Crashedmind
commented
5 months ago thanks @chrisdlangton for the info. I was not aware of Coalition ESS - I see it was lauched in June 2023 https://www.coalitioninc.com/blog/announcing-coalition-exploit-scoring-system-ess.
The open questions that come to my mind (based on 10 minutes recon starting at zero knowledge)
- Is there a research/scientific paper that validates the solution?
- Is there any validation against ground truth i.e. exploits observed on the ground? From below, no, not yet.
- As someone who is in the middle of using "artificial intelligence and large language modeling to scan the descriptions used" in CVEs (for a conference I'll be presenting on in May), I can say that the data is not very consistent or useful as an indicator of exploitablity.
But, the data is available on https://ess.coalitioninc.com/explore/ so maybe I or someone else will do some analysis in the future.
Doing a quick 10 minute recon..
Coalition ESS leverages artificial intelligence and large language modeling to scan the descriptions used within newly released CVEs (Common Vulnerabilities and Exposures) and compares them to previously published vulnerabilities to predict the likelihood of exploitability. The result is two probability scores: the Exploit Availability Probability, or the likelihood that code for an exploit will be publicly available, and the Exploit Usage Probability, or the likelihood that threat actors will use an exploit to execute an attack. These scores combined give security managers and IT professionals a prioritization list outlining which vulnerabilities pose the greatest threat, saving time and resources in an otherwise arduous decision-making process.
As a result, Coalition said, combining honeypot data with automated vulnerability prioritization is "an exciting prospect." To that end, Coalition's long-term goal is to combine honeypot traffic with machine learning to assign weights to specific activity. The honeypot data would be integrated into Coalition's own ESS model, which was announced last year and compares descriptions of newly published CVEs to previously published vulnerabilities to predict the likelihood of exploitability.
chrisdlangton
cmlh
Like EPSS, Coalition ESS collect exploit intelligence and scores CVE data
Their site seems to have graphed all CVEs and it's searchable
I find its results less a blackbox than EPSS, because their values are theoretically reproduced as they've explained their process, algorithms, and detail how anyone else might produce their own ESS
However I am fully aware of the EPSS hype and realise ESS interest is almost non existent, because hype always trumps quality I have low expectations of seeing ESS covered in the guide or notebooks