TheCyberThrone

NIST’s New Approach to Vulnerability Prioritization: LEV


Overview

The National Institute of Standards and Technology (NIST) has introduced Likely Exploited Vulnerabilities (LEV), a data-driven approach to assessing the likelihood that a vulnerability has been exploited. This new metric, developed in collaboration with researchers from the Cybersecurity and Infrastructure Security Agency (CISA), aims to provide up-to-date exploitation probability assessments, helping organizations prioritize patching efforts more effectively.

Traditional vulnerability management relies on CVSS scores, which measure severity from a vulnerability’s technical characteristics and impact but do not predict how likely it is to be exploited. LEV seeks to address this gap by combining historical exploitation data, probability models, and predictive analytics to support threat-intelligence-driven decision-making.

LEV is designed to work alongside CISA’s Known Exploited Vulnerabilities (KEV) list and the Exploit Prediction Scoring System (EPSS), improving vulnerability prioritization strategies for cybersecurity teams.

1. Understanding LEV and How It Works

🔹 What is LEV?

LEV calculates the probability that a given vulnerability has already been exploited, based on historical data, exploit trends, and predictive models. Unlike EPSS, which forecasts the likelihood of exploitation within the next 30 days, LEV incorporates the accumulated exploitation history, offering a stronger foundation for long-term risk assessment.

📌 Key Features of LEV

Daily Updates – LEV provides daily exploitation probability assessments, ensuring security teams receive the latest risk insights.
Historical Exploitation Tracking – Unlike EPSS, which focuses on future exploitation predictions, LEV analyzes past attack patterns, making it more reliable for identifying vulnerabilities with long-term risks.
Two Scoring Models – LEV includes:

📢 LEV helps security professionals move beyond static CVSS scores, focusing on real-world attack patterns to improve remediation prioritization.

2. How LEV Enhances Vulnerability Management

🚀 Advantages Over Existing Vulnerability Scoring Systems

🔹 Improves Accuracy of KEV Lists – While CISA’s Known Exploited Vulnerabilities (KEV) catalog identifies actively exploited vulnerabilities, LEV helps find high-risk vulnerabilities that may be missing from KEV due to reporting delays.
🔹 Refines EPSS Predictions – An EPSS score is a forward-looking 30-day forecast and does not account for whether exploitation has already occurred. LEV adds that historical view, improving the accuracy of prioritization.
🔹 Comprehensive Threat Intelligence Integration – LEV incorporates data from open-source exploit repositories, security reports, and dark web chatter, helping organizations detect potentially weaponized vulnerabilities faster.
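The following is an added illustration of the idea behind the two passages above (a cumulative exploitation probability built from a vulnerability’s EPSS history, used alongside a KEV list for prioritization). It is not code from the post or from NIST; the page does not reproduce NIST’s actual LEV equations, so the combination rule used here, 1 minus the product of (1 − p_i × w_i) over successive 30-day EPSS windows with a linear weight for the still-open window, is an assumption. The CVE identifiers, EPSS values and KEV membership are constructed. It also shows how to surface the “data gap” case (a CVE with no EPSS history) rather than silently scoring it as zero.

```python
from datetime import date

WINDOW_DAYS = 30  # an EPSS score is a probability of exploitation within the next 30 days

# Constructed EPSS history per CVE: (date the score was published, 30-day probability).
# CVE identifiers and probabilities are made up for illustration only.
EPSS_HISTORY = {
    "CVE-0000-0001": [(date(2025, 1, 1), 0.05), (date(2025, 1, 31), 0.20), (date(2025, 3, 2), 0.40)],
    "CVE-0000-0002": [(date(2025, 1, 1), 0.01), (date(2025, 1, 31), 0.01), (date(2025, 3, 2), 0.02)],
    "CVE-0000-0003": [(date(2025, 1, 1), 0.02)],
    "CVE-0000-0004": [],  # no EPSS history at all: the "data gap" case
}

# Constructed stand-in for the CISA KEV catalog (CVE ids with confirmed exploitation).
KEV = {"CVE-0000-0003"}


def window_weight(score_date: date, as_of: date) -> float:
    """Fraction of a 30-day EPSS window starting on score_date that has elapsed by as_of.

    A window that has not started yet contributes 0, a fully elapsed window contributes 1,
    and the most recent, still-open window contributes proportionally (assumption: linear).
    """
    days_elapsed = (as_of - score_date).days + 1
    if days_elapsed <= 0:
        return 0.0
    return min(1.0, days_elapsed / WINDOW_DAYS)


def cumulative_exploitation_probability(history, as_of: date) -> float:
    """Probability that at least one window saw exploitation, treating windows as independent.

    P(never exploited) = product over windows of (1 - p_i * w_i); the result is 1 minus that.
    """
    p_never = 1.0
    for score_date, p30 in history:
        p_never *= 1.0 - p30 * window_weight(score_date, as_of)
    return 1.0 - p_never


def prioritize(epss_history, kev, as_of: date, threshold: float = 0.10):
    """Rank CVEs for patching: KEV entries first (probability 1.0), then by cumulative probability.

    Returns a list of (cve, probability, basis, needs_patch) sorted by priority. A CVE with no
    EPSS history is reported with basis "no data" so the gap is visible to the analyst.
    """
    rows = []
    for cve, history in epss_history.items():
        if cve in kev:
            rows.append((cve, 1.0, "KEV", True))
        elif not history:
            rows.append((cve, 0.0, "no data", False))
        else:
            p = cumulative_exploitation_probability(history, as_of)
            rows.append((cve, p, "EPSS history", p >= threshold))
    # KEV first, then higher probability first, then stable by CVE id
    rows.sort(key=lambda r: (r[2] != "KEV", -r[1], r[0]))
    return rows


if __name__ == "__main__":
    for cve, p, basis, patch in prioritize(EPSS_HISTORY, KEV, date(2025, 3, 31)):
        print(f"{cve}  p={p:.3f}  basis={basis:<13} patch_now={patch}")
```

With these constructed inputs, CVE-0000-0001 rises from individual 30-day scores of 0.05, 0.20 and 0.40 to a cumulative 0.544 as of 31 March 2025, which is the effect the post attributes to LEV: a vulnerability whose per-window forecasts never looked alarming still accumulates a substantial chance of having been exploited. The KEV entry sorts first regardless of its EPSS score, and the CVE with no history is flagged rather than hidden at the bottom with a misleading zero.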

⚠️ Limitations & Challenges

🚨 Data Gaps – LEV depends heavily on historical exploit reports, which may be incomplete or biased toward widely monitored vulnerabilities; a vulnerability with little reporting can therefore receive a low score for lack of evidence rather than lack of risk.
🚨 Computational Complexity – LEV’s single-day probability model requires heavy processing, making it less scalable for organizations without advanced security infrastructure.
🚨 Industry Collaboration Needed – NIST is seeking partnerships with cybersecurity firms to refine data accuracy and exploit correlation methodologies.

Despite challenges, LEV is a groundbreaking step toward more accurate vulnerability assessment, helping security teams prioritize high-risk vulnerabilities more effectively.

3. Next Steps for Organizations Using LEV

Cybersecurity teams should integrate LEV into their vulnerability management workflows to improve patch prioritization and proactive risk mitigation.

✔️ Monitor LEV probabilities daily to identify high-risk vulnerabilities and align patching efforts with active exploitation trends.
✔️ Use LEV alongside EPSS and KEV lists for comprehensive vulnerability tracking and remediation planning.
✔️ Collaborate with NIST and security vendors to refine LEV’s effectiveness and expand its integration into enterprise risk models.

🔗 NIST White Paper on LEV
