Vulnerability Response Playbook
High-level process for responding to urgent and high-priority vulnerabilities that are being actively exploited in the wild
Most vulnerabilities will have a Common Vulnerabilities and Exposures (CVE) identifier. In other cases, agencies might encounter new vulnerabilities that do not yet have a CVE (e.g., zero-days) or vulnerabilities resulting from misconfigurations.
Identification
Proactively identify reports of vulnerabilities being actively exploited in the wild by monitoring threat feeds and other information sources
Evaluation
Sweep for known indicators of compromise (IOCs) associated with exploitation of the vulnerability.
Investigate any abnormal activity associated with vulnerable systems or services, including anomalous access attempts and behavior.
Begin incident response (IR) if the vulnerability is being exploited in the environment.
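The IOC sweep and the check for anomalous access attempts described in the Evaluation step, written out as an added example. This is not code from the playbook or from any agency tooling; the IOC values, log lines, field names and the threshold are constructed placeholders (the IPs come from the RFC 5737 documentation ranges), and the log format is a simple key=value line of the kind a proxy or web server might emit.

```python
"""IOC sweep over constructed log lines (added example, not from the original page).

All IOC values, log lines and field names are constructed placeholders.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed IOC set: the shape of list an advisory or threat feed publishes
# for an actively exploited vulnerability. Placeholders only.
IOCS = {
    "ips": {"203.0.113.45", "198.51.100.7"},                 # RFC 5737 test ranges
    "domains": {"update.example.invalid"},                    # reserved TLD
    "sha256": {"0" * 63 + "1"},                               # obviously fake hash
    "uri_patterns": [re.compile(r"^/placeholder-vuln-path/")],  # constructed path
}

# Constructed sample logs (key=value style). The 10.0.0.50 entries model
# repeated failed access attempts; the others carry one or more IOC hits.
SAMPLE_LOGS = [
    "2024-01-05T10:00:01Z host=web01 src=10.0.0.12 dst=93.184.216.34 uri=/index.html status=200",
    "2024-01-05T10:00:07Z host=web01 src=203.0.113.45 dst=10.0.0.12 uri=/placeholder-vuln-path/probe status=200",
    "2024-01-05T10:00:09Z host=web02 src=10.0.0.30 dst=198.51.100.7 domain=update.example.invalid status=200",
    "2024-01-05T10:00:11Z host=web01 src=10.0.0.50 dst=10.0.0.12 uri=/login status=401",
    "2024-01-05T10:00:12Z host=web01 src=10.0.0.50 dst=10.0.0.12 uri=/login status=401",
    "2024-01-05T10:00:13Z host=web01 src=10.0.0.50 dst=10.0.0.12 uri=/login status=401",
    "2024-01-05T10:00:20Z host=fs01 sha256=" + "0" * 63 + "1" + " path=/tmp/x",
]

KV = re.compile(r"(\w+)=(\S+)")


def parse(line):
    """Parse one key=value log line into a dict; the leading timestamp is kept as 'ts'."""
    ts, _, rest = line.partition(" ")
    fields = dict(KV.findall(rest))
    fields["ts"] = ts
    return fields


@dataclass(frozen=True)
class Hit:
    ts: str
    host: str
    kind: str   # IOC class that matched: ip, domain, sha256 or uri
    value: str  # the matching value from the log line


def sweep(lines, iocs=IOCS):
    """Return every IOC match found in the given log lines, in log order."""
    hits = []
    for line in lines:
        f = parse(line)
        host = f.get("host", "?")
        for key in ("src", "dst"):          # either direction counts
            if f.get(key) in iocs["ips"]:
                hits.append(Hit(f["ts"], host, "ip", f[key]))
        if f.get("domain") in iocs["domains"]:
            hits.append(Hit(f["ts"], host, "domain", f["domain"]))
        if f.get("sha256") in iocs["sha256"]:
            hits.append(Hit(f["ts"], host, "sha256", f["sha256"]))
        uri = f.get("uri", "")
        if any(p.search(uri) for p in iocs["uri_patterns"]):
            hits.append(Hit(f["ts"], host, "uri", uri))
    return hits


def anomalous_access(lines, threshold=3):
    """Return sources with at least `threshold` failed (401/403) requests.

    Models the 'anomalous access attempts' the playbook says to investigate
    alongside the IOC sweep; the threshold is a constructed tuning value.
    """
    failures = Counter()
    for line in lines:
        f = parse(line)
        if f.get("status") in ("401", "403"):
            failures[f.get("src")] += 1
    return {src: n for src, n in failures.items() if n >= threshold}


if __name__ == "__main__":
    for hit in sweep(SAMPLE_LOGS):
        print(f"{hit.ts} {hit.host}: {hit.kind} match on {hit.value}")
    print("repeated failed access:", anomalous_access(SAMPLE_LOGS))
```

A real sweep would read from the SIEM or log store rather than an inline list, but the two questions are the same: which hosts touched a known indicator, and which sources behaved abnormally even though no indicator matched. Either result feeding back as a confirmed exploitation is what triggers the IR step.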
Remediation
Patch management --> patch all affected systems
Disable unused services
Reconfigure firewalls to block access to known IOCs
Increase monitoring (raise alert levels)