Vulnerability Management and Incident Response

Introduction

The Department of Defense (DOD) manages vast and intricate networks, systems, and data that are constant targets for state-sponsored adversaries, terrorist organizations, and cybercriminals. Central to safeguarding these critical assets are two intertwined disciplines: Vulnerability Management and Incident Response.

Vulnerability management is a subset of the Risk Management process we learned about previously. Much like the proactive process of identifying, analyzing, prioritizing, addressing and monitoring risk, we can use the same principles to manage security vulnerabilities within an organization's systems and software. Vulnerability Management is a continuous cycle aimed at reducing the attack surface and minimizing the likelihood of successful exploitation. Incident response, on the other hand, is the reactive process of preparing for, detecting, analyzing, containing, eradicating, recovering from, and learning from cybersecurity incidents. While distinct, these two functions are deeply interdependent; effective vulnerability management can significantly reduce the number and severity of incidents, while incident response often uncovers new vulnerabilities or highlights failures in existing vulnerability management processes.

Vulnerability Management: Identification, Prioritization, and Mitigation

Vulnerability management is a systematic and continuous process designed to identify, evaluate, prioritize, and mitigate security weaknesses in an organization’s IT infrastructure. It is a proactive defense mechanism, aiming to close security gaps before they can be exploited by malicious actors. As we learned in the Vulnerabilities and Malware lesson a vulnerability is a weakness in an information system, system security procedures, internal controls, or implementation that could be exploited by a threat source. These weaknesses can arise from various sources:

• Software Flaws: Bugs, coding errors, or design weaknesses in operating systems, applications, or firmware (e.g., buffer overflows, SQL injection vulnerabilities, cross-site scripting).
• Configuration Errors: Misconfigurations of systems, networks, or applications (e.g., default passwords, open ports, unnecessary services enabled, weak access controls).
• Protocol Weaknesses: Inherent design flaws in network protocols.
• Human Factors: Lack of security awareness, social engineering susceptibility, or poor operational procedures.
• Physical Weaknesses: Inadequate physical security leading to unauthorized access to systems.

Identification of Vulnerabilities

The identification phase is the cornerstone of vulnerability management. It involves continuously scanning and analyzing the environment to discover potential weaknesses. Key methods for identification include:

1. Vulnerability Scanning: Automated tools are used to scan networks, systems, and applications for known vulnerabilities. These scanners compare system configurations and software versions against databases of known vulnerabilities such as the National Vulnerability Database and the Common Vulnerabilities and Exposures - CVE database.
2. Penetration Testing: Ethical (White Hat) Hackers are hired to find and exploit weaknesses in an organization's systems, networks, and applications and report back their findings.
3. Security Audits and Assessments: Reviews of system configurations, security policies, and operational procedures to ensure compliance with established security baselines and best practices (e.g., DISA STIGs - Security Technical Implementation Guides).



4. Security Information and Event Management (SIEM) Systems:SIEMs collect and aggregate log data from various security devices and systems. While primarily for incident detection, they can also highlight anomalous behavior or failed attacks that might indicate underlying vulnerabilities.
5. Threat Intelligence Feeds: Subscribing to and analyzing threat intelligence from government agencies (more on this next lesson)

Prioritization of Vulnerabilities

Once identified, not all vulnerabilities are created equal. Organizations must prioritize vulnerabilities based on their potential impact and exploitability. Effective prioritization ensures that limited resources are focused on the most critical risks. Key factors for prioritization include:

1. Severity/Impact: How much damage could be done if the vulnerability were exploited?
2. Exploitability: How easy is it for an attacker to exploit the vulnerability?
3. Asset Criticality: How critical is the affected system or data to the organization's mission?
4. Threat Landscape: Is there an active threat actor known to be targeting this type of vulnerability or system?
5. Compensating Controls: Are there existing security controls that might mitigate the risk, even if the vulnerability itself isn't patched immediately?
6. Regulatory/Compliance Requirements: Certain vulnerabilities might need immediate attention due to federal regulations, or industry standards.

The Common Vulnerability Scoring System (CVSS) can help prioritize vulnerabilities by providing a standardized, numerical severity score (0-10) based on exploitability and impact. By breaking vulnerabilities down into base, threat, environment, and supplemental metrics, it provides a comprehensive view of risk, enabling security teams to allocate resources efficiently and communicate risk levels effectively across different teams and departments.

Management of Vulnerabilities

Managing vulnerabilities is a continuous cycle that extends beyond identification and prioritization. It involves a structured approach to remediation and ongoing monitoring:

1. Remediation/Mitigation: This is the process of eliminating or reducing the risk posed by a vulnerability.
• Patching: Applying vendor-supplied software updates or patches is the most common and effective remediation.
• Configuration Changes: Correcting misconfigurations (e.g., disabling unnecessary services, changing default passwords, implementing stronger access controls).
• Workarounds: Implementing temporary measures to reduce risk until a permanent fix can be applied.
• System Redesign/Replacement: For deeply flawed systems, a complete redesign or replacement might be necessary.
2. Tracking and Reporting: Maintaining a comprehensive inventory of identified vulnerabilities, their status and remediation timelines is crucial. Regular reporting to leadership provides visibility into the organization's security posture and progress.
3. Verification: After remediation, re-scanning or re-testing the affected systems is essential to confirm that the vulnerability has indeed been closed and no new issues have been introduced.
4. Continuous Monitoring: Vulnerability management is not a one-time event. Continuous monitoring ensures that the process remains effective over time.

