The Exploit Prediction Scoring System (EPSS) is a vulnerability scoring system designed to predict the likelihood that a vulnerability will be exploited in the wild within the next 30 days. It assigns each vulnerability a probability between 0 and 1, helping organizations prioritize their remediation efforts. The higher the score, the greater the probability that the vulnerability will be exploited.
EPSS differs from the Common Vulnerability Scoring System (CVSS), which focuses on the severity of a vulnerability.
Table of Contents
- What Is EPSS in Cybersecurity?
- How Does EPSS Work?
- What Is the Difference between the EPSS Score and the EPSS Percentile?
- EPSS vs CVSS: What’s the Difference?
Exploit Prediction Scoring System: A Deep Dive
What Is EPSS in Cybersecurity?
EPSS helps organizations decide which vulnerabilities to address first by assigning each one a score based on its probability of exploitation. It helps answer the question “How likely is it that attackers will exploit this specific vulnerability?” All published Common Vulnerabilities and Exposures (CVEs) currently have EPSS scores, and the scores are refreshed daily.
The original EPSS model was published in 2019, with scores released publicly for the first time in 2021. Major updates were released in February 2022 and March 2023. The organization behind EPSS, the Forum of Incident Response and Security Teams (FIRST), continues to improve the model to provide near-real-time assessments of all publicly disclosed vulnerabilities. Aside from EPSS, FIRST also currently maintains CVSS.
How Does EPSS Work?
EPSS leverages machine learning (ML) to analyze various data points and generate a probability score. Its process typically involves three key steps.
Data Collection
The model draws on vulnerability metadata rather than on any single organization’s internal data: CVE and National Vulnerability Database (NVD) records, CVSS metrics, the affected vendors and products, weakness (CWE) classes, whether public exploit code exists (for example, in Exploit-DB, Metasploit modules, or GitHub repositories), and whether vulnerability scanners have checks for the flaw.
It then gathers real-world evidence of daily exploitation activity contributed by data partners, chiefly intrusion detection/prevention and honeypot telemetry that records attempts to exploit specific CVEs. This exploitation evidence is the ground truth the model learns to predict.
Model Training
EPSS’s core function is to identify the relationship between vulnerabilities and the likelihood they would get exploited. To achieve that, the model undergoes a rigorous training process. The ML model is developed and trained using historical data to identify patterns and correlations between vulnerabilities and exploitation.
The trained model is then applied to new vulnerabilities to generate a probability score indicating its likelihood of exploitation.
Model Performance Measurement
The performance of this model is then evaluated through a look-back approach. It is trained on a 14-month historical dataset, with the most recent two months held out as a “future” testing period.
Evaluation works by picking a score threshold, treating every vulnerability at or above it as “prioritized,” and then sorting each vulnerability into one of four outcomes based on whether exploitation was actually observed in the held-out period:
- True positives (TPs): Correctly identified vulnerabilities that were subsequently exploited. These represent successful prioritization decisions.
- False positives (FPs): Vulnerabilities prioritized for remediation but never exploited, indicating potential resource misallocation.
- False negatives (FNs): Exploited vulnerabilities that were not prioritized, highlighting missed opportunities for prevention.
- True negatives (TNs): Vulnerabilities neither prioritized nor exploited, representing correct prioritization decisions.
The cycle then returns to step 1: each day the model ingests fresh vulnerability and exploitation data and publishes, for every published CVE, an updated estimate of the probability of exploitation over the following 30 days.
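The four outcomes above only become meaningful once you fix a threshold, and moving that threshold trades coverage against effort. The following added example (not code from the page or from FIRST) applies a few thresholds to a constructed set of ten vulnerabilities with made-up scores and outcomes, counts TPs, FPs, FNs and TNs, and reports the standard precision/recall figures; the names effort, coverage and efficiency are the terms EPSS’s own documentation uses for these ratios. The `VULN-*` labels are placeholders, not real CVE identifiers.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Observation:
    vuln_id: str      # placeholder label for the example, not a real CVE ID
    epss: float       # probability the model emitted at the start of the window
    exploited: bool   # was exploitation observed during the held-out window?


# Constructed sample of ten vulnerabilities; scores and outcomes are made up.
SAMPLE = [
    Observation("VULN-01", 0.95, True),
    Observation("VULN-02", 0.80, True),
    Observation("VULN-03", 0.60, False),
    Observation("VULN-04", 0.35, True),
    Observation("VULN-05", 0.20, False),
    Observation("VULN-06", 0.10, False),
    Observation("VULN-07", 0.05, True),
    Observation("VULN-08", 0.02, False),
    Observation("VULN-09", 0.01, False),
    Observation("VULN-10", 0.005, False),
]


def confusion_matrix(observations, threshold):
    """Treat epss >= threshold as 'prioritized' and compare with the outcome."""
    counts = {"tp": 0, "fp": 0, "fn": 0, "tn": 0}
    for obs in observations:
        prioritized = obs.epss >= threshold
        if prioritized and obs.exploited:
            counts["tp"] += 1   # prioritized and later exploited
        elif prioritized:
            counts["fp"] += 1   # patching effort spent on something never exploited
        elif obs.exploited:
            counts["fn"] += 1   # exploited but left unprioritized
        else:
            counts["tn"] += 1   # correctly left alone
    return counts


def evaluate(observations, threshold):
    """Summarize a threshold as effort (share of vulns flagged), coverage
    (recall over exploited vulns) and efficiency (precision of the flagged set)."""
    m = confusion_matrix(observations, threshold)
    flagged = m["tp"] + m["fp"]
    exploited = m["tp"] + m["fn"]
    return {
        **m,
        "effort": flagged / len(observations),
        "coverage": m["tp"] / exploited if exploited else 0.0,
        "efficiency": m["tp"] / flagged if flagged else 0.0,
    }


if __name__ == "__main__":
    for threshold in (0.5, 0.3, 0.04):
        r = evaluate(SAMPLE, threshold)
        print(f"threshold {threshold:<5} tp={r['tp']} fp={r['fp']} fn={r['fn']} tn={r['tn']} "
              f"effort={r['effort']:.2f} coverage={r['coverage']:.2f} "
              f"efficiency={r['efficiency']:.2f}")
```

Lowering the threshold from 0.5 to 0.04 in this sample raises coverage from 50% to 100% but more than doubles the effort (3 of 10 vulnerabilities to 7 of 10), which is exactly the trade-off an organization makes when it chooses where to cut.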
What Is the Difference between the EPSS Score and the EPSS Percentile?
The EPSS score and the EPSS percentile are two different ways to represent the likelihood that a vulnerability will be exploited. For instance, on one day’s EPSS feed, CVE-2023-44487 (the HTTP/2 “Rapid Reset” vulnerability) had a score of 0.73185 and a percentile of 0.98127.
The EPSS score is the direct output of the EPSS model, ranging from 0 to 1 or 0% to 100%. As previously mentioned, a higher score indicates a higher probability of exploitation. In the context of CVE-2023-44487, there is around a 73% probability that threat actors would exploit it during the next 30 days.
On the other hand, an EPSS percentile describes a vulnerability’s position relative to all other scored vulnerabilities: it is the fraction of CVEs whose score is less than or equal to this one, so it also ranges from 0 to 1. A higher percentile means the vulnerability outranks a larger share of other vulnerabilities. CVE-2023-44487 therefore has a higher EPSS score than about 98% of all scored CVEs. Because the vast majority of CVEs have very small scores, even a modest probability such as 0.05 can sit at a high percentile.
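To make the score/percentile distinction concrete, here is an added example (not from the original page or from FIRST) that computes percentiles the way EPSS defines them, as the fraction of scores less than or equal to a given score, over a constructed 20-entry stand-in for a daily feed. The `VULN-*` labels are placeholders; the feed is deliberately skewed toward tiny scores, as the real one is, so that a 5% probability lands at the 70th percentile.

```python
from bisect import bisect_right

# Constructed stand-in for one day's EPSS feed (vulnerability id -> score).
# A real feed covers every published CVE and, like this toy set, is heavily
# skewed toward very small scores, which is what makes the percentile useful.
FEED = {
    "VULN-01": 0.0004, "VULN-02": 0.0007, "VULN-03": 0.0009, "VULN-04": 0.0010,
    "VULN-05": 0.0015, "VULN-06": 0.0020, "VULN-07": 0.0030, "VULN-08": 0.0040,
    "VULN-09": 0.0060, "VULN-10": 0.0080, "VULN-11": 0.0120, "VULN-12": 0.0200,
    "VULN-13": 0.0350, "VULN-14": 0.0500, "VULN-15": 0.0900, "VULN-16": 0.1500,
    "VULN-17": 0.3000, "VULN-18": 0.5000, "VULN-19": 0.73185, "VULN-20": 0.9700,
}


def percentile(score, all_scores):
    """EPSS percentile: the fraction of all scores that are <= `score`.
    Works for a score that is not itself in the feed, too."""
    ordered = sorted(all_scores)
    return bisect_right(ordered, score) / len(ordered)


def rank_feed(feed):
    """Attach a percentile to every entry, as the published feed does."""
    ordered = sorted(feed.values())
    n = len(ordered)
    return {vid: (score, bisect_right(ordered, score) / n) for vid, score in feed.items()}


def describe(vid, feed):
    """Human-readable reading of one entry: absolute probability plus rank."""
    score, pct = rank_feed(feed)[vid]
    return (f"{vid}: score {score:.5f} -> about {score * 100:.1f}% chance of exploitation "
            f"in the next 30 days; scores higher than {pct * 100:.0f}% of the feed")


if __name__ == "__main__":
    for vid in ("VULN-19", "VULN-14", "VULN-06"):
        print(describe(vid, FEED))
```

Note that the percentile says nothing on its own about absolute risk: VULN-14 has only a 5% chance of exploitation, yet it outranks 70% of this feed. Use the score when you need a probability (for example, to estimate expected exposure) and the percentile when you need to compare against the rest of the population.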
EPSS vs CVSS: What’s the Difference?
While EPSS and CVSS are both vulnerability scoring methods, they differ in several ways. For one, they focus on different things. CVSS measures the inherent severity of a vulnerability based on its technical characteristics (e.g., attack vector, complexity, impact), while EPSS predicts the likelihood that a vulnerability would be exploited.
CVSS base scores are static: they describe the vulnerability itself and change only if the vulnerability is reassessed. EPSS scores are dynamic and are recomputed daily from real-world data and threat intelligence, so a vulnerability’s EPSS score may jump when exploit code is published or exploitation activity is observed.
EPSS and CVSS also differ in terms of qualitative thresholds. CVSS maps its numeric score onto the severity ratings “low,” “medium,” “high,” and “critical.” EPSS publishes no such bands; each organization chooses its own score or percentile cut-off based on how much remediation effort it can spend and how much coverage it needs.
Combining both CVSS and EPSS helps organizations gain a more comprehensive understanding of the risks vulnerabilities pose and prioritize remediation efforts accordingly.
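One way to combine the two signals in practice, as an added example that is not code from the page or from FIRST: parse a response in the shape of FIRST’s public EPSS API (`https://api.first.org/data/v1/epss?cve=...`), join it with CVSS base scores, and assign a priority tier. The response below is constructed; only CVE-2023-44487’s EPSS values come from the article, its CVSS base score of 7.5 is its NVD rating, and the `VULN-*` rows and their scores are placeholders. The tiering rule and the 0.1 EPSS cut-off are illustrative assumptions, not a FIRST recommendation.

```python
import json

# Constructed response shaped like FIRST's public EPSS API
# (GET https://api.first.org/data/v1/epss?cve=...). Numbers arrive as strings.
EPSS_RESPONSE = json.dumps({
    "status": "OK",
    "data": [
        {"cve": "CVE-2023-44487", "epss": "0.73185", "percentile": "0.98127", "date": "2023-12-01"},
        {"cve": "VULN-A", "epss": "0.00400", "percentile": "0.71000", "date": "2023-12-01"},
        {"cve": "VULN-B", "epss": "0.02000", "percentile": "0.89000", "date": "2023-12-01"},
        {"cve": "VULN-C", "epss": "0.15000", "percentile": "0.96000", "date": "2023-12-01"},
    ],
})

# CVSS v3.1 base scores; 7.5 for CVE-2023-44487 is its NVD score, the rest are made up.
CVSS_BASE = {"CVE-2023-44487": 7.5, "VULN-A": 9.8, "VULN-B": 5.3, "VULN-C": 3.7}


def cvss_rating(base):
    """CVSS v3.x qualitative severity bands."""
    if base == 0.0:
        return "None"
    if base < 4.0:
        return "Low"
    if base < 7.0:
        return "Medium"
    if base < 9.0:
        return "High"
    return "Critical"


def priority(cvss, epss, epss_threshold=0.1):
    """Illustrative tiering (an assumption of this example, not a FIRST rule)."""
    if epss >= epss_threshold and cvss >= 7.0:
        return "P1"   # likely to be exploited and damaging if it is
    if epss >= epss_threshold or cvss >= 9.0:
        return "P2"   # one strong signal: active threat OR worst-case impact
    if cvss >= 4.0:
        return "P3"   # routine patch cycle
    return "P4"       # monitor; revisit if the EPSS score moves


def parse_epss(raw_json):
    """Turn the API payload into {cve: (score, percentile)} with real floats."""
    payload = json.loads(raw_json)
    if payload.get("status") != "OK":
        raise ValueError(f"EPSS API returned status {payload.get('status')!r}")
    return {row["cve"]: (float(row["epss"]), float(row["percentile"]))
            for row in payload["data"]}


def triage(raw_json, cvss_base):
    """Join EPSS with CVSS and return rows ordered by tier, then by EPSS score."""
    epss = parse_epss(raw_json)
    rows = []
    for vid, cvss in cvss_base.items():
        if vid not in epss:
            continue  # unscored entries need a separate decision, not a silent 0.0
        score, pct = epss[vid]
        rows.append({"id": vid, "cvss": cvss, "severity": cvss_rating(cvss),
                     "epss": score, "percentile": pct,
                     "priority": priority(cvss, score)})
    rows.sort(key=lambda r: (r["priority"], -r["epss"]))
    return rows


if __name__ == "__main__":
    for r in triage(EPSS_RESPONSE, CVSS_BASE):
        print(f"{r['priority']} {r['id']:<16} CVSS {r['cvss']:>4} ({r['severity']:<8}) "
              f"EPSS {r['epss']:.5f} pct {r['percentile']:.3f}")
```

The ordering this produces is the point of combining the two systems: VULN-A is CVSS “critical” but, with a 0.4% exploitation probability, lands below VULN-C, which CVSS rates “low” yet EPSS says is being actively targeted. Neither score alone would have ranked them that way.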
Key Takeaways
- EPSS is a vulnerability scoring system that predicts the probability that a vulnerability would get exploited.
- It assigns each vulnerability a probability and percentile score ranging from 0 to 1.
- The probability score indicates the likelihood of exploitation, while the percentile measures exploitability relative to other vulnerabilities.
- The key steps in the EPSS process are data collection, model training, and performance measurement.
- EPSS and CVSS differ in focus, score type, and qualitative threshold.
Obtain EPSS insights into your vulnerabilities now. Kick off your 30-day free trial with Attaxion today.