Vulnerability Response Playbook

High-level process for responding to urgent and high-priority vulnerabilities that are being actively exploited in the wild

Most vulnerabilities will have a Common Vulnerabilities and Exposures (CVE) identifier. In other cases, agencies might encounter new vulnerabilities that do not yet have a CVE (e.g., zero-days) or vulnerabilities resulting from misconfigurations, which have no CVE at all and must be tracked by description.

Identification

Proactively identify reports of vulnerabilities being actively exploited in the wild by monitoring threat feeds and information sources (vendor advisories, government and industry exploited-vulnerability catalogs, ISAC bulletins), and cross-reference each report against the asset inventory to determine whether the affected product is present in the environment.
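As an added example of the cross-referencing step (not part of the original playbook): the script below loads a feed of actively exploited CVEs and matches it against an asset inventory, normalizing vendor/product names so that "HTTP Server" and "http-server" compare equal, skipping hosts already at or past a known fixed release, and ordering the hits by ransomware use and due date. The feed, inventory, and the FIXED_IN table are constructed sample data; the feed field names follow the general shape of public exploited-vulnerability feeds but are an assumption for this example, and the fixed-version values are placeholders that a team would take from the vendor advisory.

```python
import json
import re

# Constructed sample feed of actively exploited CVEs. Field names follow the
# general shape of public "known exploited vulnerabilities" feeds, but the
# entries and dates are sample data for this example, not a real download.
FEED_JSON = """
{"vulnerabilities": [
  {"cveID": "CVE-2021-44228", "vendorProject": "Apache", "product": "Log4j2",
   "dueDate": "2021-12-24", "knownRansomwareCampaignUse": "Known"},
  {"cveID": "CVE-2021-41773", "vendorProject": "Apache", "product": "HTTP Server",
   "dueDate": "2021-11-17", "knownRansomwareCampaignUse": "Unknown"},
  {"cveID": "CVE-2019-0708", "vendorProject": "Microsoft", "product": "Remote Desktop Services",
   "dueDate": "2022-06-08", "knownRansomwareCampaignUse": "Known"}
]}
"""

# Constructed asset inventory (what a CMDB export might look like). Vendor and
# product strings are deliberately inconsistent to show why normalization matters.
INVENTORY = [
    {"host": "web-01", "vendor": "Apache", "product": "HTTP Server", "version": "2.4.49"},
    {"host": "web-02", "vendor": "apache", "product": "http-server", "version": "2.4.52"},
    {"host": "app-01", "vendor": "Apache", "product": "Log4j2", "version": "2.14.1"},
    {"host": "db-01", "vendor": "PostgreSQL", "product": "PostgreSQL", "version": "13.4"},
]

# Assumed locally maintained table of the first fixed release per CVE. The
# values are placeholders for this example; take real ones from the vendor advisory.
FIXED_IN = {"CVE-2021-44228": "2.17.0", "CVE-2021-41773": "2.4.51"}


def normalize(name: str) -> str:
    """Lowercase and drop non-alphanumerics so 'HTTP Server' == 'http-server'."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def version_tuple(version: str) -> tuple:
    """Turn '2.4.49' into (2, 4, 49) for numeric comparison; non-numeric parts count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def find_exposed_assets(feed_json: str, inventory: list, fixed_in: dict) -> dict:
    """Return {cveID: [hosts]} for hosts whose vendor/product matches an exploited CVE.

    A host at or past the known fixed release is skipped. If no fixed release is
    known, a vendor/product match keeps the host as a candidate for evaluation.
    """
    exposed = {}
    for entry in json.loads(feed_json)["vulnerabilities"]:
        key = (normalize(entry["vendorProject"]), normalize(entry["product"]))
        hosts = []
        for asset in inventory:
            if (normalize(asset["vendor"]), normalize(asset["product"])) != key:
                continue
            fixed = fixed_in.get(entry["cveID"])
            if fixed and version_tuple(asset["version"]) >= version_tuple(fixed):
                continue  # already at or past the fixed release
            hosts.append(asset["host"])
        if hosts:
            exposed[entry["cveID"]] = sorted(hosts)
    return exposed


def prioritize(feed_json: str, exposed: dict) -> list:
    """Order matched CVEs: known ransomware use first, then earliest due date."""
    by_id = {v["cveID"]: v for v in json.loads(feed_json)["vulnerabilities"]}
    return sorted(
        exposed,
        key=lambda c: (by_id[c]["knownRansomwareCampaignUse"] != "Known", by_id[c]["dueDate"]),
    )


if __name__ == "__main__":
    hits = find_exposed_assets(FEED_JSON, INVENTORY, FIXED_IN)
    for cve in prioritize(FEED_JSON, hits):
        print(cve, "->", ", ".join(hits[cve]))
```

A vendor/product match is only a trigger: the version check here uses a locally curated table, because exploited-vulnerability feeds generally do not carry affected version ranges. Any host that matches but cannot be confirmed patched goes into the Evaluation step below.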

Evaluation

  • Sweep systems running the affected software for known indicators of compromise (IOCs) associated with exploitation of the vulnerability (attacker IP addresses and domains, file hashes, request patterns).

  • Investigate any abnormal activity associated with vulnerable systems or services, including anomalous access attempts and behavior (e.g., repeated failed logins followed by a success, or access to administrative paths from unexpected sources).

  • Initiate incident response if the vulnerability has been exploited in the environment.
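As an added example of the two evaluation checks above (not part of the original playbook), the script below runs an IOC sweep and an anomalous-access check over a web-server access log. The IOC values (documentation-range IP addresses, an example domain, and an encoded path-traversal marker) and the log lines in Combined Log Format are constructed for this example; the login path and failure threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed IOCs for the vulnerability under evaluation. The IPs are from
# documentation ranges and the domain is an example name; none are real indicators.
IOCS = {
    "ips": {"203.0.113.45", "203.0.113.46"},
    "domains": {"updates.example.net"},
    "request_patterns": [re.compile(r"%2e%2e", re.IGNORECASE)],  # encoded traversal marker
}

# Constructed access log (Combined Log Format) with benign and suspicious lines mixed.
SAMPLE_LOG = """\
192.0.2.10 - - [10/Oct/2023:13:55:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.45 - - [10/Oct/2023:13:55:36 +0000] "GET /cgi-bin/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 200 1024 "-" "curl/7.88.1"
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "POST /admin/login HTTP/1.1" 401 120 "-" "python-requests/2.31"
198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "POST /admin/login HTTP/1.1" 401 120 "-" "python-requests/2.31"
198.51.100.7 - - [10/Oct/2023:13:56:03 +0000] "POST /admin/login HTTP/1.1" 401 120 "-" "python-requests/2.31"
198.51.100.7 - - [10/Oct/2023:13:56:04 +0000] "POST /admin/login HTTP/1.1" 200 2048 "-" "python-requests/2.31"
192.0.2.10 - - [10/Oct/2023:13:57:10 +0000] "GET /app?next=http://updates.example.net/x HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.11 - - [10/Oct/2023:13:58:00 +0000] "POST /admin/login HTTP/1.1" 401 120 "-" "Mozilla/5.0"
192.0.2.11 - - [10/Oct/2023:13:58:05 +0000] "POST /admin/login HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Combined Log Format: ip ident user [ts] "method path proto" status size "referer" "ua"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line: str):
    """Parse one access-log line into a dict, or None if it is not in the expected format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def sweep_iocs(log_text: str, iocs: dict) -> list:
    """Return one finding per log line that touches a known IOC, with every reason it matched."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = []
        if rec["ip"] in iocs["ips"]:
            reasons.append("source ip in IOC list")
        haystack = " ".join((rec["path"], rec["referer"], rec["ua"]))
        for domain in iocs["domains"]:
            if domain in haystack:
                reasons.append(f"IOC domain {domain} in request")
        for pat in iocs["request_patterns"]:
            if pat.search(rec["path"]):
                reasons.append(f"request matches IOC pattern {pat.pattern}")
        if reasons:
            findings.append({"line": n, "ip": rec["ip"], "reasons": reasons})
    return findings


def detect_suspicious_logins(log_text: str, login_path: str = "/admin/login", failures: int = 3) -> list:
    """Flag sources that reach a 2xx on the login path only after `failures` or more
    consecutive 4xx responses: the shape of a password-guessing run that succeeded."""
    fails = defaultdict(int)
    flagged = []
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        if rec["path"] != login_path:
            continue
        if rec["status"].startswith("4"):
            fails[rec["ip"]] += 1
        elif rec["status"].startswith("2"):
            if fails[rec["ip"]] >= failures:
                flagged.append({"ip": rec["ip"], "failures_before_success": fails[rec["ip"]]})
            fails[rec["ip"]] = 0  # a success resets the streak
    return flagged


if __name__ == "__main__":
    for f in sweep_iocs(SAMPLE_LOG, IOCS):
        print(f"line {f['line']} from {f['ip']}: " + "; ".join(f["reasons"]))
    for f in detect_suspicious_logins(SAMPLE_LOG):
        print(f"{f['ip']}: login succeeded after {f['failures_before_success']} failures")
```

The IOC sweep answers "did a known attacker touch this system"; the login check answers "did something unusual happen regardless of known indicators", which matters for zero-days and misconfigurations that have no published IOCs yet. A hit from either check is the trigger for the incident-response step.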

Remediation

  • Patch management --> apply the vendor patch to all affected systems, prioritizing internet-facing and high-value assets; where no patch exists yet (e.g., a zero-day), apply the vendor's recommended mitigation or workaround

  • Disable unused services, especially the vulnerable service where it is not needed

  • Reconfigure firewalls to block traffic to and from known IOCs (attacker IP addresses and domains)

  • Increase monitoring (raise alert levels) on affected and related systems until patching is verified
