Hello, welcome to the Monday, June 13th, 2020 edition of the Sandsenet Storm Center's Stormcast.

My name is Johannes Ulrich.

And today I'm according from Jacksonville, Florida.

Got an interesting diary by Russ from Friday, and it's about trying to predict how likely a vulnerability is being exploited.

First came up with a model. They call it the EPSS model or the exploit prediction scoring system

and made an API available. It allows you to look up the EPSS score for various vulnerabilities

based on their CVE. Now we do have the CVSS score. That score does indicate how severe a vulnerability is,

but of course does not necessarily predict if a vulnerability will actually be

exploited. And a real severe vulnerability you may care less about if it's not going to get

exploited. And that's always sort of a hard thing to sort of figure out. Well, first here came up

with a model that they consider somewhat valid in order to predict how likely

a vulnerability will be exploited in the next 30 days. Now to make it easier to interact with

the API that first offers Russ now created a little utility EPSS call that will allow you to interact with that API

and then retrieve the score based on dates.

So you also can change how it changes over date.

The two numbers that are typically being provided here by first, our first the EPSS

score itself, and then also a percentile, meaning how many vulnerabilities, are the percentage

of vulnerabilities that have a score of whatever the score of the vulnerabilities and lower.

So it's easy to see what sort of your top ranking vulnerabilities are based on their

likelihood of being actually exploited. Certainly an interesting and important project,

so take a look and let me know, let us know, sort of how these tools work, how these EPSS scores

work out for you.

...