Research from earlier this year revealed a worrying uptick in cyberattack volume in the past 24 months, with over a third (36%) of organisations admitting to experiencing three or more data breaches in this time frame. With attack volume increasing, one thing is called into question time and time again: vulnerability prioritisation. The Inaugural Study of EPSS Data and Performance report studies exactly this.
The report outlines vulnerability exploitation in the wild since 2017. Developed by the Cyentia Institute, it is a data-driven, collaborative effort to estimate the likelihood that a published vulnerability will be exploited in the wild. Its goal is to help defenders prioritise vulnerability remediation by focusing on assessed risk. EPSS, to which the community regularly contributes data, combines current threat information about CVEs with real-world exploit data. The EPSS model produces a daily updated prediction of the probability that a vulnerability will be exploited in the next 30 days.
The EPSS research found that there were 237,687 published CVEs as of May 31st 2024, of which 13,807 had been observed with exploitation activity. In the last 12 months, 30,000 CVEs have been published, with the annual rate varying around its average of 16%. Ultimately, the rising number of vulnerabilities threatens to overwhelm vulnerability management teams if remediation cannot be prioritised.
Of these near-250k published CVEs, the number of known-exploited vulnerabilities is steadily approaching 15,000. This means that about 6% of all published CVEs have been exploited in the wild – and that rate is holding steady. Such figures show that tracking and predicting known exploits is critical for efficient remediation.
EPSS aims to distil data from multiple sources into a prediction of exploitation within the next 30 days, and evaluates the resulting prioritisation in terms of coverage, efficiency and effort. It gives vulnerability management teams a simple scoring system that anyone can use, regardless of industry or organisation. The system is a big stride for risk-based reporting. However, it is imperative that larger tech, cyber and cloud organisations pool data into independent schemes like EPSS to maximise its impact.
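To make the coverage, efficiency and effort trade-off concrete, here is an added example (not code from the report, Cyentia or ACDS) that scores two remediation strategies over a small constructed vulnerability set. The CVE identifiers, EPSS probabilities, CVSS scores and "exploited" flags are all made up for illustration; the three metrics are computed the way EPSS performance analyses define them: coverage is the share of exploited vulnerabilities that the strategy remediates, efficiency is the share of remediated vulnerabilities that were actually exploited, and effort is the share of all vulnerabilities remediated.

```python
"""Compare remediation strategies using EPSS-style and CVSS-style thresholds.

Added example with constructed data; not the EPSS model or any real CVE record.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Vuln:
    cve: str          # placeholder identifier, not a real CVE
    epss: float       # hypothetical EPSS probability of exploitation in the next 30 days
    cvss: float       # hypothetical CVSS base score
    exploited: bool   # constructed ground truth: exploitation observed in the wild


# Constructed sample set (all values invented for the example).
SAMPLE: List[Vuln] = [
    Vuln("CVE-0000-0001", 0.970, 9.8, True),
    Vuln("CVE-0000-0002", 0.020, 9.8, False),
    Vuln("CVE-0000-0003", 0.880, 7.5, True),
    Vuln("CVE-0000-0004", 0.010, 9.1, False),
    Vuln("CVE-0000-0005", 0.450, 5.3, True),
    Vuln("CVE-0000-0006", 0.003, 7.2, False),
    Vuln("CVE-0000-0007", 0.600, 4.3, False),
    Vuln("CVE-0000-0008", 0.004, 8.8, False),
    Vuln("CVE-0000-0009", 0.150, 6.5, False),
    Vuln("CVE-0000-0010", 0.710, 9.0, True),
]


def select_by_epss(vulns: Iterable[Vuln], threshold: float) -> List[Vuln]:
    """Remediate everything whose EPSS probability meets the threshold."""
    return [v for v in vulns if v.epss >= threshold]


def select_by_cvss(vulns: Iterable[Vuln], threshold: float) -> List[Vuln]:
    """Remediate everything whose CVSS base score meets the threshold (severity-only)."""
    return [v for v in vulns if v.cvss >= threshold]


def evaluate(vulns: List[Vuln], remediated: Iterable[Vuln]) -> Dict[str, float]:
    """Coverage, efficiency and effort of a remediation choice against ground truth.

    Division-by-zero cases (nothing exploited, nothing remediated, empty input)
    return 0.0 rather than raising, so a degenerate strategy still gets a score.
    """
    chosen = {v.cve for v in remediated}
    exploited = [v for v in vulns if v.exploited]
    hits = sum(1 for v in exploited if v.cve in chosen)
    return {
        "coverage": hits / len(exploited) if exploited else 0.0,
        "efficiency": hits / len(chosen) if chosen else 0.0,
        "effort": len(chosen) / len(vulns) if vulns else 0.0,
    }


def compare_strategies(vulns: List[Vuln]) -> Dict[str, Dict[str, float]]:
    """Score a few threshold strategies side by side."""
    strategies = {
        "EPSS >= 0.1": select_by_epss(vulns, 0.1),
        "EPSS >= 0.5": select_by_epss(vulns, 0.5),
        "CVSS >= 7.0": select_by_cvss(vulns, 7.0),
    }
    return {name: evaluate(vulns, chosen) for name, chosen in strategies.items()}


def remediation_queue(vulns: List[Vuln], threshold: float) -> List[str]:
    """Ordered work list for the team: highest EPSS first among those above the threshold."""
    ranked = sorted(select_by_epss(vulns, threshold), key=lambda v: v.epss, reverse=True)
    return [v.cve for v in ranked]


if __name__ == "__main__":
    for name, m in compare_strategies(SAMPLE).items():
        print(f"{name:12} coverage={m['coverage']:.2f} "
              f"efficiency={m['efficiency']:.2f} effort={m['effort']:.2f}")
    print("queue at EPSS >= 0.5:", remediation_queue(SAMPLE, 0.5))
```

On this constructed data the CVSS >= 7.0 strategy patches 70% of the list yet reaches only three of the four exploited vulnerabilities, while EPSS >= 0.1 reaches all four with 60% of the effort; raising the EPSS threshold to 0.5 cuts effort further at the cost of coverage. The point is not the specific numbers but that a threshold on an exploitation probability can be tuned along that trade-off, which severity alone cannot express.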
The report is sponsored by Advanced Cyber Defence Systems (ACDS), among other forward-thinking organisations. But why does this step matter? According to Elliott Wilkes, CTO of ACDS: “EPSS is the logical next step in quantifying the risk of a vulnerability with impact. The EPSS has the potential to be a gamechanger, if it is adopted widely. It’s a move to a much more reliable, data-driven system that helps teams understand, predict, and protect future likelihood. The scoring system enables and supports data-driven conversations between technical professions and board members. It quantifies risk, agnostic to any one organisation.”
EPSS aims to help leaders prioritise remediation of relevant CVEs that have the potential to cause disruption within their organisations, moving to a more standardised approach to vulnerability management.
ACDS is an active supporter of other independent, industry-led schemes and standards. Earlier this year, ACDS became an early supporter of CISA’s Secure by Design Pledge. The scheme aims to encourage developers to build software that is foundationally secure by design, in essence helping both engineering and security teams. Such schemes bolster the security of the entire industry and the broader world.
Elliott Wilkes dives into this topic more in his bi-weekly LinkedIn newsletter, Hacker Headspace, saying: “Building an open cybersecurity community is vital for resilience, especially when supporting government led schemes where we can cultivate a united front against cyber threats… Why? Because we believe it’s more powerful – and valuable – to stand together as a whole, rather than lead the way with one.”