blog

What is EPSS? A Comprehensive Guide to the Exploit Prediction Scoring System for vulnerability management

EPSS CVSS and how to use it in vulnerability management program

Organisations must remain vigilant to safeguard their digital assets in the rapidly changing cybersecurity landscape. The EPSS model is perfect for vulnerability management in application, cloud and infrastructure security. Vulnerability management is a systematic and proactive approach to identifying, assessing, prioritizing, and mitigating vulnerabilities within an organization’s IT infrastructure, applications, and systems. EPSS provides one of the elements used in Cyber Risk quantification, a pivotal element in a vulnerability management scoring system.

The Forum of Incident Response and Security Teams (FIRST) plays a pivotal role by offering guidance and best practices for security incident response. A crucial initiative spearheaded by FIRST is the Exploit Prediction Scoring System (EPSS) Model, a framework designed to improve product security in a systematic and quantifiable manner. This blog article will explore the EPSS Model, its objectives, components, and how it leverages machine learning to predict vulnerability exploitation.

Overview of EPSS Model

EPSS Exploit Prediction Scoring System

The EPSS Model is a machine learning-based system that predicts the likelihood of a vulnerability being exploited within 30 days. It represents the third iteration of the model, incorporating lessons learned from previous versions to enhance the design and efficacy of the scoring system.

The EPSS model is particularly good for vulnerability management in application, cloud and infrastructure security.

Development and Features

The authors of the EPSS Model combined exploit data with community insights to predict vulnerabilities. The model’s prediction performance improved by 82% compared to its predecessor by utilising a diverse feature set and state-of-the-art machine learning techniques.

EPSS scores all vulnerabilities published on MITRE’s CVE List (and the National Vulnerability Database), significantly reducing the effort required to patch critical vulnerabilities compared to strategies based on CVSS.

Advantages of EPSS Model

One of the primary benefits of the EPSS Model is its open-source nature, allowing for widespread access, transparency, and community contributions. Using vulnerable data to make predictions provides more accurate results than scoring systems relying solely on severity ratings.

What data does EPSS Utilize?

The data used in this research is based on 192,035 published vulnerabilities (not marked as “REJECT” or “RESERVED”) listed in MITRE’s

Common Vulnerabilities and Exposures (CVE) list through December 31, 2022. According to the latest paper

Some of the EPSS Variables and some of the data sources

The EPSS model in details

The Enhanced Product Security Standard (EPSS) Model predicts the likelihood of a vulnerability being exploited within 30 days. Although we don’t have access to the detailed inner workings of this specific model, following an overview on how the model works

  1. Data collection and preprocessing: The first step in building a machine learning model is to gather relevant data. For the EPSS Model, this includes data on known vulnerabilities, associated exploits, and other factors that may influence exploitability. Data sources can include the MITRE CVE List, the National Vulnerability Database, and various threat intelligence feeds. This data is then preprocessed and cleaned to ensure it is suitable for training the model.
  2. Feature engineering: The next step is identifying and extracting relevant features from the collected data. Features are individual measurable properties or characteristics of the vulnerabilities that can help the model predict exploit likelihood. Examples of features include the age of the vulnerability, the affected software or hardware, the type of vulnerability, the complexity of the exploit, and the availability of exploit code.
  3. Model selection and training: Once the features are identified and extracted, an appropriate machine learning algorithm is selected based on the problem and data characteristics. The EPSS Model likely utilizes a supervised learning algorithm, where the model is trained on a labelled dataset with known outcomes (whether a vulnerability was exploited or not). The training process involves adjusting the model’s parameters to minimize prediction errors.
  4. Model evaluation and validation: After training the model, its performance must be evaluated using a separate dataset that was not part of the training process. Common evaluation metrics for classification problems include accuracy, precision, recall, and F1 score. The model might also be validated using techniques such as cross-validation or bootstrapping to ensure its reliability and robustness.
  5. Prediction and scoring: Once the model is trained and validated, it can be used to predict the likelihood of exploitation for new, previously unseen vulnerabilities. The model assigns a score to each vulnerability, with higher scores indicating a higher probability of being exploited within the next 30 days.
  6. Continuous improvement: As new vulnerability and exploit data becomes available, the model must be updated and retrained to maintain accuracy and relevance. This can involve updating the feature set, refining the model’s parameters, or changing the underlying machine-learning algorithm if necessary.

