EPSS vs. CVSS: What’s the Best Approach to Vulnerability Prioritization?

The Hacker News

Many businesses rely on the Common Vulnerability Scoring System (CVSS) to assess the severity of vulnerabilities for prioritization. While these scores provide some insight into the potential impact of a vulnerability, they don’t factor in real-world threat data, such as the likelihood of exploitation. With new vulnerabilities discovered daily, teams don’t have the time - or the budget - to waste on fixing vulnerabilities that won’t actually reduce risk.

Read on to learn more about how CVSS and EPSS compare and why using EPSS is a game changer for your vulnerability prioritization process.

What is vulnerability prioritization?

Vulnerability prioritization is the process of evaluating and ranking vulnerabilities based on the potential impact they could have on an organization. The goal is to help security teams determine which vulnerabilities should be addressed, in what timeframe, or if they need to be fixed at all. This process ensures that the most critical risks are mitigated before they can be exploited and is an essential part of attack surface management.

In an ideal world, security teams would be able to remediate every vulnerability as soon as it is discovered, but that’s neither possible nor efficient. Research has shown that most teams can only remediate about 10-15% of their open vulnerabilities per month, which is why prioritizing effectively is so important.

Ultimately, getting vulnerability prioritization right ensures organizations can make the best use of their resources. Why does this matter? Because businesses can’t afford to spend money on things unless they make a difference, and risk management is all about making sure money is spent on genuinely reducing risk.

The limitations of CVSS for vulnerability prioritization

Historically, one of the most common ways organizations prioritize vulnerabilities is by using CVSS base scores.

CVSS base scores are determined by factors that are constant across time and user environments, such as the ease and technical means by which a vulnerability can be exploited and the consequence of a successful exploit. These factors are quantified and combined to generate a final score between 0 and 10 – the higher the score, the higher the severity.

CVSS scores offer a baseline and a standardized way of assessing severity and are sometimes necessary for compliance. However, they have limitations that make relying on them less efficient than considering them alongside real-time data sources.

One of the main limitations of CVSS scores is that they do not consider the current threat landscape, such as whether a vulnerability is being actively exploited in the wild. This means that a vulnerability with a high CVSS score may not necessarily be the most critical issue an organization faces. Take CVE-2023-48795, for example. Its current CVSS score is 5.9, which is "medium". But if you consider other threat intelligence sources, such as EPSS, you’ll see there’s a high chance of it being exploited within the next 30 days (at the time of writing).

This shows the importance of taking a more holistic approach to vulnerability prioritization that considers not only CVSS scores but also real-time threat intelligence.

Improving prioritization with exploit data

To improve vulnerability prioritization, organizations should move beyond CVSS scores and consider other factors, such as exploitation activity identified in the wild. A valuable source for this is EPSS, a model developed by FIRST.

What is EPSS?

EPSS is a model that provides a daily estimate of the probability that a vulnerability will be exploited in the wild within the next 30 days. The model produces a score between 0 and 1 (0% to 100%), with higher scores indicating a higher probability of exploitation.

The model works by collecting a wide range of vulnerability information from various sources, such as the National Vulnerability Database (NVD), CISA KEV, and Exploit-DB, along with evidence of exploitation activity. A machine learning model is trained on these data points to identify subtle patterns between them, allowing it to predict the likelihood of future exploitation.

CVSS vs EPSS

So how exactly do EPSS scores help improve vulnerability prioritization?

The diagram below illustrates a scenario in which vulnerabilities with a CVSS score of 7 or higher are prioritized for remediation. The blue circle represents all of these CVEs recorded on 1 October 2023. In red are the CVEs that were exploited in the following 30 days.

As you can see, the vulnerabilities that were exploited in the wild represent only a small fraction of the vulnerabilities with a CVSS score of 7 or higher.

Original source: FIRST.org

Let’s compare this to a scenario where vulnerabilities are prioritized based on an EPSS threshold set to 10%.

A noticeable difference between the two diagrams below is the size of the blue circles, which indicate the number of vulnerabilities that need to be prioritized. This gives an idea of the amount of effort required for each prioritization strategy. With a 10% EPSS threshold, the effort is significantly lower, as there are far fewer vulnerabilities to prioritize, reducing the time and resources needed. Efficiency is also significantly higher, as organizations can focus on vulnerabilities that would have the most impact if not addressed first.

Original source: FIRST.org

By considering EPSS when prioritizing vulnerabilities, organizations can better align their remediation efforts with the actual threat landscape. For example, if EPSS indicates a high probability of exploitation for a vulnerability with a relatively low CVSS score, security teams might consider prioritizing that vulnerability over others that have higher CVSS scores but a lower likelihood of exploitation.
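The comparison above can be reproduced on your own inventory. The following is an added example (not code from the article or from Intruder) that scores a CVSS-threshold rule, an EPSS-threshold rule and a combined rule on a constructed sample, using FIRST's definitions of effort, efficiency and coverage for evaluating EPSS; the CVE identifiers and scores are constructed placeholders, not real data.

```python
from dataclasses import dataclass
from typing import Callable, Iterable


@dataclass(frozen=True)
class Vuln:
    cve: str          # identifier (placeholder values below, not real CVEs)
    cvss: float       # CVSS base score, 0-10
    epss: float       # EPSS probability, 0.0-1.0
    exploited: bool   # exploitation observed in the following 30 days


# Constructed sample inventory. It mirrors the article's point: most high-CVSS
# items are never exploited, while a medium-CVSS item with a high EPSS is.
SAMPLE = [
    Vuln("CVE-0000-0001", 9.8, 0.020, False),
    Vuln("CVE-0000-0002", 9.1, 0.010, False),
    Vuln("CVE-0000-0003", 8.8, 0.450, True),
    Vuln("CVE-0000-0004", 7.5, 0.030, False),
    Vuln("CVE-0000-0005", 7.2, 0.004, False),
    Vuln("CVE-0000-0006", 5.9, 0.880, True),   # medium CVSS, high EPSS
    Vuln("CVE-0000-0007", 6.1, 0.120, True),
    Vuln("CVE-0000-0008", 4.3, 0.001, False),
    Vuln("CVE-0000-0009", 7.8, 0.070, False),
    Vuln("CVE-0000-0010", 5.0, 0.150, False),
]


def by_cvss(v: Vuln, threshold: float = 7.0) -> bool:
    return v.cvss >= threshold


def by_epss(v: Vuln, threshold: float = 0.10) -> bool:
    return v.epss >= threshold


def by_either(v: Vuln, cvss_t: float = 9.0, epss_t: float = 0.10) -> bool:
    # Combined rule: a high EPSS wins even when the CVSS score is modest.
    return v.epss >= epss_t or v.cvss >= cvss_t


def evaluate(vulns: Iterable[Vuln], rule: Callable[[Vuln], bool]):
    """Return (effort, efficiency, coverage): effort is how many CVEs the rule
    selects, efficiency the share of selected CVEs that were exploited, and
    coverage the share of all exploited CVEs the rule caught."""
    vulns = list(vulns)
    selected = [v for v in vulns if rule(v)]
    hits = [v for v in selected if v.exploited]
    exploited = [v for v in vulns if v.exploited]
    efficiency = len(hits) / len(selected) if selected else 0.0
    coverage = len(hits) / len(exploited) if exploited else 0.0
    return len(selected), efficiency, coverage


if __name__ == "__main__":
    for name, rule in [("CVSS >= 7", by_cvss), ("EPSS >= 10%", by_epss), ("either", by_either)]:
        effort, eff, cov = evaluate(SAMPLE, rule)
        print(f"{name:12s} effort={effort:2d} efficiency={eff:.0%} coverage={cov:.0%}")
```

On this sample the CVSS rule selects six CVEs and catches one of the three exploited ones, while the EPSS rule selects four and catches all three.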

Simplify vulnerability prioritization with Intruder

Intruder is a cloud-based security platform that helps businesses manage their attack surface and identify vulnerabilities before they can be exploited. By offering continuous security monitoring, attack surface management, and intelligent threat prioritization, Intruder allows teams to focus on the most critical risks while simplifying cybersecurity.

A screenshot of the Intruder platform

Intruder is about to release a vulnerability prioritization feature, powered by the Exploit Prediction Scoring System (EPSS) – a model that leverages machine learning to predict how likely a vulnerability is to be exploited in the next 30 days.

You’ll soon be able to view EPSS scores right inside the Intruder platform, giving your team real-world context for smarter prioritization. These scores will be displayed alongside the existing scoring system, which combines CVSS scores with input from Intruder’s team of security experts to intelligently prioritize your results.

Sign up now to get ahead of the new release. Start your 14-day free trial or book some time to chat and learn more.

This article is a contributed piece from one of our valued partners.
