
Cybersecurity Meets AI: The Cybersecurity Exploit Prediction Scoring System (EPSS)

How much do you know about the cybersecurity Exploit Prediction Scoring System (EPSS)?

Let's start from the top: perhaps the biggest tech story of 2023 was the rise of Artificial Intelligence (AI) into a general lifestyle tool, ChatGPT, which smashed previous technology adoption records. That rise has raised questions in the cybersecurity industry about how Generative AI will impact defensive strategy and change how threat actors operate.

Moreover, Machine Learning (ML) has been credited with lowering the general costs of ongoing cybersecurity efforts and improving fraud detection. At this critical waypoint for AI, it is worthwhile examining a specific example of how machine learning is being used to improve cyber defenses.

In today's blog, our ethical hackers discuss what EPSS is and how it is expected to shape the 2024 cybersecurity landscape:

Firstly, What is the Cybersecurity Exploit Prediction Scoring System (EPSS)?

Developed by a collaboration of cybersecurity researchers and organizations, the Exploit Prediction Scoring System (EPSS) was first officially released in February 2020. Its primary purpose is to predict the likelihood that a publicly disclosed vulnerability will be actively exploited in the wild.

Whether a vulnerability is being actively exploited has a big impact on the ultimate risk it presents to an organization. To estimate that likelihood, EPSS combines multiple data points, including the characteristics of the vulnerability and the context of its discovery, into a score that indicates the probability of exploitation.

EPSS is most comparable to the Common Vulnerability Scoring System (CVSS), but while CVSS rates the severity of a vulnerability based solely on its security-related attributes, EPSS specifically predicts the likelihood that the vulnerability will be exploited. Both CVSS and EPSS are generally used in conjunction with Common Vulnerabilities and Exposures (CVE) identifiers, which catalogue publicly disclosed cybersecurity vulnerabilities.

Let's take a closer look at what makes up an EPSS score and how EPSS can be used to improve cyber defenses. 

How Are EPSS Scores Calculated?

EPSS scores are generated by a trained ML model from a set of about 1,500 statistical features for each CVE. Calculating the score depends on collecting and aggregating evidence of network- or host-layer exploit attempts recorded by intrusion detection/prevention systems (IDS/IPS) or honeypots, drawn from multiple sources including Fortiguard, Alienvault OTX, the Shadowserver Foundation and GreyNoise. In addition to evidence of active exploitation, EPSS uses other information such as the existence of exploit code collected from GitHub, VulnDB, Google's Project Zero, CISA's Known Exploited Vulnerabilities catalog, and Trend Micro's Zero Day Initiative (ZDI), as well as social media metadata, the vulnerability's CVSS base metric values, and even the product vendor's vulnerability history.

An EPSS score represents the probability of exploitation in the wild within the next 30 days (from the date of score publication), expressed as a probability between 0 and 1. EPSS scores are updated daily, and a quick-view dashboard shows the current CVEs whose EPSS scores are highest and most volatile. Frequent updating is crucial because the threat landscape, and the factors influencing the exploitability of a vulnerability, can change rapidly. For organizations using EPSS to prioritize their cybersecurity efforts, this means they are working with the latest data when deciding which vulnerabilities to address first.

How Does EPSS Help Improve Cybersecurity?

Using the Exploit Prediction Scoring System (EPSS) operationally can significantly enhance an organization's cybersecurity posture in several ways:

  • Risk Prioritization: EPSS helps identify which vulnerabilities are most likely to be exploited. This information allows security teams to prioritize patching and remediation efforts, focusing first on vulnerabilities with the highest likelihood of exploitation. By understanding which vulnerabilities pose the greatest risk, organizations can better allocate their resources, such as time, personnel, and budget, towards addressing the most critical threats. The data behind EPSS can also be used to anticipate emerging threats and can be integrated into the organization's broader risk management efforts.

  • Incorporation into Security Automation and Orchestration: EPSS scores can be fed into security automation tools to trigger automatic responses when high-risk vulnerabilities are detected. This could include automated alerts, initiating patch management processes, or adjusting firewall rules.

  • Integration with Threat Graphs: EPSS data can be used for threat modeling in conjunction with threat graphs, which visualize the relationships between different entities like IP addresses, domains, and vulnerabilities. This integration can help in identifying patterns or connections that might indicate a broader security threat.

  • Compliance and Reporting: Using a systematic approach like EPSS for vulnerability management can assist in compliance with various cybersecurity standards and regulations by providing evidence that an organization is mitigating the highest risk vulnerabilities in a timely manner. It also provides useful metrics for reporting to stakeholders about the organization’s cybersecurity health.
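The following is an added example, not code from the original post or from the EPSS project: it takes the score semantics described above (EPSS as a 0-1 probability of exploitation within 30 days, CVSS as severity, daily re-publication) and shows how a vulnerability-management script might combine them for prioritization and automated alerting. The inventory, the CVE identifiers, the alert threshold of 0.5, the CVSS boundary of 7.0 and the "score jumped by 0.25" rule are all constructed assumptions; the final function goes slightly beyond the text by treating per-CVE probabilities as independent events to estimate the chance that at least one of them is exploited.

```python
from math import prod

# Constructed sample inventory; the CVE ids are placeholders, not real advisories.
# "epss" is the EPSS probability (0-1) of exploitation in the next 30 days,
# "cvss" the CVSS base score, "epss_prev" yesterday's published EPSS value.
INVENTORY = [
    {"cve": "CVE-0000-0001", "cvss": 9.8, "epss": 0.020, "epss_prev": 0.019},
    {"cve": "CVE-0000-0002", "cvss": 7.5, "epss": 0.910, "epss_prev": 0.120},
    {"cve": "CVE-0000-0003", "cvss": 5.3, "epss": 0.400, "epss_prev": 0.050},
    {"cve": "CVE-0000-0004", "cvss": 8.1, "epss": 0.001, "epss_prev": 0.001},
]

EPSS_ALERT = 0.5   # assumed probability that triggers an automated alert
CVSS_HIGH = 7.0    # assumed boundary for "high severity"
EPSS_JUMP = 0.25   # assumed day-over-day increase worth flagging


def validate(record):
    """Reject values outside the ranges EPSS (0-1) and CVSS (0-10) define."""
    if not 0.0 <= record["epss"] <= 1.0:
        raise ValueError(f"{record['cve']}: EPSS must be a probability in [0, 1]")
    if not 0.0 <= record["cvss"] <= 10.0:
        raise ValueError(f"{record['cve']}: CVSS base score must be in [0, 10]")
    return record


def bucket(record):
    """Combine the two views: EPSS says how likely, CVSS says how bad."""
    likely = record["epss"] >= EPSS_ALERT
    severe = record["cvss"] >= CVSS_HIGH
    if likely and severe:
        return "patch-now"
    if likely:
        return "patch-soon"
    if severe:
        return "schedule"
    return "monitor"


def prioritize(records):
    """Order by probability of exploitation; CVSS severity breaks ties."""
    return sorted((validate(r) for r in records),
                  key=lambda r: (r["epss"], r["cvss"]), reverse=True)


def alerts(records):
    """CVEs above the alert threshold, plus those whose score jumped since
    the previous daily publication (a sudden rise is itself a signal)."""
    return [r["cve"] for r in records
            if r["epss"] >= EPSS_ALERT or r["epss"] - r["epss_prev"] >= EPSS_JUMP]


def any_exploited(records):
    """Probability that at least one listed CVE is exploited within 30 days,
    treating the EPSS values as independent events: 1 - prod(1 - p_i)."""
    return 1 - prod(1 - r["epss"] for r in records)
```

Note that `any_exploited` rises quickly with the number of unpatched CVEs even when each individual score is small, which is why the per-asset view matters as much as the per-CVE ranking.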

Conclusion

In summary, the Exploit Prediction Scoring System (EPSS) leverages machine learning for a more targeted and efficient approach to vulnerability management by focusing on the likelihood of exploitation, a crucial factor in cybersecurity risk. By incorporating EPSS into their cybersecurity strategies, organizations can improve their ability to prevent successful cyber attacks, manage risks more effectively, and allocate their security resources more wisely.

Ready to learn more about how your organization can stay abreast of cyber trends in 2024 and beyond? Receive your free quote from the Packetlabs team today.
