5 steps to respond to zero day vulnerabilities

Sukalp Bhople
4 min read · Jun 28, 2021

Zero day vulnerabilities are the new normal. Whenever news pops up or an MSSP provides an update about a critical vulnerability that should be fixed asap (= yesterday), there is often panic. Sometimes we should drop everything we are doing to fix the issue or mitigate the risk, but sometimes it's just not required.

This short write-up provides some tips for managing such situations.

First Things First:

Whenever you are informed about a threat or a vulnerability by one of your sources (CISO, news, team-mates, friends, MSSP, other teams, a supplier or anyone else), take the following steps:

1. Investigate the applicability.

Not every critical vulnerability will be applicable to you.

  1. Consider the following before deciding on applicability:
  • Is the product, protocol or service in use?
  • Are mitigation techniques already in place?

  2. Investigate further using the resources available.
  • Resources such as vulnerability management reports, the CMDB, software inventory systems, AD information and SIEM reports are often useful.
  • Discuss it with the supplier and make sure they are not using the vulnerable entity.
  • Discuss it with the team. Although this information should be well documented and centralized, often it is not. Therefore, verify whether the vulnerable entity is present in the organization.
  • Enquire with other teams (other business teams, licensing team, networking and infrastructure team) as required.
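As an added example (not code from the original post), the following Python script performs the applicability check described in step 1 against a constructed inventory export: it matches each asset against an advisory's affected product and version range, checks whether a mitigation is recorded for the asset, flags assets whose version is unknown for manual verification (the post notes that this information is often not documented), and groups the remaining assets by the team that owns them. The advisory identifier, product names, inventory rows and column names (hostname, product, version, owner_team, mitigated) are all assumptions for illustration; a real run would read the CMDB or software inventory export instead.

```python
"""Applicability triage of a vulnerability advisory against a software inventory.

Added example, not from the original post. Advisory, inventory rows and column
names are constructed for illustration only.
"""
import csv
import io
from typing import Dict, List, Tuple

# Constructed advisory: one affected product, the vulnerable version range
# (inclusive lower bound, exclusive fixed version) and a known mitigation.
ADVISORY = {
    "id": "ADV-EXAMPLE-0001",          # placeholder identifier, not a real advisory
    "product": "examplevpn-gateway",   # hypothetical product name
    "affected_from": "7.0.0",
    "fixed_in": "7.2.4",
    "mitigation": "admin interface restricted to management VLAN",
}

# Constructed inventory export, in the shape a CMDB or inventory tool might produce.
# vpn-gw-lab has no recorded version, which is a common real-world gap.
INVENTORY_CSV = """\
hostname,product,version,owner_team,mitigated
vpn-gw-01,examplevpn-gateway,7.1.9,network,no
vpn-gw-02,examplevpn-gateway,7.2.4,network,no
vpn-gw-dr,examplevpn-gateway,7.0.3,network,yes
vpn-gw-lab,examplevpn-gateway,,network,no
erp-app-01,exampleerp-core,11.4,erp,no
"""

URGENT = "urgent: patch or upgrade"
INFORMATIONAL = "informational: mitigation in place"
VERIFY = "verify manually: version unknown"
NOT_APPLICABLE = "not applicable"


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '7.1.9' into (7, 1, 9) so versions compare numerically, not lexically.

    Assumes dotted integer versions; anything else raises ValueError.
    """
    return tuple(int(part) for part in text.strip().split("."))


def is_affected(version: str, affected_from: str, fixed_in: str) -> bool:
    """True when affected_from <= version < fixed_in."""
    v = parse_version(version)
    return parse_version(affected_from) <= v < parse_version(fixed_in)


def triage_asset(row: Dict[str, str], advisory: Dict[str, str]) -> str:
    """Classify one inventory row into the action the risk assessment needs."""
    if row["product"] != advisory["product"]:
        return NOT_APPLICABLE
    try:
        affected = is_affected(row["version"], advisory["affected_from"], advisory["fixed_in"])
    except ValueError:
        # Product is in use but the version is missing or unparsable: a human
        # has to check the device rather than the script guessing.
        return VERIFY
    if not affected:
        return NOT_APPLICABLE  # product in use, but already on a fixed version
    if row["mitigated"].strip().lower() == "yes":
        return INFORMATIONAL   # still vulnerable on paper, but risk is reduced
    return URGENT


def triage_inventory(csv_text: str, advisory: Dict[str, str]) -> Dict[str, List[Tuple[str, str]]]:
    """Group (hostname, action) pairs by owner_team; not-applicable assets are dropped."""
    by_team: Dict[str, List[Tuple[str, str]]] = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        action = triage_asset(row, advisory)
        if action == NOT_APPLICABLE:
            continue
        by_team.setdefault(row["owner_team"], []).append((row["hostname"], action))
    return by_team


if __name__ == "__main__":
    for team, assets in triage_inventory(INVENTORY_CSV, ADVISORY).items():
        print(f"Team {team} ({ADVISORY['id']}):")
        for host, action in assets:
            print(f"  {host}: {action}")
```

With the constructed data, only the network team ends up with work: one gateway needs an urgent patch, one is mitigated and can be handled as informational, and one needs a manual version check; the ERP asset drops out as not applicable. Grouping by owning team is what lets a single point of contact hand each team its own list rather than every team being contacted with the full advisory.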

2. Act, Inform & Follow up

Often vulnerabilities cannot be fixed by the security team alone. In that case, the team that can fix the issue should be contacted.

  1. Decide who should be contacted.
  • If the zero day applies to network devices (VPN gateways etc.), you will need to contact the network team.
  • If the vulnerability is present in ERP systems, the ERP team should be contacted.
  • If the vulnerability is present in applications or devices managed by remote or local teams, they should be contacted.
  • Or other teams, depending on the vulnerability and the organization structure.

  2. Perform a quick risk assessment to decide the actions required:
  • Do nothing because it's not applicable.
  • Patch or upgrade.
  • Accept the risk.

  3. Create threat advisories.
  • Decide the type:
    • Urgent: when actions need to be taken.
    • Informational: when stakeholders need to be informed (to avoid multiple discussions or to avoid panic).

  Where the vulnerability is present in systems managed by suppliers, you as an organization cannot do much except ensure that your supplier fixes it asap.

  Therefore, decide the type of the notification or advisory based on the audience, urgency, ownership and actions required.

  4. Share. Depending on the type, the actions required, the stakeholders, urgency and ownership, different mediums can be used. Send an email with the information to initiate quick action. Sometimes you just need to pick up the phone and call. Remember, time is of the essence.
  • Create documents (in the preferred formats) covering at least the following: information on the vulnerability/threat; measures being taken by the security team; recommendations; external references.
  • Send the threat advisories with the applicable information to the applicable teams and internal and external stakeholders.

  5. Ask for a fix or evidence. Based on the threat or vulnerability, ask internal teams and/or suppliers for the fix, or for evidence of the fix or mitigation.
  • Perform the required follow-up (decide the details and frequency of follow-up). This can be based on the criticality and/or the trust in, or known capability of, the teams.
  • Verify the fix yourself. Depending on the criticality, call in an expert to perform advanced tests or actions (such as forensic tests) or a simple review, or obtain advice from a supplier if such expertise is not available internally.

3. Inform management and the leadership team as required/appropriate.

Align with them on the frequency and format of updates.

  1. Escalate when required.
  2. You might want to involve the legal and PR teams as well, depending on the criticality and potential impact according to the assessment.

4. Invoke the incident management & disaster recovery process if impact is suspected or indicators of compromise are observed.

  1. Hopefully this step is not required. But depending on the situation, invoke the incident management and disaster recovery process to investigate further and control the damage.
  2. This step is only required if impact is suspected or observed.

5. Follow up & Close.

  1. Follow up with the teams, stakeholders and suppliers to ensure that the vulnerability is fixed. Usually multiple rounds of follow-up are required.
  2. Once the zero day has been fixed, and depending on the steps taken, summarize the event and the lessons learned and present them to management and the leadership team.
  3. Create a case for change based on the lessons learned.

Conclusion

There is no standard way to follow up in these situations. However, assigning responsibility for carrying out the required steps is very important. Furthermore, create awareness that a specific person or team is responsible for carrying out such investigations, from the initial investigation through to closing the situation. This avoids a situation where a supplier or a team is contacted from all directions. Instead, this person or team acts as a single point of contact who makes sure that investigations are performed, the required teams are mobilized and stakeholders are informed.

Sukalp Bhople

Cyber Security professional. Founder @Cyber Resolve.