Critical Vulnerability Management Cheat Sheet


Ideally vulnerabilities should be remediated as part of your regular patching cycle.

However, if you believe there is a strong likelihood of the vulnerability being exploited before the patching cycle kicks in, then you might want to escalate the patching to avoid a security incident. 

The Critical Vulnerability Management Cheat Sheet is a series of actions to streamline this escalation activity. It will ensure all options are considered, actions play out and stakeholders are informed.

>> Download the Critical Vulnerability Management Cheat Sheet Here

1. Assess the situation

The information available to assess zero-day vulnerabilities will be incomplete and may change as the community learns more. If the facts change, don’t be scared to reassess your situation and the response you’re taking.

  • Identify the team you need to help assess and remediate; this should include the individuals who manage affected systems, and who will best understand their purpose and criticality.
  • Collectively establish the vulnerability’s criticality for your organisation and agree on how to move forward.
  • Think Impact:
    - What criticality has the vendor or community rated the vulnerability?
    - Do you rely on the affected technology?
    - What is the function of the affected systems in your organisation?
    - How would your organisation respond if those systems were compromised or became unavailable?
  • Think Likelihood:
    - Do you have public or internal exposure?
    - Can the vulnerability be exploited remotely?
    - Has a PoC been released?
    - Has exploitation in the wild been reported?
    - Do you have other technologies or processes which would help mitigate the vulnerability?
  • Set up live information feeds to ensure you have the latest information. Think Twitter & Reddit.
  • If there is value in a centralised, coordinated response, reach out to your industry working groups and governing bodies. Think FSCCC, NCSC & NSA (country & industry dependent).
  • Identify any 3rd party vendors which could be affected. If required, reach out to understand their exposure and response.
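The impact and likelihood questions above are easier to act on, and to re-run when the facts change, if the assessment is written down as a structured record. The following is an added example, not part of the original cheat sheet; the weightings, the escalation threshold and the "hours"/"days" timelines are assumptions chosen for illustration, and the vulnerability scenario is constructed.

```python
from dataclasses import dataclass, replace

# Hypothetical triage model written for this cheat sheet (not a standard or vendor scoring scheme).
# Fields mirror the "Think Impact" / "Think Likelihood" questions in section 1.
@dataclass(frozen=True)
class Assessment:
    name: str
    vendor_rating: str          # vendor/community severity: "low", "medium", "high", "critical"
    technology_in_use: bool     # do we rely on the affected technology at all?
    business_critical: bool     # would compromise or outage of the affected systems be severe?
    internet_exposed: bool      # public exposure
    remote_exploitable: bool
    poc_released: bool
    exploited_in_wild: bool
    compensating_controls: tuple = ()   # e.g. ("WAF rule",): anything already reducing exposure

RATING_SCORE = {"low": 0, "medium": 1, "high": 2, "critical": 3}

def impact_score(a: Assessment) -> int:
    """Assumed weighting: vendor rating 0-3, plus 2 if the systems are business critical."""
    return RATING_SCORE[a.vendor_rating] + (2 if a.business_critical else 0)

def likelihood_score(a: Assessment) -> int:
    """Assumed weighting: exposure, remote exploitability and a public PoC add 1 each,
    reported in-the-wild exploitation adds 2, any compensating control subtracts 1."""
    score = 0
    score += 1 if a.internet_exposed else 0
    score += 1 if a.remote_exploitable else 0
    score += 1 if a.poc_released else 0
    score += 2 if a.exploited_in_wild else 0
    score -= 1 if a.compensating_controls else 0
    return score

def triage(a: Assessment) -> dict:
    """Return the recommended handling plus the reasoning, so the decision can be
    re-run and explained to stakeholders whenever the facts change."""
    if not a.technology_in_use:
        return {"decision": "not affected", "impact": 0, "likelihood": 0,
                "target_timeline": None, "reasons": ["affected technology not in use"]}
    impact, likelihood = impact_score(a), likelihood_score(a)
    reasons = [
        f"impact {impact} (vendor rating {a.vendor_rating}, business critical={a.business_critical})",
        f"likelihood {likelihood} (exposed={a.internet_exposed}, remote={a.remote_exploitable}, "
        f"poc={a.poc_released}, in-the-wild={a.exploited_in_wild}, "
        f"controls={list(a.compensating_controls)})",
    ]
    # Assumed escalation threshold: a serious impact AND a credible likelihood.
    if impact >= 3 and likelihood >= 2:
        # Assumed timelines, in the spirit of "a few hours to a few days" in section 2.
        timeline = "hours" if a.exploited_in_wild and a.internet_exposed else "days"
        return {"decision": "escalate", "impact": impact, "likelihood": likelihood,
                "target_timeline": timeline, "reasons": reasons}
    return {"decision": "standard patching cycle", "impact": impact, "likelihood": likelihood,
            "target_timeline": "next cycle", "reasons": reasons}

# Constructed scenario: a vendor-rated critical bug in an internet-facing, business-critical
# system that sits behind a WAF, reassessed as the community learns more.
INITIAL = Assessment(name="example-vuln", vendor_rating="critical", technology_in_use=True,
                     business_critical=True, internet_exposed=True, remote_exploitable=True,
                     poc_released=False, exploited_in_wild=False,
                     compensating_controls=("WAF rule",))
AFTER_POC = replace(INITIAL, poc_released=True)
AFTER_ITW = replace(AFTER_POC, exploited_in_wild=True)

if __name__ == "__main__":
    stages = (("initial", INITIAL), ("PoC published", AFTER_POC),
              ("exploited in the wild", AFTER_ITW))
    for stage, a in stages:
        r = triage(a)
        print(f"{stage}: {r['decision']} (target: {r['target_timeline']})")
        for reason in r["reasons"]:
            print("  -", reason)
```

Running the three stages shows the point of the cheat sheet's "reassess if the facts change" advice: the same system moves from the standard cycle to escalation the moment a PoC appears, and to an hours-scale target once in-the-wild exploitation is reported, with the reasons list ready to paste into the stakeholder update.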

2. Ensure your defences

If patching is not an option or unavailable, consider other mitigations and compensating controls you can safely implement. Then move to permanently secure the organisation at a later date via the patch management process.

  • Do you have any mitigations or compensating factors that can be deployed? e.g., a WAF in front of a web application, additional email filters or end-user controls.
  • Has the vendor or the community released any mitigation steps to aid remediation?
  • Has the vendor released a patch for remediation?
  • What is the community’s feedback on remediation effectiveness and safety?
  • Deploy the remediation to a test group which is representative of your organisation’s workforce, or to UAT systems. You must quickly gain confidence in the suggested fix.
  • Test the remediation has been effective in closing out the risk introduced by the vulnerability.
  • Providing remediation steps have been successful, push to the wider organisation and production systems.
  • Depending on the criticality and remediation steps, the timelines for these activities could be a few hours to a few days. This should be agreed at a senior level based on your organisation's risk appetite set against the new threat.
  • Finally, if the initial remediation steps only focused on a mitigation step, then you must still patch. Work with your standard patch management process to ensure a vendor-approved patch is applied once released.

3. Detect & respond

While doing what you can to prevent one, make sure you’re ready for an incident, especially if you know you’re vulnerable and it’s trending.

  • Do you have enough information to develop a detection case to identify if an adversary were to use the zero-day against your organisation?
  • Do you have confidence that your incident management process could contain and respond if an adversary were to use the zero-day against your organisation?
  • Can you retrospectively run the new zero-day detection case against recent logs to understand if you’ve been previously exploited?
  • Does the detection case require out-of-hours support?
  • What is your level of confidence that your organisation has not been exploited? Can you explain the reasoning behind your answer?
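Two of the questions above, the retrospective sweep of recent logs and being able to explain your confidence that you have not been exploited, can be answered together if the sweep reports not only its hits but also how much of the lookback window the retained logs actually cover. The following is an added example and not part of the original cheat sheet; the log format, the sample log lines and the detection case (a placeholder endpoint name, not a real vulnerability signature) are all constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample access-log lines (not real traffic). Assumed format:
#   <ISO-8601 UTC timestamp> <source IP> <method> <path> <status> "<user-agent>"
SAMPLE_LOGS = """\
2024-05-01T08:12:03Z 10.0.0.5 GET /login 200 "Mozilla/5.0"
2024-05-02T14:30:11Z 203.0.113.9 POST /api/v1/EXAMPLE_AFFECTED_ENDPOINT 500 "curl/8.0"
2024-05-03T09:01:45Z 10.0.0.7 GET /dashboard 200 "Mozilla/5.0"
2024-05-04T22:47:10Z 198.51.100.4 POST /api/v1/EXAMPLE_AFFECTED_ENDPOINT 200 "python-requests/2.31"
2024-05-05T11:00:00Z 10.0.0.5 GET /logout 200 "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')

def parse_line(line: str):
    """Parse one log line into a dict; return None for lines that do not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, src, method, path, status, ua = m.groups()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "src": src, "method": method, "path": path, "status": int(status), "ua": ua}

def example_detection_case(rec: dict) -> bool:
    """Placeholder detection case: POSTs from outside the internal 10.0.0.0/8 range to the
    (hypothetical) affected endpoint. A real case is built from the vendor's and
    community's indicators for the actual vulnerability."""
    return (rec["method"] == "POST"
            and "EXAMPLE_AFFECTED_ENDPOINT" in rec["path"]
            and not rec["src"].startswith("10."))

def retrospective_sweep(log_text: str, case, lookback_days: int, now: datetime) -> dict:
    """Run a detection case over historical logs and report hits plus log coverage."""
    window_start = now - timedelta(days=lookback_days)
    records = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    in_window = [r for r in records if r["ts"] >= window_start]
    hits = [r for r in in_window if case(r)]
    earliest = min((r["ts"] for r in records), default=None)
    # A coverage gap means retained logs start after the window does: "no hits" is then
    # only evidence for the covered part of the window, not for the whole of it.
    coverage_gap = earliest is None or earliest > window_start
    return {"window_start": window_start, "records_checked": len(in_window),
            "hits": hits, "earliest_log": earliest, "coverage_gap": coverage_gap}

def confidence_statement(result: dict) -> str:
    """Turn the sweep result into the one-line answer a stakeholder will ask for."""
    if result["hits"]:
        return f"{len(result['hits'])} hit(s) in the lookback window: treat as a possible incident."
    if result["coverage_gap"]:
        earliest = result["earliest_log"].isoformat() if result["earliest_log"] else "none"
        return (f"no hits, but retained logs only start at {earliest}; "
                f"cannot assert non-exploitation before that.")
    return f"no hits across {result['records_checked']} records covering the full lookback window."

if __name__ == "__main__":
    now = datetime(2024, 5, 6, tzinfo=timezone.utc)   # constructed "current time"
    for days in (7, 3):
        result = retrospective_sweep(SAMPLE_LOGS, example_detection_case, days, now)
        print(f"lookback {days}d from {result['window_start'].date()}: "
              f"{confidence_statement(result)}")
        for hit in result["hits"]:
            print(f"  {hit['ts'].isoformat()} {hit['src']} {hit['method']} {hit['path']} {hit['status']}")
```

In the constructed data, the seven-day sweep finds two external hits and also flags that the logs only begin on 1 May, so "not exploited" could only be claimed for the days actually covered. Noting that gap explicitly is what lets you answer the "can you explain the reasoning" question honestly, and it is the same gap you will want to close (longer retention, earlier log onboarding) in the post-vulnerability review.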

4. Keep communicating

Communication is the linchpin that holds a good response together. It’s essential during times of high pressure to keep everyone on the same page and build confidence across the organisation.

  • Use collaboration tools to develop a single source of truth for the working group.
  • Clearly explain what the vulnerability means to your organisation, how you’re responding and set expectations across the spectrum of stakeholders.
  • Identify your senior and executive stakeholders. If the vulnerability is likely to receive a brand name and be published in the national press, ensure you’ve pre-emptively alerted them and given them confidence that everything is under control.
  • Reach out to your industry governing body to understand how your peers are tackling the issue. Your approach should have some alignment with your peers’ wider response. Feed this into your comms to build trust.
  • Reach out to your government governing body for advice and guidance on the national response and their views on how this could affect different industry sectors. Again, feed this into your comms to build trust.
  • Have a communication and action plan. Develop a structure and predictable cadence for your communication with stakeholders.
  • Consider informing the wider organisation. Use email channels and internal forums to help the organisation understand the Cyber Security Department is responding to a threat. They’ll be more understanding if you need their assistance or cause them minor inconveniences.
  • Privately and publicly say “Thank you” to the individuals who helped remediate the vulnerability. If appropriate also ask the big boss to express their appreciation.

5. Post critical vulnerability review

Conduct a review of your organisation’s response, identify weaknesses, and ensure you’re in the best place to handle the next critical vulnerability.

  • Hold a formal Post Incident Review (PIR) to identify successes and weaknesses in your process. Follow the rules of a blameless post-mortem — the key is making improvements, not attributing blame.
  • Your incident might be over, but 3rd parties you rely on may still be affected. Consider if you wish to follow up and how.
  • If you’re unhappy with the way in which the supplier handled the vulnerability, ensure you give formal feedback.
  • All incidents and high-profile vulnerabilities should be developed into marketing material which enables future training and bolsters the business case when the Cyber Security Department requires additional funding. Never let a good crisis go to waste.

Finally, create a feedback loop to ensure that everyone is aware of the lessons to be learned. Don’t repeat the same mistakes next time… because there will be a next time!