A CISO’s playbook for responding to zero-day exploits

SolarWinds, Colonial Pipeline, MSFT Exchange — these names have become synonymous with infamous cybersecurity events. We keep calling every new zero-day exploit a “wake-up call,” but all we have been doing is collectively hitting the snooze button.

But the discovery of the newest widespread critical vulnerability, Log4Shell, ruined the industry’s holiday season. It’s the biggest cybersecurity threat to emerge in years, thanks to the near ubiquity of Java in web applications and the popularity of the Log4j library. Due to its unprecedented scale, compounded by the fact that it is not easy to find, getting rid of this bug from your IT environment isn’t a “one-and-done” activity.

Security teams across the globe are once again racing to remediate a software flaw, even as attackers have begun targeting the low-hanging fruit — public web servers — at a recently reported rate of 100 attempts per minute. A mere seven days after its discovery, more than 1.8 million attacks had been detected against half of all corporate networks.

Are you awake now?

I’ve participated in many urgent Log4Shell briefings with Qualys customers (who include 19,000+ enterprises worldwide, 64% of Forbes Global 100), and it’s clear that dealing with a constant barrage of zero-day vulnerabilities is one of the greatest challenges faced by today’s security teams.

Just like inventorying, gathering and analyzing threat intelligence is crucial to provide the necessary foundation for security teams to take calculated and intentional steps.

It can be overwhelming to prioritize fixes and patches when responding to a zero-day exploit like Log4Shell. Here are a few steps to respond to security threats that we have learned and cataloged over the years:

Establish a standard operating procedure

Create a detailed standard operating procedure that includes step-by-step activities tailored to the vulnerability type.

For a zero-day response, the following information must be included:

  • Process flow for responses. If you need help, the U.S. Cybersecurity & Infrastructure Security Agency (CISA) has created an excellent guide.
  • Categorize the vulnerability by the type, severity and required response times. There should be a specific category for critical zero-day vulnerabilities.
  • Pre-determined service-level agreements for each response team.
  • Procedure for declaring and communicating an incident (this could be a reference to the incident response standard operating procedure).
  • Steps for tracking, reporting, and concluding the incident and returning to normal operations.