Here is a fresh update to our vFeed Vulnerability Intelligence. For this release, we went risk-oriented by adding two new features that have gone viral.
Indeed, vFeed now enriches its IoVs (Indicators of Vulnerability) with data from EPSS (Exploit Prediction Scoring System), maintained by FIRST, and the Known Exploited Vulnerabilities (KEV) Catalog, maintained by CISA.
First of all, I would like to inform you that I am personally not very convinced by the EPSS approach. On the one hand, it is built on top of CVSS and relies on probability calculations, and it introduces a certain complexity to the understanding and application of the concept itself (limited only to vulnerabilities with exploits). On the other hand, the system is opaque because there is no access to the data nor to the machine learning code used to generate the numbers.
One should not rely entirely on EPSS when assessing vulnerabilities in one's environment. The theory of vulnerabilities remains subject to a lot of instability and improbable findings, so we cannot "predict" them with a simple algorithm even if it looks fancy.
Also, vFeed will very soon introduce a new method for classifying and scoring vulnerabilities that is entirely uncorrelated from CVSS (and by extension EPSS) and not based in any way on prediction theory. For years we have been collecting enough empirical data on vulnerabilities to describe their evolution model with our new scoring approach.
Exploit Prediction Scoring System (EPSS)
The Exploit Prediction Scoring System (EPSS) is an open, data-driven effort for estimating the likelihood (probability) that a software vulnerability will be exploited in the wild. The goal of EPSS is to help network defenders better prioritize vulnerability remediation efforts.
As an effort to extend the risk capabilities of vFeed, we have mapped the percentile rank and probability provided by EPSS into our database. Whenever it is available, the EPSS data set is replicated onto our indicators of vulnerability.
Below is an example of CVE-2021-44228 tagged with EPSS.
CISA Known Exploited Vulnerabilities Catalog (KEV)
CISA maintains the authoritative source of vulnerabilities that have been exploited in the wild: the Known Exploited Vulnerabilities (KEV) catalog.
CISA strongly recommends that all organizations review and monitor the KEV catalog and prioritize remediation of the listed vulnerabilities to reduce the likelihood of compromise by known threat actors. We have mapped our IoVs (indicators of vulnerability) to a certain extent with the KEV catalog entries.
So whenever a vulnerability is listed on the CISA website as a Known Exploited Vulnerability, it is reported and replicated onto our indicators of vulnerability.
Below is an example of CVE-2021-44228 tagged with KEV.
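To make the two enrichment steps above concrete (mapping EPSS probability/percentile onto an indicator, and flagging the indicator when the CVE appears in the KEV catalog), here is an added, self-contained Python example. It is illustrative code written for this post, not vFeed's code or its Python API. The EPSS rows follow the column layout of the public EPSS CSV feed (cve, epss, percentile, preceded by a "#" comment line) and the KEV document follows the layout of CISA's known_exploited_vulnerabilities.json; the score values and the Indicator record type are constructed here for the example. It also shows one defender-side use of the enriched data: ranking KEV entries first, then the remainder by EPSS probability.

```python
"""Enrich vulnerability indicators with EPSS scores and CISA KEV membership.

Added example, not vFeed's own code. Feed layouts follow the public EPSS CSV
and CISA KEV JSON; the sample rows below are constructed for illustration.
"""
import csv
import json
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample of the EPSS CSV feed (scores are made up for this example).
EPSS_CSV = """\
#model_version:v2023.03.01,score_date:2024-01-01T00:00:00+0000
cve,epss,percentile
CVE-2021-44228,0.97560,0.99990
CVE-2020-0001,0.00042,0.09120
"""

# Constructed sample shaped like CISA's KEV JSON catalog (one entry only).
KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "sample",
    "vulnerabilities": [
        {
            "cveID": "CVE-2021-44228",
            "vendorProject": "Apache",
            "product": "Log4j2",
            "vulnerabilityName": "Apache Log4j2 Remote Code Execution Vulnerability",
            "dateAdded": "2021-12-10",
            "dueDate": "2021-12-24",
        }
    ],
})


@dataclass
class Indicator:
    """Minimal indicator-of-vulnerability record (hypothetical shape, for the example)."""
    cve_id: str
    epss_probability: Optional[float] = None
    epss_percentile: Optional[float] = None
    kev: Optional[dict] = None  # KEV catalog entry when the CVE is listed, else None


def parse_epss(text: str) -> Dict[str, Tuple[float, float]]:
    """Map CVE id -> (probability, percentile); the leading '#' metadata line is skipped."""
    lines = [ln for ln in text.splitlines() if not ln.startswith("#")]
    reader = csv.DictReader(lines)
    return {row["cve"]: (float(row["epss"]), float(row["percentile"])) for row in reader}


def parse_kev(text: str) -> Dict[str, dict]:
    """Map CVE id -> KEV catalog entry (vendor, product, dateAdded, dueDate, ...)."""
    doc = json.loads(text)
    return {entry["cveID"]: entry for entry in doc["vulnerabilities"]}


def enrich(indicators: List[Indicator],
           epss: Dict[str, Tuple[float, float]],
           kev: Dict[str, dict]) -> List[Indicator]:
    """Attach EPSS scores where available and the KEV entry where the CVE is listed.

    Indicators absent from both feeds are left untouched: EPSS only scores
    published CVEs, and KEV only lists confirmed in-the-wild exploitation.
    """
    for iov in indicators:
        if iov.cve_id in epss:
            iov.epss_probability, iov.epss_percentile = epss[iov.cve_id]
        iov.kev = kev.get(iov.cve_id)
    return indicators


def prioritize(indicators: List[Indicator]) -> List[Indicator]:
    """Rank KEV-listed CVEs first, then by EPSS probability descending, unscored last."""
    return sorted(indicators,
                  key=lambda i: (i.kev is None, -(i.epss_probability or 0.0)))


if __name__ == "__main__":
    sample = [Indicator("CVE-2020-0001"), Indicator("CVE-2023-0000"), Indicator("CVE-2021-44228")]
    for iov in prioritize(enrich(sample, parse_epss(EPSS_CSV), parse_kev(KEV_JSON))):
        print(iov.cve_id, iov.epss_probability, iov.epss_percentile, "KEV" if iov.kev else "-")
```

Running the block prints the three constructed indicators in remediation order: the KEV-listed Log4j entry first, the low-EPSS CVE next, and the CVE missing from both feeds last, which is the ordering a defender gets "for free" once both fields live on the indicator.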
CAPEC updated to version 3.8
CAPEC Version 3.8 has been posted on the CAPEC List page. A detailed report is available that lists the specific changes between Version 3.7 and Version 3.8.
Python API updated to version 1.2.0
A new version of the API wrapper was released to handle all of these changes. If you are using the Python 3.x API, we urge you to upgrade to this latest version so you are able to fetch the newly added indicators. Here is the full changelog.