Every day, we make decisions. Decisions regarding what to purchase, which route to take, whom to vote for, and whether to opt for more or less. We make decisions regarding the future, which can have serious repercussions.
But we’re deluged. There are just too many security alerts to investigate and too many security solutions, as a siloed source of knowledge.
Given the plethora of vulnerabilities emerging annually, organizations face the staggering task of pinpointing which to address first. And actually address them. The Exploit Prediction Scoring System (EPSS) and the Common Vulnerability Scoring System (CVSS) offer distinct solutions to this challenge, each with unique driving factors, techniques, and implications.
EPSS: Exploitability is the new king
Incentive
Numerous vulnerabilities surface, yet only a select few are truly prone to exploitation. Research shows that a mere 2% to 7% of reported vulnerabilities ever face real-world exploitation. Contrastingly, organizations manage to patch just 5% to 20% of these vulnerabilities monthly, underscoring the need for strategic prioritization on the one hand, and a better remediation mechanism on the second hand.
Framework Description
EPSS’s primary goal is to ascertain the probability that a documented vulnerability might face exploitation within the subsequent 30 days. Scores vary between 0 and 1, with rising scores suggesting elevated exploitation risks. EPSS considers multiple factors: MITRE’s CVE list, “Tags” from CVE descriptions, reference counts, released exploit codes, security scanner details, CVSS attributes, vendor specifics, and exploitation data.
Evaluating Vulnerability Management Efficiency with EPSS
Vulnerability management efficacy hinges on two pivotal metrics: efficiency and coverage.
Efficiency: It zeroes in on how efficiently resources address vulnerabilities that indeed face exploitation.
- True Positives (TP): Aptly flagged high-risk vulnerabilities that faced exploitation.
- False Positives (FP): Incorrectly flagged high-risk vulnerabilities that remained unexploited.
Elevated false positives can hinder optimization due to the wasting of resources on non-threatening vulnerabilities.
Coverage: A reflection of how many vulnerabilities, exploited in real-life scenarios, have been addressed by the organization.
- True Negatives (TN): Accurately flagged low-risk vulnerabilities remaining unexploited.
- False Negatives (FN): Overlooked or misjudged low-risk vulnerabilities later exploited.
High false negatives can be alarming as they reflect overlooked critical threats.
The CVE-2019-0541 Example
Let’s take a journey through the life of CVE-2019-0541 to highlight the importance of nuanced vulnerability management.
- Initial Release and Disposition – On January 8th, 2019, when CVE-2019-0541 was first introduced, the vulnerability landscape was ambiguous. While its Common Vulnerability Scoring System (CVSS) was pegged at 9.3, indicating a severe risk, its Exploitability Predictive Scoring System (EPSS) didn’t even make an appearance initially.
- The Catalyst – Fast forward to 16th December 2019. The first malware sample targeting CVE-2019-0541 surfaced. This was a critical turning point. By February 8th, 2023, while the CVSS score remained static at 9.3, the EPSS skyrocketed to 54%.
- The Paradigm Shift – Things took a sharper turn on 7th March 2023. The EPSS saw a dramatic surge of 42%, clocking in at a whopping 97.33% by August 4th 2023. Now, what caused this abrupt recalibration? The revelation that multiple threat actors, including Advanced Persistent Threat (APT) groups, had their hands on this vulnerability was a game-changer. Its attractiveness to the nefarious community had increased exponentially.
- The Underlying Factors – But that’s not the whole story. March 2023 also witnessed the discovery of JavaScript (JS) files that facilitated exploiting CVE-2019-0541. This was a double-edged sword: Not only did it signify that exploiting the vulnerability was within the grasp of many attackers, but it also provided them with the tools to do so. This likely played a pivotal role in influencing the EPSS score.
