l3montree-dev / devguard

DevGuard Backend - Manage your CVEs seamlessly, Integrate your Vulnerability Scanners, Security Framework Documentation made easy, Compliance to security Frameworks - OWASP Incubating Project
https://devguard.org

Daily Updated CVSS 4.0 Score Calculation #23

Closed timbastin closed 4 months ago

timbastin commented 9 months ago

As a user, I want a daily updated CVSS 4.0 score in FlawFix, calculated based on current exploited vulnerabilities, their exploitation likelihood, and my environment information, to pre-prioritize my risks.

Alerting?

pandatix commented 8 months ago

Isn't EPSS a better method to fit this use case ?

The CVSS threat metric group only contains the E metric, which does not convey the idea of exploitation likelihood, even though that is the exact idea of EPSS.

timbastin commented 8 months ago

Yep! I want to use the EPSS as the threat metric.

Using the calculator provided by the FIRST organization (https://www.first.org/cvss/calculator/4.0), it does ask for a "Threat" Metric. It is called: "Exploit Maturity (E)", which is defined as "Not Defined", "Attacked", "POC", "Unreported". I am curious, if I can use the EPSS and CISA KEV as DataSource for that. What do you think?

pandatix commented 8 months ago

You can use them as an input, but you'll have a hard time automating finding out whether the CISA KEV refers to X/A/P/U, whether the threat intel is valid/realistic, etc. As a gigantic job is already performed daily by EPSS, in case of automation I would suggest providing the end user the EPSS score along with explanations and a threshold capability to raise alerts rather than computing big data. Less frequently (maybe once a week) you could compute those "interesting" CVEs (i.e. EPSS through the week higher than the threshold, and/or everything you would find interesting for assessing a security posture) to get realistic threat metrics as part of the CVSS vector string.

My main point here is that it would cost a lot of resources to re-compute them all continuously, not that it is not a good idea!

timbastin commented 8 months ago

Do you think it might make sense to map EPSS Values to the Exploit Maturity?

Like:

< 0.1: Unreported
< 0.5: PoC
0.5: Attacked?

Does that sound reasonable? I would love to calculate something which is at least closely related to the term "Risk".

pandatix commented 8 months ago

EPSS is based upon many threat intel sources; it would not make sense to deduce intervals like this. Moreover, EPSS is a time-based metric representing the likelihood of a cyberattack using a vulnerability as part of a Vulnerability Chaining/Cascading Attack, not the exploit maturity (we can imagine an exploit ready to use but not actively used; like Log4Shell not being actively exploited even though the exploits are numerous). Due to this, we could not set thresholds/boundaries like so, as it would imply that the likelihood of a vulnerability getting used depends on the exploit maturity/quality (nonsense).

timbastin commented 8 months ago

Thank you so much for all your input! I am sure I will come back to you, after I had the time to think a bit more thoroughly about that. If you have any good sources for Exploit-Maturity or how to combine the CVSS and the EPSS (besides just displaying them next to each other 😄 ) I would really appreciate that! It is not trivial to calculate something which can be described as "Risk".

timbastin commented 4 months ago

We already implemented a risk calculation function, which recalculates the risk based on the information whether a CVE exists inside the exploit DB. We are currently working on improving this by adding the information whether a PoC exploit exists on GitHub.

We should run this risk calculation whenever we have new data available for all the existing CVE-Flaws. @Refoo0 if you have any questions, feel free to reach out.
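As an added illustration of the approach the thread converges on (not DevGuard's own code; `FlawEvidence`, `DeriveExploitMaturity`, `WithExploitMaturity` and `EPSSAlert` are hypothetical names), the following Go snippet derives the CVSS 4.0 Exploit Maturity (E) value from exploit evidence such as CISA KEV, exploit-db and GitHub PoC presence, refreshes the E component of a vector string when that evidence changes, and keeps EPSS as a separate threshold-based alert rather than mapping it onto E:

```go
package main

import "strings"

// ExploitMaturity holds the CVSS 4.0 Exploit Maturity (E) values named in the thread.
type ExploitMaturity string

const (
	EAttacked   ExploitMaturity = "A" // reports of active exploitation
	EPOC        ExploitMaturity = "P" // public proof of concept, no confirmed attacks
	EUnreported ExploitMaturity = "U" // neither exploitation nor a public PoC is known
)

// FlawEvidence is a constructed record of the evidence sources discussed in the thread.
type FlawEvidence struct {
	EPSS         float64 // EPSS probability in [0,1]; kept separate from E
	InKEV        bool    // listed in CISA KEV, i.e. exploitation has been observed
	InExploitDB  bool    // an exploit is published in exploit-db
	HasGitHubPoC bool    // a PoC repository was found on GitHub
}

// DeriveExploitMaturity maps exploit evidence, not the EPSS score, onto E.
func DeriveExploitMaturity(f FlawEvidence) ExploitMaturity {
	switch {
	case f.InKEV:
		return EAttacked
	case f.InExploitDB || f.HasGitHubPoC:
		return EPOC
	default:
		return EUnreported
	}
}

// WithExploitMaturity replaces (or adds) the vector's E component so the threat
// metric can be refreshed when new exploit data arrives; base metrics are untouched.
func WithExploitMaturity(vector string, e ExploitMaturity) string {
	kept := make([]string, 0, 16)
	for _, p := range strings.Split(vector, "/") {
		if !strings.HasPrefix(p, "E:") {
			kept = append(kept, p)
		}
	}
	return strings.Join(kept, "/") + "/E:" + string(e)
}

// EPSSAlert is the threshold alert suggested in the thread: EPSS is surfaced next
// to the vector instead of being folded into the E metric.
func EPSSAlert(f FlawEvidence, threshold float64) bool {
	return f.EPSS >= threshold
}
```

Re-running `DeriveExploitMaturity` and `WithExploitMaturity` whenever a new exploit-db, GitHub or KEV import lands is the "recalculate when new data is available" step from the last comment; the EPSS threshold is evaluated on each daily EPSS refresh.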