Chart courtesy of Cyentia Institute Report "A Visual Exploration of Exploitation in the Wild: An Inaugural Study of EPSS Data and Performance"
The Download
As the chart above shows, there has been explosive growth in the publication of vulnerabilities (CVEs). In 2024 alone, the number of published CVEs is expected to exceed 30,000, and the total number of published vulnerabilities will cross 250,000.
That is a lot of vulnerabilities to search for and manage. In fact, spend enough time with the numbers and you will quickly conclude that traditional ways of managing vulnerabilities no longer work. The work done by the Cyentia Institute breaks down the numbers for us. Perhaps the most startling number is that only 6% of all vulnerabilities are ever exploited. This means that if you are spending your time patching the other 94%, you are wasting your time (as far as reducing exposure to attack is concerned) and valuable resources.
So which 6% should we focus on? That is where the Exploit Prediction Scoring System (EPSS) comes in. EPSS provides the probability that a particular vulnerability will be exploited in the next 30 days, based on open source threat intelligence.
Researchers from Resilient Cyber spent time with the report and published some interesting insights. Some key takeaways:
Vulnerability Growth: The number of reported vulnerabilities has been increasing by 16% annually, with 2024 being the first year to surpass 30,000 CVEs.
Exploitation Rate: Only about 6% of all known vulnerabilities are ever exploited in the wild, highlighting inefficiencies in current vulnerability management practices.
Exploitation Timing: Attackers exploit some vulnerabilities as quickly as 22 minutes after a proof-of-concept is available, while others are targeted years later, showing a wide range in exploitation timelines.
Vintage Vulnerabilities: Despite the hype around zero-day vulnerabilities, attackers often exploit older, known vulnerabilities, as they remain unpatched in many systems.
EPSS vs. CVSS: The Exploit Prediction Scoring System (EPSS) significantly outperforms the Common Vulnerability Scoring System (CVSS) in prioritizing vulnerabilities that are likely to be exploited, enhancing remediation efficiency.
What You Can Do:
While reading the full report is worthwhile, here are three actionable takeaways:
Adopt EPSS for Prioritization: Implement the Exploit Prediction Scoring System (EPSS) to focus on vulnerabilities with the highest likelihood of exploitation, improving resource allocation and reducing unnecessary workload.
Regular Patching of Known Vulnerabilities: Prioritize the patching of older, known vulnerabilities, as these are frequently exploited by attackers who take advantage of unpatched systems.
Timely Response to New Exploits: Develop a rapid response strategy to address newly disclosed vulnerabilities, particularly those with proof-of-concept exploits, to mitigate the risk of immediate attacks.
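The "EPSS vs. CVSS" takeaway and the "Adopt EPSS for Prioritization" step above can be made concrete by comparing two patch queues on the same inventory. The following is an added example, not code from the original post or from ThreatMate; the CVE ids, scores and the set of "observed exploited" CVEs are constructed placeholders, and the 0.1 EPSS threshold and CVSS 7.0 cut-off are assumptions chosen for illustration.

```python
"""Compare a CVSS-only patch queue with an EPSS-based one on a constructed inventory."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve: str
    cvss: float  # CVSS base score, 0-10 (severity)
    epss: float  # EPSS: probability of exploitation in the next 30 days, 0-1


# Constructed sample data: the CVE ids and scores are placeholders, not real records.
INVENTORY = [
    Finding("CVE-0000-0001", 9.8, 0.020),
    Finding("CVE-0000-0002", 7.5, 0.910),
    Finding("CVE-0000-0003", 5.3, 0.670),
    Finding("CVE-0000-0004", 9.1, 0.004),
    Finding("CVE-0000-0005", 6.5, 0.120),
    Finding("CVE-0000-0006", 8.8, 0.350),
    Finding("CVE-0000-0007", 4.3, 0.001),
    Finding("CVE-0000-0008", 9.0, 0.050),
]
# Constructed ground truth: which of the above were later seen exploited in the wild.
OBSERVED_EXPLOITED = {"CVE-0000-0002", "CVE-0000-0003", "CVE-0000-0006"}


def cvss_queue(findings, min_cvss=7.0):
    """Traditional policy: patch everything rated High/Critical, highest CVSS first."""
    chosen = [f for f in findings if f.cvss >= min_cvss]
    return [f.cve for f in sorted(chosen, key=lambda f: -f.cvss)]


def epss_queue(findings, min_epss=0.1):
    """EPSS policy: patch what is likely to be exploited; CVSS breaks ties on impact."""
    chosen = [f for f in findings if f.epss >= min_epss]
    return [f.cve for f in sorted(chosen, key=lambda f: (-f.epss, -f.cvss))]


def evaluate(queue, exploited):
    """Coverage: share of exploited CVEs the queue includes.
    Efficiency: share of the queued CVEs that were actually exploited."""
    hit = len(set(queue) & exploited)
    coverage = hit / len(exploited) if exploited else 0.0
    efficiency = hit / len(queue) if queue else 0.0
    return round(coverage, 3), round(efficiency, 3)


if __name__ == "__main__":
    for name, q in (("CVSS>=7.0", cvss_queue(INVENTORY)), ("EPSS>=0.1", epss_queue(INVENTORY))):
        cov, eff = evaluate(q, OBSERVED_EXPLOITED)
        print(f"{name}: {len(q)} CVEs queued, coverage={cov:.0%}, efficiency={eff:.0%}")
```

On this constructed data the CVSS queue patches five CVEs and still misses one that was exploited, while the shorter EPSS queue covers all three; real-world results depend on the thresholds and on the quality of the EPSS feed.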
Fortunately, ThreatMate has you covered. ThreatMate provides EPSS scores for all vulnerabilities and also takes into account each CVE's CVSS (severity) score to develop a prioritized plan based on risk to the organization. Get started with ThreatMate today to effectively manage your attack surfaces with minimal effort.
To Learn More:
Cyentia Institute, "A Visual Exploration of Exploitation in the Wild: An Inaugural Study of EPSS Data and Performance"