The specific details of the EPSS Model, such as the exact features used and the machine learning algorithm employed, might be private. There are several whitepapers on the subject to disclose and clarify the sources.

Challenges and Limitations

Despite its advantages, the EPSS Model has some limitations you must consider when considering it in your vulnerability management program. Vulnerability scores can change rapidly as new information emerges, requiring organisations to continuously monitor their systems and update patching priorities. Furthermore, accurately forecasting real-time information remains complex due to the ever-evolving nature of cyber threats.

Credit EPSS model (preview paper)Jacobs, Jay, et al. “Enhancing Vulnerability Prioritization: Data-Driven Exploit Predictions with Community-Driven Insights.” arXiv preprint arXiv:2302.14172 (2023).

The model’s accuracy (precision) and coverage (Recall) have improved. There are some limitations like real timeliness and availability of vulnerabilities declaration (usually available quite a long time after a vulnerability is exploited). Nonetheless, when there are a sea of vulnerabilities to fix EPSS proves a very powerful tool for prioritizing vulnerabilities.

Precision

The algorithm’s precision is a measure (on a finite subset of vulnerabilities) of the accuracy of a threat intelligence system or the percentage of correctly identified threats out of all the threats identified by the system. 

For example, if a threat intelligence system identified 100 threats, 95 of them were threats, the system’s precision would be 95%.

Recall

This represents the completeness of a threat intelligence system or the percentage of actual threats identified by the system out of all the present threats. For example, if there were 100 threats present, and the threat intelligence system identified 95 of them, the system’s recall would be 95%.

Caveat

On some vulnerabilities, EPSS performs well in 1-2 weeks as the system stabilises a prediction score but might fail to raise the alarm immediately. Most exploited vulnerabilities will have most of their published exploits a month after publication. Few cases and examples if you consider using EPSS in vulnerability management program

EPSS scores are constantly changing, especially after initial exploitation

  • Log4shell CVE-2021-44228 only reached a score of over 50% after four days, and its final score of 96% after a full month.
  • CVE-2022-22954 started with 66.9% on the date of publication. A week later, EPSS dropped the score to 32.6% with no exploit found in the wild. However, an exploit was published almost a month after publication, and EPSS raised the score to 93%.

In those cases, EPSS can be compensated or replaced by more real-time cyber threat intelligence and alerting from various providers. In situations like this, First’s documentation for EPSS advises:

If there is evidence that a vulnerability is being exploited, then that information should supersede anything EPSS says.

On the other hand, the vulnerability score and probability of exploitation can vary over time. Using EPSS directly against CVSS can lead to variable risk. 

We recommend using a weighted value of EPSS against CVSS to compensate to the sharp variation of EPSS scores.

Credit EPSS article on log4j prioritization

Modern Cyber Risk Quantification.

Pillars of a cyber risk quantification system

Modern cyber risk quantification has evolved to rely on many weighted and time-bound factors to assess the probability of exploitation accurately, the dangerousness of an exploit, and the impact it has on an application based on its deployment context. The probability of exploitation is influenced by the location of the asset, where the vulnerability is present, the likelihood of exploitation, the dangerousness of the exploit, the availability of the exploit, and its presence in popular repositories. The base potential dangerousness of an exploit is generally conveyed through CVSS/CWSS scores. The overall impact of a vulnerability considers the number of users affected, the organization’s resilience to an application being compromised, the volume and nature of data at risk (e.g., sensitive or critical), and the level of privacy associated with the data within the application. By considering these multifaceted factors, modern cyber risk quantification enables organizations to make informed decisions about their security posture and prioritize remediation efforts effectively.