.
| Date | Amount of samples | FileType | Malware Family |
|---|---|---|---|
| 16/12/2019 | 1 | OneNote | Research Sample – first actual apperence of a POC |
| 13/09/2021 | 1 | chm | GhostWriter APT |
| 27/12/2021 | 2 | chm | GhostWriter APT |
| 31/01/2022 | 2 | chm | GhostWriter APT |
| 4/3/2022 | 2 | chm | GhostWriter APT |
| 6/3/2022 | 14 | chm | GhostWriter APT |
| 9/3/2022 | 2 | vbs | GhostWriter APT(MicroBackdoor) |
| 23/2/2023 | 1 | JS | unknown |
| 27/4/2023 | 1 | JS | Research Sample |
| 27/4/2023 | 1 | JS | Research Sample |
| 27/4/2023 | 1 | JS | Research Sample |
| 1/5/2023 | 1 | Research Sample |
CVSS: An Established Vulnerability Metric
CVSS offers a consistent, open, and universal approach to assessing IT vulnerabilities. By considering various criteria, it assigns a severity grade between 0 and 10, guiding organizations in vulnerability prioritization.
Challenges of Sole Reliance on CVSS
Though CVSS provides a structured vulnerability ranking, exclusive dependence can be problematic:
- False Positives: Elevated CVSS grades might mark some vulnerabilities as paramount. Yet, if their exploitation likelihood is low in certain scenarios, patching them might drain unnecessary resources. This can lead to undue efforts on minimal threat vulnerabilities.
- False Negatives: Conversely, just because a vulnerability has a lower CVSS score doesn’t mean it’s harmless. When its exploitability in the real world — given specific threat actors or environmental nuances — is factored in, what seemed like a minor risk might escalate to a significant threat.
In summary, relying solely on the CVSS score for patching can cause organizations to focus too much on less pressing threats, while neglecting more significant risks. It is crucial to find a balance between addressing current security gaps and using resources effectively for strong vulnerability management.
EPSS and CVSS: Juxtaposing or Complementing Strategies?
While CVSS is a widely recognized tool for assessing the severity of security vulnerabilities, its efficacy in risk prioritization has been debated. This draws attention to the potential synergy between CVSS and the Exploit Prediction Scoring System (EPSS).
Balancing Severity and Exploitability
Purely relying on CVSS may inadvertently direct resources to vulnerabilities based solely on their severity, not their exploitability. By integrating EPSS’s predictive approach, organizations can align remediation efforts with vulnerabilities that present both a high severity and a high likelihood of being exploited.
Potential Hurdles with EPSS
Questions arise about the system’s openness, especially since significant model updates or changes aren’t always transparent to stakeholders.
EPSS’s reliance on pre-existing CVE IDs could limit its utility, especially concerning zero-day vulnerabilities.
The Middle Ground
While EPSS can serve as a powerful adjunct to CVSS, striking a balance is essential. Merging the severity scores of CVSS with the exploit predictions of EPSS might offer organizations a more holistic strategy. Such an integrated approach can ensure that limited security resources are employed judiciously, targeting vulnerabilities that are both severe and likely to be exploited.
In sum, while both EPSS and CVSS have their respective strengths and limitations, their combined potential could pave the way for a more refined vulnerability management strategy.
Veriti combines both EPSS and CVSS scores for a comprehensive risk assessment. This approach prioritizes vulnerability remediation by considering both the likelihood of exploitation (EPSS) and the severity (CVSS) of vulnerabilities and enables focusing efforts on critical vulnerabilities with high risk and potential impact.
The Missing Piece of the Puzzle: Non-Disruptive Remediation
Traditional remediation, primarily through vulnerability patching, is a vital process but is not without its pitfalls. The act of patching can sometimes disrupt operations, introduce new vulnerabilities, or even cause system failures. Moreover, in large organizations with complex IT architectures, patching isn’t always immediate. Testing patches to ensure they don’t negatively impact business processes can take time, sometimes weeks or even months. But, in the fast-paced world of cyber threats, time is a luxury that many organizations don’t have.
Virtual patching is back in fashion, offering temporary protection from a vulnerability by preventing exploitation until a permanent patch is ready or can be safely applied. However, the crown jewel of modern remediation methods is the capability to validate actions for potential business impacts. By ensuring that remediation activities don’t result in false positive events, performance issues, or other disruptions, organizations can maintain their operational integrity while bolstering their security posture.
So, while predictive tools like EPSS and CVSS are essential for identifying and assessing vulnerability risks, the non-disruptive remediation method fills the gap in the vulnerability management lifecycle. It addresses the “how” of vulnerability management – how to fix issues without negatively impacting business processes. In the complex jigsaw puzzle of cybersecurity, this approach is the piece that many organizations didn’t even realize was missing.
