As I noted in April 2020:
“If EPSS [Exploit Prediction Scoring System[1]] is going to be of use, there must be some automation for organizations to periodically check scores. The threat landscape is dynamic, so any solution must be equally dynamic.”[2]
Huge news: FIRST.org has done it![3]
Anyone can automatically query the EPSS API for a prediction score for each CVE in their unpatched queue. CVEs (Common Vulnerabilities and Exposures) whose prediction score exceeds the organization's or system's risk tolerance would then get patched. CVEs that fall below that tolerance can wait until their prediction score has climbed high enough to be of concern.
In other words, dynamic vulnerability prioritization based upon solid research is within reach for everyone. Finally!
For my analyses on why CVSS shouldn’t be used to set patch priority, please see the following two articles:
As I wrote in my “Mismatch” post, “research from 2014 indicates that using the CVSS base score may be no better than ‘choosing at random.’[4]”
There are several problems with CVSS when it is used beyond its intended purpose, a “potential severity score”, say as a predictor of attacker use or, worse, as a risk rating. For those who would like more detail, I noted a few of those problems in the “Don’t Substitute CVSS for Risk” post, and I explain the issues with CVSS in greater detail in both Secrets Of A Cyber Security Architect and Building In Security At Agile Speed.
Exploit Prediction Scoring System (EPSS) is built on a body of research into which vulnerabilities attackers actually exploit and which they leave alone. The short crib: exploitation against real systems doesn’t necessarily map to a high CVSS score; many other factors contribute. Please see Allodi & Massacci’s groundbreaking 2014 paper and the EPSS research (both cited in the endnotes, below).
As I noted in 2020, EPSS appears to me to be our “better mousetrap”. At that point (April 2020) only a web page existed, which couldn’t be operationalized by organizations that have more than a few vulnerabilities to score. But now an API has been published, and it's dead simple to use.
I have no idea whether FIRST.org’s API infrastructure is sufficient to support tens of thousands of EPSS score requests a day. Still, assuming that they’ve geared up, a little Python code ought to work through even the biggest CVE queue to find those issues that need attention now and those that can wait.
The API provides a call for all CVEs above a chosen threshold. The example call returns all CVEs with a score of .95 or higher:
My trivial Python to identify those CVEs that currently hold a 50/50 chance of exploitation:
Each organization must determine its own risk tolerance. Perhaps yours can’t tolerate much possibility of exploitation? In that context the best number might be low, say 20% (.20). Or your organization may be able to survive some successful exploitation, which might justify a much higher prediction floor. The number to use is entirely contextual. My Python example uses 50% (.50).
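Here is an added example of the kind of queue triage described above. It is my illustration, not the post's original script. It assumes the FIRST.org endpoint and parameters as documented at api.first.org when this was written (the `cve` parameter taking a comma-separated list, `epss-gt`, `limit` and `offset`, with `epss` and `percentile` returned as decimal strings and at most 100 rows per page); the CVE IDs and API response embedded below are constructed, not real data. It goes a little beyond the post: it batches the queue, follows pagination, and reports CVEs that EPSS has not scored separately, since "no score yet" is not the same as "low probability".

```python
"""Triage an unpatched CVE queue against EPSS scores (added example, not the post's script).

Assumed, as documented at api.first.org when this was written: the endpoint below,
the `cve` (comma-separated list), `epss-gt`, `limit` and `offset` parameters, the
`epss`/`percentile` fields returned as decimal strings, and a 100-row page size.
"""
import json
import urllib.parse
import urllib.request

EPSS_URL = "https://api.first.org/data/v1/epss"  # assumed endpoint
PAGE = 100  # assumed maximum rows per response page


def build_query(cves=None, epss_gt=None, offset=0, limit=PAGE):
    """URL for one page: a batch of CVE IDs, every CVE scoring above epss_gt, or both."""
    params = {"offset": offset, "limit": limit}
    if cves:
        params["cve"] = ",".join(cves)
    if epss_gt is not None:
        params["epss-gt"] = f"{epss_gt:.2f}"
    return EPSS_URL + "?" + urllib.parse.urlencode(params)


def parse_page(body):
    """One response page -> ({cve: (epss, percentile)}, total rows matching the query).

    Scores arrive as decimal strings, so convert them before comparing to a threshold.
    """
    payload = json.loads(body)
    if payload.get("status") != "OK":
        raise RuntimeError(f"EPSS API error {payload.get('status-code')}: {payload.get('status')}")
    scores = {row["cve"]: (float(row["epss"]), float(row["percentile"]))
              for row in payload.get("data", [])}
    return scores, int(payload.get("total", len(scores)))


def http_get(url):
    """Default transport: a plain GET returning the body as text (this is the network call)."""
    with urllib.request.urlopen(url, timeout=30) as resp:
        return resp.read().decode("utf-8")


def fetch_scores(queue, get=http_get):
    """Score a whole queue: one request per PAGE CVE IDs, following offset pagination
    until `total` rows for that batch have been read."""
    scores = {}
    for start in range(0, len(queue), PAGE):
        batch = queue[start:start + PAGE]
        offset = 0
        while True:
            page, total = parse_page(get(build_query(cves=batch, offset=offset)))
            scores.update(page)
            offset += PAGE
            if not page or offset >= total:
                break
    return scores


def triage(queue, scores, tolerance=0.50):
    """Split the queue at the organization's tolerance (default 50%, as in the post).

    A CVE absent from the EPSS data is reported separately: 'no score yet' must not
    fall silently into the 'can wait' pile.
    """
    patch_now, can_wait, unscored = [], [], []
    for cve in queue:
        if cve not in scores:
            unscored.append(cve)
        elif scores[cve][0] >= tolerance:
            patch_now.append(cve)
        else:
            can_wait.append(cve)
    patch_now.sort(key=lambda c: scores[c][0], reverse=True)  # most likely to be exploited first
    return patch_now, can_wait, unscored


# Constructed sample data: the CVE IDs use an impossible year so they match nothing real.
QUEUE = ["CVE-2099-0001", "CVE-2099-0002", "CVE-2099-0003", "CVE-2099-0004"]
SAMPLE_RESPONSE = json.dumps({
    "status": "OK", "status-code": 200, "version": "1.0", "access": "public",
    "total": 3, "offset": 0, "limit": PAGE,
    "data": [
        {"cve": "CVE-2099-0001", "epss": "0.97213", "percentile": "0.99912", "date": "2099-01-01"},
        {"cve": "CVE-2099-0002", "epss": "0.51000", "percentile": "0.97010", "date": "2099-01-01"},
        {"cve": "CVE-2099-0003", "epss": "0.00431", "percentile": "0.61200", "date": "2099-01-01"},
    ],
})


if __name__ == "__main__":
    # Offline run against the constructed response; call fetch_scores(QUEUE) with the
    # default transport to query the live API instead.
    scores = fetch_scores(QUEUE, get=lambda url: SAMPLE_RESPONSE)
    now, wait, unknown = triage(QUEUE, scores, tolerance=0.50)
    print("patch now :", now)
    print("can wait  :", wait)
    print("unscored  :", unknown)
    print("threshold query:", build_query(epss_gt=0.95))
```

The transport is injected so the triage logic can be exercised without touching the API; in production, run `fetch_scores` on a schedule (daily is plenty, since EPSS scores are republished daily) and treat the `unscored` list as work to investigate, not as a free pass.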
In my humble opinion, the EPSS API is truly a big deal. Anyone who has a significant open vulnerability queue should adopt EPSS immediately[5]. Of course, EPSS provides a “prediction”: a data-informed estimate of the probability that a CVE will be exploited in the wild over the following 30 days. There are no guarantees.
As I’ve said many times, attackers are creative, adaptable, and innovative. The threat landscape is dynamic.
Just because a CVE doesn’t score a sufficiently high prediction value doesn’t mean it won’t actually be used. Attackers are resourceful people who may do the unexpected. No security is perfect. As always, a layered defense raises attack costs and limits the impact of a successful exploit, while also surfacing indicators of compromise so that the unexpected can be caught early enough to survive it.
EPSS won’t save you the trouble of building security architectures. But it will help to manage unpatched vulnerability queues so that the issues most likely to be exploited get priority.
Let’s fix issues that have some probability of actually being exploited rather than chasing “all” or over-reacting to every hyped, logo-ed fire-drill.
[1] Prioritization to Prediction, Cyentia Institute, and Kenna Security: https://www.kennasecurity.com/prioritization-to-prediction-report/images/Prioritization_to_Prediction.pdf and “Exploit Prediction Scoring System (EPSS)” https://www.first.org/epss/
[2] Mismatch? CVSS, Vulnerability Management, and Organizational Risk
[3] Thanks to Walter Haydock for alerting me to the publication of the EPSS API.
[4] Allodi, Luca & Massacci, Fabio (2014). Comparing Vulnerability Severity and Exploits Using Case-Control Studies. ACM Transactions on Information and System Security, 17(1), 1-20. doi:10.1145/2630069. http://seconomicsproject.eu/sites/default/files/seconomics/public/content-files/downloads/Comparing Vulnerabilities and Exploits using case-control studies.pdf and NopSec, Inc.’s 2016 and 2018 State of Vulnerability Risk Management Reports: http://info.nopsec.com/SOV-2016.html and http://info.nopsec.com/SOV-2018.html
[5] It would be great if organizations who use the EPSS API would contribute to subsidize FIRST.org EPSS efforts.