Integrating Contextual Cyber risk quantification in a modern vulnerability management program

Integrating contextual cyber risk quantification into vulnerability management is essential for organizations to prioritize remediation efforts effectively and allocate resources optimally. By considering the unique context of each vulnerability, including factors such as the criticality of the affected asset, the potential impact on the business, the likelihood of exploitation, and the organization’s overall risk tolerance, a more accurate and nuanced assessment of risk can be achieved. This context-aware approach to vulnerability management enables organizations to address the most pressing vulnerabilities first, ensuring that limited resources are utilized efficiently while providing the best possible protection against cyber threats. Ultimately, contextual cyber risk quantification enhances the decision-making process in vulnerability management, empowering organizations to make informed choices and improve their cybersecurity posture proactively.

A modern cyber risk score would rely on the following factors

  • Probability of exploitation – how likely is an exploit to manifest? This information can be derived from a mix of
    • Cyber threat intelligence like EPSS, Vulnerability real-time cyber threat intelligence 
    • Location – where an asset is located in the network 
    • Context – how is the system connected and deployed, and what other vulnerabilities are deployed in the environment where the asset is deployed
    • Dangerousness of an exploit – this is usually described well by the CVSS or CWSS base vulnerability information
    • Public availability of an exploit for the vulnerability
  • Impact analysis – this describes the vulnerabilities impact in the application/environment where it manifests, for example, how much downtime a vulnerability exploitation could cause 
Phoenix Security Cyber risk quantification of vulnerabilities
Phoenix Security Cyber risk quantification of vulnerabilities

An example of those factors:

  • The Probability of exploitation can be derived from
    • Location of an asset (internal/ external) where the vulnerability is manifested
    • Likelihood of exploitation
      • EPSS and the likelihood of exploitation
      • Cyber threat intelligence like VulnDB, CISA KEV, Local Advisories
  • Dangerousness of the exploit
    • Is the exploit a Remote Code Execution (RCE)
    • Is there an exploit available for the vulnerability?
    • Is the exploit module automated / readily available in exploitdb, github, nuclei, and metasploit
  • The base danger of the exploit is generally communicated by CVSS/ CWSS score
  • The impact of a vulnerability overall
    • How many users it impacts
    • How much can the organization survive with an application compromised
    • How much data is there to compromise 
    • How private is the data in the application (sensitive, critical etc…) 

Phoenix cyber risk Scoring

Phoenix uses EPSS to predict the vulnerabilities, the location of assets, the impact it can cause, and compensating controls. 

Each variable is introduced with controlled weights and time windows to control a sharp increase or decrease in the risk scoring (unless all the variables change sharply, the event happens with a rarity of 0.09%).

If using EPSS in your system, we recommend using a weighted value of EPSS against CVSS to compensate for the sharp variation of EPSS scores.

Phoenix Security Platform integrates and provides EPSS scoring in the risk quantification system.

Cyber risk quantification and prioritization visualization in Phoenix Security Platform
Cyber risk quantification and prioritization visualization in Phoenix Security Platform

In case you want to rely on real-time information, the phoenix security platform can provide connections to more real-time scoring like vulnerability db, vulndb, recorded futures and other integrations.

Conclusion

The EPSS Model is invaluable for organizations prioritising patching efforts based on vulnerability exploitation likelihood. Although some disadvantages exist, its open-source approach and reliance on vulnerable data make it a reliable option for many organizations. By implementing the EPSS Model, organizations can enhance their cybersecurity measures and protect their digital assets more effectively.

Phoenix Perspective

Relying on cvss and only on severity is a receipt for burnout. Phoenix security is here to help with automated prioritization and contextualization. Phoenix uses a combination of scoring, prioritization, selection and alerting that enables the team to focus on the 10% of vulnerabilities that matters in the context of the organization

Cyber Risk quantification visualization in Phoenix Security Platform
Cyber Risk quantification visualization in Phoenix Security Platform

Leveraging the power of EPSS and other cyber threat intelligence without the need of configuration, you can focus on 10% of the vulnerabilities that really matter.

