This open-source ML model will help you predict vulnerability exploits

Let the OSS Enterprise newsletter guide your open source journey! Sign up here.

Vulnerability management is notoriously difficult. Most companies address the minefield of threats with no clear strategy for where to start patching and what needs prioritization. It leads them on a wild, inefficient goose chase.

Research shows that organizations only have the capacity to remediate 5-20% of the thousands of known vulnerabilities each month. Fortunately, only 2-5% of those vulnerabilities are ever exploited in the wild. That means most organizations can keep up with the riskiest vulnerabilities — as long as they know which ones are risky, and preferably ahead of the exploitation event.

A special interest group of security experts, of which I’m a co-creator joined by 38 other experts, has developed a free, open source tool, called Exploit Prediction Scoring System (EPSS) to address this problem. We first presented EPSS at the Black Hat 2019 conference, and beginning next week, we will add real-time scoring of common vulnerabilities and exposures (CVEs) as they are announced. So instead of waiting weeks to see if a vulnerability is exploited, this tool can serve as a forecast for a vulnerability’s potential to be exploited.

This will allow users to gain instant insight without having to gather data about a CVE elsewhere. EPSS uses an open-source, data-driven approach to quantify the risk of a particular vulnerability, so you know exactly which ones need the most urgent attention. The EPSS special interest group will continue to improve this scalable model and add new data sources.

EPSS has produced risk scores for all of the more than 71,000 CVEs that have been published since 2017 and now can help security teams predict the likelihood a vulnerability will be exploited in the 12 months after public disclosure.

Let’s take a closer look at how EPSS works and how you can use it to better prioritize vulnerabilities as they appear.

How the scores are created

EPSS provides a model based on proprietary data from Fortinet, Kenna Security, Reversing Labs, Proofpoint, and Alienvault, along with publicly sourced data and outside commercial data providers. The most important data are those that identify actual vulnerability exploitation. This is crucial to the predictive model. If you’re interested in contributing to these data sets, contact our working group, which constantly incorporates new sources.

Using public data like MITRE’s CVE, NIST’s National Vulnerability Database, CVSS scores, and Common Platform Enumeration information, the EPSS reads descriptive text for each CVE and scrapes for common multiword expressions. It also searches different repositories for exploit code. From there, it creates a list of 191 tags encoded as binary features for each vulnerability.

Risk scores are calculated based on 15 variables that correlate with exploitation. Among the most important questions EPSS considers are the hardware or software vendor the vulnerability lives on and how many reference links the vulnerability has. The more noise there is early on, the more likely it is that the vulnerability ends up being exploited. Common platform enumerations aren’t always available when the vulnerability is published, but as soon as they are, the EPSS scores are updated accordingly.

What the scores can tell you

Where EPSS is most useful is as a response to risk as it emerges. It’s simply not feasible to patch 100% of all vulnerabilities that appear, nor would you want to spend the time and resources fixing vulnerabilities that pose no risk.

Ninety percent of organizations are still relying on CVSS as a lone threat intelligence tool, which is problematic because not only does the National Vulnerability Database provide few updates to CVSS scores, but it only addresses the severity of the vulnerabilities and doesn’t address the probability that a CVE will actually be exploited. Even if your organization has a threat intelligence team or feed, those usually answer the question “of these vulnerabilities, which ones are risky right now?” EPSS has the distinct advantage of being predictive, which allows you to answer that question well before anyone asks it — or any of the threat intel teams see data.

A low EPSS score may suggest to a CIO that despite similar vulnerabilities becoming high-profile stories, this particular one isn’t likely to be exploited and therefore isn’t worth wasting valuable time on or slowing down business processes to address. A high score, on the other hand, may raise a red flag and necessitate remediation before that next headline is about your company. At the very least, this is a quantitative way to make time-investment decisions generally done by gut feel.

Compared to a strategy of remediating all vulnerabilities with CVSS scores of 9+, EPSS produces big gains in efficiency. When looking at coverage (the percent of exploited vulnerabilities that were remediated) and efficiency (the percent of remediated vulnerabilities that were exploited), research shows that companies focusing on CVSS scores of 9+ can fix the same number of exploited vulnerabilities while reducing their effort by 78% by using EPSS instead.

Most vulnerability management is done in weekly or monthly cycles, but vulnerabilities and attacks are real-time and live-tracked. Having a more real-time resource like EPSS creates a function that forces the vulnerability management process to address everything closer to real time, which is just as valuable as the tool itself. When the CIO asks “What are we doing about this vulnerability?” you will have a real-time answer, instead of a search within a vulnerability management tool or configuration management database (CMDB), which gives you data about a week-old ticket.

EPSS shouldn’t be a standalone prioritization method, however. It’s designed as an early warning system for emerging vulnerabilities and doesn’t help fix a security debt or backlog. You also need to stay aware of what exactly the vulnerability exposes, how accessible those assets are to attackers, and the potential severity of an attack.

An important new tool

EPSS could level the playing field by encouraging more companies to take a risk-based approach to vulnerability management. It could also potentially fill a gap in public infrastructure, acting as a template for what the government should be funding as an early warning system both for government agencies and private sector companies.

President Biden’s executive order on cybersecurity focuses on information sharing and better tools for detecting and responding to security threats. With more data than other tools, EPSS can support that mission with proactive alerts.

While there is no single optimal prioritization strategy, adding EPSS dramatically saves resources and helps you more efficiently fix the vulnerabilities that pose a risk to your organization.

EPSS has a getting started guide here, and the new data and statistics are typically updated daily and are available to view and download here. We’re always looking to add new perspectives and skills to the EPSS membership. To inquire about joining the group, email us at epss-chairs@first.org.

Michael Roytman is Chief Data Scientist at Kenna Security (now part of Cisco) and has spoken at RSA, BlackHat, SOURCE, Bsides, Metricon, Infosec Europe, and SIRAcon. His work focuses on cybersecurity data science and Bayesian algorithms, and he has served on the boards of the Society of Information Risk Analysts and Cryptomove. He currently serves on Forbes Technology Council, and is a Board Partner at Social Capital. He holds an M.S. in Operations Research from Georgia Tech and recently turned his home roasting operation into a Chicago south side cafe, Sputnik Coffee.