7 min to read

EPSS for Offensive Security

An article on how the Exploit Prediction Scoring System (EPSS) model can be used during offensive security engagements such as penetration tests and red teaming!

Featured image

In the ever-evolving landscape of cybersecurity, professionals are constantly in search of innovative tools and methodologies to stay one step ahead of adversaries. Currently, the world of cybersecurity offers many different frameworks, standards and other models to assist in determining an organization’s cyber health and a way to show that the organization is up to a certain standard in terms of cybersecurity. Besides the traditional standards and frameworks you also got several sorts of security ratings and security scores, with one of the most known ones being the Common Vulnerability Scoring System (or CVSS in short). In the last few years a new, interesting data-driven model has been up-and-coming, the Exploit Prediction Scoring System (EPSS). While the Exploit Prediction Scoring System and the Common Vulnerability Scoring System are created by the same organization (Forum of Incident Response and Security Teams or FIRST) the outcomes of the models are different. What the Exploit Prediction Scoring System is, how the model works and how it can help penetration testers and red teamers during tests or engagements will be covered in this blog post!

Introduction to the Exploit Prediction Scoring System (EPSS) model

To get a good idea of how EPSS can be beneficial to us offensive security folks, it’s important to first know exactly what it is. At its base, the Exploit Prediction Scoring System (EPSS) is an advanced model developed to predict the likelihood that a software vulnerability will be exploited in the wild. The thing that makes EPSS unique is that is bases the probability score on a combination of machine learning algorithms and real-time data analysis. This score reflects the chances of a particular vulnerability being exploited, taking into account various factors such as the vulnerability’s characteristics, exploit availability, if there are any proof-of-concept(PoC) exploits around and the developments in the current threat landscape.

With the current landscape of security rating, the Exploit Prediction Scoring System (EPSS) had the stand out with a unique purpose and goal. The primary purpose of EPSS is to equip cybersecurity practitioners with a more nuanced and actionable metric for prioritizing vulnerabilities. In the vast sea of vulnerabilities disclosed every year, it’s imperative for organizations to focus their (sometimes limited) resources on patching those that pose the most significant risk. Therefor one of the main goals of EPSS is to streamline the vulnerability management process.

By assigning a predictive score to vulnerabilities, it enables organizations to prioritize their remediation efforts more effectively. This prioritization is based on the likelihood of exploitation rather than just the potential impact or severity which is the case in security ratings like CVSS. Another critical purpose of EPSS is to enhance the overall cybersecurity posture of organizations. This is done by incorporating EPSS scores into their vulnerability management frameworks and their software development lifecycle. Organizations can then adopt a more proactive stance towards cybersecurity.

How the Exploit Prediction Scoring System (EPSS) works

The Exploit Prediction Scoring System (EPSS) employs a machine learning algorithm to analyze and predict the likelihood of software vulnerabilities being exploited in the wild. This predictive capability is not pulled out of thin air but is the result of a sophisticated analysis of a wide array of data sources and factors that influence the exploitability of a vulnerability. These different factors and data sources is what makes the EPSS a strong security rating model. These data sources and factors consists of the following:

At the core of EPSS is a machine learning model that ingests these different sets of data to calculate a probabilistic score for each vulnerability. This isn’t a static model; it’s continuously trained and updated to capture the latest trends and tactics used by attackers. The model evaluates the factors mentioned above, weighing them based on their predictive value determined through historical analysis and current threat intelligence. This results in a CVE being more exploitable one week than the week before that. The output of EPSS is a score that quantifies the risk of a vulnerability being exploited. The scores range from 0 to 1, with higher scores indicating a greater probability of exploitation, which could look something like this:

This shows that CVE-2017-5638 has the highest chance of exploitation according to EPSS and CVE-2020-1472 has the lowest. Which should indicate that a development team should focus their priorities on fixing CVE-2017-5638 first.

The importance of the Exploit Prediction Scoring System (EPSS) for Offensive Security

The usage of the Exploit Prediction Scoring System (EPSS) for DevOps and DevSecOps teams is quickly noticeable, prioritizing potential security threats which are more likely to be exploited before others. But how does EPSS benefit penetration testers, red teamers and offensive security in general?

With the vast number of potential vulnerabilities present in any given system, determining which to exploit first can be daunting. EPSS simplifies this process by providing scores that reflect the likelihood of real-world exploitation. Penetration testers can use these scores to prioritize their efforts, focusing on vulnerabilities that are not just theoretical but are likely to be exploited by actual attackers. It’s also common that a lot of companies offer “light” versions of security assessments in the form of security scans. In my experience these scans are often executed by (junior) penetration testers to get them more familiar with CVEs and the tooling used to perform these scans. The outcome of these scans are usually a bunch of CVEs sorted on their CVSS score. While this is generally a good way of rating these CVEs, a penetration tester can provide a more detailed service to a customer by giving advice on what CVE to prioritize.

The essence of red teaming is to think and operate like an attacker. EPSS scores offer insights into which vulnerabilities are most attractive to real-world adversaries, allowing red teams to craft their campaigns accordingly. This realism enhances the value of red team exercises, providing a more accurate assessment of an organization’s defensive capabilities. In addition to this, red teams can use EPSS in the planning phase of their engagements, selecting targets and tactics based on the likelihood of exploitation. This strategic use of EPSS ensures that red team operations are not just theoretically valid but are grounded in the practical realities of the threat landscape. By integrating EPSS into the penetration testing and red teaming methodologies, penetration testers and red teams can offer more value to their customers by prioritizing vulnerabilities that pose a more legitimate, immediate threat and crafting strategies that mirror the tactics of actual adversaries.

The EPSS Super Sorter

With my increased usage of the Exploit Prediction Scoring System (EPSS), I created a small tool that sorts a selection of CVEs based on their EPSS score, the EPSS Super Sorter. First, a list of CVEs should be provided for the tool in either .XML or .JSON format. This list should have multiple CVEs in it, for example from a security scan or a penetration test. The tool then takes the file, runs it through the EPSS API to get a score for each CVE. It then sorts the CVEs based on their EPSS score in order of most likely to be exploited. The output of the tool is a JSON file with the sorted CVEs along with their EPSS scores. The tool is easy to use and free to download and use. It can be downloaded here:

https://github.com/K1ngDamien/epss-super-sorter

placeholder