NIST Proposes New Metric for Predicting Probability of Vulnerability Exploitation
Patching software to fix known vulnerabilities is an endless process and one that is vital for cybersecurity; however, with so many vulnerabilities being discovered, it is a major challenge for security teams to keep on top of vulnerability management.
In 2024, there was a 39% increase in Common Vulnerabilities and Exposures (CVEs), with 40,003 added to the National Vulnerability Database. Busy security teams cannot patch every instance of affected software immediately, so there is an inevitable delay in fixing known exploited vulnerabilities and those likely to be exploited in the wild, and that delay gives threat actors a window of opportunity. It is therefore important that patches are prioritized.
Only a small number of disclosed vulnerabilities are ever exploited, so prioritizing patching helps make the best use of limited resources and keeps the window of opportunity as short as possible. One study suggests that only around 5% of vulnerabilities are exploited, while the monthly remediation rate at companies is around 16%. If the 16% that get patched included all of the 5% that are exploited, the remediation rate would be sufficient, but nothing guarantees that overlap.
When prioritizing patching, security teams should assess the likelihood of a vulnerability being exploited, using information such as CVSS scores and whether threat actors have previously targeted a particular software product. The best tools currently available are the Exploit Prediction Scoring System (EPSS), which estimates the probability that a vulnerability will be exploited within the next 30 days, and Known Exploited Vulnerability (KEV) lists, such as the catalog maintained by the U.S. Cybersecurity and Infrastructure Security Agency (CISA). Unfortunately, EPSS is known to produce inaccurate values, and KEV lists are not comprehensive. The EPSS inaccuracies are systematic rather than random: they are most common for vulnerabilities that have already been exploited, which EPSS tends to underscore, because a score that only looks 30 days ahead can be low for a vulnerability whose exploitation occurred earlier.
The National Institute of Standards and Technology (NIST) has recently proposed a new metric to help organizations with patch prioritization. It augments EPSS by correcting some of its known inaccuracies and augments KEV lists by flagging likely omissions. The new metric, Likely Exploited Vulnerabilities (LEV), is detailed in a recently published NIST Cybersecurity White Paper and is computed from a vulnerability's history of EPSS scores rather than from its latest score alone. NIST says LEV probabilities can help address EPSS inaccuracies and omissions from KEV lists. Since most vulnerabilities will have relatively low LEV probabilities, creating a LEV list of vulnerabilities above a chosen threshold, such as 20%, would produce a manageable number of vulnerabilities to focus on, while continuing to address every vulnerability on KEV lists.
Each entry on the LEV list would include the vulnerability identifier, a description, a publication date, the LEV probability, the peak EPSS score, the date of that peak EPSS score, and the affected products. The LEV approach has limitations, notably an unknown margin of error, but it could prove to be a valuable tool for focusing remediation on the vulnerabilities with the highest probability of exploitation, and therefore for improving an organization's security posture.
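The following added example is not from the NIST white paper or the HIPAA Journal article; it illustrates the idea behind a LEV-style list, namely treating each 30-day EPSS score as the probability of exploitation in its window and computing the probability that at least one window saw exploitation, then thresholding the result and merging in KEV entries. The pro-rated weight for a final window shorter than 30 days is my reading of the NIST approach and should be checked against the white paper; the EPSS histories, the KEV set, and the CVE identifiers are constructed for the example and are not real data.

```python
from dataclasses import dataclass
from datetime import date

WINDOW_DAYS = 30  # EPSS scores predict exploitation within the next 30 days

# Constructed sample data (not real EPSS or KEV values): one EPSS score per
# 30-day window for each CVE, keyed by a fictitious identifier.
SAMPLE_EPSS_HISTORY = {
    "CVE-2024-0001": [
        (date(2024, 1, 1), 0.02),
        (date(2024, 1, 31), 0.15),
        (date(2024, 3, 1), 0.40),  # peak score, later decays
        (date(2024, 3, 31), 0.10),
    ],
    "CVE-2024-0002": [
        (date(2024, 2, 1), 0.01),
        (date(2024, 3, 2), 0.01),
        (date(2024, 4, 1), 0.02),
    ],
    "CVE-2024-0003": [
        (date(2024, 3, 1), 0.05),
    ],
}
SAMPLE_KEV = {"CVE-2024-0002"}  # low EPSS but confirmed exploited (a KEV entry)


def window_weight(score_date, end_date):
    # Fraction of the 30-day window starting at score_date that falls on or
    # before end_date, so a partially elapsed final window counts pro rata
    # (assumed weighting; verify against the NIST white paper).
    days_covered = (end_date - score_date).days + 1
    return max(0.0, min(days_covered, WINDOW_DAYS) / WINDOW_DAYS)


def lev_probability(history, end_date):
    # Probability of exploitation in at least one window up to end_date:
    # 1 - Pr(no exploitation in any window), treating windows as independent.
    not_exploited = 1.0
    for score_date, epss in history:
        if score_date > end_date:
            continue
        not_exploited *= 1.0 - epss * window_weight(score_date, end_date)
    return 1.0 - not_exploited


@dataclass
class LevEntry:
    cve: str
    lev: float
    peak_epss: float
    peak_epss_date: date
    on_kev: bool


def build_priority_list(histories, kev, end_date, threshold=0.20):
    # Keep everything above the LEV threshold plus everything on the KEV list;
    # description, publication date and affected products would be joined from
    # NVD in a real pipeline and are omitted here.
    entries = []
    for cve, history in histories.items():
        lev = lev_probability(history, end_date)
        on_kev = cve in kev
        if lev < threshold and not on_kev:
            continue
        peak_date, peak = max(history, key=lambda item: item[1])
        entries.append(LevEntry(cve, lev, peak, peak_date, on_kev))
    # Confirmed exploitation (KEV) first, then descending LEV probability.
    entries.sort(key=lambda e: (not e.on_kev, -e.lev))
    return entries


if __name__ == "__main__":
    for entry in build_priority_list(SAMPLE_EPSS_HISTORY, SAMPLE_KEV, date(2024, 4, 9)):
        print(f"{entry.cve} LEV={entry.lev:.3f} peak EPSS={entry.peak_epss:.2f} "
              f"on {entry.peak_epss_date} KEV={entry.on_kev}")
```

Note that CVE-2024-0001 has a current EPSS score of only 0.10, yet its LEV probability is above 0.5 because of the earlier 0.40 window, which is exactly the case where a single current EPSS value underscores a vulnerability; CVE-2024-0002 stays on the list only because it is on the KEV set, showing why KEV entries are kept regardless of threshold.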


