
Is EPSS Lying About Your Vulnerability Risk?



Solutions Review’s Contributed Content Series is a collection of contributed articles written by thought leaders in enterprise software categories. Jacob Baines of VulnCheck examines how expanding the KEV catalog can fill in the blanks left by the EPSS (Exploit Prediction Scoring System).

The time it takes attackers to start using known vulnerabilities (publicly disclosed flaws in software, firmware, or connected products) has shrunk to eight days. Cybersecurity teams need to be quicker than their adversaries, or they put their networks at risk of exploitation.

The challenge is knowing which vulnerabilities attackers will use and, therefore, which vulnerabilities are most worthwhile to remediate. While teams can take some small comfort in the fact that only 2.25 percent of vulnerabilities end up being associated with active attacks or weaponized exploits, they still don’t have a reliable way to effectively and efficiently prioritize those vulnerabilities.

The Common Vulnerability Scoring System (CVSS) has been assigning severity scores to vulnerabilities for nearly two decades. CISA’s Known Exploited Vulnerabilities (KEV) catalog is the most frequently referenced repository for managing vulnerabilities, but it still doesn’t completely solve the prioritization challenge because of curation lag and a lack of context or attribution.

One option getting a lot of attention is the Exploit Prediction Scoring System (EPSS), which uses machine learning to produce probability-of-exploit scores for all published Common Vulnerabilities and Exposures (CVEs). Because EPSS combines threat information from CVEs with newer information on exploits to come up with data-driven assessments, some have touted it as a better way to assess threats.

However, I would argue that a closed-source model is not the right step forward, especially one that doesn’t take reality into account and is not a good predictor. With EPSS, scores have to be recalculated regularly as new information comes in. That’s not really predictive; it’s reactive.

A better solution would be to build on KEV, developing ways to use its information faster and better.


What EPSS Overlooks

EPSS was first presented to the cybercommunity at Black Hat in the summer of 2019 and began releasing public scores in January 2021, rating the probability that a software vulnerability would be exploited in the wild on a scale of 0 percent (unlikely) to 100 percent (very likely).

But the model misses some obvious threats. Consider the Citrix ADC and Gateway CVE-2020-8196, which is listed in the KEV catalog. Our data also shows public exploits of the vulnerability, links to the threat actor Fox Kitten (which has been tied to the Iranian government and used in multiple attacks in industrial sectors) as well as to China-based threat actors, and multiple source links to ransomware.

Based on the evidence, it should be a “patch immediately” vulnerability. Yet EPSS gives it a probability score of only around 57 percent, which is far too low for something that we know is being exploited.

There are many other examples.

  • CVE-2008-3431 has been used by hacker groups such as the Chinese group Winnti, users of the Iranian data wiper Dustman, and the Russian hacking group Turla. But it has an EPSS probability score of just seven percent, for some reason.
  • The more recent CVE-2023-32439 has been exploited as a zero-day in the wild, but still has an EPSS score of just 40 percent.
  • Even more recently, CVE-2023-20198 and CVE-2023-20273 have been used to exploit Cisco IOS XE switches and routers all over the globe. Immediate response to that crisis is imperative for anyone who relies on that hardware. However, CVE-2023-20273 didn’t have an EPSS score as of October 24 despite Cisco publishing it on October 20, a significant gap.

Build on the KEV Catalog

We don’t need to reinvent the wheel. A more effective approach is simply to make the way security teams use the KEV catalog better and faster. Organizations need a solution that takes the information available in the KEV and applies automation and real-time analysis, combining vulnerability intelligence with information on current exploit activity. That would give security teams what they need to make better-informed decisions on which threats to tackle first.

The right solution would crawl online forums, public databases, Git repositories and other available sources. It would look to identify proof-of-concept (PoC) code, which reveals weaknesses in advance of an actual attack, as well as evidence of exploitation in the wild. It also would scour other essential information to help prioritize vulnerability management, including:

  • Public exploits of a vulnerability, which make the exploit code available to other attackers.
  • Whether the vulnerability has been exploited in the wild, indicating the exploit is active.
  • Whether the vulnerability is being used by APTs, indicating a prolonged, targeted attack.
  • Whether the vulnerable system is internet-exposed.

The critical element in this solution is that it does this work in real-time and at machine speed. It should have easy-to-use, open APIs, performing analysis without the need for human involvement. Instead, it swiftly supplies human analysts with the information they need to make better decisions more quickly.
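The following is an added example, not code from the article or from VulnCheck, of how the prioritization described above can be expressed as a rule: KEV membership and the exploit-evidence signals from the list (public exploit, exploited in the wild, APT use, internet exposure) decide the remediation tier, and EPSS is used only to order findings within a tier. The KEV-style JSON and EPSS-style CSV embedded below copy the column and field names of the public feeds, but every date, score and signal is constructed for illustration, the `CVE-2099-*` identifiers are placeholders, and the tier thresholds are an assumption of this example.

```python
"""Rule-based prioritisation that builds on KEV membership and exploit-evidence
signals, using EPSS only as a tie-breaker within a tier.

Everything below is constructed for this example: the KEV-style JSON and the
EPSS-style CSV follow the field names of the public feeds, but the dates,
scores and signals are illustrative, and CVE-2099-* ids are placeholders.
"""
import csv
import io
import json

# Constructed KEV-style feed (field names follow the CISA KEV JSON entries;
# the values are not taken from the real catalog).
KEV_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2020-8196", "dateAdded": "2021-11-03",
     "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2023-20198", "dateAdded": "2023-10-16",
     "knownRansomwareCampaignUse": "Unknown"},
]})

# Constructed EPSS-style CSV (cve,epss,percentile). An empty epss field models
# a CVE that has no score yet, as the article describes for CVE-2023-20273.
EPSS_CSV = """cve,epss,percentile
CVE-2020-8196,0.57,0.97
CVE-2008-3431,0.07,0.80
CVE-2023-32439,0.40,0.95
CVE-2023-20198,0.90,0.99
CVE-2023-20273,,
CVE-2099-0001,0.95,0.99
CVE-2099-0002,0.10,0.85
CVE-2099-0003,0.01,0.20
"""

# Constructed exploit-evidence signals, one flag per bullet in the article.
INTEL = {
    "CVE-2020-8196": {"public_exploit", "apt_use"},
    "CVE-2008-3431": {"public_exploit", "apt_use"},
    "CVE-2023-32439": {"exploited_in_wild"},
    "CVE-2023-20198": {"exploited_in_wild", "public_exploit"},
    "CVE-2023-20273": {"exploited_in_wild"},
    "CVE-2099-0002": {"public_exploit"},
}

# Constructed asset inventory: CVEs that sit on internet-exposed hosts.
EXPOSED = {"CVE-2020-8196", "CVE-2023-20198", "CVE-2023-20273",
           "CVE-2099-0001", "CVE-2099-0002"}


def load_kev(text: str) -> dict:
    """Index a KEV-style JSON feed by CVE id."""
    return {v["cveID"]: v for v in json.loads(text)["vulnerabilities"]}


def load_epss(text: str) -> dict:
    """Parse an EPSS-style CSV. A missing score becomes None, never 0.0,
    so 'unscored' stays distinguishable from 'scored low'."""
    scores = {}
    for row in csv.DictReader(io.StringIO(text)):
        scores[row["cve"]] = float(row["epss"]) if row["epss"] else None
    return scores


def assess(cve, kev, epss, intel, exposed):
    """Return (tier, reasons): tier 1 = patch immediately, 4 = routine."""
    sig = intel.get(cve, set())
    reasons = []
    if cve in kev:
        reasons.append("in KEV")
        if kev[cve].get("knownRansomwareCampaignUse") == "Known":
            reasons.append("ransomware use")
    for flag in ("exploited_in_wild", "apt_use", "public_exploit"):
        if flag in sig:
            reasons.append(flag)
    if cve in exposed:
        reasons.append("internet-exposed")
    score = epss.get(cve)
    if score is None:
        reasons.append("no EPSS score")

    # Assumed thresholds: evidence of real attacks outranks any model score.
    if cve in kev or "exploited_in_wild" in sig or "apt_use" in sig:
        tier = 1   # known attack use: EPSS value (or its absence) is irrelevant
    elif "public_exploit" in sig and cve in exposed:
        tier = 2   # exploit code is public and the system is reachable
    elif "public_exploit" in sig or (score is not None and score >= 0.5):
        tier = 3   # exploit code is public, or the model alone says likely
    else:
        tier = 4
    return tier, tuple(reasons)


def prioritize(cves, kev, epss, intel, exposed):
    """Order CVEs by tier, then exposure, then EPSS (unscored sorts last)."""
    rows = []
    for cve in cves:
        tier, reasons = assess(cve, kev, epss, intel, exposed)
        rows.append((tier, cve not in exposed, -(epss.get(cve) or 0.0), cve, reasons))
    rows.sort()
    return [(cve, tier, reasons) for tier, _, _, cve, reasons in rows]


def ranked_ids():
    """Convenience wrapper: the ranked CVE ids for the constructed data."""
    kev, epss = load_kev(KEV_JSON), load_epss(EPSS_CSV)
    return [c for c, _, _ in prioritize(epss.keys(), kev, epss, INTEL, EXPOSED)]


if __name__ == "__main__":
    kev, epss = load_kev(KEV_JSON), load_epss(EPSS_CSV)
    for cve, tier, reasons in prioritize(epss.keys(), kev, epss, INTEL, EXPOSED):
        print(f"tier {tier}  {cve:16} epss={epss[cve]}  {', '.join(reasons)}")
```

With the constructed data, CVE-2023-20273 lands in tier 1 even though it has no EPSS score at all, and CVE-2020-8196 and CVE-2008-3431 rank above the placeholder CVE-2099-0001 despite that entry's much higher EPSS value; the ranking follows the evidence of exploitation rather than the model. In a real pipeline the `load_kev` and `load_epss` inputs would be the downloaded feeds and `INTEL`/`EXPOSED` would come from an intelligence source and the asset inventory.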

A More Secure Future

Vulnerability management has made significant strides in recent years, with the KEV catalog representing a genuine leap forward. But there is no time for defenders to stand still. Attackers are steadily refining their own skills and tactics, as evidenced by how quickly they are weaponizing exploits.

EPSS is an attempt to improve defenses, but its closed predictive model falls short, too often failing to take current realities into account. What the cybersecurity community doesn’t need is another solution that creates further confusion on vulnerability prioritization. Rather, we need to build together on what we have, adding threat intelligence and real-time analysis to the information in the KEV catalog to make defenses more effective.
