SOCFortress Integrations — Vulnerability Management using the Exploit Prediction Scoring System (EPSS)
Resources used in this blog post: Exploit Prediction Scoring System (EPSS) research paper (PDF).
In the field of cybersecurity, there are various scoring systems and frameworks used to assess the severity and potential impact of vulnerabilities and exploits.
Some commonly known frameworks include the Common Vulnerability Scoring System (CVSS) and the National Vulnerability Database (NVD) scoring system. These systems assign scores or ratings to vulnerabilities based on factors such as the impact, exploitability, and ease of mitigation.
IT vulnerability management refers to the process of identifying, assessing, and mitigating vulnerabilities in an organization’s IT infrastructure. It involves implementing a systematic approach to proactively identify vulnerabilities in hardware, software, networks, and systems, and taking appropriate measures to address them before they can be exploited by attackers.
IT vulnerability management, as an ongoing process, includes the following main topics:
Vulnerability Assessment: This step involves conducting regular vulnerability scans or assessments using automated tools to identify potential weaknesses in the IT environment. These tools scan systems, networks, and applications for known vulnerabilities and provide reports on the identified issues.
Vulnerability Prioritization: Once vulnerabilities are identified, they need to be prioritized based on their severity, impact, and exploitability. Prioritization helps focus resources on addressing the most critical vulnerabilities first.
Risk Analysis: Vulnerabilities should be evaluated in the context of the organization’s specific risk landscape. Risk analysis considers factors such as the likelihood of exploitation, potential impact on business operations, sensitive data exposure, compliance requirements, and any existing security controls.
Patch Management: Keeping systems and software up to date with the latest security patches is crucial for mitigating vulnerabilities. This involves regularly applying patches and updates provided by software vendors to fix known vulnerabilities.
Continuous Monitoring: Vulnerability management is an ongoing process. Regular monitoring and scanning should be performed to identify new vulnerabilities, track patch status, and ensure that mitigation measures are effective.
The vulnerability detection module included in Wazuh is a great resource for collecting the software vulnerabilities detected on each endpoint, for both the operating system and the installed software. The Wazuh manager periodically downloads the NVD and goes through the collected package metadata, spotting CVEs and including their CVSS scores.
In large and complex environments, though, the question is how to tackle remediation and how to plan patching cycles effectively.
EPSS stands for “Exploit Prediction Scoring System” and it’s an attempt to quantify how likely a given CVE is to actually be exploited by attackers in the wild.
The scoring system behind EPSS outputs a probability, from 0 to 1 (0% to 100%), that a given CVE will be exploited in the wild. For example, Heartbleed has a CVSSv2 score of 5.0/10 (7.5/10 in CVSSv3) and an EPSS score of 0.960760000.
EPSS uses a combination of public and proprietary data. Below is a list of some of the data sources:
- MITRE’s CVE List — Only CVEs in the “published” state are scored
- Text-based “Tags” derived from the CVE description and other sources talking about the vulnerability
- Count of how many days the CVE has been published
- Count of how many references are listed in the CVE
- Published Exploit code in any of: Metasploit, ExploitDB and/or Github
- Security Scanners: Jaeles, Intrigue, Nuclei, sn1per
- CVSS v3 vectors as published in the National Vulnerability Database (NVD)
- CPE (vendor) information as published in NVD
- Ground Truth: Daily observations of exploitation-in-the-wild activity from AlienVault and Fortinet.
EPSS provides valuable information that helps organizations plan, prioritize and execute patching campaigns based on the scores this prediction system provides.
The CVEs collected by Wazuh can be used as the input for an API call to EPSS, enriching the detected vulnerability (the Wazuh event) with the scores returned. Instructions on how to implement this integration can be found below.
Create a new data adapter using EPSS API:
Create a data cache to run local lookups for CVEs already seen:
Create a new lookup table using the data adapter and cache created in previous steps:
Finally, create a new pipeline rule that triggers the EPSS lookup through the lookup table defined in the previous step and writes the returned values into the event. The lookup table name and the flattened CVE field name below are assumed; adjust them to match your Graylog setup:
```
rule "EPSS CVE Criticality"
when to_string($message.rule_group1) == "vulnerability-detector"
then
  let ldata = lookup("epss-lookup", to_string($message.data_vulnerability_cve)); // table name from the step above
  set_field("epss_score", ldata["epss"]); set_field("epss_percentile", ldata["percentile"]);
end
```
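The same enrichment flow outside Graylog, as an added example that is not part of the original post or of Wazuh/SOCFortress code: a batched EPSS lookup with the local cache from the steps above (including a negative cache for CVEs EPSS has not scored), applied to Wazuh vulnerability-detector alerts, followed by the patching order the scores suggest. The EPSS response rows, the Wazuh alert layout and `fake_fetch` are constructed stand-ins so the code runs offline.

```python
from urllib.parse import parse_qs, urlencode, urlparse

EPSS_API = "https://api.first.org/epss/"
# Constructed sample of the EPSS API's per-CVE rows; any CVE missing here
# plays the role of one EPSS has not scored (e.g. a reserved/rejected id).
SAMPLE_EPSS = {
    "CVE-2014-0160": {"epss": "0.960760000", "percentile": "0.999200000", "date": "2023-06-01"},
}

def fake_fetch(url):
    """Offline stand-in for an HTTP GET of the EPSS endpoint (same JSON shape, same ?cve= parameter)."""
    cves = parse_qs(urlparse(url).query)["cve"][0].split(",")
    rows = [dict(cve=c, **SAMPLE_EPSS[c]) for c in cves if c in SAMPLE_EPSS]
    return {"status": "OK", "total": len(rows), "data": rows}

class EpssEnricher:
    """Adds EPSS probability/percentile to Wazuh vulnerability-detector alerts, with a local cache."""
    def __init__(self, fetch=fake_fetch):
        self.fetch = fetch   # swap in a real HTTP client in production
        self.cache = {}      # cve -> (epss, percentile), or None once EPSS returned no row for it

    def lookup(self, cves):
        missing = sorted({c for c in cves if c not in self.cache})
        if missing:   # one batched request: the API accepts a comma-separated CVE list
            body = self.fetch(EPSS_API + "?" + urlencode({"cve": ",".join(missing)}))
            for row in body.get("data", []):
                self.cache[row["cve"]] = (float(row["epss"]), float(row["percentile"]))
            for cve in missing:
                self.cache.setdefault(cve, None)   # negative cache: don't re-query unscored CVEs
        return {c: self.cache[c] for c in cves}

    def enrich(self, alert):
        """Mirror of the pipeline rule: only vulnerability-detector events get the extra fields."""
        if "vulnerability-detector" not in alert.get("rule", {}).get("groups", []):
            return alert
        cve = alert["data"]["vulnerability"]["cve"]
        hit = self.lookup([cve])[cve]
        alert["epss_score"], alert["epss_percentile"] = hit if hit else (None, None)
        return alert

def wazuh_alert(cve, cvss3):
    """Constructed Wazuh alert; field layout assumed from Wazuh 4.x vulnerability-detector events."""
    return {"rule": {"groups": ["vulnerability-detector"]},
            "data": {"vulnerability": {"cve": cve, "cvss": {"cvss3": {"base_score": str(cvss3)}}}}}

def patch_order(alerts):
    """Patching queue: highest exploit likelihood first, CVSS base score as the tie-breaker."""
    key = lambda a: (-(a.get("epss_score") or 0.0), -float(a["data"]["vulnerability"]["cvss"]["cvss3"]["base_score"]))
    return [a["data"]["vulnerability"]["cve"] for a in sorted(alerts, key=key)]
```

Note that a high CVSS score alone (the unscored CVE at 9.8) does not outrank a lower-CVSS CVE that EPSS considers very likely to be exploited; that is the prioritization shift the post argues for.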
Visualizing CVEs and scores assigned: