{"id":5899,"date":"2024-01-24T17:07:19","date_gmt":"2024-01-24T22:07:19","guid":{"rendered":"https:\/\/solutionsreview.com\/network-monitoring\/?p=5899"},"modified":"2024-01-24T17:10:42","modified_gmt":"2024-01-24T22:10:42","slug":"is-epss-lying-about-your-vulnerability-risk","status":"publish","type":"post","link":"https:\/\/solutionsreview.com\/network-monitoring\/is-epss-lying-about-your-vulnerability-risk\/","title":{"rendered":"Is EPSS Lying About Your Vulnerability Risk?"},"content":{"rendered":"<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-5900\" src=\"https:\/\/solutionsreview.com\/network-monitoring\/files\/2024\/01\/EPSS-Vulnerability.jpg\" alt=\"EPSS\" width=\"786\" height=\"393\" srcset=\"https:\/\/solutionsreview.com\/network-monitoring\/files\/2024\/01\/EPSS-Vulnerability.jpg 786w, https:\/\/solutionsreview.com\/network-monitoring\/files\/2024\/01\/EPSS-Vulnerability-300x150.jpg 300w, https:\/\/solutionsreview.com\/network-monitoring\/files\/2024\/01\/EPSS-Vulnerability-768x384.jpg 768w\" sizes=\"(max-width: 786px) 100vw, 786px\" \/><\/p>\n<p><strong><em>Solutions Review\u2019s\u00a0<a title=\"https:\/\/solutionsreview.com\/solutions-review-contributor-guidelines\/\" href=\"https:\/\/solutionsreview.com\/solutions-review-contributor-guidelines\/\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\"Link Contributed Content Series\"><u>Contributed Content Series<\/u><\/a> is a collection of contributed articles written by thought leaders in enterprise software categories. 
Jacob Baines of <a href=\"https:\/\/vulncheck.com\/\" target=\"_blank\" rel=\"noopener\">VulnCheck<\/a> examines how expanding the KEV catalog can fill in the blanks left by the Exploit Prediction Scoring System (EPSS).<\/em><\/strong><\/p>\n<p>The time from public disclosure of a known vulnerability (a flaw in software, firmware, or a connected product) to attackers using it has shrunk to eight days. Cybersecurity teams need to be quicker than their adversaries, or they leave their networks open to exploitation.<\/p>\n<p>The challenge is knowing which vulnerabilities attackers will actually use and, therefore, which are most worth remediating first. Teams can take some small comfort in the fact that only 2.25 percent of vulnerabilities end up associated with active attacks or weaponized exploits, but they still lack a reliable way to single out that fraction efficiently.<\/p>\n<p>The Common Vulnerability Scoring System (CVSS) has been assigning severity scores to vulnerabilities for nearly two decades, but severity is not the same thing as likelihood of attack. CISA\u2019s Known Exploited Vulnerabilities (KEV) catalog is the most frequently referenced list of vulnerabilities confirmed to be under attack, but it does not fully solve the prioritization problem either: entries are added only after exploitation has been confirmed and curated, and the catalog carries little context or attribution.<\/p>\n<p>One option getting a lot of attention is the Exploit Prediction Scoring System (EPSS), which uses machine learning to produce a probability-of-exploitation score for every published CVE (Common Vulnerabilities and Exposures entry). Because EPSS combines CVE metadata with more recent exploit and exploitation data to produce a data-driven assessment, some have touted it as a better way to assess threats.<\/p>\n<p>However, I would argue that a closed-source model is not the right step forward, especially one that does not account for what is actually being exploited and is not a good predictor. 
With EPSS, scores have to be recalculated regularly as new information comes in. That is not really predictive; it is reactive.<\/p>\n<p>A better solution would be to build on KEV, developing ways to use its information faster and better.<\/p>\n<h2><strong>Is EPSS Lying About Your Vulnerability Risk?<\/strong><\/h2>\n<hr \/>\n<h3><strong>What EPSS Overlooks<\/strong><\/h3>\n<p>EPSS was first presented to the cybersecurity community at Black Hat in the summer of 2019 and began releasing public scores in January 2021. Each score is the estimated probability that a vulnerability will be exploited in the wild within the next 30 days, on a scale from 0 percent (unlikely) to 100 percent (very likely).<\/p>\n<p>But the model misses some obvious threats. Consider CVE-2020-8196 in Citrix ADC and Gateway, which is listed in the KEV catalog. Our data also shows public exploits for the vulnerability, links to the threat actor Fox Kitten (which has been tied to the Iranian government and used in multiple attacks on industrial sectors) and to China-based threat actors, and multiple sources connecting it to ransomware.<\/p>\n<p>Based on that evidence, it should be a \u201cpatch immediately\u201d vulnerability. Yet EPSS gives it a probability of only around 57 percent, far too low for something we know is being exploited.<\/p>\n<p>There are many other examples.<\/p>\n<ul>\n<li>CVE-2008-3431 has been used by groups such as the Chinese group Winnti, the operators of the Iranian data wiper Dustman, and the Russian group Turla. Yet it has an EPSS probability of just seven percent.<\/li>\n<li>The more recent CVE-2023-32439 has been exploited as a zero-day in the wild, but still has an EPSS score of just 40 percent.<\/li>\n<li>Even more recently, CVE-2023-20198 and CVE-2023-20273 have been used to compromise Cisco IOS XE switches and routers around the globe. An immediate response to that crisis is imperative for anyone who relies on that hardware. 
However, as of October 24, CVE-2023-20273 still had no EPSS score at all, even though Cisco had published it on October 20, a significant gap for a vulnerability already being exploited.<\/li>\n<\/ul>\n<h3><strong>Build on the KEV Catalog<\/strong><\/h3>\n<p>We don\u2019t need to reinvent the wheel. A more effective approach is to make the way security teams use the KEV catalog better and faster. Organizations need a solution that takes the information in the KEV and applies automation and real-time analysis to it, combining vulnerability intelligence with information on current exploit activity. That would give security teams what they need to make better-informed decisions about which threats to tackle first.<\/p>\n<p>The right solution would crawl online forums, public databases, Git repositories, and other available sources. It would look for proof-of-concept (PoC) code, which demonstrates a weakness before it is used in an actual attack, as well as evidence of exploitation in the wild. It would also gather the other signals that matter for prioritizing remediation, including:<\/p>\n<ul>\n<li>Whether public exploit code exists, which puts a working exploit in the hands of any attacker.<\/li>\n<li>Whether the vulnerability has been exploited in the wild, indicating the exploit is in active use.<\/li>\n<li>Whether the vulnerability is being used by APTs, indicating a prolonged, targeted campaign.<\/li>\n<li>Whether the affected system is exposed to the internet.<\/li>\n<\/ul>\n<p>The critical element is that this work happens in real time and at machine speed, through easy-to-use, open APIs, and without a human having to perform the analysis. Instead, it quickly supplies human analysts with the information they need to make better decisions sooner.<\/p>\n<h3><strong>A More Secure Future<\/strong><\/h3>\n<p>Vulnerability management has made significant strides in recent years, with the KEV catalog representing a genuine leap forward. But there is no time for defenders to stand still. 
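<\/p>\n<p>The prioritization the previous section describes, as an added example that is not code from the article or from VulnCheck: a small Python ranking over a constructed inventory. Findings with evidence of exploitation (KEV listing, observed attacks, threat-actor use), public exploit code, or internet exposure are tiered ahead of anything that EPSS alone would promote; EPSS is used only as a tiebreaker within a tier; and a CVE that EPSS has not scored yet stays in its evidence tier instead of sinking to the bottom of the list. The EPSS values are the percentages quoted above, rounded; the exposure flags, the tier rules and threshold, and the two CVE-0000 placeholder identifiers are assumptions made for the example.<\/p>\n
```python
# Added example, not code from the article or from VulnCheck: rank the CVEs
# present in an environment by evidence of exploitation first, and use EPSS
# only as a tiebreaker within an evidence tier.
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Finding:
    cve: str
    in_kev: bool = False              # listed in the CISA KEV catalog
    exploited_in_wild: bool = False   # exploitation observed (zero-day, ransomware, ...)
    apt_use: bool = False             # tied to a named threat actor
    public_exploit: bool = False      # PoC or exploit code is public
    internet_exposed: bool = False    # the affected asset is reachable from the internet
    epss: Optional[float] = None      # EPSS probability 0.0 to 1.0; None when EPSS has no score yet


# Constructed sample inventory. EPSS values are the percentages quoted in the
# article, rounded, and CVE-2023-20273 is left unscored as the article describes.
# Exposure flags and the two CVE-0000 placeholders are assumptions for the example.
SAMPLE: List[Finding] = [
    Finding('CVE-2020-8196', in_kev=True, exploited_in_wild=True, apt_use=True,
            public_exploit=True, internet_exposed=True, epss=0.57),
    Finding('CVE-2008-3431', exploited_in_wild=True, apt_use=True, epss=0.07),
    Finding('CVE-2023-32439', exploited_in_wild=True, epss=0.40),
    Finding('CVE-2023-20273', exploited_in_wild=True, internet_exposed=True, epss=None),
    Finding('CVE-0000-0001', public_exploit=True, epss=0.95),  # placeholder: high score, no attacks seen
    Finding('CVE-0000-0002', epss=0.20),                       # placeholder: nothing known about it
]

EPSS_THRESHOLD = 0.5  # assumed cut-off for promoting a CVE on its EPSS score alone


def tier(f: Finding) -> int:
    # Lower is more urgent. Evidence of exploitation decides the tier; EPSS
    # can only lift a CVE that has no evidence at all.
    if f.in_kev or f.exploited_in_wild or f.apt_use:
        return 1 if f.internet_exposed else 2
    if f.public_exploit:
        return 3
    if f.epss is not None and f.epss >= EPSS_THRESHOLD:
        return 4
    return 5


def evidence_count(f: Finding) -> int:
    return sum([f.in_kev, f.exploited_in_wild, f.apt_use, f.public_exploit, f.internet_exposed])


def rank_by_evidence(findings: List[Finding]) -> List[str]:
    # Tier, then amount of corroborating evidence, then EPSS as the tiebreaker.
    # An unscored CVE counts as 0.0 for the tiebreak but keeps its tier.
    ordered = sorted(findings, key=lambda f: (tier(f), -evidence_count(f), -(f.epss or 0.0)))
    return [f.cve for f in ordered]


def rank_by_epss(findings: List[Finding]) -> List[str]:
    # EPSS-only ordering for comparison; an unscored CVE falls to the bottom.
    ordered = sorted(findings, key=lambda f: -(f.epss if f.epss is not None else -1.0))
    return [f.cve for f in ordered]


def unscored(findings: List[Finding]) -> List[str]:
    # CVEs that EPSS has not scored yet; these need a manual look, not a default of zero.
    return [f.cve for f in findings if f.epss is None]


if __name__ == '__main__':
    print('evidence-first:', rank_by_evidence(SAMPLE))
    print('epss-only:     ', rank_by_epss(SAMPLE))
    print('no EPSS score: ', unscored(SAMPLE))
```
<p>Run it with python3 and compare the two orderings: the EPSS-only list puts the placeholder with a 95 percent score first and the unscored Cisco CVE last, while the evidence-first list keeps every CVE with observed exploitation at the top and separately reports the unscored one for manual review.<\/p>\n<p>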
Attackers are steadily refining their own skills and tactics, as evidenced by how quickly they are weaponizing exploits.<\/p>\n<p>EPSS is an attempt to improve defenses, but its closed predictive model falls short, too often failing to take current realities into account. What the cybersecurity community doesn\u2019t need is another solution that creates further confusion on vulnerability prioritization. Rather, we need to build together on what we have, adding threat intelligence and real-time analysis to the information in the KEV catalog to make defenses more effective.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Solutions Review\u2019s\u00a0Contributed Content Series is a collection of contributed articles written by thought leaders in enterprise software categories. Jacob Baines of VulnCheck examines how expanding the KEV catalog can fill in the blanks left by the EPSS (Exploit Prediction Scoring System). The time to attackers using known vulnerabilities &#8212; those vulnerabilities in software, firmware, or [&hellip;]<\/p>\n","protected":false},"author":752,"featured_media":5900,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[1,21],"tags":[],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v23.5 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Is EPSS Lying About Your Vulnerability Risk?<\/title>\n<meta name=\"description\" content=\"Jacob Baines of VulnCheck examines how expanding the KEV catalog can fill in the blanks left by the EPSS (Exploit Prediction Scoring System).\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/solutionsreview.com\/network-monitoring\/is-epss-lying-about-your-vulnerability-risk\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta 
property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Is EPSS Lying About Your Vulnerability Risk?\" \/>\n<meta property=\"og:description\" content=\"Jacob Baines of VulnCheck examines how expanding the KEV catalog can fill in the blanks left by the EPSS (Exploit Prediction Scoring System).\" \/>\n<meta property=\"og:url\" content=\"https:\/\/solutionsreview.com\/network-monitoring\/is-epss-lying-about-your-vulnerability-risk\/\" \/>\n<meta property=\"og:site_name\" content=\"Best Network Monitoring Vendors, Software, Tools and Performance Solutions\" \/>\n<meta property=\"article:published_time\" content=\"2024-01-24T22:07:19+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2024-01-24T22:10:42+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/solutionsreview.com\/network-monitoring\/files\/2024\/01\/EPSS-Vulnerability.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"786\" \/>\n\t<meta property=\"og:image:height\" content=\"393\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Jacob Baines\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Jacob Baines\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"5 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/solutionsreview.com\/network-monitoring\/is-epss-lying-about-your-vulnerability-risk\/\",\"url\":\"https:\/\/solutionsreview.com\/network-monitoring\/is-epss-lying-about-your-vulnerability-risk\/\",\"name\":\"Is EPSS Lying About Your Vulnerability Risk?\",\"isPartOf\":{\"@id\":\"https:\/\/solutionsreview.com\/network-monitoring\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/solutionsreview.com\/network-monitoring\/is-epss-lying-about-your-vulnerability-risk\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/solutionsreview.com\/network-monitoring\/is-epss-lying-about-your-vulnerability-risk\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/solutionsreview.com\/network-monitoring\/files\/2024\/01\/EPSS-Vulnerability.jpg\",\"datePublished\":\"2024-01-24T22:07:19+00:00\",\"dateModified\":\"2024-01-24T22:10:42+00:00\",\"author\":{\"@id\":\"https:\/\/solutionsreview.com\/network-monitoring\/#\/schema\/person\/324a0f30f7e1e47f6c7d714fd0531a01\"},\"description\":\"Jacob Baines of VulnCheck examines how expanding the KEV catalog can fill in the blanks left by the EPSS (Exploit Prediction Scoring 
System).\",\"breadcrumb\":{\"@id\":\"https:\/\/solutionsreview.com\/network-monitoring\/is-epss-lying-about-your-vulnerability-risk\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/solutionsreview.com\/network-monitoring\/is-epss-lying-about-your-vulnerability-risk\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/solutionsreview.com\/network-monitoring\/is-epss-lying-about-your-vulnerability-risk\/#primaryimage\",\"url\":\"https:\/\/solutionsreview.com\/network-monitoring\/files\/2024\/01\/EPSS-Vulnerability.jpg\",\"contentUrl\":\"https:\/\/solutionsreview.com\/network-monitoring\/files\/2024\/01\/EPSS-Vulnerability.jpg\",\"width\":786,\"height\":393,\"caption\":\"EPSS\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/solutionsreview.com\/network-monitoring\/is-epss-lying-about-your-vulnerability-risk\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/solutionsreview.com\/network-monitoring\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Is EPSS Lying About Your Vulnerability Risk?\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/solutionsreview.com\/network-monitoring\/#website\",\"url\":\"https:\/\/solutionsreview.com\/network-monitoring\/\",\"name\":\"Best Network Monitoring Vendors, Software, Tools and Performance Solutions\",\"description\":\"Solutions Review Network Monitoring\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/solutionsreview.com\/network-monitoring\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/solutionsreview.com\/network-monitoring\/#\/schema\/person\/324a0f30f7e1e47f6c7d714fd0531a01\",\"name\":\"Jacob 
Baines\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/solutionsreview.com\/network-monitoring\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/solutionsreview.com\/network-monitoring\/files\/2024\/01\/JakeBaines.png\",\"contentUrl\":\"https:\/\/solutionsreview.com\/network-monitoring\/files\/2024\/01\/JakeBaines.png\",\"caption\":\"Jacob Baines\"},\"description\":\"Jacob Baines is the CTO at VulnCheck. With more than a decade of experience, he's conducted research for a wide array of organizations, including VulnCheck, Rapid7, Tenable, Lockheed Martin, and Dragos. His research focuses on discovering and exploiting initial access vulnerabilities. He's credited with over 100 CVEs, and has presented his research at BlackHat, DEF CON, Infosecurity Europe, and several BSides events. He's an active member of the open-source exploit development community and a contributor to Metasploit.\",\"sameAs\":[\"https:\/\/vulncheck.com\/\"],\"url\":\"https:\/\/solutionsreview.com\/network-monitoring\/author\/jbaines\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","_links":{"self":[{"href":"https:\/\/solutionsreview.com\/network-monitoring\/wp-json\/wp\/v2\/posts\/5899"}],"collection":[{"href":"https:\/\/solutionsreview.com\/network-monitoring\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/solutionsreview.com\/network-monitoring\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/solutionsreview.com\/network-monitoring\/wp-json\/wp\/v2\/users\/752"}],"replies":[{"embeddable":true,"href":"https:\/\/solutionsreview.com\/network-monitoring\/wp-json\/wp\/v2\/comments?post=5899"}],"version-history":[{"count":0,"href":"https:\/\/solutionsreview.com\/network-monitoring\/wp-json\/wp\/v2\/posts\/5899\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/solutionsreview.com\/network-monitoring\/wp-json\/wp\/v2\/media\/5900"}],"wp:attachment":[{"href":"https:\/\/solutionsreview.com\/network-monitoring\/wp-json\/wp\/v2\/media?parent=5899"}],"wp:term":[{"taxonomy":"category","embeddab
le":true,"href":"https:\/\/solutionsreview.com\/network-monitoring\/wp-json\/wp\/v2\/categories?post=5899"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/solutionsreview.com\/network-monitoring\/wp-json\/wp\/v2\/tags?post=5899"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}