, we must consider two key metrics:
Precision
This is a measure of the accuracy of a threat intelligence system, or the percentage of correctly identified threats out of all the threats identified by the system. For example, if a threat intelligence system identified 100 threats, and 95 of them were actually threats, the system’s precision would be 95%.
Recall
This represents the completeness of a threat intelligence system, or the percentage of actual threats that were identified by the system out of all the threats that were present. For example, if there were 100 threats present, and the threat intelligence system identified 95 of them, the system’s recall would be 95%.
EPSS in action
Here’s an example:
For a group of patched vulnerabilities, a remediation strategy based exclusively on CVSS v3.1 with a score threshold of 8.8 or higher returned 5.7% precision and 34% recall.
Meanwhile, a strategy based on the newly released EPSS scores with a threshold of 0.149 or higher resulted in 19.9% precision and 72.4% recall.
Smaller organizations are less able to achieve a high recall, but can still get a good level of precision. Organizations with more resources can achieve both better recall and precision with EPSS.
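The comparison above is a threshold experiment: pick a score cut-off, remediate everything at or above it, and measure precision and recall against what was actually exploited. The following is an added example (not code from the article, from FIRST or from the cited research) that runs that experiment over a small set of constructed vulnerability records, using the two thresholds the article quotes (CVSS v3.1 >= 8.8 and EPSS >= 0.149). The CVE identifiers, scores and exploitation flags are all made up for illustration.

```python
"""Evaluate threshold-based remediation strategies by precision and recall.

Added example, not from the original article or from FIRST. The records in
SAMPLE are constructed; the thresholds are the ones quoted in the article.
"""
from dataclasses import dataclass
from typing import Callable, Iterable, List


@dataclass(frozen=True)
class Vuln:
    cve: str            # identifier (constructed placeholders below)
    cvss: float         # CVSS v3.1 base score, 0.0-10.0
    epss: float         # EPSS probability, 0.0-1.0
    exploited: bool     # ground truth: exploitation observed in the window


@dataclass(frozen=True)
class Evaluation:
    flagged: int          # vulnerabilities the strategy chose to remediate
    true_positives: int   # flagged AND actually exploited
    actual: int           # exploited, whether flagged or not

    @property
    def precision(self) -> float:
        """Share of remediated vulnerabilities that were actually exploited."""
        return self.true_positives / self.flagged if self.flagged else 0.0

    @property
    def recall(self) -> float:
        """Share of exploited vulnerabilities the strategy actually caught."""
        return self.true_positives / self.actual if self.actual else 0.0


def evaluate(vulns: Iterable[Vuln], select: Callable[[Vuln], bool]) -> Evaluation:
    """Apply a selection rule and count hits against the exploitation ground truth."""
    pool: List[Vuln] = list(vulns)
    flagged = [v for v in pool if select(v)]
    return Evaluation(
        flagged=len(flagged),
        true_positives=sum(v.exploited for v in flagged),
        actual=sum(v.exploited for v in pool),
    )


# Selection rules corresponding to the two strategies the article compares.
def cvss_strategy(v: Vuln, threshold: float = 8.8) -> bool:
    return v.cvss >= threshold


def epss_strategy(v: Vuln, threshold: float = 0.149) -> bool:
    return v.epss >= threshold


# Constructed sample: made-up scores and exploitation outcomes. CVE-0000-0005
# is exploited despite a low EPSS score, the kind of miss the article describes.
SAMPLE = [
    Vuln("CVE-0000-0001", 9.8, 0.910, True),
    Vuln("CVE-0000-0002", 9.8, 0.020, False),
    Vuln("CVE-0000-0003", 8.8, 0.010, False),
    Vuln("CVE-0000-0004", 7.5, 0.350, True),
    Vuln("CVE-0000-0005", 7.2, 0.100, True),
    Vuln("CVE-0000-0006", 5.3, 0.005, False),
    Vuln("CVE-0000-0007", 6.1, 0.160, False),
    Vuln("CVE-0000-0008", 9.1, 0.004, False),
]

if __name__ == "__main__":
    for name, rule in (("CVSS >= 8.8", cvss_strategy), ("EPSS >= 0.149", epss_strategy)):
        e = evaluate(SAMPLE, rule)
        print(f"{name:14s} flagged={e.flagged} "
              f"precision={e.precision:.1%} recall={e.recall:.1%}")
```

On this sample the CVSS rule flags four items and catches one of the three exploited vulnerabilities (25% precision, 33% recall), while the EPSS rule flags three and catches two (67% precision, 67% recall); the exploited vulnerability sitting below the EPSS threshold is what keeps recall short of 100%, which is the weakness the later part of the article discusses.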
Ostensibly, shifting to a prioritization strategy referencing EPSS yields more reliable results than other existing methods like CVSS.
But this comparison to CVSS can be misleading.
For most of the organizations participating in the research, only the CVSS Base score was considered. The Base group represents the intrinsic qualities of a vulnerability that are constant over time and across user environments. Neither temporal nor environmental metrics are usually used, which renders the assessment somewhat incomplete.
The Temporal metric group reflects the characteristics of a vulnerability that change over time, for example the maturity of available exploit code or the effort required for remediation. Meanwhile, the Environmental group looks at the characteristics of a vulnerability that are unique to a user’s environment.
Organizations rarely configure the Temporal and Environmental metrics because of the difficulties involved. The challenges are informational, but also operational (the lack of tools and the sheer number of vulnerabilities).
Both EPSS and CVSS seek to help network defenders better prioritize vulnerability management. FIRST, the organization behind EPSS, states that high-severity, high-probability vulnerabilities should be the first priority. Accordingly, low-severity, low-probability vulnerabilities can be deprioritized.
Still to be addressed are the unclassified vulnerabilities in between, which require additional consideration of a user’s environment, systems, and information. These make up the majority of vulnerabilities.
The challenge with EPSS
Like the CVSS base metric, EPSS can’t be a standalone metric – it doesn’t represent risk, but it’s a good temporal indicator.
EPSS relates only to the threat component. It does not account for any specific environmental or compensating controls, and it doesn’t make any attempt to estimate the impact of a vulnerability being exploited. EPSS is estimating the probability of exploitation activity. This is just one of many considerations in a risk-based approach to vulnerability management. Because of that, EPSS alone cannot be treated as the sole indicator of cyber risk.
Other factors often must also be considered when prioritizing vulnerabilities. For example:
- How accessible vulnerable assets are to attackers
- The type of weakness the vulnerability presents
- The asset’s purpose and value
- How easy it is to fix or patch
We’ve seen evidence that, at critical moments, EPSS can still struggle to ring the alarm bells. For most exploited vulnerabilities, the bulk of public exploits appear only about a month after publication. As the following cases show, EPSS scores change constantly:
- Log4Shell (CVE-2021-44228) reached a score above 50% only after four days, and its final score of 96% only after a full month.
- CVE-2022-22954 started at 66.9% on the date of publication. A week later, EPSS dropped the score to 32.6%, with no exploit found in the wild. However, almost a month after publication, an exploit was published, and EPSS raised the score to 93%.
Moreover, EPSS is only calculated for published CVEs. Recently, Google released an urgent patch for CVE-2022-3075, a new zero-day vulnerability in the Chrome web browser. Ten days later, it is no longer a zero-day threat, but it has still not been published in NVD. As a result, the vulnerability still has no EPSS score, despite having been seen exploited in the wild.
So in practice we see evidence of a vulnerability being exploited while its EPSS score is low. In situations like this, FIRST’s documentation for EPSS advises:
If there is evidence that a vulnerability is being exploited, then that information should supersede anything EPSS has to say.
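Putting together the guidance on this page, a prioritization routine needs to (a) let concrete exploitation evidence override EPSS, (b) not mistake a missing EPSS score (a vulnerability not yet published in NVD) for low risk, (c) apply FIRST’s edge-case rule of high-severity/high-probability first and low/low last, and (d) fall back on the environmental factors listed earlier (asset exposure, asset value, ease of patching) for the large middle band. The following is an added example of such a routine; it is not FIRST’s or the article’s code, and the tier names, the low-end cut-offs (EPSS 0.01, CVSS 4.0), the asset-value scale and all sample findings are this example’s own assumptions. The high-end cut-offs are the 0.149 and 8.8 thresholds quoted in the article.

```python
"""Tier vulnerability findings using EPSS and CVSS plus the context EPSS lacks.

Added example, not FIRST's or the article's code. Tier rules, low-end
thresholds, asset attributes and the sample findings are assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

EPSS_HIGH = 0.149   # threshold quoted in the article
EPSS_LOW = 0.01     # assumed: below this, probability is treated as low
CVSS_HIGH = 8.8     # threshold quoted in the article
CVSS_LOW = 4.0      # assumed: below this, severity is treated as low


@dataclass(frozen=True)
class Finding:
    cve: str
    cvss: Optional[float]       # CVSS v3.1 base score; None if not yet scored
    epss: Optional[float]       # EPSS probability; None when no NVD entry exists yet
    exploited_in_wild: bool     # concrete threat intelligence (e.g. vendor advisory)
    internet_exposed: bool      # how accessible the asset is to attackers
    asset_value: str            # "high" | "medium" | "low" (assumed scale)
    patch_available: bool       # how easy it is to fix


def prioritize(f: Finding) -> Tuple[str, str]:
    """Return (tier, reason).

    Tiers (assumed): "P1" act now, "P2" this patch cycle, "P3" backlog,
    "REVIEW" an analyst must decide with more context.
    """
    # Evidence of exploitation supersedes anything EPSS has to say.
    if f.exploited_in_wild:
        return "P1", "exploitation observed; overrides EPSS"
    # No EPSS score yet (e.g. CVE not published in NVD): not the same as low risk.
    if f.epss is None:
        if f.cvss is not None and f.cvss >= CVSS_HIGH:
            return "P1", "no EPSS score yet; high severity"
        return "REVIEW", "no EPSS score yet; needs manual assessment"
    if f.cvss is None:
        return "REVIEW", "no CVSS score; needs manual assessment"

    high_prob, low_prob = f.epss >= EPSS_HIGH, f.epss < EPSS_LOW
    high_sev, low_sev = f.cvss >= CVSS_HIGH, f.cvss < CVSS_LOW

    # FIRST's edge cases: high/high goes first, low/low is deprioritized.
    if high_prob and high_sev:
        return "P1", "high probability and high severity"
    if low_prob and low_sev:
        return "P3", "low probability and low severity"

    # The large middle band: EPSS alone does not decide; use asset context.
    if f.internet_exposed and f.asset_value == "high":
        return "P2", "middle band; internet-exposed high-value asset"
    if not f.patch_available:
        return "REVIEW", "middle band; no patch, consider compensating controls"
    if high_prob or high_sev:
        return "P2", "middle band; probability or severity is high"
    return "P3", "middle band; neither probability nor severity is high"


# Assumed queue order: unresolved REVIEW items sit right behind P1 so they are not lost.
TIER_ORDER = {"P1": 0, "REVIEW": 1, "P2": 2, "P3": 3}


def triage(findings: List[Finding]) -> List[Finding]:
    """Order findings for the remediation queue (stable within a tier)."""
    return sorted(findings, key=lambda f: TIER_ORDER[prioritize(f)[0]])


# Constructed sample findings; identifiers and attributes are placeholders.
SAMPLE = [
    Finding("CVE-0000-0101", 9.8, 0.95, False, True, "high", True),     # high/high
    Finding("CVE-0000-0102", 9.8, None, True, True, "high", True),      # exploited, no EPSS
    Finding("CVE-0000-0103", None, None, False, False, "medium", True), # nothing scored yet
    Finding("CVE-0000-0104", 3.1, 0.004, False, False, "low", True),    # low/low
    Finding("CVE-0000-0105", 7.5, 0.05, False, True, "high", True),     # middle, exposed
    Finding("CVE-0000-0106", 7.5, 0.05, False, False, "medium", False), # middle, no patch
    Finding("CVE-0000-0107", 7.5, 0.20, False, False, "low", True),     # middle, high prob
    Finding("CVE-0000-0108", 6.5, 0.05, False, False, "low", True),     # middle, neither
]

if __name__ == "__main__":
    for f in triage(SAMPLE):
        tier, reason = prioritize(f)
        print(f"{tier:7s} {f.cve}  {reason}")
```

The ordering of the checks is the point: threat intelligence is consulted before any score, a missing score routes to a person rather than to the backlog, and the EPSS/CVSS thresholds only settle the two edge cases FIRST describes, leaving the environmental factors to break ties in the middle.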
The bottom line
EPSS is certainly helpful for initial prioritization or when you don’t have threat intelligence available. In cases where it is available, it’s better to first act upon the concrete information at your disposal. In fact, FIRST suggests that organizations work with CVSS and EPSS in edge cases – vulnerabilities with either very low or very high scores. This can be effective, but the reality is that there remains a large number of vulnerabilities in the middle. With EPSS not providing enough clarity on its own, customers will struggle to prioritize these vulnerabilities.
As we’ve seen, EPSS can be a valuable addition to the cyber security practitioner’s toolkit. But while teams should take advantage of all the tools and resources available to them in today’s fast-moving threat landscape, they must marry these solutions with a holistic cyber risk management program, to ensure that all pertinent threats are addressed and all bases covered.