For the DOD, this management process is often governed by strict directives, such as the DOD Instruction 8500.01 (Cybersecurity) and DOD 8510.01 (Risk Management Framework for DOD IT), which mandate specific vulnerability scanning, assessment, and reporting requirements.

Mitigation Controls

Mitigation controls are security measures implemented to reduce the likelihood or impact of a risk. When applied to vulnerabilities, these controls act as safeguards, either preventing the exploitation of a known weakness or minimizing the damage if an exploitation occurs. They are crucial when immediate remediation (e.g., patching) is not feasible or when a vulnerability cannot be fully eliminated.
Mitigation controls address risks by utilizing of some of the concepts learned in the Network Security Architectures lesson:

1. Reducing Likelihood of Exploitation:
• Network Segmentation: Dividing a network into smaller, isolated segments limits the lateral movement of an attacker if one segment is compromised.
• Firewalls and Intrusion Prevention Systems: These devices can block known attack patterns or restrict traffic to vulnerable services, effectively preventing an attacker from reaching or exploiting a vulnerable system from outside the network. An IPS, in particular, can detect and block exploit attempts in real-time.
• Access Controls (principle of least priviliege): Implementing strict access controls ensures that users and systems only have the minimum necessary permissions to perform their functions
• Multi-Factor Authentication: Even if a vulnerability allows an attacker to steal credentials, MFA makes it significantly harder for them to authenticate to a system.
• Endpoint Detection and Response (EDR) / AntivirusThese tools can detect and block malicious payloads or behaviors associated with exploit attempts on individual endpoints.
2. Reducing Impact of Exploitation:
• Data Encryption: Encrypting sensitive data (at rest and in transit) ensures that even if a vulnerability leads to data exfiltration, the data remains unreadable and unusable to the attacker without the decryption key
• Data Loss Prevention (DLP): DLP solutions can prevent sensitive information from leaving the organizational network, even if a system is compromised through a vulnerability.
• Backup and Recovery: Regular, tested backups allow for rapid restoration of systems and data after a successful exploit, minimizing downtime and data loss. This doesn't prevent the exploit but significantly reduces its impact.
• Incident Response Plans: A well-defined incident response plan ensures that, should a vulnerability be exploited, the organization can quickly detect, contain, and eradicate the threat, limiting the overall damage.
• Behavioral Monitoring: Detecting anomalous behavior (e.g., unusual data access patterns, privilege escalation attempts) can alert defenders to an ongoing exploitation, allowing for early intervention before significant damage occurs.

For example, if an IT system has a known software vulnerability that cannot be immediately patched due to operational constraints or compatibility issues, mitigation controls might include placing the system behind a specialized firewall that filters out known exploit attempts, isolating the system on a segmented network, and implementing enhanced logging and monitoring to detect any suspicious activity. These controls don't fix the underlying vulnerability but significantly reduce the risk of it being successfully exploited and limit the potential damage if it is.

Zero-Day Vulnerabilities

A zero-day vulnerability is a software or hardware flaw that is unknown to the vendor or to the public, and for which no patch or fix is available. The term "zero-day" refers to the fact that the vendor has "zero days" to fix the problem once it becomes known, as attackers may already be exploiting it in the wild. For the DOD, zero-day vulnerabilities represent one of the most significant and insidious threats. Adversaries, particularly nation-states, invest heavily in discovering and weaponizing zero-day exploits to gain strategic advantage.

Security Configuration Hardening

Security configuration hardening is the process of securing a system by reducing its attack surface. This is achieved by maintaining consistent standards across all technology platforms. Key steps include disabling unnecessary services, implementing strong access controls, and using secure configuration baselines uniformly to prevent exploitable misconfigurations.

Keeping Hardware and Software Current

To maintain a strong defense, organizations should implement a hardware refresh cycle for all IT systems. Older hardware may lack essential security features, become unsupported by vendors, or be unable to run modern security software. Regular hardware updates ensure that all systems can effectively utilize current defense mechanisms.
Additionally, organizations must implement software patching and fixes (USNA uses Software Center for this) to promptly address known security vulnerabilities. A structured vulnerability management program ensures that patches are applied consistently and tested thoroughly to prevent system disruptions before attackers can exploit weaknesses in outdated software.

Activity: Installed Applications

Managing installed software across enterprise networks can be a signficant challenge. If there are 50 applications installed on a computer and roughly 8,000 computers on the yard, ITSD has to manage 400,000 applications across production systems. When it comes to vulnerabilities, let's say there's an average of five per application (an extremely conservative number). We've already reached 2,000,000 vulnerabilities that need to be identified, tracked, and remediated!

