September 25, 2025
Robert "RSnake" Hansen
I have recently been asking a lot of questions about what the security community does when they need to prioritize too many vulns. Said another way, if you have more vulnerabilities than you can reasonably fix, what order do you choose to remediate?
As you may expect, a lot of people working inside companies and at vendors alike discussed orders of operation around exploitability and asset importance. These are very interesting conversations and mirror what we’re hearing in private conversations with vulnerability management teams. But a couple of answers involved the use of EPSS, and they’re worth discussing here.
EPSS is a prediction scoring model that attempts to answer the question, “Which vulnerability is most likely to be exploited this month?” Comparatively, KEVs (known exploited vulnerabilities) are lists of vulnerabilities for which there is evidence of exploitation in the wild. Examples of KEVs are lists like CISA KEV and VulnCheck KEV.
A small handful of the community responses answered with some variation of “EPSS first, then KEV lists, then everything else.” There are two important things here.
The first issue is that this order of using EPSS first flies in the face of guidance from the non-profit Forum of Incident Response and Security Teams (FIRST), the governing body that developed EPSS.
From the first paragraph of the EPSS FAQ, "Since EPSS is estimating the probability of exploitation activity, EPSS is best used when there is no other evidence of active exploitation. When evidence or other intelligence is available about exploitation activity, that should supersede the EPSS estimate (see “Everyone knows this vulnerability has been exploited…” question)."
To be clear, I did not add the emphasis. That’s straight from the site.
A second issue is that the respondents didn’t say at which point they switch from using EPSS to KEV lists. Do they switch after the top 90% are fixed? 80%? There is no built-in cutoff for EPSS; it naturally goes all the way down to 0% and is inclusive of all 300k+ CVEs. So are they really saying they’d fix all CVEs and then circle back to the KEV lists, which are also composed of CVEs?
It doesn’t logically make sense, so implicit in their statement there must be a cutoff, even if it’s not spelled out. Also, “everything else” is included in EPSS unless they mean issues for which there is no CVE associated. Okay, fair enough, but these details matter because this could make the difference between suffering losses and not.
So no, an “EPSS first” strategy is not the correct route if you believe FIRST’s vision of risk prediction using EPSS in concert with real-world active exploitation. Listen to the authors on this one. While they didn’t mention KEVs by name, they certainly do reference the concept of known exploited vulnerabilities and recommend you take action at least in the instance where the model has not correctly predicted the exploitation activity of a vulnerability and you have evidence that it is currently in use.
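To make the ordering difference concrete, here is an added Python illustration (not code from the original post) that ranks a constructed set of vulnerabilities both ways: the “EPSS first, then KEV” strategy with its implicit cutoff made explicit, and the evidence-first ordering the EPSS FAQ recommends. The CVE identifiers, EPSS scores and KEV flags are placeholders, not real data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    cve: str
    epss: float   # EPSS probability of exploitation activity, in [0, 1]
    in_kev: bool  # appears on a KEV list (CISA KEV, VulnCheck KEV, ...)


# Constructed sample data: placeholder CVE ids and invented scores.
SAMPLE = [
    Vuln("CVE-0000-0001", 0.92, False),
    Vuln("CVE-0000-0002", 0.03, True),   # exploited in the wild, but EPSS scores it low
    Vuln("CVE-0000-0003", 0.45, False),
    Vuln("CVE-0000-0004", 0.60, True),
    Vuln("CVE-0000-0005", 0.001, False),
]


def epss_first(vulns, cutoff):
    """'EPSS first, then KEV, then everything else', with the unstated cutoff
    made explicit: fix everything at or above `cutoff` by EPSS, then the KEV
    entries below the cutoff, then the rest.  With cutoff 0.0 (no cutoff, as
    EPSS itself has none) the KEV entries never get priority at all."""
    by_epss = sorted(vulns, key=lambda v: v.epss, reverse=True)
    head = [v for v in by_epss if v.epss >= cutoff]
    kev_tail = [v for v in by_epss if v.epss < cutoff and v.in_kev]
    rest = [v for v in by_epss if v.epss < cutoff and not v.in_kev]
    return [v.cve for v in head + kev_tail + rest]


def evidence_first(vulns):
    """Ordering consistent with the EPSS FAQ: evidence of exploitation supersedes
    the estimate, so KEV entries come first (highest EPSS among them first),
    followed by everything else in descending EPSS order."""
    return [v.cve for v in sorted(vulns, key=lambda v: (not v.in_kev, -v.epss))]


def position(order, cve):
    """1-based remediation position of `cve` in an ordering."""
    return order.index(cve) + 1


if __name__ == "__main__":
    for label, order in [("EPSS first, no cutoff", epss_first(SAMPLE, 0.0)),
                         ("EPSS first, cutoff 0.5", epss_first(SAMPLE, 0.5)),
                         ("evidence first", evidence_first(SAMPLE))]:
        print(f"{label:24s} {order}  (KEV item CVE-0000-0002 at #{position(order, 'CVE-0000-0002')})")
```

With no cutoff the actively exploited CVE-0000-0002 lands fourth, behind an unexploited vulnerability scored at 0.45; under the evidence-first ordering it is second.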
There is a lot to be said here about evidence of exploitation vs loss, but we can discuss that another day. I’d rather not muddy the conversation. However, I felt it important to discuss what appears to be a somewhat common prioritization strategy, and perhaps a misunderstanding of EPSS’s intended use. Hopefully that makes things a bit more clear!