SaFi Bank Space : Vulnerability Response Playbook

Overview

P1 and P2 vulnerability incidents and critical vulnerability threat intelligence (zero-days, Log4Shell, etc.) require an immediate response to prevent or stop an exploit from propagating through the network. This process is not handled by the regular vulnerability intelligence / incident process because it requires immediate action to handle the situation.

Response Playbook

This playbook is based on the CISA Vulnerability Response Playbook. It has five phases: Identification, Evaluation, Remediation, Reporting and Retrospective.

Identification

Proactively identify reports of vulnerabilities that are actively exploited in the wild through the vulnerability monitoring process. Capture additional information about the vulnerability, such as indicators and behaviors observed in logs and other resources, to improve the detection mechanisms added to the vulnerability monitoring tools.

Evaluation

The goal is to understand what can be done about the situation. First, determine whether the vulnerability exists in the environment and how critically the underlying software or hardware is impacted by it. Second, perform vulnerability scanning to speed up detection. Once an overview of the environment is established, describe the situation as one of the following: the organization is Not Affected, Susceptible, or Compromised.

Compromised - The system / application / host / network is vulnerable and has been exploited.

If the vulnerability exists in the environment, determine whether it has been exploited.

If the vulnerability was exploited in the environment, immediately trigger the incident response team to address it. The strategy is mitigation first, then eradication, then remediation.

Susceptible - The system / application / host / network is vulnerable but has not been exploited.

If the vulnerability was not exploited in the environment, determine the best strategy for the current situation: either mitigate first for a specific time period, or immediately remediate using an on-demand patch such as a hotfix.

Not Affected - The system / application / host / network is not vulnerable.

If the vulnerability does not exist in the environment, improve the monitoring mechanism as a proactive measure to prevent the vulnerability from being exploited.

Remediation

Remediate all actively exploited vulnerabilities that exist in the environment in a timely manner, but first determine the proper strategy to remediate the vulnerability. Take into consideration the time and resources needed to address the vulnerability and the availability of security fixes or hotfixes from the development team. In most cases, mitigation may be appropriate before patching.

Mitigation techniques:

  • Limiting access

  • Isolating vulnerable systems, applications, services, profiles, or other assets

  • Disabling services

  • Reconfiguring firewalls to block access

  • Making temporary configuration changes

Once an available patch can be safely applied, mitigation techniques can be removed accordingly.

As systems are remediated, keep track of their status for reporting purposes. Each system should be describable as one of the following categories:

  • Remediated. The patch or configuration change has been applied, and the system is no longer vulnerable.

  • Mitigated. Other compensating controls—such as detection or access restriction—are in place and the risk of the vulnerability is reduced.

  • Susceptible / Compromised. No action has been taken, and the system is still susceptible or compromised.

Reporting

The tracked status of each vulnerability will be compiled into a report for the CTO to review. In most cases, these reports will be submitted to regulators according to regulatory policies. Reports should contain at a minimum:

  • Vulnerability information

  • Risk Assessment

  • Remediation steps performed to address it

  • Timeline of the whole vulnerability response

Retrospective

A retrospective will be performed after remediation. The goal of this phase is to identify the gaps that led to exploitation of the vulnerability. Assess what went well and what went wrong, and discuss lessons learned to prevent exploitation going forward. The outcome of this process will be recorded as gaps to be addressed in the Gap Assessment and Remediation Plan.