EPSS


EPSS stands for Exploit Prediction Scoring System. It's a data-driven, open, and community-driven effort designed to predict the probability that a software vulnerability will be exploited in the wild.  

Think of it as a weather forecast for cyber threats. Instead of predicting rain, EPSS predicts the likelihood of exploitation for a given Common Vulnerabilities and Exposures (CVE) identifier. This helps security teams prioritize vulnerability remediation efforts by focusing on the weaknesses most likely to be weaponized and pose a real-world risk.  

Here's a breakdown of key aspects of EPSS:

1. Data-Driven Approach:

  • EPSS relies on a vast amount of real-world data to generate its scores. This data comes from various sources, including:  

    • Exploit intelligence: Information about known exploits, proof-of-concept code, and active exploitation campaigns.

    • Vulnerability intelligence: Details about the vulnerability itself, its severity, and its impact.  

    • Threat intelligence: Information about threat actors, their tactics, techniques, and procedures (TTPs).  

    • Social media and dark web monitoring: Insights into discussions and activities related to vulnerability exploitation.

  • This data is continuously analyzed using statistical models to identify patterns and correlations that indicate an increased likelihood of exploitation.  

2. Probabilistic Scoring:

  • EPSS scores are a probability between 0 and 1 (or 0% and 100%).  

  • A higher score indicates a higher predicted likelihood of exploitation. For example, an EPSS score of 0.8 (or 80%) suggests a high probability that the vulnerability will be exploited.  

  • This probabilistic nature allows security teams to make risk-based decisions rather than treating all vulnerabilities with the same level of urgency.  

3. Temporal Aspect:

  • Exploitation likelihood isn't static. It can change over time as new information emerges (e.g., the release of an exploit kit, increased chatter among threat actors).  

  • EPSS scores are dynamic and fluctuate based on the latest data, providing a more up-to-date risk assessment than static scoring systems like CVSS.  

4. Open and Community-Driven:

  • The EPSS initiative is open and relies on contributions from the cybersecurity community. This collaborative approach helps ensure the accuracy and comprehensiveness of the data and models.  

  • The data and scoring methodology are generally transparent, allowing organizations to understand how the scores are derived.

5. Integration with Vulnerability Management:

  • EPSS is designed to integrate with existing vulnerability management workflows and tools.  

  • By augmenting traditional vulnerability scoring systems (like CVSS) with EPSS scores, security teams gain a more nuanced understanding of vulnerabilities' risk.  

  • This enables them to prioritize remediation efforts more effectively, focusing on the vulnerabilities most likely to be exploited and have the most significant impact on their organization.  
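An added example (not from this page or from ThreatNG) of the prioritization described in sections 2 and 5: CVSS supplies static severity, EPSS supplies exploitation likelihood, and combining them sorts findings into remediation buckets and gives a rough probability that any of them is exploited. The CVE identifiers, scores and thresholds are constructed for illustration.

```python
from dataclasses import dataclass

# Assumed operational thresholds (not from the page): EPSS >= 0.10 is treated
# as "likely to be exploited", CVSS >= 7.0 as high severity.
EPSS_THRESHOLD = 0.10
CVSS_THRESHOLD = 7.0


@dataclass(frozen=True)
class Finding:
    cve: str
    cvss: float  # CVSS base score, 0.0-10.0: inherent severity, static
    epss: float  # EPSS probability of exploitation (next 30 days), 0.0-1.0


def bucket(f: Finding) -> str:
    """Assign one of four remediation buckets from likelihood x severity."""
    likely = f.epss >= EPSS_THRESHOLD
    severe = f.cvss >= CVSS_THRESHOLD
    if likely and severe:
        return "patch-now"
    if likely:
        return "patch-soon"
    if severe:
        return "schedule"
    return "monitor"


def prioritise(findings):
    """Rank by EPSS first (likelihood), then by CVSS (impact) as a tie-break."""
    return sorted(findings, key=lambda f: (f.epss, f.cvss), reverse=True)


def any_exploited_probability(findings):
    """P(at least one finding is exploited), treating per-CVE EPSS values
    as independent events. Independence is a simplifying assumption."""
    p_none = 1.0
    for f in findings:
        p_none *= 1.0 - f.epss
    return 1.0 - p_none


# Constructed sample data; the identifiers and scores are placeholders.
SAMPLE = [
    Finding("CVE-0000-0001", cvss=9.8, epss=0.02),  # severe but rarely exploited
    Finding("CVE-0000-0002", cvss=7.5, epss=0.93),  # severe and actively exploited
    Finding("CVE-0000-0003", cvss=5.3, epss=0.45),  # moderate but likely exploited
    Finding("CVE-0000-0004", cvss=4.0, epss=0.01),
]

if __name__ == "__main__":
    for f in prioritise(SAMPLE):
        print(f"{f.cve}  CVSS={f.cvss:4.1f}  EPSS={f.epss:.2f}  -> {bucket(f)}")
    print(f"P(at least one exploited) = {any_exploited_probability(SAMPLE):.3f}")
```

Note that the CVSS 9.8 finding lands below the CVSS 5.3 one: EPSS reorders work by what is actually being exploited rather than by worst-case severity alone.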

EPSS in cybersecurity is a crucial advancement in vulnerability management. It moves beyond assessing a vulnerability's inherent severity and focuses on predicting the real-world likelihood of its exploitation. By leveraging a data-driven, probabilistic, and community-driven approach, EPSS empowers security teams to make more informed decisions, prioritize remediation efforts effectively, and ultimately reduce their organization's cyber risk.  

Think of the benefits:

  • Improved Prioritization: Focus resources on the most dangerous vulnerabilities first.  

  • Enhanced Efficiency: Reduce wasted effort on patching low-risk vulnerabilities.  

  • Better Risk Management: Gain a more accurate understanding of the organization's threat landscape.

  • Proactive Security Posture: Anticipate and mitigate potential attacks before they occur.  

By understanding and using EPSS, cybersecurity professionals can significantly enhance their ability to defend against evolving cyber threats.

How ThreatNG Syncs Up and Uses Threat Intelligence Data

ThreatNG heavily relies on continuously updated intelligence repositories, branded as "DarCache". These repositories are crucial for ThreatNG's functionality; the ones referenced in the sections below are DarCache Vulnerability, DarCache EPSS, DarCache Rupture, DarCache Ransomware, and DarCache Compromised Credentials.

This constant syncing and referencing of threat intelligence, including EPSS, is essential to how ThreatNG operates across its various modules:

1. External Discovery

  • While External Discovery is described as "purely external unauthenticated discovery using no connectors", the data gathered here (subdomains, open ports, technologies, etc.) forms the foundation for assessments that do use threat intelligence. For instance, discovered vulnerabilities are cross-referenced with DarCache Vulnerability (including EPSS) to gauge their risk.

2. External Assessment

This is where threat intelligence, including EPSS, plays a significant role. Examples:

  • Cyber Risk Exposure: This assessment "considers parameters our Domain Intelligence module covers, including certificates, subdomain headers, vulnerabilities, and sensitive ports, to determine cyber risk exposure". The "vulnerabilities" aspect directly ties into DarCache Vulnerability, where EPSS scores help prioritize those posing the highest exploitation risk.

    • Example: ThreatNG discovers an exposed web server (External Discovery) running a version of Apache with known vulnerabilities (DarCache Vulnerability). EPSS scores indicate a high likelihood of exploit. ThreatNG flags this as a critical cyber risk exposure.

  • Breach & Ransomware Susceptibility: This is "calculated based on external attack surface and digital risk intelligence, which includes domain intelligence (exposed sensitive ports, exposed private IPs, and known vulnerabilities), dark web presence (compromised credentials and ransomware events and gang activity), and sentiment and financials (SEC Form 8-Ks)".

    • Example: ThreatNG finds compromised credentials (DarCache Rupture) related to an organization and combines this with the presence of exposed database servers (Domain Intelligence) and high EPSS scores for those database vulnerabilities (DarCache EPSS). This significantly increases the Breach & Ransomware Susceptibility score.

3. Reporting

  • ThreatNG's reports (Executive, Technical, etc.) directly incorporate threat intelligence to provide context and prioritization.

    • Example: A report on vulnerabilities will not just list CVEs but also include EPSS scores (from DarCache EPSS) to show which vulnerabilities need immediate attention. It will also likely include data from DarCache Ransomware to highlight if ransomware groups are actively exploiting a vulnerability.

  • The Knowledgebase embedded in reports includes "Risk levels to help organizations prioritize their security efforts and allocate resources more effectively by focusing on the most critical risks". EPSS is a key component in determining these risk levels.

4. Continuous Monitoring

  • ThreatNG continuously monitors external attack surface, digital risk, and security ratings. As threat intelligence evolves (e.g., new EPSS scores, new ransomware campaigns), ThreatNG's assessment of an organization's risk posture is updated in near real-time.

5. Investigation Modules

  • The investigation modules, especially Domain Intelligence and Sensitive Code Exposure, heavily use threat intelligence for in-depth analysis.

    • Example: During a Domain Intelligence investigation, if a subdomain is found to have an exposed login page, ThreatNG can pull in data from DarCache Vulnerability to see if there are known vulnerabilities with high EPSS scores that could allow attackers to compromise that login page.

    • Example: The Sensitive Code Exposure module discovers exposed code repositories. It can then use DarCache Compromised Credentials to check if any of the exposed credentials in the code have also been found on the dark web, indicating a higher risk of immediate compromise.

6. Intelligence Repositories (DarCache)

  • As described above, DarCache is the core of ThreatNG's threat intelligence. It's where data like EPSS scores, dark web activity, and ransomware information is stored and continuously updated, feeding all other modules.

7. Working with Complementary Solutions

  • ThreatNG's API-driven nature and focus on providing enriched data make it suitable for integrating SIEMs, vulnerability management platforms, and other security tools.

    • How ThreatNG helps: ThreatNG enriches these other tools with external attack surface context. For example, it can tell a SIEM that a particular IP address isn't just generating suspicious traffic but is also associated with a subdomain that is vulnerable to takeover and has exposed credentials on the dark web.

    • Examples of working with complementary solutions:

      • A vulnerability management system can use ThreatNG's EPSS-enhanced vulnerability data to prioritize patching.

      • A SIEM can use ThreatNG's findings to correlate external attack surface data with internal security events, improving threat detection and response.

      • SOAR platforms can automate actions based on ThreatNG's alerts, such as isolating vulnerable systems.

ThreatNG's power comes from combining external attack surface discovery with a rich threat intelligence context. EPSS is critical, enabling ThreatNG to provide more accurate risk assessments and help security teams focus on the threats that matter most.
