2 Aug 2024

We are continuously striving to help our members minimise their exposure to cyber threats, and we understand that effective prioritisation in vulnerability management is a growing concern. To assist with these efforts, AUSCERT is pleased to introduce the Exploit Prediction Scoring System (EPSS) within our bulletins and Critical MSINs, starting 12 August 2024.

Important: AUSCERT advises members to research EPSS thoroughly before considering its application in vulnerability management.

What is EPSS?
EPSS, developed by FIRST (Forum of Incident Response and Security Teams), estimates the likelihood that a vulnerability will be exploited in real-world scenarios. A higher EPSS score indicates a greater probability of exploitation, enabling our members to focus remediation effort on the vulnerabilities most likely to be attacked. This initiative is designed to support proactive cybersecurity measures and enhance overall resilience against potential threats.

EPSS vs CVSS:
CVSS is a well-established framework for assessing vulnerability severity, whereas EPSS adds a further layer of insight by predicting the likelihood of exploitation.
CVSS evaluates a vulnerability on its technical characteristics and potential impact but does not incorporate real-world threat data. EPSS predictions, in contrast, draw on CVE data together with empirical evidence of exploitation activity against real systems.

Where does the EPSS score appear in the AUSCERT bulletin?
The EPSS (Max) score appears for each bulletin in the comments section, below the CVSS (Max) Score.

Where does the EPSS score appear in the Critical MSIN?
The EPSS (Max) score appears in the overview section of AUSCERT's Critical MSIN.

Syntax:
EPSS (Max): (*Probability) (**Percentile) (CVE Number) (Date EPSS calculated)
For example: EPSS (Max): 0.2% (51st) CVE-2024-XXXXX 2024-07-02

*The likelihood that the given CVE will be exploited within the next 30 days.
**The vulnerability's relative severity compared with other scored vulnerabilities: its rank within the distribution of similar security issues, based on their assessed risks and potential impacts.
(Important: EPSS scores change over time, so if you are making decisions based on EPSS, ensure you are using a recently updated value obtained from FIRST.)
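As an added illustration (not AUSCERT's own tooling), the following Python snippet parses the EPSS (Max) line in the syntax above and applies the freshness caveat: it extracts the probability, percentile, CVE number and calculation date, then ranks the lines by probability and flags any score older than an assumed seven-day window. The 10% probability cut-off and the sample lines are constructed for the example.

```python
import re
from datetime import date, timedelta

# Format of the EPSS (Max) line in AUSCERT bulletins and Critical MSINs:
#   EPSS (Max): <probability>% (<percentile>) <CVE number> <date calculated>
EPSS_LINE = re.compile(
    r"EPSS \(Max\):\s*(?P<prob>\d+(?:\.\d+)?)%\s*"
    r"\((?P<pct>\d+)(?:st|nd|rd|th)\)\s*"
    r"(?P<cve>CVE-\d{4}-[0-9A-Z]{4,})\s*"
    r"(?P<calc>\d{4}-\d{2}-\d{2})"
)

def parse_epss_line(line):
    """Return a dict with probability (0..1), percentile, cve and date, or None."""
    m = EPSS_LINE.search(line)
    if m is None:
        return None
    return {
        "probability": float(m.group("prob")) / 100.0,   # "0.2%" -> 0.002
        "percentile": int(m.group("pct")),
        "cve": m.group("cve"),
        "calculated": date.fromisoformat(m.group("calc")),
    }

def is_stale(entry, today, max_age_days=7):
    """True when the score is older than max_age_days (assumed freshness window)."""
    return (today - entry["calculated"]) > timedelta(days=max_age_days)

def prioritise(lines, today, min_probability=0.1):
    """Return (cve, probability, stale) for every parsable line at or above
    min_probability, highest probability first. The 10% cut-off is assumed."""
    rows = []
    for line in lines:
        entry = parse_epss_line(line)
        if entry and entry["probability"] >= min_probability:
            rows.append((entry["cve"], entry["probability"], is_stale(entry, today)))
    return sorted(rows, key=lambda r: r[1], reverse=True)

# Constructed sample lines; the CVE numbers are placeholders, not real identifiers.
SAMPLE_LINES = [
    "EPSS (Max): 0.2% (51st) CVE-2024-XXXXX 2024-07-02",
    "EPSS (Max): 92.4% (99th) CVE-2024-YYYYY 2024-08-01",
    "EPSS (Max): 12.5% (95th) CVE-2024-ZZZZZ 2024-06-15",
    "CVSS (Max): 9.8 CVE-2024-YYYYY",   # not an EPSS line, ignored by the parser
]

if __name__ == "__main__":
    for cve, prob, stale in prioritise(SAMPLE_LINES, date(2024, 8, 2)):
        print(f"{cve}: {prob:.1%}{'  (stale, refresh from FIRST)' if stale else ''}")
```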

(See articles below for further details on use and interpretation)

References:

Understanding EPSS takes some effort, and its suitability varies with the environment. For those interested in exploring EPSS further and understanding how it works, the following articles are a good starting point:

[1] https://www.first.org/epss/
[2] https://www.first.org/epss/user-guide
[3] https://www.first.org/epss/faq
[4] https://vulners.com/blog/epss-exploit-prediction-scoring-system/
[5] https://blog.stackaware.com/p/deep-dive-into-the-epss
[6] https://asimily.com/blog/epss-and-its-role-in-vulnerability-management/
[7] https://security.cms.gov/posts/assessing-vulnerability-risks-exploit-prediction-scoring-system-epss
[8] https://insights.sei.cmu.edu/blog/probably-dont-rely-on-epss-yet/