Analecta Cyber Company Blog: Identifying New Vulnerabilities and Implementing Mitigations

2018-06-12

Identifying New Vulnerabilities and Implementing Mitigations

You’ve done the hard work of planning your security posture and implementing mitigations for risk, but eventually you will find yourself responding to an incident. Incident response can be very hectic, and you’ll want some strategies for putting quick mitigations in place for vulnerabilities you had not planned for, including 0-days.

An active incident response may not seem like the best time to identify new vulnerabilities in your systems, but there is much to be gained by chasing down the source of the intrusion. Even once you have identified the source, there may be further vulnerabilities you can mitigate. In other cases you may never learn the initial intrusion vector, and will want to reduce the remaining attack surface with temporary mitigations.

Learning during a crisis


The National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) recommends “ensuring that newly identified vulnerabilities are mitigated or documented as accepted risks” (Respond function, Mitigation category, RS.MI-3 in CSF v1.1). This will look similar to the risk analysis that was done when you established your initial security plan, when you identified and documented vulnerabilities across your assets. The difference is that you and your team are now looking for a specific vulnerability that the initial risk assessment missed: the one that allowed a malicious actor into your information system.

Identify the vulnerability


Although a narrower focus in your vulnerability identification may produce a faster result, it can still require significant effort to discover the root cause. Identifying a new vulnerability at this point should be easier than during the initial planning phase: you have your previous risk assessment and network baseline as starting points in the discovery process, and you may also have intrusion detection system (IDS)/intrusion prevention system (IPS) signatures and logs available to help build the picture.


One thing to remember is that a hacker or other malicious actor may have gained access to your system using one vulnerability, but could be using others to improve their foothold in your network or to reach your data. For example, network activity may show large quantities of data leaving your database server, while the attacker actually entered through a different access point. In that case, remediating only the database server treats the symptom, not the cause.

When the cause is left untreated, you can expect to keep battling the attacker until you have found and closed their initial foothold.
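The symptom-versus-cause point above can be made mechanical: starting from the host that shows the suspicious activity (here the database server), walk inbound connections backwards in time until you reach the first connection from outside the network. The following is an added example, not code from the original post; the flow records, IP addresses and the role of 10.0.1.5 as a VPN appliance are constructed for illustration, and in practice the flows would come from firewall, NetFlow or EDR connection telemetry.

```python
"""Trace an exfiltrating host back toward the likely initial entry point.

Added example, not code from the original post. The flow records below are
constructed for illustration.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Constructed sample flows: (timestamp, src_ip, dst_ip, dst_port).
# The large transfer leaves the database server (10.0.2.20), but the chain
# actually starts at 10.0.1.5 (assume a VPN appliance), reached from outside.
SAMPLE_FLOWS = [
    ("2018-06-09T23:00:00", "10.0.4.40", "10.0.2.20", 1433),   # routine app traffic
    ("2018-06-10T01:02:00", "203.0.113.9", "10.0.1.5", 443),   # external -> appliance
    ("2018-06-10T01:10:00", "10.0.1.5", "10.0.3.30", 22),      # appliance -> jump host
    ("2018-06-10T02:00:00", "10.0.3.30", "10.0.2.20", 1433),   # jump host -> database
    ("2018-06-10T03:00:00", "10.0.2.20", "198.51.100.7", 443), # database -> external (exfil)
]


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def trace_back(flows, start, max_hops=10):
    """Walk inbound connections backwards in time from `start`.

    Each hop must have happened before the hop it enabled. Returns the chain
    of flows from the earliest external inbound connection down to `start`,
    in chronological order, or None if no external origin is found within
    `max_hops`.
    """
    inbound = defaultdict(list)
    for flow in flows:
        inbound[flow[2]].append(flow)

    def walk(host, before, visited, path):
        if len(path) >= max_hops:
            return None
        # Most recent inbound first: the latest connection before the
        # observed activity is the most likely immediate cause.
        for flow in sorted(inbound[host], key=lambda f: f[0], reverse=True):
            ts, src, _, _ = flow
            if before is not None and ts >= before:
                continue          # happened after the activity it would explain
            if src in visited:
                continue          # avoid cycles between internal hosts
            if not is_internal(src):
                return [flow] + path
            chain = walk(src, ts, visited | {src}, [flow] + path)
            if chain:
                return chain
        return None

    return walk(start, None, {start}, [])


def initial_entry(flows, start):
    """Return (external_source, first_internal_host) for `start`, or None."""
    chain = trace_back(flows, start)
    if not chain:
        return None
    return chain[0][1], chain[0][2]


if __name__ == "__main__":
    for ts, src, dst, port in trace_back(SAMPLE_FLOWS, "10.0.2.20"):
        print(f"{ts}  {src} -> {dst}:{port}")
    print("initial entry:", initial_entry(SAMPLE_FLOWS, "10.0.2.20"))
```

Run against the constructed flows, the trace from the database server passes through the jump host and the appliance and ends at the external address 203.0.113.9, which is where remediation needs to start; the routine connection from 10.0.4.40 is never followed because it has no external origin behind it.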

Activate mitigation


The incident response process can only be considered complete when there is an effective mitigation in place and the threat has been fully expelled from the network. After identifying which vulnerabilities were used as part of the attack, you will need to patch, replace or otherwise mitigate each of them. If you discover that device misconfigurations contributed to the breach, you now have a starting point for making corrections. Scan for and remove malware across all devices: discovering it communicating from one machine does not mean it is absent from the other devices on the network.

How to test the mitigation?


Once the vulnerabilities that were used as part of this intrusion are mitigated, conduct another vulnerability scan of your networks and devices using up-to-date vulnerability definitions. It is not possible to identify all vulnerabilities, but it is a good idea to make sure that you are protected from the known ones. The scan also verifies that the mitigations actually resolve the vulnerabilities: you need to know which devices are still vulnerable after mitigation efforts have been made. Some reasons a vulnerability can remain include:
  • Devices that have not been powered on since the updates were pushed
  • The update installation could have failed
  • The patch may not have completely resolved the vulnerability
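The follow-up scan is most useful when it is reconciled against the patch-management records rather than read on its own, because the three reasons above are told apart by different evidence: a host that has not checked in since the push, a host that checked in but reports the fix missing, and a host that reports the fix installed yet is still flagged. The following is an added example, not code from the original post; the two CSV exports, the hostnames and the push time are constructed, and it goes slightly beyond the list above by also reporting hosts that appear in only one of the two sources (patched but not rescanned, or scanned but not under management).

```python
"""Reconcile a patch rollout against a follow-up vulnerability scan.

Added example, not code from the original post. Both CSV exports below are
constructed; real ones would come from the patch-management console and the
vulnerability scanner.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed patch-management export: when each host last checked in and
# whether the agent reports the fix for the vulnerability as installed.
MGMT_CSV = """hostname,last_checkin,fix_installed
web01,2018-06-11T12:00:00,yes
web02,2018-06-10T18:30:00,no
db01,2018-06-11T13:15:00,no
app01,2018-06-11T14:00:00,yes
app02,2018-06-11T11:45:00,yes
"""

# Constructed follow-up scan export, taken after the rollout.
SCAN_CSV = """hostname,vulnerable
web01,no
web02,yes
db01,yes
app01,yes
legacy01,yes
"""

# Time the update was pushed (constructed).
PATCH_PUSHED = datetime(2018, 6, 11, 9, 0)


def parse_csv(text):
    """Index a CSV export by hostname."""
    return {row["hostname"]: row for row in csv.DictReader(io.StringIO(text))}


def classify(mgmt, scan, pushed_at):
    """Return a status label for one host from its management and scan rows.

    Either row may be None when only one system knows the host. The checks
    are ordered so the most basic explanation wins: a host that has not
    checked in since the push cannot have installed anything, so its scan
    result is expected and not yet a patch failure.
    """
    if mgmt is None:
        if scan["vulnerable"] == "yes":
            return "unmanaged host flagged by scanner"
        return "unmanaged host, not vulnerable"
    last_seen = datetime.fromisoformat(mgmt["last_checkin"])
    if last_seen < pushed_at:
        return "not checked in since push (likely powered off)"
    if mgmt["fix_installed"] != "yes":
        return "update install failed"
    if scan is None:
        return "patched but not covered by follow-up scan"
    if scan["vulnerable"] == "yes":
        return "patched but still flagged (incomplete fix?)"
    return "remediated"


def triage(mgmt_csv, scan_csv, pushed_at=PATCH_PUSHED):
    """Group every host known to either system by its remediation status."""
    mgmt = parse_csv(mgmt_csv)
    scan = parse_csv(scan_csv)
    report = defaultdict(list)
    for host in sorted(set(mgmt) | set(scan)):
        report[classify(mgmt.get(host), scan.get(host), pushed_at)].append(host)
    return dict(report)


if __name__ == "__main__":
    for status, hosts in triage(MGMT_CSV, SCAN_CSV).items():
        print(f"{status}: {', '.join(hosts)}")
```

On the constructed data only web01 is actually remediated; web02 needs to be powered on and rescanned, db01 needs the install retried, app01 needs the patch itself questioned, app02 needs a scan before it can be closed out, and legacy01 is a device nobody was managing at all.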


Cyber risk assessment


If identifying new vulnerabilities and coming up with mitigation techniques isn’t your area of expertise, we can help. Using a holistic approach and industry standards, our Analecta 96-point Cyber Risk Assessment enables small and medium-sized businesses to minimize or even eliminate the risk of data breaches that can cause customer loss, reputational damage and severe bottom-line impact. Our assessment identifies the most important next steps in your firm’s cyber security program to maximize protection. Email us at info@analecta-llc.com or visit our Cyber Security website.

Need to start building a cyber defense plan? Here are some recent articles that can get you started!

Further Resources