Planning Helps You Have a Prepared Response in a Crisis
Last December the public and private sectors were both shaken by Solorigate, the compromise of the SolarWinds Orion software supply chain. Like any zero-day attack, it was something nobody had detections or fixes for when it was discovered, so it was stressful for everyone involved, to put it mildly. Ever since then, cybersecurity analysts at CyberMSI have been refining our zero-day response plan to ensure that we will be prepared when something like this happens again in customers' environments.

In this blog we will go over some of the major points in our zero-day response plan so that other organizations can be more prepared. We will also share considerations you should have when attempting to implement these concepts in your organization.
Specify Roles
When creating any incident response plan, it is important to define roles ahead of time so that there is no confusion about who is doing what. If the roles are not clearly defined, people will argue over who gets some responsibilities and attempt to push other responsibilities off on others. Confusion while everyone is panicking turns an unfortunate situation into a disaster.
The way to avoid this confusion is to define specific roles during the planning phase and then update those definitions based on tabletop exercises and other tests of the response plan. Once the roles are solidified, have the ultimately responsible executives or board members sign off on the response plan so that everyone is held to their role.

Have a Clear Communication Plan
Having clear communication channels and standards outlined will make the zero-day response more effective. Instead of key members of your organization being contacted hundreds of times through various communication channels while everyone is panicking, they can be reached through a primary or secondary method, and only by the people they need to interact with as part of their role. Include an out-of-band channel in the plan: if the zero-day affects your email or collaboration platform, the responders may not be able to trust it.
The communication plan should be clearly defined and refined just like the roles. It should also be non-technical so that every member of the organization needed for effective incident response can understand how they are supposed to communicate during the response.

Identify Sources for Updates
When a zero-day attack happens, security researchers are working around the clock to figure out how to respond to the newly discovered cyberattack. IT and security experts should be regularly monitoring news sources from their industries for updates about what is happening to affected environments and how to respond if their environment is affected as well.

Monitoring for Zero-Day Activity
When a zero-day attack happens, the signature-based tools in your organization will not detect it the way they would a known attack, because no signature exists yet. The telemetry those tools and your log sources record (EDR events, DNS and proxy logs, authentication logs) still captures the activity, so make sure that data is retained long enough to be searched once indicators are published. IT security professionals should monitor for updates to their detection tools, such as new analytics, signatures and indicator lists associated with the zero-day attack, from sources like the following.
- Websites of organizations that make the security products that are used in your environment.
- Websites of organizations that make a product that is being exploited as part of a zero-day attack.
- Trusted security research organizations.
- Security community resources like SOC Prime.
- IT community resources like GitHub.
If your organization has limited to no monitoring capacity, consider hiring an MSSP like CyberMSI to help you with incident monitoring.
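Once a vendor or community source publishes indicators for the zero-day, the practical next step is to sweep the telemetry you already have for them, since your tools will not have alerted on that activity at the time. The script below is an added example, not CyberMSI's tooling or any product's feature. It loads a constructed indicator feed (domains, IPs and a file hash, all from documentation ranges and made-up values), sweeps constructed DNS, connection and file-inventory log lines, and reports per host the window between the first and last sighting so the response team knows how far back to scope containment. The log format and field names are assumptions for the example.

```python
"""Retro-hunt freshly published zero-day indicators across existing telemetry.

Added example; the indicator feed and log lines are constructed for
illustration and are not real indicators from any incident.
"""
import csv
import io
from datetime import datetime, timezone

# Constructed hash of a hypothetical trojanized library (not a real sample).
TROJAN_HASH = "4f6c1a2b3d4e5f60718293a4b5c6d7e8f9a0b1c2d3e4f5061728394a5b6c7d8e"

# Constructed feed in the CSV shape a vendor or community source might publish.
# 203.0.113.0/24 and example.net are reserved documentation values.
INDICATOR_FEED = f"""type,value,note
domain,update-cdn.example.net,constructed C2 domain
ip,203.0.113.45,constructed C2 address
sha256,{TROJAN_HASH},constructed trojanized library
"""

# Constructed log lines (assumed "timestamp key=value ..." format).
LOG_LINES = [
    f"2021-01-03T08:00:00Z host=srv-app01 event=file sha256={TROJAN_HASH}",
    "2021-01-03T09:15:10Z host=ws-042 event=dns query=login.example.com",
    "2021-01-04T10:12:33Z host=ws-042 event=dns query=update-cdn.example.net",
    "2021-01-04T10:12:34Z host=ws-042 event=conn dst=203.0.113.45 dport=443",
    "2021-01-05T14:02:00Z host=srv-app01 event=dns query=cache7.UPDATE-CDN.EXAMPLE.NET",
    "2021-01-06T02:30:00Z host=ws-077 event=conn dst=198.51.100.9 dport=443",
]

# Which log field is compared against which indicator type.
FIELD_TYPES = {"query": "domain", "dst": "ip", "sha256": "sha256"}


def parse_indicators(feed_text):
    """Load the CSV feed into {indicator_type: set(lower-cased values)}."""
    by_type = {}
    for row in csv.DictReader(io.StringIO(feed_text)):
        by_type.setdefault(row["type"], set()).add(row["value"].strip().lower())
    return by_type


def parse_log_line(line):
    """Split 'timestamp key=value ...' into a dict with a UTC datetime under 'ts'."""
    ts, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs if "=" in p)
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return fields


def domain_candidates(name):
    """Return the name and each parent domain (excluding the bare TLD) so that
    a subdomain of a published C2 domain still matches."""
    labels = name.lower().rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - 1)]


def match_field(field, value, indicators):
    """Return the matching indicator value, or None."""
    ioc_type = FIELD_TYPES[field]
    known = indicators.get(ioc_type, set())
    if ioc_type == "domain":
        return next((c for c in domain_candidates(value) if c in known), None)
    value = value.lower()
    return value if value in known else None


def sweep(indicators, log_lines):
    """Return one match record per log line field that hits an indicator."""
    matches = []
    for line in log_lines:
        rec = parse_log_line(line)
        for field, ioc_type in FIELD_TYPES.items():
            if field in rec:
                hit = match_field(field, rec[field], indicators)
                if hit:
                    matches.append({"ts": rec["ts"], "host": rec["host"],
                                    "type": ioc_type, "indicator": hit})
    return matches


def exposure_window(matches):
    """Earliest and latest sighting per host; this bounds the forensic scope."""
    window = {}
    for m in matches:
        first, last = window.get(m["host"], (m["ts"], m["ts"]))
        window[m["host"]] = (min(first, m["ts"]), max(last, m["ts"]))
    return window


if __name__ == "__main__":
    hits = sweep(parse_indicators(INDICATOR_FEED), LOG_LINES)
    for host, (first, last) in sorted(exposure_window(hits).items()):
        print(f"{host}: first seen {first.isoformat()}, last seen {last.isoformat()}")
```

Run it as a starting point against an export of your own logs once a feed is published; the suffix matching on domains matters because published C2 domains are frequently contacted through per-victim subdomains, and a plain equality check would miss them.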

Change Management
IT and security experts in your organization will discover new mitigations while monitoring for zero-day attack updates: blocking an indicator, disabling an affected feature, or applying an out-of-band patch. A change management process should be in place so that they do not accidentally interrupt vital functions within the organization when implementing these mitigations. People in a panicked hurry tend to skip change management entirely, which is why the response plan must spell out how changes are made during an incident.
The normal change management process may take too long in a scenario like a zero-day attack that requires urgent action, so define an emergency change path ahead of time: a short approval chain, a mandatory rollback plan for each change, and a retrospective review once the incident is over. That keeps the speed of an ad hoc fix without losing the record of what was changed and why.

Have an Incident Response Team Ready
Once a zero-day attack is identified, an organized incident response team is needed to address the incident. Most large organizations have a dedicated incident response team, but smaller organizations will have to find an alternative.
If your organization does not have the capacity for a dedicated incident response team, it is practical to engage a third-party partner like CyberMSI that does incident response in addition to the monitoring needed for zero-day incident management, and to do so before an incident, so that contracts, access and contacts are already in place.

We will continue to share best practices and lessons learned in future posts on incident response in customer environments. Even though zero-day attacks are intimidating, they can be handled gracefully with careful planning and practiced incident response teams.
In closing, consider these three questions when planning for zero-day attacks in your organization:
- Do we have documentation and processes in place that can be used to address a zero-day attack incident?
- How can we get management onboard with a cybersecurity response plan that can be used to address a zero-day attack?
- Do we have enough trained staff to handle zero-day attack incident response, or should we hire someone with the right skills like CyberMSI?
