By Jay Jacobs

Call for Sponsors: Inaugural Exploit Prediction Annual Report

Cyentia Institute and the Forum of Incident Response and Security Teams (FIRST) are seeking multiple sponsors to support anlaysis into the historical performance of the Exploit Prediction Scoring System (EPSS). This effort will lead to the first-ever annual report for EPSS, which will benefit its large and growing community of enterprise users and security products that leverage EPSS. Information about this research is provided below and you can register sponsorship interest here.

What is EPSS?

EPSS is a data-driven effort for estimating the likelihood (probability) that a published vulnerability will be exploited in the wild. Our goal is to assist defenders to better prioritize vulnerability remediation efforts. While other industry standards have been useful for capturing innate characteristics of a vulnerability and provide measures of severity, they are limited in their ability to assess threat. EPSS fills that gap because it uses current threat information targeting CVEs along with real-world exploit data. The EPSS model produces a daily updated prediction of the probability that a given vulnerability will be exploited in the next 30 days.

What’s the goal of the study?

Have you ever heard claims about a security product or model/score that never made any attempt to validate whether actual performance lived up to those claims? Nah, neither have we. That’s obviously a joke—that’s the norm in our field. But we don’t want to follow that script with EPSS.

For years, we’ve been collecting evidence of exploitation activity from data contributors to the EPSS Special Interest Group (SIG) at FIRST.org. This data was used to train the EPSS model that produces daily scores. With the passage of time, we now have a rich history of predictions that we can test with the benefit of hindsight. In addition to primary goal of evaluating EPSS performance over the last few years, we also hope to explore the following research questions in this study:

  • How many vulnerabilities are actually being exploited in the wild?
  • How widespread and sustained is this exploitation?
  • How long after CVE publication does exploitation activity peak?
  • What trends and patterns can we detect in exploitation?
  • Should we focus more on zero-day or end-of-life vulnerabilities?
  • Are there any clear indicators before exploitation occurs?

All of these (and more) questions have been lingering in the data, just waiting to be uncovered!

Exploitation activity observed for a single CVE, Red represents more daily activity.

What will sponsorship funds be used for?

We have all the data necessary to complete the study. The Cyentia Institute will analyze the data, generate visualizations, coordinate input, draft the findings, and layout the report. Of course, this requires a significant amount of effort that takes us away from other paid research projects, which is why we’re seeking sponsors to help make that feasible. Sponsorship funds will also help cover the ongoing storage and compute costs associated with EPSS that to date has been paid exclusively by Cyentia. And last but not least, a portion of your sponsorship will be used by FIRST.org to support the EPSS SIG and related work. So, good causes all around that benefit the community and are well worth your investment!

Why should FIRST and the Cyentia Institute do this research?

A valid question, and thanks for asking it. FIRST is the non-profit hosting EPSS and the Cyentia Institute is a trusted entity with a long track record of conducting high-integrity, data-driven research. One of our founders started Verizon’s Data Breach Investigations Report (itself a multi-source analysis of data from many organizations) and led that team for almost a decade. The other founder is the primary author and data scientist on all EPSS research to date. Bottom line: We know how to do this kind of research on exactly this topic (which is why we are proposing it).

What are the benefits of being a sponsor?

The most important benefit is the satisfaction of directly contributing to improving EPSS and helping to reduce exposure for many organizations around the world. Plus, you get to work with the incredible Cyentia team! What more could you ask for?

Okay, yes, there are more benefits beyond those. We have several sponsorship packages designed to spotlight your organization’s support for this research and even include your reflections on our conclusions in the report itself. Please reach out so we can follow up with more details!

You might also like
Prioritization to Prediction, Vol 3: Wade’s Take
I Once Called Vuln Researchers NVPs; Are They MVPs Instead?
GitHub: A Source for Exploits
Looking Back on 2021
EPSS version 2 is out!
Visualizing the Value of Attack Path Choke Points for Prioritization
0 replies

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.