Cyber Risk quantification visualization in Phoenix Security Platform
Cyber Risk quantification in phoenix for individual Vulenrabilities

Phoenix security also integrates with Cyber threat intelligence providers like CISA, alerting when a vulnerability appears in the Known Exploit Vulnerability database (CISA-KEV)

CISA KEV alerting in Phoenix

In conclusion, leveraging on EPSS together with other factors enables the cyber security team and development team to focus on cyber risk quantification and, what’s more essential and prevents burnout.

Francesco is an internationally renowned public speaker, with multiple interviews in high-profile publications (eg. Forbes), and an author of numerous books and articles, who utilises his platform to evangelize the importance of Cloud security and cutting-edge technologies on a global scale.

Discuss this blog with our community on Slack

Join our AppSec Phoenix community on Slack to discuss this blog and other news with our professional security team

From our Blog

Explore ASPM’s role in modern application security, offering a panoramic view that extends beyond code vulnerabilities. This guide demystifies concepts like traceability, reachability analysis, and asset lineage, pivotal for securing digital assets. Learn how ASPM empowers organizations with actionable insights for precise vulnerability management. #Cybersecurity #ASPM #ApplicationSecurity
Francesco Cipollone
Explore the transformative role of ASPM in cybersecurity. Uncover how Application Security Posture Management aligns business and security objectives for effective vulnerability management and risk reduction. Discover Phoenix Security’s innovative approach to tackling the staggering challenge of CVEs with a strategic focus on prioritization. #ASPM #Cybersecurity #VulnerabilityManagement
Francesco Cipollone
Explore the critical insights into the latest container security vulnerabilities named leaky vessels, including CVE-2024-21626, CVE-2024-23651, CVE-2024-23653, and CVE-2024-23652, BuildKit flaws, with our comprehensive guide on mitigation strategies, best practices for application security, and tips for robust vulnerability management in Docker and Kubernetes environments. Stay ahead in securing your container deployments against potential threats with ASPM help
Francesco Cipollone

Jeevan Singh

Founder of Manicode Security

Jeevan Singh is the Director of Security Engineering at Rippling, with a background spanning various Engineering and Security leadership roles over the course of his career. He’s dedicated to the integration of security practices into software development, working to create a security-aware culture within organizations and imparting security best practices to the team.
In his role, Jeevan handles a range of tasks, from architecting security solutions to collaborating with Engineering Leadership to address security vulnerabilities at scale and embed security into the fabric of the organization.

James Berthoty

Founder of Latio Tech

James Berthoty has over ten years of experience across product and security domains. He founded Latio Tech to help companies find the right security tools for their needs without vendor bias.

Christophe Parisel

Senior Cloud Security Architect

Senior Cloud Security Architect

Chris Romeo

Co-Founder
Security Journey

Chris Romeo is a leading voice and thinker in application security, threat modeling, and security champions and the CEO of Devici and General Partner at Kerr Ventures. Chris hosts the award-winning “Application Security Podcast,” “The Security Table,” and “The Threat Modeling Podcast” and is a highly rated industry speaker and trainer, featured at the RSA Conference, the AppSec Village @ DefCon, OWASP Global AppSec, ISC2 Security Congress, InfoSec World and All Day DevOps. Chris founded Security Journey, a security education company, leading to an exit in 2022. Chris was the Chief Security Advocate at Cisco, spreading security knowledge through education and champion programs. Chris has twenty-six years of security experience, holding positions across the gamut, including application security, security engineering, incident response, and various Executive roles. Chris holds the CISSP and CSSLP certifications.

Jim Manico

Founder of Manicode Security

Jim Manico is the founder of Manicode Security, where he trains software developers on secure coding and security engineering. Jim is also the founder of Brakeman Security, Inc. and an investor/advisor for Signal Sciences. He is the author of Iron-Clad Java: Building Secure Web Applications (McGraw-Hill), a frequent speaker on secure software practices, and a member of the JavaOne Rockstar speaker community. Jim is also a volunteer for and former board member of the OWASP foundation.

Join our Mailing list!

Get all the latest news, exclusive deals, and feature updates.