One of the most straightforward and effective ways for an organization to prioritize vulnerability response and protect from being compromised is by focusing on vulnerabilities already being actively exploited in the wild. E Com Security Solutions Vulnerability Response Playbook standardizes the high-level process Organizations can follow when responding to these urgent and high-priority vulnerabilities. It is not a replacement for existing vulnerability management programs in place at an organization; instead, it builds on existing vulnerability management practices.
The impacted organization or others in the related mission space could observe vulnerabilities that this playbook addresses. Most vulnerabilities will have Common Vulnerabilities and Exposures (CVE) identifiers. In other cases, organizations might encounter new vulnerabilities that do not yet have a CVE (e.g., zero-days) or vulnerabilities resulting from misconfigurations. Effective vulnerability response builds on strong vulnerability management, so ensure that effective vulnerability management practices are already being followed. Standard vulnerability management programs include phases for identifying, analyzing, remediating, and reporting vulnerabilities. The following describes the vulnerability response process in terms of these standard vulnerability management program phases.
Vulnerability Response Process
Identification: Proactively identify reports of vulnerabilities that are actively exploited in the wild by monitoring threat feeds and information sources, including but not limited to:
- External threat or vulnerability feeds, such as NIST’s National Vulnerability Database, can also show exploited vulnerabilities.
- Internal SOC monitoring and incident response can detect vulnerabilities being exploited in an organization. To help with the rest of the response process, capture additional information about the vulnerability, including its severity, susceptible software versions, and IOCs or other investigation steps that can be used to determine whether it was exploited.
Evaluation: First, determine whether the vulnerability exists in the environment and how critical the underlying software or hardware is, using methodologies such as Stakeholder-Specific Vulnerability Categorization (SSVC). Existing patch and asset management tools are critical and can be used to automate the detection process for most vulnerabilities. Use these tools’ “rapid response” processes (e.g., CDM) to detect actively exploited vulnerabilities. In rare cases, such as one-off misconfigurations and zero-days, additional manual scans may need to be performed. If the vulnerability exists in the environment, address it, as described in the Remediation section below, and determine whether it has been exploited. Use existing best practices to find signs of exploitation, including:
- A sweep for known IOCs associated with the exploitation of the vulnerability.
- Investigation of any abnormal activity associated with vulnerable systems or services, including anomalous access attempts and behaviour.
- Completion of any detection processes.
- If needed, collaborate with a third-party incident responder.
If the vulnerability was exploited in the environment, incident response activities should immediately begin. At the end of the Evaluation phase, the goal is to understand the status of each system in the environment as:
- Not Affected. The system is not vulnerable.
- Susceptible. The system is vulnerable, but no signs of exploitation were found, and remediation has begun.
- Compromised. The system was vulnerable, signs of exploitation were found, and incident response and vulnerability remediation have begun.
Remediation: Remediate all actively exploited vulnerabilities that exist on or within the environment promptly. In most cases, remediation should consist of patching. In other cases, the following mitigations may be appropriate:
- Limiting access;
- Isolating vulnerable systems, applications, services, profiles, or other assets; or
- Making permanent configuration changes.
Existing patch management tools and processes can be used to patch all vulnerabilities regularly. Use the “rapid response” processes in those tools, as described in the Evaluation section above, for vulnerabilities that are being actively exploited. In cases where patches do not exist, have not been tested, or cannot be applied promptly, take other courses of action to prevent exploitation, such as:
- Disabling services,
- Reconfiguring firewalls to block access, or
- Increasing monitoring to detect exploitation.
Once patches are available and have been safely applied, the temporary mitigations can be removed. As systems are remediated, keep track of their status for reporting purposes. Each system should be describable as one of these categories:
- Remediated. The patch or configuration change has been applied, and the system is no longer vulnerable.
- Mitigated. Other compensating controls—such as detection or access restriction—are in place and the risk of the vulnerability is reduced.
- Susceptible/Compromised. No action has been taken, and the system is still susceptible or compromised.
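The Evaluation and Remediation phases above reduce to a classification over each system. As an added illustration, not part of the playbook itself, the following Python script applies the page's two status vocabularies (Not Affected / Susceptible / Compromised, then Remediated / Mitigated / Susceptible/Compromised) to a constructed asset inventory, a constructed feed entry with a placeholder CVE id, IOC sweep hits and the remediation actions taken; all names and data are assumptions.

```python
# Constructed sample data (not real): one actively exploited vulnerability
# with a placeholder id, an asset inventory, IOC sweep hits, and actions taken.
EXPLOITED = {
    "CVE-0000-0000": {"product": "webapp", "vulnerable_versions": {"1.0", "1.1"}},
}
ASSETS = {
    "web-01": {"webapp": "1.0"},
    "web-02": {"webapp": "1.2"},
    "db-01": {"dbsvc": "5.4"},
    "web-03": {"webapp": "1.1"},
}
IOC_HITS = {"web-03"}                                 # hosts where the IOC sweep matched
ACTIONS = {"web-01": "patched", "web-03": "isolated"}  # remediation recorded so far
MITIGATIONS = {"isolated", "access_limited", "service_disabled", "firewall_blocked"}


def evaluate(assets, exploited, ioc_hits):
    """Evaluation phase: Not Affected, Susceptible, or Compromised per system."""
    status = {}
    for host, software in assets.items():
        vulnerable = any(
            software.get(v["product"]) in v["vulnerable_versions"]
            for v in exploited.values()
        )
        if not vulnerable:
            status[host] = "Not Affected"
        elif host in ioc_hits:
            status[host] = "Compromised"   # exploitation evidence found
        else:
            status[host] = "Susceptible"   # vulnerable, no evidence of exploitation
    return status


def needs_incident_response(eval_status):
    """Compromised systems trigger incident response regardless of remediation state."""
    return {h for h, s in eval_status.items() if s == "Compromised"}


def remediation_status(eval_status, actions):
    """Remediation phase: track every affected system for reporting."""
    report = {}
    for host, state in eval_status.items():
        if state == "Not Affected":
            continue
        action = actions.get(host)
        if action == "patched":
            report[host] = "Remediated"       # no longer vulnerable
        elif action in MITIGATIONS:
            report[host] = "Mitigated"        # compensating control, risk reduced
        else:
            report[host] = "Susceptible/Compromised"  # nothing done yet
    return report
```

Running `remediation_status(evaluate(ASSETS, EXPLOITED, IOC_HITS), ACTIONS)` yields the per-system report the Reporting phase expects; hosts returned by `needs_incident_response` must also be handed to the incident response process.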
Reporting and Notification: Sharing information about how adversaries exploit vulnerabilities helps defenders understand which vulnerabilities are most critical to patch. This awareness enables other organizations to understand the vulnerabilities’ impact and to narrow the window between disclosure and remediation during which the vulnerability can be exploited. Organizations must report to regulatory bodies immediately.
E Com Security Solutions’ Incident Response and Cyber Crisis Management
The E Com Security Solutions Cyber Range solution creates immersive simulations to guide your team through realistic breach scenarios, helping ensure you can respond and recover from enterprise-level cyber security incidents, manage vulnerabilities, and build a stronger security culture in your organization. The E Com Security Solutions Cyber Range virtual experiences provide immersive simulations to strengthen your organization’s cyber response, improve resilience, and fix vulnerabilities—anywhere in the world.
Increase preparedness with E Com Security Solutions’ assess, build, and test capabilities and our processes, plans, and playbooks that minimize the impact of cybersecurity incidents. Receive emergency incident response support such as forensic analysis, incident command, deep/dark web analysis, and skilled support from E Com Security Solutions.