On your personal computer or your issued laptop, take a look at the number of applications installed.

1. Open PowerShell and run the following cmdlet, filtering for the name of the application: Get-WmiObject -class win32_product |findstr Name
2. Add the Measure-Object cmdlet to count the number of lines, resulting in the number of applications installed: Get-WmiObject -class win32_product |findstr Name |Measure-Object -Line

The number of installed applications quickly increases the risk, via likelihood, based on the number of vulnerabilities present. Take into consideration personal mobile devices and the number of apps installed. What are user's responsibilities as it applies to the overall risk profile and contributions in protecting the organization from unnecessary vulnerabilities?

Incident Response Management

The risk management strategy is an important factor in establishing policies and procedures for Incident Response (IR) management. Organizations need to consider IR management and planning as part of the mission and business processes, to include operations and systems. Cyberspace scanarios involving incidents include the compromise of software and hardware supply chain; data breaches that results in unauthorized disclosure, loss of control, unauthorized acquisition, or compromise of Personally Identifiable Information (PII); suspicious email communications that can contain malicious code; and many more based on critical business operations and testing outcomes based on risk assessments. IR plans are often executed through the use of playbooks that outline workflows between teams and departments for how the IR lifecycle will be executed.

IR Lifecycle

The IR lifecycle has four phases that encourage the flow of information throughout the incident handling process - (1) preparation, (2) detection and analysis, (3) containment, eradication, and recovery, and (4) post-incident activity.

Preparation. The initial phase involves establishing and training an IR team (people), defining roles and responsibilities between leadership and departments through policies and procedures (processes), and acquiring the necessary tools and resources for executing tasks in the following phases (technologies). Risk assessments will help direct and prioritize mission and business operations, with proactive approaches needed in establishing standards for the utilization of security frameworks, system configuration hardening, and improving cybersecurity posture through processes improvement.

Developing processes and playbooks to handle incidents during this phase is crucial for effective communications, access to resources, and management engagement during the IR and handling process.

Detection and Analysis. There may be requirements once an incident has been declared, which includes legal, regulatory, and compliance requirements to consider. For example, certain federal entities are required to report cyber incidents to CISA within 72 hours under the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) of 2022. This has been the case for the financial banking industry based on a 2021 regulatory agency ruling that mandates the reporting of any significant computer-security incident within 36 hours.

Upon declaration of a cybersecurity incident, collection of data is necessary to preserve any evidence for future analysis and for Computer Emergency Response Teams (CERT) to determine the root cause of an incident. This includes accessing and leveraging network and security tools to investigate and determine any findings related to the incident. Leveraging existing frameworks, such as the MITRE ATT&CK will allow IR personnel to quickly assess Tactics, Techniques, and Procedures (TTPs) for any malicious activities or active attacks taking place.

Containment, Eradication, and Recovery. Containment intends to isolate attacks and malicious activities by identifying the source, access, and any data loss. Containment actions may include removing access to systems and services or disabling accounts that impact business operations.

Eradication is the process for removing any trace of the incident or intrusion from operational systems and networks. Reimaging systems, restoring files from backups, rebuilding networks and accounts are actions taken to ensure the removal of anything that may have been compromised during the incident. Changes to system and security configurations may include additional rules that have been implemented to filter malicious communications, block external connections, or further segment networks. These configuration changes may be added to updated hardening requirements in the next phase of post-incident activity. Increased monitoring and checks will continue through to the recovery phase to ensure there are no remnants of malicious activities.

Recovery is the process of returning the network and systems to a known, operational state. Interruption of enterprise operations may have been authorized during containment and would need to be backed out to restore and reconstitute services.

Post-Incident Activity. Preservation of any of the evidence collected during early response phases should be verified as well as any records used to document the incident and timelines. Configuration management updates and any exceptions to changes made for deploying security hardening changes should be implemented across all enterprise systems. Lessons learned should be conducted across teams to also document and improve processes that identified gaps in the response, re-training required for users and IR personnel, and update to policies, as required. Testing and monitoring for reoccurrence should continue.

Security Operations and Cyber Fusion Centers

Large enterprise organizations have to coordinate and manage staff across geographically separated business and technical operations. Security Operations Centers (SOCs) combine stakeholders across departments, to include management and technical personnel, allowing for centralized communications and control for the coordination of IR plans and security operations. Further expanding coordination across multiple external agencies and organizations can improve on the shortfalls of a traditional SOC and into a Cyber Fusion Center (CFC), which includes threat intelligence, threat hunting, Security Information and Event Management (SIEM), security orchestration, and Information Sharing and Analysis Centers (ISACs). The evolution of the importance of cybersecurity coordination have also come to be known as Joint Operations Centers (JOCs) or Joint Security Operations Centers (JSOCs). Below are links to agencies and organizations that have implemented centers to address the growing cybersecurity threats:

Interpol CFC - https://www.interpol.int/en/Crimes/Cybercrime/Cybercrime-threat-response
New York State JSOC - https://its.ny.gov/joint-security-operations-center-jsoc
Target CFC - https://opensource.target.com/security

---