
NIST introduces Likely Exploited Vulnerabilities metric


The National Institute of Standards and Technology (NIST) has introduced a new metric called Likely Exploited Vulnerabilities (LEV). This metric aims to estimate which software vulnerabilities have likely been exploited in the past. LEV builds upon the existing Exploit Prediction Scoring System (EPSS).

EPSS predicts the likelihood of a vulnerability being exploited within a 30-day timeframe. It considers various factors to generate a probability score. However, EPSS has limitations.

It is predictive and does not account for past exploitation. Known Exploited Vulnerability (KEV) lists, like the one maintained by CISA, provide confirmed cases of exploitation. But these lists are often incomplete.

LEV aims to bridge this gap. It calculates the probability that a vulnerability has been exploited in the past based on historical EPSS data. LEV is a statistical estimate, not a confirmation.

NIST emphasizes that LEV is meant to augment, not replace, existing methods. The stakes are high when it comes to vulnerability management. Remediating vulnerabilities is time-consuming and costly.

Introducing the LEV metric

Most companies only manage to patch about 16% of the vulnerabilities affecting their systems each month. Research shows that only about 5% of vulnerabilities are actually exploited in the wild.

LEV could help organizations prioritize vulnerabilities that are likely to have already been used in attacks. This could make patching efforts more targeted and effective. The metric could be used to estimate how many vulnerabilities have been exploited, check the completeness of KEV lists, identify high-risk vulnerabilities missing from those lists, and fix blind spots in EPSS.

NIST makes clear that LEV is not perfect. It depends on the accuracy of EPSS, which has improved over time but is still far from complete. LEV also requires making statistical assumptions that may not always hold true.


To validate LEV, researchers need access to data showing when specific vulnerabilities were first exploited. This data is often held by private sector companies. NIST is actively seeking collaboration with such partners.

Without real-world validation, LEV will remain a promising idea rather than a trusted tool. The LEV code is already available and calculates scores based on public EPSS data. For now, it works best with CVEs published after March 2023, when EPSS version 3 was introduced.

Scores can be updated daily, and LEV lists can be generated based on whatever probability threshold an organization chooses.
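The two ideas above, combining a history of 30-day EPSS probabilities into a single "exploited at least once" estimate, then generating a threshold-based LEV list and checking it against a KEV list, can be shown in a few lines of Python. The code below is an added illustration and is not NIST's LEV implementation: the combination rule it uses (sample the EPSS history every 30 days so windows do not overlap, treat the windows as independent, and scale the trailing partial window by its length) is this example's own simplification of the approach described in the article, and the CVE identifiers, score histories and KEV entries are constructed placeholders.

```python
from bisect import bisect_right
from datetime import date, timedelta

WINDOW_DAYS = 30  # an EPSS score is a probability of exploitation within 30 days


def score_on(history, day):
    """Return the EPSS score in effect on `day`.

    `history` is a list of (date, score) pairs sorted by date, each pair
    recording the score published on that date (later entries supersede
    earlier ones). Returns 0.0 if no score had been published yet.
    """
    dates = [d for d, _ in history]
    idx = bisect_right(dates, day) - 1
    return history[idx][1] if idx >= 0 else 0.0


def lev_estimate(history, as_of):
    """Estimate the probability that a CVE was exploited at least once
    between its first EPSS score and `as_of` (inclusive).

    Simplification used by this example (not NIST's published equation):
    walk the history in non-overlapping 30-day windows, treat each window's
    EPSS score as an independent chance of exploitation, and scale the final
    window by the fraction of 30 days it actually covers. The probability of
    "never exploited" is the product of the per-window complements, so LEV is
    one minus that product.
    """
    if not history:
        return 0.0
    p_never = 1.0
    day = history[0][0]
    while day <= as_of:
        days_covered = (as_of - day).days + 1          # inclusive day count
        weight = min(1.0, days_covered / WINDOW_DAYS)  # partial trailing window
        p_never *= 1.0 - score_on(history, day) * weight
        day += timedelta(days=WINDOW_DAYS)
    return 1.0 - p_never


def build_lev_list(histories, as_of, threshold):
    """Return the sorted CVE ids whose LEV estimate meets the chosen threshold."""
    return sorted(
        cve for cve, hist in histories.items()
        if lev_estimate(hist, as_of) >= threshold
    )


def missing_from_kev(lev_list, kev):
    """CVEs on the LEV list that a KEV list does not contain: candidates for
    review, since the KEV list may be incomplete."""
    return [cve for cve in lev_list if cve not in kev]


# Constructed sample data: placeholder ids, invented EPSS histories.
SAMPLE_HISTORIES = {
    # score was low for months, then jumped (e.g. after an exploit was published)
    "CVE-EXAMPLE-A": [(date(2023, 6, 1), 0.02), (date(2023, 9, 1), 0.40)],
    # score stayed negligible the whole time
    "CVE-EXAMPLE-B": [(date(2023, 6, 1), 0.001)],
}
SAMPLE_KEV = {"CVE-EXAMPLE-C"}  # constructed KEV list that lacks CVE-EXAMPLE-A
AS_OF = date(2023, 11, 27)


if __name__ == "__main__":
    for cve, hist in SAMPLE_HISTORIES.items():
        print(f"{cve}: LEV ~ {lev_estimate(hist, AS_OF):.4f}")
    lev_list = build_lev_list(SAMPLE_HISTORIES, AS_OF, threshold=0.5)
    print("LEV list (threshold 0.5):", lev_list)
    print("On LEV list but not in KEV:", missing_from_kev(lev_list, SAMPLE_KEV))
```

Run as a script it prints the per-CVE estimates, the list above the 0.5 threshold, and which of those are absent from the sample KEV list. The threshold is the organization's choice, as the article notes, and the estimate is only as good as the EPSS history it is fed; a CVE whose scores predate EPSS version 3 would need its history truncated accordingly.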

Rashan is a seasoned technology journalist and visionary leader serving as the Editor-in-Chief of DevX.com, a leading online publication focused on software development, programming languages, and emerging technologies. With his deep expertise in the tech industry and his passion for empowering developers, Rashan has transformed DevX.com into a vibrant hub of knowledge and innovation. Reach out to Rashan at [email protected]
