Using EPSS for Vulnerability Enrichment
Earlier this year, Nucleus released our CISA KEV Enrichment Dashboard — a free tool that enables vulnerability researchers to quickly analyze trends of known and exploitable vulnerabilities identified by CISA in order to layer intelligence-led prioritization into their vulnerability management program.
One of the things that truly sets our Enrichment Dashboard apart from the straight out of the box information provided in the CISA KEV catalog is the multiple columns of enrichment data we have brought in from sources like CVSS, FIRST.org, and GreyNoise Threat Intelligence which add further information and context to the known vulnerabilities populated in the KEV list.
Today, we want to specifically deep dive into the enrichment data that FIRST.org provides through EPSS, which aims to help vulnerability researchers better estimate the likelihood that a software vulnerability will be exploited in the wild. Let’s dive in!
What is EPSS?
EPSS, the Exploit Prediction Scoring System, is an open standard, administered by the Forum of Incident Response and Security Teams (FIRST.org), that uses machine learning to estimate the probability of a vulnerability being or becoming widely exploited within the next 30 days.
This rating makes it a natural companion to the CISA KEV list because it answers a simple question: Did we see this vulnerability coming?
When an EPSS score is high, that tells us that the likelihood of that vulnerability appearing on CISA’s Known Exploited Vulnerabilities list was high: we saw it coming that the vulnerability was likely to be exploited in the wild. However, when the score is low, that tells us that we did not see that exploitation coming.
How to Use EPSS Alongside the CISA KEV List
In addition to using EPSS as a way to better predict which software vulnerabilities are likely to be exploited, we can also read other things into an EPSS score. For example, while you can look at the EPSS score as the probability of exploitation, you can also look at it as a similarity score, simply because of the way the scoring system works: how similar is one CVE to other CVEs that have seen exploit activity?
CISA doesn’t tell us a lot about why a vulnerability is or is not on their KEV list. They don’t tell us when the activity was observed, and they don’t tell us if it is widespread or very narrowly targeted. However, EPSS helps to close that information gap. When the score is very high, that is a good indicator of recent widespread exploitation activity. When it is very low, that tells us that it’s probably not widespread.
Another useful thing about EPSS is that all CVEs are scored, so it is a good measure of general exploitation activity. GreyNoise, one of the other enrichment vendors featured on our CISA KEV Enrichment Dashboard, gives excellent insight into network-based activity. However, it has limited visibility into vulnerabilities in products that don’t listen on a network port, such as a vulnerability in Microsoft Word. So, in cases where GreyNoise doesn’t have any activity, EPSS can be an indicator of whether anyone else is seeing any activity.
It’s also important to note that a low EPSS score does not necessarily indicate that CISA got it wrong. Fewer than 10% of all CVEs have an EPSS score above zero. Therefore, don’t think of EPSS as a second opinion or a replacement for threat intelligence, but rather as additional context.
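The reading described in the sections above (a KEV entry with a high EPSS score was predicted, a KEV entry with a low score was not, and a high-scoring CVE that is not yet on KEV deserves a closer look) can be turned into a small enrichment join. The script below is an added example, not Nucleus’s dashboard code or FIRST.org’s tooling. All CVE ids, EPSS probabilities, percentiles and KEV membership in it are constructed sample data, and the HIGH and LOW cut-offs are assumptions picked for illustration rather than guidance from EPSS or CISA. In practice the EPSS column would be filled from FIRST.org’s published scores and the KEV column from CISA’s catalog.

```python
"""Added example (not Nucleus's or FIRST.org's code): joining a CISA KEV-style
list with EPSS scores to answer "did we see this one coming?".

All CVE ids, EPSS values, percentiles and KEV flags are constructed sample
data. HIGH / LOW are assumed cut-offs for illustration only.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

HIGH = 0.50  # assumed: EPSS >= 0.50 read as "exploitation was predicted"
LOW = 0.05   # assumed: EPSS < 0.05 read as "no widespread activity expected"

# Constructed KEV-style catalog: CVE id -> short product label.
KEV: Dict[str, str] = {
    "CVE-0000-1001": "sample VPN appliance",
    "CVE-0000-1002": "sample office document viewer",
    "CVE-0000-1003": "sample web framework",
}

# Constructed EPSS feed: CVE id -> (probability of exploitation in 30 days,
# percentile among all scored CVEs).
EPSS: Dict[str, Tuple[float, float]] = {
    "CVE-0000-1001": (0.97, 0.999),
    "CVE-0000-1002": (0.01, 0.300),
    "CVE-0000-1004": (0.81, 0.990),
    "CVE-0000-1005": (0.00, 0.050),
}


@dataclass(frozen=True)
class Enriched:
    cve: str
    in_kev: bool
    epss: Optional[float]
    percentile: Optional[float]
    signal: str


def classify(in_kev: bool, epss: Optional[float]) -> str:
    """Map (KEV membership, EPSS score) to the reading the post describes."""
    if in_kev:
        if epss is None:
            return "kev-unscored"    # on KEV, but EPSS has not scored it
        if epss >= HIGH:
            return "kev-predicted"   # we saw it coming; likely widespread
        if epss < LOW:
            return "kev-unexpected"  # we did not see it coming; likely narrow
        return "kev-moderate"
    if epss is None:
        return "unscored"
    if epss >= HIGH:
        return "watch"               # not on KEV yet, but looks like exploited CVEs
    return "background"


def enrich(kev: Dict[str, str],
           epss: Dict[str, Tuple[float, float]]) -> List[Enriched]:
    """Outer-join KEV and EPSS, then order by KEV membership, then EPSS descending.

    Unscored CVEs sort after every scored one within their group."""
    rows: List[Enriched] = []
    for cve in sorted(set(kev) | set(epss)):
        score = epss.get(cve)
        e, p = score if score is not None else (None, None)
        rows.append(Enriched(cve, cve in kev, e, p, classify(cve in kev, e)))
    rows.sort(key=lambda r: (not r.in_kev,
                             -(r.epss if r.epss is not None else -1.0)))
    return rows


def summarize(rows: List[Enriched]) -> Dict[str, int]:
    """Count how many CVEs fall into each signal bucket."""
    counts: Dict[str, int] = {}
    for r in rows:
        counts[r.signal] = counts.get(r.signal, 0) + 1
    return counts


if __name__ == "__main__":
    table = enrich(KEV, EPSS)
    for r in table:
        e = " n/a" if r.epss is None else f"{r.epss:.2f}"
        print(f"{r.cve}  kev={str(r.in_kev):5}  epss={e}  {r.signal}")
    print(summarize(table))
```

The two cut-offs are where judgement enters: a "kev-unexpected" row is not evidence that CISA got it wrong, only a hint that whatever exploitation CISA observed was probably not widespread, which is exactly the gap the sections above say EPSS helps fill.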
To learn more about using CISA KEV as part of your intelligence-led vulnerability management program, be sure to check out Nucleus’s full Guide to CISA KEV Enrichment linked below.