EPSS (Exploit Prediction Scoring System) Tutorial
Vulnerability management is a crucial component of an information security program, dedicated to identifying and remediating vulnerabilities before attackers can exploit them. Its central challenge is deciding which of an ever-growing number of vulnerabilities represent the most urgent risk, so that attention and remediation resources go where they matter most. Prioritization typically relies on security analysts to review and categorize individual vulnerability findings based on technical severity scores. That approach is inefficient when most security teams are already overburdened, and the teams responsible for remediation are left without the context to decide which critical vulnerabilities to fix first; the result is that, in practice, only around 10% of identified vulnerabilities get addressed.
The Exploit Prediction Scoring System (EPSS) was created to help organizations with exactly this problem. It scores each vulnerability by how likely it is to be exploited, giving prioritization and remediation guidance an input that severity scores alone do not provide.
While EPSS has limitations and pitfalls, it’s worth exploring how it fits into a vulnerability management program. In this article, we explain EPSS, analyze its capacity to augment vulnerability prioritization within organizations, and provide guidance on implementing EPSS within a comprehensive vulnerability management strategy.
Summary of key EPSS concepts
This article covers the following key concepts:
What is EPSS?
The Exploit Prediction Scoring System (EPSS), created and maintained by the Forum of Incident Response and Security Teams (FIRST), is a vulnerability scoring model that predicts the likelihood that attackers will exploit a given vulnerability.
FIRST trains a machine learning model (gradient-boosted decision trees in the current version, per the model description at first.org) on the input data detailed below to produce the score. FIRST estimates that only 2-7% of published vulnerabilities are ever exploited in the wild (first.org). If at least 93% of vulnerabilities are never exploited, there is a large opportunity for organizations to prevent vulnerability-based incidents efficiently by identifying the minority that are likely to be exploited soon.
EPSS outputs a probability between 0 and 1, i.e. a 0% to 100% estimate that exploitation activity against the vulnerability will be observed in the wild within the next 30 days. The score is meant to help order remediation work: higher scores first, all else being equal.
Every day, FIRST runs the model over the published CVE list from MITRE, using over 1,100 attributes (features) per vulnerability to produce a probability score for each one. Examples of the attributes include:
- How long has the CVE been published?
- Is there published exploit code in Metasploit, GitHub, or Exploit-DB?
- Do popular vulnerability scanning tools identify the vulnerability?
- Have exploitation attempts been observed by sensor networks such as Fortinet's or AlienVault's?
- Does the type of vulnerability (e.g., SQL injection) have a history of exploitation?
The values of these attributes are predictive: each pushes the estimate up or down. For example, if a vulnerability scanner or exploitation framework already ships a module for the vulnerability, attackers don't have to write their own exploit or scanner to locate vulnerable hosts on a target network, which makes exploitation more likely.
Let's look at the EPSS data downloadable from first.org. It is published daily as a simple gzip-compressed CSV file with a leading comment line (model version and score date) followed by three columns:
- CVE: The CVE identifier as specified by MITRE’s CVE list
- EPSS: The EPSS score representing the probability (0-1) of exploitation in the next 30 days
- Percentile: The percentile of the current score, i.e. the fraction (0-1) of all scored vulnerabilities with an EPSS score equal to or lower than this one
Here’s an example of entries from the file:
As you can see, it's simply a list of CVE, EPSS, and percentile values. Suppose I'm interested in a specific CVE, such as CVE-2023-23737 (a SQL injection vulnerability with a CVSS score of 9.3). I can find it easily using grep:
This line shows that CVE-2023-23737 had a very low predicted likelihood of exploitation: an EPSS score of 0.00043, i.e. 0.043% over the 30 days starting on October 14, 2023 (the score date in the file). Its percentile of 0.072 means only 7.2% of all scored vulnerabilities have the same or lower score. Scores are recalculated daily, so this value will change over time.
EPSS security value
Any security program, vulnerability management included, aims to reduce risk. As security professionals, we must always keep risk in view to justify and prioritize our efforts. The most significant risks we manage in infosec are business mission or operational risks, for example reputational, financial, and legal risk. An example of a financial risk is the company's web storefront going offline because of an exploited vulnerability, cutting off a revenue stream.
EPSS provides the likelihood that an attacker exploits the storefront's vulnerability, which is one factor in the risk represented by the unremediated or unpatched vulnerability. However, we must also assess impact, which requires knowing the value of the underlying asset. These two elements combine to form a core information security concept: Risk = Likelihood × Impact.
The storefront asset is critical to sales revenue, so any disruption has a high impact. However, the same vulnerability on a different asset, such as the company’s intranet, won’t have the same impact and, therefore, doesn’t pose the same financial risk.
While EPSS provides one piece of the puzzle, a comprehensive vulnerability management program requires many activities, including filtering and sorting vulnerabilities and correlating them to assets to understand risk (this blog explains more). Another critical factor in reducing risk is how fast the highest-risk vulnerabilities can be remediated. Fast remediation can stop a breach before it happens, but operationalizing it relies heavily on automated, efficient assignment and tracking of remediation tasks through to completion (read more on operationalization here).
EPSS has a few limitations that one must remember:
- Input data quality: EPSS consumes several potentially inconsistent and unstructured data sources, such as sensor logs from AlienVault, so the analysis is vulnerable to data quality issues. For example, if exploitation attempts against a specific CVE in those logs are not correctly attributed to that CVE, the model produces an incorrectly low score.
- Machine learning bias: Machine learning models learn patterns from past inputs and outcomes and apply them to new inputs. Bias here is the systematic difference between what the model predicts and what actually happens. A novel vulnerability that looks unlike anything in the training data can have its likelihood badly over- or underestimated; no model of this kind predicts perfectly.
- Single data point: EPSS only considers the likelihood of an exploit. Other environmental factors, such as the accessibility of the vulnerability from the Internet and how much access is provided by exploiting the vulnerability often are more critical factors in determining risk. For this reason, EPSS shouldn’t be used as a standalone risk assessment methodology.
- Score changes over time: EPSS scores will change from day to day, so when incorporating EPSS data into a vulnerability management program, one should plan to update the scores to ensure that the most accurate values are always used in risk scoring, reports, dashboards, etc.
- Model updates: FIRST updates the model over time (the March 2023 release of EPSS v3 rescored every CVE), and updates can change how features contribute to the score. Stay current with FIRST announcements, make sure downstream scoring models or metrics are resilient to EPSS score changes, and architect downstream vulnerability management processes so that EPSS can be quickly turned off or de-emphasized if a sudden change negatively affects your scores.
Despite these limitations, EPSS is a worthwhile metric to incorporate into a comprehensive program alongside CVSS, asset value, and business risk.
EPSS vs. CVSS
Most security professionals know the Common Vulnerability Scoring System (CVSS), which produces a score from 0.0 to 10.0, with 10 being the highest severity. While this seems superficially similar to EPSS, it measures something different: CVSS is a severity rating that assesses "how bad" the consequences of a vulnerability could be relative to others, not how likely it is to be exploited.
CVSS considers the following:
- Attack vector: How an attacker can reach the vulnerable system (e.g., over the Internet or from within the local network).
- Attack complexity: How hard the vulnerability is to exploit. It is rated Low (no special conditions are needed) or High (the attacker must overcome conditions outside their control); Low complexity contributes a higher score.
- Privileges required: How much access an attacker must already have on the system. It is rated None, Low, or High; None (no authentication needed) contributes the highest score.
- Impact: What could go wrong if someone does exploit the vulnerability. Higher values mean it could cause more harm, like stealing sensitive data or taking control of a computer.
You can learn more about CVSS here, but for the purposes of this article, notice that CVSS measures many intrinsic characteristics of the vulnerability (and, through its optional temporal and environmental metric groups, some of the context around it), while EPSS focuses on a single dimension: the likelihood of exploitation.
FIRST has compared the performance of EPSS and CVSS as the basis of a remediation strategy, using two metrics:
- Efficiency: Of the vulnerabilities prioritized for remediation, what percentage were actually exploited? (Precision, in machine learning terms.) High efficiency means resources are being spent on vulnerabilities that matter.
- Coverage: Of all vulnerabilities that were exploited, what percentage had been prioritized? (Recall.) Low coverage means the strategy leaves the organization exposed through many exploited vulnerabilities it never addressed.
FIRST measured efficiency and coverage in 2021 by scoring all vulnerabilities and then observing which were exploited over the following 30 days; the results are shown in the table below.
Comparison of CVSS and EPSS by coverage (source)
As the table shows, prioritizing remediation by EPSS required significantly less effort to cover roughly the same number of exploited vulnerabilities, i.e. a much higher efficiency. This illustrates the promise of EPSS as a prioritization scheme, but only along the single dimension of exploitation likelihood; the other factors already discussed still determine risk. As mentioned, organizations must integrate CVSS, EPSS, and other inputs into a comprehensive asset-centric program to manage vulnerability-related risk.
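The efficiency and coverage calculation, as an added example that is neither FIRST's evaluation code nor the article's own. The vulnerability set is constructed: each record carries a CVSS base score, an EPSS score, and a made-up label for whether exploitation was observed within 30 days, with the labels chosen so that most exploited vulnerabilities have high EPSS but one (CVE-2099-0020) does not, mirroring the model-miss caveat above. The thresholds (CVSS ≥ 7.0, EPSS ≥ 0.1) are assumptions for illustration.

```python
"""Efficiency (precision) and coverage (recall) of remediation strategies.

Added example for this article. SAMPLE is constructed data with fictional
CVE IDs; the 'exploited' label is the ground truth a strategy is scored against.
"""
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Vuln:
    cve: str
    cvss: float
    epss: float
    exploited: bool  # exploitation observed within 30 days (constructed label)


# Constructed: cvss, epss, exploited-in-30-days
SAMPLE = [Vuln(f"CVE-2099-{i:04d}", c, e, x) for i, (c, e, x) in enumerate([
    (9.8, 0.950, True), (9.8, 0.020, False), (9.1, 0.010, False),
    (8.8, 0.400, True), (8.8, 0.030, False), (8.1, 0.005, False),
    (7.5, 0.600, True), (7.5, 0.010, False), (7.5, 0.020, False),
    (7.2, 0.150, False), (6.5, 0.800, True), (6.5, 0.010, False),
    (6.1, 0.004, False), (5.9, 0.300, True), (5.3, 0.010, False),
    (5.0, 0.002, False), (4.3, 0.003, False), (4.3, 0.001, False),
    (3.7, 0.001, False), (9.0, 0.008, True),  # exploited despite low EPSS
], start=1)]


def evaluate(vulns: list[Vuln], select: Callable[[Vuln], bool]) -> dict[str, float]:
    """Score one strategy. select(v) is True when the strategy would remediate v.

    effort     = number of vulnerabilities remediated
    efficiency = exploited among those remediated / remediated   (precision)
    coverage   = exploited among those remediated / all exploited (recall)
    """
    chosen = [v for v in vulns if select(v)]
    exploited = [v for v in vulns if v.exploited]
    hits = [v for v in chosen if v.exploited]
    return {
        "effort": len(chosen),
        "efficiency": len(hits) / len(chosen) if chosen else 0.0,
        "coverage": len(hits) / len(exploited) if exploited else 0.0,
    }


def cvss_at_least(t: float) -> Callable[[Vuln], bool]:
    return lambda v: v.cvss >= t


def epss_at_least(t: float) -> Callable[[Vuln], bool]:
    return lambda v: v.epss >= t


def compare(vulns: list[Vuln]) -> dict[str, dict[str, float]]:
    """Three strategies: CVSS-only, EPSS-only, and the union of both."""
    return {
        "cvss>=7": evaluate(vulns, cvss_at_least(7.0)),
        "epss>=0.1": evaluate(vulns, epss_at_least(0.1)),
        "either": evaluate(vulns, lambda v: v.cvss >= 7.0 or v.epss >= 0.1),
    }


def coverage_curve(vulns: list[Vuln], thresholds: list[float]) -> list[tuple[float, int, float]]:
    """(threshold, effort, coverage) for an EPSS cut-off sweep: lowering the
    threshold buys coverage at the cost of effort and efficiency."""
    return [(t, r["effort"], r["coverage"])
            for t in thresholds for r in [evaluate(vulns, epss_at_least(t))]]


if __name__ == "__main__":
    for name, r in compare(SAMPLE).items():
        print(f"{name:10s} effort={r['effort']:2d} "
              f"efficiency={r['efficiency']:.2f} coverage={r['coverage']:.2f}")
    for t, effort, cov in coverage_curve(SAMPLE, [0.5, 0.1, 0.01, 0.0]):
        print(f"epss>={t:<5} effort={effort:2d} coverage={cov:.2f}")
```

On this constructed set the EPSS cut-off remediates 6 vulnerabilities instead of 11 while catching one more of the exploited ones; the union strategy reaches full coverage only by accepting lower efficiency, which is the trade-off a real program has to pick deliberately. Swap in your own scanner export with exploitation labels from a source such as a KEV list or IDS telemetry to measure the same trade-off on your data.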
EPSS best practices
We’ve outlined the benefits of EPSS above and shown an example of how EPSS can outperform other prioritization schemes like CVSS. Now we’ll review some best practices.
Implement a risk and asset-centric program first
Think of EPSS as another raw data point that is only useful once placed in a risk context. For example, an exploitable vulnerability may not pose a high risk if the asset sits on an isolated network or has low business value, so avoid sounding the alarm on a high EPSS score alone. While maturing a vulnerability program, first consolidate vulnerability information into a single view or platform so findings can be correlated to assets and scope and risk are understood; only then focus on using EPSS scores to prioritize remediation.
Educate stakeholders on EPSS
Train security team members and IT asset owners on EPSS. Training the organization on EPSS through methods such as internal blog posts or security newsletters is a great way to start getting the benefits of EPSS even without integrating it into official prioritization scores. Training also provides a forum where the vulnerability management team can gather feedback from stakeholders on how they view EPSS integrating into the program.
Note that EPSS can be applicable outside the vulnerability management program. For example, incident response teams can use the EPSS score to influence containment actions when responding to an incident. EPSS could also add transparency and explainability for communicating with operations teams on why one fix was prioritized over another.
Slowly integrate EPSS into the vulnerability management program
Given the results of FIRST's tests, it may be tempting to throw CVSS out and replace it with EPSS. However, every organization has a unique mix of vulnerabilities and assets, so the results will differ when measured against a single organization.
Since EPSS provides a likelihood of exploitation, identify the places in the current vulnerability management program where likelihood can improve prioritization. For example, a vulnerability deprioritized because of a low CVSS score may deserve a higher priority on a critical asset once its EPSS score is taken into account. Replacing CVSS and other internal scoring metrics with EPSS outright can also shift how many vulnerabilities rank higher or lower, upsetting stakeholders or abruptly changing trends in executive-level reporting and triggering a storm of questions.
Changes in prioritization or metrics can erode confidence in the vulnerability management program if they are not properly tested and socialized. Add EPSS to the existing scoring with a low weight first, and run what-if scenarios to understand the effect of each weighting on the ranking before changing what stakeholders see. Take a systematic approach so that all stakeholders and consumers of reports transition smoothly to the improved prioritization scheme.
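The asset-context point from "Implement a risk and asset-centric program first" and the what-if weighting advice just above, as one added example that is not code from the article or from any vendor. The findings, asset criticality scale (1-5), internet-exposure discount, and the blended formula are all assumptions chosen for illustration:

```python
"""What-if analysis for blending EPSS into an existing CVSS-based ranking.

Added example for this article. The scoring formula is an assumption:

    risk = criticality * exposure_factor * ((1 - w) * cvss / 10 + w * epss)

where w is the weight given to EPSS; w = 0 reproduces the current CVSS-only
ranking, so rank movement relative to w = 0 is exactly what stakeholders
would see change. FINDINGS is constructed data with fictional CVE IDs.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve: str
    asset: str
    cvss: float
    epss: float
    criticality: int       # 1 = low business value .. 5 = revenue-critical (assumed scale)
    internet_facing: bool


# Assumed discount for assets that are not reachable from the Internet.
EXPOSURE_FACTOR = {True: 1.0, False: 0.5}

# Constructed findings: same CVE class on different assets gives different risk.
FINDINGS = [
    Finding("CVE-2099-1001", "storefront", 9.8, 0.020, 5, True),
    Finding("CVE-2099-1002", "storefront", 6.5, 0.900, 5, True),   # low CVSS, high EPSS
    Finding("CVE-2099-1003", "intranet", 9.8, 0.900, 2, False),    # same severity, isolated asset
    Finding("CVE-2099-1004", "build-server", 7.5, 0.001, 3, False),
    Finding("CVE-2099-1005", "vpn-gateway", 8.1, 0.450, 4, True),
]


def risk(f: Finding, w: float) -> float:
    """Blend severity (CVSS) and likelihood (EPSS), then scale by asset context."""
    blended = (1 - w) * f.cvss / 10 + w * f.epss
    return f.criticality * EXPOSURE_FACTOR[f.internet_facing] * blended


def rank(findings: list[Finding], w: float) -> list[str]:
    """CVE IDs ordered from highest to lowest risk at EPSS weight w."""
    return [f.cve for f in sorted(findings, key=lambda f: risk(f, w), reverse=True)]


def what_if(findings: list[Finding], weights: tuple[float, ...] = (0.0, 0.25, 0.5)) -> dict:
    """For each weight, the ranking and each finding's movement versus the
    CVSS-only baseline (positive = moved up the list)."""
    baseline = rank(findings, 0.0)
    report = {}
    for w in weights:
        order = rank(findings, w)
        moves = {cve: baseline.index(cve) - order.index(cve) for cve in order}
        report[w] = {"order": order, "moves": moves}
    return report


def low_cvss_high_epss(findings: list[Finding], cvss_max: float = 7.0,
                       epss_min: float = 0.5, min_criticality: int = 4) -> list[str]:
    """Findings a CVSS-only triage would have deprioritized but EPSS flags on a
    critical asset: the case worth reviewing first when introducing EPSS."""
    return [f.cve for f in findings
            if f.cvss < cvss_max and f.epss >= epss_min and f.criticality >= min_criticality]


if __name__ == "__main__":
    for w, r in what_if(FINDINGS).items():
        print(f"w={w}: {r['order']}")
        print("   moves:", {c: m for c, m in r["moves"].items() if m})
    print("review first:", low_cvss_high_epss(FINDINGS))
```

In this constructed set the storefront's CVSS 9.8 finding (EPSS 0.02) holds the top spot at w = 0 but drops to third at w = 0.5, while the storefront's CVSS 6.5 finding (EPSS 0.90) rises to first; the intranet finding with the same 9.8/0.90 profile never leaves the bottom two because of its low criticality and isolation. Those are precisely the rank moves to socialize with stakeholders before the weight is changed in production.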
EPSS offers a promising approach to improving the efficiency of prioritization for vulnerability management by enriching technical severity scores with an assessment of how likely the vulnerability will be exploited. EPSS’s effectiveness is maximized when integrated into a broader risk-based strategy within an organization.