If you follow Cyentia Institute’s Jay Jacobs via social media you may FIRST ;-) have learned about the Exploit Prediction Scoring System (EPSS) from him, as I did. I quickly learned that FIRST offers an API for the EPSS Model, which immediately piqued my interest. Per FIRST, EPSS provides a fundamentally new capability for efficient, data-driven vulnerability management. While EPSS predicts the probability (threat) of a specific vulnerability being exploited, it can scale to estimate the threat for multiple vulnerabilities on a server, a subnet, mobile device, or at an enterprise level (Jacobs, 2022).
“The (EPSS) is a community-driven effort to combine descriptive information about vulnerabilities (CVEs) with evidence of actual exploitation in-the-wild. By collecting and analyzing these data, EPSS seeks to improve vulnerability prioritization by estimating the likelihood that a vulnerability will be exploited. The EPSS model produces a probability score between 0 and 1 (0% and 100%). The higher the score, the greater the probability that a vulnerability will be exploited (in the next 30 days).” (Jacobs, 2022).
As of February 2022, EPSS version 2 is available; give Jay’s write-up a good read before proceeding. EPSS v2 is preceded by EPSS v1 and CVSS v3. Note the significant increase in model coverage and efficiency per Figure 1.
Figure 1: EPSS Comparison by Effort
Inspired by the work of Jay and Bob Rudis years ago via their excellent Data Driven Security book, I found myself immediately compelled to put to use all I’d learned from said book and create an app for the EPSS API.
It is with pleasure I introduce the initial iteration of EPSScall. EPSScall is a Shiny app built to provide a convenient way to interact with the Exploit Prediction Scoring System (EPSS) API. For your convenience there is a demo instance available via shinyapps.io.
To install locally or run on your own Shiny server, clone the repo, change to the directory that contains the app directory, and call runApp from RStudio or an R terminal. I do so locally as follows:
Use of EPSS data centers around a few key entities, namely CVE, date, EPSS, and percentile. For the uninitiated, CVE, or Common Vulnerabilities and Exposures, are MITRE’s construct to identify, define, and catalog publicly disclosed cybersecurity vulnerabilities.
EPSScall is a reactive app, and will, in the absence of input, return the entire set of CVEs included in the EPSS dataset. The data are JSON formatted via the API; EPSScall cleans it up and makes it easily human readable. There are some extremely interesting CVEs of late to consider with EPSScall and certain data pivots. As of this writing, CVE-2022-30190, aka Follina, specific to the Microsoft Support Diagnostic Tool (MSDT), was issued on 30 MAY 2022.
The EPSS score as of 09 JUN 2022 was 0.69 per Figure 2.
Figure 2: CVE-2022-30190 as of 09 JUN 2022
But was the score this high earlier? As the vulnerability underwent early analysis, but garnered more and more attention, and was discovered to be under active exploit, the EPSS score changed accordingly. The EPSS timeline view will help you quickly assess the changes, as seen in Figure 3.
Figure 3: CVE-2022-30190 timeline
Between 02 JUN and 09 JUN the EPSS score went from 0.02 to 0.12 to 0.51 to 0.69. A table view is nice, but a graph is always preferred, as seen via the EPSS Graph view in Figure 4.
Figure 4: CVE-2022-30190 timeline graph
In MAY 2022 we saw two vulnerabilities with CVSS scores of 9.8 out of 10 under active exploitation. These were CVE-2022-22954 for VMware and CVE-2022-1388 for F5. Refer to Dan Goodin’s Ars Technica article for more insight. Given their high CVSS scores it is easy to assume their EPSS scores might follow suit. They can be queried with a variety of pivots in EPSScall. First, let’s assume an EPSS score of greater than 0.90. Ironically, as of 09 JUN 2022 EPSS results for CVE-2022-22954 and CVE-2022-1388 are returned right next to each other per Figure 5.
Figure 5: CVE-2022-22954 and CVE-2022-1388 EPSS greater than 0.90
CVE-2022-22954 has a score of 0.93 and CVE-2022-1388 has a score of 0.91. You may be curious what the percentile score represents. Per FIRST, “percentiles are a direct transformation from probabilities and provide a measure of an EPSS probability relative to all other scores. That is, the percentile is the proportion of all values less than or equal to the current rank” (Jacobs & Romanosky, 2022).
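To make the percentile definition concrete, here is an added Python example (not part of EPSScall, which is an R Shiny app) that ranks the three scores quoted above inside a constructed population and applies the same pivot of EPSS greater than 0.90 and percentile greater than 0.99. The `CONSTRUCTED-*` entries and the function names are assumptions made for illustration.

```python
from bisect import bisect_right

# Scores quoted in the post for 09 JUN 2022.
PAGE_SCORES = {
    "CVE-2022-30190": 0.69,
    "CVE-2022-1388": 0.91,
    "CVE-2022-22954": 0.93,
}


def build_population():
    """Page scores plus 997 constructed low scores (0.000 to 0.049).

    The CONSTRUCTED-* entries are filler, not real CVEs; they stand in for
    the bulk of the EPSS dataset, where most probabilities are small.
    """
    pop = {f"CONSTRUCTED-{i:04d}": (i % 50) / 1000 for i in range(997)}
    pop.update(PAGE_SCORES)
    return pop


def percentiles(scores):
    """Share of all scores that are <= each entry's score (ties share a rank)."""
    ordered = sorted(scores.values())
    return {k: bisect_right(ordered, v) / len(ordered) for k, v in scores.items()}


def pivot(scores, epss_gt, percentile_gt):
    """Entries above both thresholds, highest probability first."""
    ranks = percentiles(scores)
    hits = [k for k, v in scores.items()
            if v > epss_gt and ranks[k] > percentile_gt]
    return sorted(hits, key=scores.get, reverse=True)
```

In this constructed population a probability of 0.045 already sits at percentile 0.92, so a high percentile alone does not imply a high probability of exploitation.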
The percentiles for CVE-2022-22954 and CVE-2022-1388 are, as expected, both greater than 0.99. You can use EPSScall to search by date as well. Focusing now on CVEs with EPSS scores of 0.95 or greater, and percentile of greater than 0.99, I searched using 18 MAY 2022 as the date, given it is the publication date for Dan’s article.
Figure 6: CVE-2022-22965 stands out
Interestingly, CVE-2022-22965 jumps right to the top of the pile. What vuln is that, you ask? Another recent nightmare, Spring4Shell. Of interest, on 10 MAY the EPSS score was 0.65 but on 11 MAY it leapt 30 points to 0.95.
Figure 7: CVE-2022-22965 jumps 30 points
Pure speculation, but perhaps this jump was driven by a number of patches being released by a variety of vendors on 10 MAY 2022 and additional attention specific to exploitation in security blogs on 11 MAY.
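The timeline comparisons above can be automated. The following added Python example (not EPSScall's code) parses a constructed reply shaped like the EPSS API's time-series output and lists the rises that would warrant re-prioritizing a CVE. The JSON field names, the intermediate dates and the `min_delta` threshold are assumptions.

```python
import json
from datetime import date

# Constructed reply, shaped like the EPSS API's time-series scope (field names
# assumed). Scores are the ones quoted in the post; the 05 JUN and 07 JUN
# dates and the 12 MAY point are made up to complete the series.
SAMPLE = json.dumps({"data": [
    {"cve": "CVE-2022-30190", "time-series": [
        {"date": "2022-06-09", "epss": "0.69"},
        {"date": "2022-06-07", "epss": "0.51"},
        {"date": "2022-06-05", "epss": "0.12"},
        {"date": "2022-06-02", "epss": "0.02"}]},
    {"cve": "CVE-2022-22965", "time-series": [
        {"date": "2022-05-12", "epss": "0.95"},
        {"date": "2022-05-11", "epss": "0.95"},
        {"date": "2022-05-10", "epss": "0.65"}]},
]})


def timelines(payload):
    """Parse the reply into {cve: [(date, score), ...]}, oldest first."""
    out = {}
    for rec in json.loads(payload).get("data", []):
        points = {}
        for p in rec.get("time-series", []):
            try:
                points[date.fromisoformat(p["date"])] = float(p["epss"])
            except (KeyError, ValueError):
                continue  # skip malformed points rather than abort the run
        out[rec["cve"]] = sorted(points.items())
    return out


def jumps(payload, min_delta=0.25):
    """List rises of at least min_delta between consecutive observations.

    Observations may be days apart, so the gap is reported with each rise.
    """
    found = []
    for cve, series in timelines(payload).items():
        for (d0, s0), (d1, s1) in zip(series, series[1:]):
            delta = round(s1 - s0, 4)
            if delta >= min_delta:
                found.append((cve, d0.isoformat(), d1.isoformat(),
                              (d1 - d0).days, delta))
    return sorted(found, key=lambda j: j[4], reverse=True)
```

Each result carries the number of days between the two observations, so a rise spread over a gap in the data is not mistaken for a one-day leap.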
I hope you find EPSScall useful, perhaps if only to compel you to find ways to incorporate the EPSS API into your workflows.
The premise of EPSS is vital: knowing the likelihood (probability) of a software vulnerability being exploited in the wild may contribute directly to organizational survivability. Make data informed decisions to patch, mitigate, remediate, protect, detect, etc. FIRST also produces a really nice daily report and CSV dump for your convenience, with useful visuals and insights.
Please consider contributing to this project; I’m an absolutely terrible developer, and I’m sure there are numerous better ways to make this app more useful. In particular, I do hope to plot more than one CVE at a time given that the rest of the app processes multiple comma-separated CVEs reasonably well.
Cheers…until next time.
Russ McRee | @holisticinfosec
Jacobs, J. (2022, February 4). The EPSS Model. FIRST. Retrieved June 1, 2022, from https://www.first.org/epss/model
Jacobs, J., & Romanosky, S. (2022, March). Probability, Percentiles, and Binning - How to understand and interpret EPSS Scores. FIRST. Retrieved June 1, 2022, from https://www.first.org/epss/articles/prob_percentile_bins