Most organizations have external assets that are necessarily exposed—not only to customers and users but also, unfortunately, to malicious actors. Lumu Discover provides insights into vulnerabilities within your external surface. However, addressing those vulnerabilities requires action. In this playbook, we will explore the steps you can take to remediate your network’s vulnerabilities and enhance your cybersecurity posture.

This playbook is based on the Computer Security Incident Handling Guide by the National Institute of Standards and Technology (NIST). According to NIST special publication 800-61 R2, the incident response life cycle has four main phases, as described in the following illustration.

Preparation

This section outlines the essential steps to proactively prepare for responding to and addressing vulnerabilities as they are detected. These measures ensure that the organization is well-equipped to efficiently identify, evaluate, and remediate vulnerabilities.

How Lumu Helps:

• Lumu Discover helps you identify exposed public IPs, services, and domains, along with any associated vulnerabilities. This way, you can choose which assets to protect, thus protecting your whole organization.
• Lumu not only detects existing vulnerabilities, its continuous monitoring detects emerging vulnerabilities and variations in exposure as well. This way, you can remain informed about the current status of your exposed assets.

Recommended Actions:

• Asset Inventory:
  
  • Maintain an up-to-date inventory of all public-facing infrastructure (e.g., servers, IPs, domains). This will make it easier to pinpoint specific assets in your infrastructure and effectively use Lumu Discover’s insights.
  • Leverage Lumu Discover to automatically map and track your existing infrastructure, newly added assets, and, most critically, any changes in their exposure levels.
• Vulnerability Management Program:
  
  • Design and implement a structured program with clear guidelines and procedures that allow members of your organization to identify, prioritize, and remediate vulnerabilities.
  • Ensure that your organization’s patching and updating cycles consistently include all public-facing systems. Outdated operating systems and software in exposed assets are among the most common and severe vulnerabilities.
• Threat Intelligence Integration:
  
  • Utilize insights from the Portal on interactions with adversarial infrastructure to prioritize vulnerabilities based on detected exploitation trends. This approach ensures you consistently address the vulnerabilities that pose the greatest risk to your operations.

Detection & Analysis

During this stage, you must make good use of the groundwork laid during the preparation stage, and focus on identifying vulnerabilities and assessing their severity.

How Lumu Helps:

• Lumu Discover delivers a comprehensive list of open ports, exposed services, and associated vulnerabilities. This intelligence enables you to concentrate your efforts on securing the most vulnerable assets effectively.
• Lumu Discover not only identifies vulnerabilities in your network but also provides real-world exploit evidence, giving you the confidence to take informed and decisive action.

Recommended Actions:

• Conduct Regular Scans:
  
  • Use Lumu Discover's detailed intelligence to identify vulnerabilities in public-facing infrastructure.
  • Cross-reference any obtained findings with available and trust-worthy vulnerability databases (e.g., CVE, CVSS).
• Prioritize Risks:
  
  • Organize and categorize vulnerabilities based on exploitability, asset criticality, and adversarial activity detected by Lumu. This will allow you to prioritize critical threats and better protect your network.
  • Focus on high-severity vulnerabilities in systems connected to sensitive data or operations. By mapping out your network you will be able to prioritize exposed assets with a direct pathway to your vital infrastructure.

Containment, Eradication & Recovery

During this stage, you must focus on mitigating risks from any identified vulnerabilities, as well as restoring any affected operations securely.

How Lumu Helps:

• Lumu Discover offers insights into which vulnerabilities can be most easily exploited by adversaries targeting your infrastructure. You can use those insights to point those vulnerabilities precisely, correct them, and contain the spread of any attackers attempting to use said vulnerability to harm your organization.

Recommended Actions:

• Containment:
  
  • Apply temporary controls such as firewall rules, network segmentation, or access restrictions to limit exposure while the vulnerability is definitively addressed.
  • Disable any services or features connected to any assets where high-risk vulnerabilities have been detected, especially if a patch for said vulnerability isn’t available yet.
• Eradication:
  
  • Patch any and all affected systems using vendor-recommended updates. This should improve the defense capabilities of your assets.
  • If a security patch isn’t available yet, implement recommended mitigations that fit your necessities and conditions (e.g., disabling functionality, applying configuration changes).
  • Remove any unnecessary or unused services to reduce the attack surface. This will allow you to focus your efforts and attention.
• Recovery:
  
  • Validate that the remediation has been carried out successfully through post-remediation scans.
  • Test the stability of critical systems after all the patching and mitigation procedures are completed. Consider doing red-team exercises to make sure that the vulnerabilities have been completely addressed.

Post-Incident Activity

Make the best out of what was learned while handling a potential crisis. Focus on improving vulnerability management practices and preventing future incidents.

How Lumu Helps:

• Lumu will keep continuously scanning and monitoring your network and looking for new vulnerabilities in your external attack surface.

Recommended Actions:

• Refine Vulnerability Management Processes:
  
  • Review your organization’s remediation timelines and adjust your vulnerability service level agreement (SLAs) to ensure that patching is done regularly, and for faster resolution of critical vulnerabilities.
  • Implement automated patching tools where feasible.
• Improve Detection and Visibility:
  
  • Use Lumu to continuously map and monitor your exposed infrastructure.
  • Conduct regular tabletop exercises to test and improve vulnerability response readiness.
• Policy Adjustments:
  
  • Strengthen change management policies within your organization to ensure your cybersecurity team is prepared for a potential crisis and to minimize configuration errors that endanger exposed infrastructure.
  • Create, adjust and increase training for your organization’s system administrators on secure deployment practices. A properly configured network is a safer network.