Researchers from U.S. NIST and CISA have developed a new security metric that helps determine the likelihood that a vulnerability has already been exploited. The metric is described in a paper published this week by Peter Mell and Jonathan Spring. It augments the existing Exploit Prediction Scoring System (EPSS) and builds upon CISA's Known Exploited Vulnerabilities (KEV) catalog. Studies show that only about 5% of vulnerabilities are ever observed to be exploited, yet the monthly vulnerability remediation rate for most companies currently stands at only 16%. Because remediation is expensive, predicting exploitation is critically important for overall enterprise efficiency.
Mell and Spring noted known shortcomings in both EPSS and KEV.
EPSS, for example, is known to assign inaccurate probability values to certain vulnerabilities, and the CISA KEV catalog, while useful, is likely not fully comprehensive. The proposed likelihood metric could augment EPSS-based remediation by correcting some of these probability inaccuracies, and it could build upon the KEV catalog by enabling measurements of its comprehensiveness. EPSS provides, for each known vulnerability, the probability of exploitation within the next 30 days; however, these probabilities are often inaccurate for vulnerabilities that have previously been observed to be exploited. Fortunately, the inaccuracy is not random: EPSS usually underestimates the true probability. Mell and Spring call their new formula Likely Exploited Vulnerabilities (LEV) probabilities.
The LEV probabilities have at least four distinct potential use cases.
They can measure the expected number and proportion of vulnerabilities exploited by threat actors; they can help estimate the comprehensiveness of the existing KEV catalog; they augment KEV-based remediation by identifying higher-probability vulnerabilities that may be missing from the catalog; and they augment EPSS-based prioritization by identifying vulnerabilities that EPSS may currently score too low. The paper lists two vulnerabilities for which the LEV and EPSS probabilities clearly differ. For CVE-2023-1730, a WordPress plugin flaw, the LEV probability was 0.70 while EPSS peaked at 0.16. For CVE-2023-29373, a Microsoft RCE flaw, LEV was 0.54 while EPSS showed only 0.08. The work also identified several hundred other vulnerabilities with a probability approaching 1.0.
Interestingly, many of the high-probability vulnerabilities identified by LEV are not in the KEV catalog. This is one key reason why LEV cannot replace KEV. LEV cannot identify precisely which of many low-probability vulnerabilities will actually be exploited; it can only compute how many of them are statistically expected to be exploited. KEV, by contrast, identifies the specific vulnerabilities that have already been exploited. LEV thus provides a broader probabilistic view that aids in prioritizing vulnerability remediation. Mell and Spring said they are now looking for industry partners with whom to obtain performance measurements of the LEV metric. The new metric aims to significantly improve overall enterprise vulnerability management practices.
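The article describes LEV only qualitatively. The following Python example is added here and is neither the article's nor the NIST paper's code: it composes a vulnerability's history of 30-day EPSS probabilities into a probability that it was exploited at some point (one minus the product of the per-window non-exploitation probabilities, with windows treated as independent and a partial last window scaled by days/30, which is an assumption about the paper's exact weighting), and then applies that to the uses named above: the expected number of exploited vulnerabilities, a KEV comprehensiveness estimate, and a list of vulnerabilities whose LEV exceeds their latest EPSS score. The EPSS histories, the CVE-0000-PLACEHOLDER ids and the min_gap threshold are constructed for illustration.

```python
from typing import Dict, Iterable, List, Tuple

# Constructed EPSS histories (not real EPSS data): one 30-day-ahead probability
# per consecutive 30-day window, oldest first.  The two CVE ids come from the
# article but their scores are invented; the PLACEHOLDER ids are stand-ins for
# vulnerabilities the article does not name.
SAMPLE_EPSS: Dict[str, List[float]] = {
    "CVE-2023-1730": [0.02, 0.05, 0.10, 0.16, 0.12, 0.08],
    "CVE-2023-29373": [0.01, 0.03, 0.08, 0.06, 0.05, 0.04],
    "CVE-0000-PLACEHOLDER-A": [0.30, 0.40, 0.50, 0.60, 0.60, 0.60],
    "CVE-0000-PLACEHOLDER-B": [0.001, 0.001, 0.002, 0.001, 0.001, 0.001],
}

def lev_probability(epss_scores: List[float], final_window_days: int = 30) -> float:
    """Probability that the vulnerability was exploited at least once across all
    windows.  Each EPSS value is P(exploited in the next 30 days), so
    P(never exploited) is the product of the per-window complements, treating
    windows as independent (an assumption).  A partial last window is scaled by
    days/30, so a 15-day final window contributes half its EPSS value."""
    if not 1 <= final_window_days <= 30:
        raise ValueError("final window must span 1..30 days")
    p_never = 1.0
    for i, p in enumerate(epss_scores):
        if not 0.0 <= p <= 1.0:
            raise ValueError(f"EPSS score out of range: {p}")
        weight = 1.0 if i < len(epss_scores) - 1 else final_window_days / 30.0
        p_never *= 1.0 - p * weight
    return 1.0 - p_never

def expected_exploited(histories: Dict[str, List[float]]) -> float:
    """Expected number of exploited vulnerabilities: the sum of LEV probabilities."""
    return sum(lev_probability(h) for h in histories.values())

def kev_comprehensiveness(histories: Dict[str, List[float]], kev: Iterable[str]) -> float:
    """Share of the expected exploited population that KEV already lists.  Because
    EPSS tends to underestimate, the denominator is itself a lower bound, so read
    the result as an optimistic estimate rather than a measured fraction."""
    expected = expected_exploited(histories)
    kev_set = set(kev)
    listed = sum(1 for cve in histories if cve in kev_set)
    return listed / expected if expected > 0 else 0.0

def underscored(histories: Dict[str, List[float]], min_gap: float = 0.1) -> List[Tuple[str, float, float]]:
    """(cve, LEV, latest EPSS) for CVEs whose LEV exceeds their latest EPSS score by
    at least min_gap: candidates that EPSS-only prioritisation would rank too low."""
    rows = [(cve, lev_probability(h), h[-1]) for cve, h in histories.items() if h]
    flagged = [r for r in rows if r[1] - r[2] >= min_gap]
    return sorted(flagged, key=lambda r: r[1] - r[2], reverse=True)
```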