SecurityScorecard v3.0 Recommended Actions to Improve Your Scores
As we shared in our blog post dated November 14, 2023, in April 2024, SecurityScorecard will implement a more detailed, updated methodology for measuring risk scores as v3.0. With V3.0, algorithms that tighten the correlation with the probability of a breach will be put into use. With the V3.0 Beta version, you can already preview the new scores of your company, competitors, suppliers and all 3rd parties. You can access the preview of V3.0 scores via the option on the Issues page on the platform.
In V3.0, findings classified as informational in the previous scoring will also be included in the evaluation, etc. Due to differences, a decrease in the scores of many companies is observed. In our previous blog post, we also shared the current probability values regarding the violation probabilities in return for letter scores. When you examine it, you can see that as the letter score increases, the probability of violation increases even more.
For this reason, it is recommended that you check the v3.0 scores for both your own company and the third parties you work with and take the necessary actions, starting with the high priority findings.
|Ways to Improve Your Score
|Unsolicited Commercial Email
|• Implement an email filtering system to detect, flag, and quarantine unsolicited commercial emails.
• Educate users on the risks associated with unsolicited commercial emails, and provide guidance on how to handle them (e.g. not clicking on links or downloading attachments).
• Report any suspicious emails and their content to your internal security team for further investigation.
|IMAP Service Observed
|• Immediately investigate the event to determine the source and scope of the IMAP service. This should include analyzing log data for any suspicious activities or patterns, as well as inspecting the network for any signs of malicious activity.
• Establish a response team to take appropriate action based on the findings of the investigation. This should include developing a plan of action to address the event, as well as identifying any further steps that need to be taken.
• Set up additional monitoring and detection capabilities to alert the response team of any further IMAP service activity. This should include alerting on any suspicious activity, such as failed login attempts, as well as implementing measures to prevent any malicious activity from taking place.
|POP3 Service Observed
|• Disable the POP3 service on the affected system and any other systems where it is running.
• Determine the source of the POP3 service and investigate for any malicious activity.
• Implement additional monitoring and logging to track all activity related to the POP3 service.
|Credentials at Risk (Historical)
• Increase user awareness and education on the importance of strong passwords and the risks associated with weak ones. Provide tools and resources to assist users in selecting and managing secure passwords.
• Implement multi-factor authentication for all user accounts that have access to sensitive systems and data.
• Strengthen security monitoring and logging of access to sensitive systems and data. Review and analyze the logs for signs of suspicious activity.
|Malware Infection Trail
|• Implement a malware scanning system to monitor for suspicious activity.
• Educate users on the importance of safe online practices and awareness of malicious emails and websites.
• Implement a backup and disaster recovery plan to mitigate the risk of data loss.
|Adware Installation Trail
|• Investigate the source of the adware installation trail by reviewing system logs and tracking the IP address to determine the origin of the threat.
• Analyze the adware installation trail to determine what type of malicious software it is and if there is a risk of further malicious activity on the system.
• Develop a plan to remove the adware trail from the system and ensure that the system remains secure moving forward. This could include updating system software and running additional scans to detect other malicious software.
|OpenVPN Device Accessible
|• Immediately revoke all existing access to the OpenVPN device and disable any access until further investigation is conducted.
• Investigate the source of the vulnerability and the scope of access that was potentially granted.
• Implement additional controls such as two-factor authentication or IP whitelisting to prevent unauthorized access in the future.
|Telephony/VoIP Device Accessible
|• Immediately disable remote access to any VoIP devices or telephony systems and restrict access to only authorized personnel.
• Implement a secure authentication process, such as multi-factor authentication, for any remote access to VoIP devices or telephony systems.
• Monitor all remote connections to VoIP devices and telephony systems for suspicious activity and investigate any anomalies. If suspicious activity is discovered, take immediate action to prevent further damage.
|Networking Service Observed
|• Isolate the affected network segment from other internal networks, and deploy a firewall to restrict any unauthorized access.
• Establish a security incident response team to investigate the incident and identify any malicious activity or potential vulnerabilities.
• Establish a secure communication channel with the service provider to ensure the integrity and security of any transmitted data.
|Pulse Connect Secure VPN Product Observed
|• Deploy an Intrusion Detection System (IDS) to monitor traffic on the Pulse Connect Secure VPN network for any suspicious activity.
• Implement an effective patch management process to ensure that all vulnerabilities in the Pulse Connect Secure VPN product are addressed in a timely manner.
• Run regular vulnerability scans on the Pulse Connect Secure VPN product to identify any additional security issues.
|SOAP Server Accessible
|• Immediately restrict access to the SOAP server to only authorized users. This may involve restricting IP ranges, creating firewall rules, or other access control measures.
• Implement multi-factor authentication for all users accessing the SOAP server.
• Perform a full vulnerability scan of the SOAP server to identify and address potential security weaknesses.
|• Immediately block all inbound and outbound UPnP traffic at the firewall and any other devices on the network to prevent unauthorized access.
• Conduct a full audit of all UPnP services on the network to identify any potentially vulnerable services.
• Implement a WAF (Web Application Firewall) to further enhance the security of the UPnP services and block any potentially malicious traffic.
|Minecraft Server Accessible
|• Implement proper access control measures for the server, including user authentication and authorization, to ensure only authorized users can access the server.
• Perform a security assessment of the server to identify any potential vulnerabilities or misconfigurations.
• Implement a monitoring system to alert when unauthorized access is attempted or granted to the server.
|DNS Server Accessible
|• Set up logging for all accesses to the DNS server, so as to track and investigate any suspicious activity.
• Implement two-factor authentication for any user accessing the DNS server.
• Set up segmentation and restrict access to the DNS server to only necessary user accounts and services.
|• Implement regular vulnerability scans of the CDN used to identify any weaknesses or potential breach points.
• Monitor access logs for the CDN for any suspicious activity, such as unusual login attempts, unauthorized access attempts, or other anomalies.
• Implement a robust security policy for the CDN that includes password management, two-factor authentication, and other security best practices.
|Cloud Provider Service Used
|• Establish a detailed incident response plan for the cloud provider service that outlines the appropriate steps to take in the event of a security breach or incident. This should include a timeline for responding to the incident, as well as clear roles and responsibilities for each team member involved.
• Implement additional security measures, such as multi-factor authentication and encryption of data at rest and in transit, to further protect the cloud provider service and the data stored within it.
• Increase monitoring of the cloud provider service to detect any suspicious or malicious activity, and regularly review security logs for signs of potential breaches.
|Content Security Policy Contains ‘unsafe-*’ Directive
|• Document the current CSP policy and investigate the directive used to determine if it is necessary and if there are more secure alternatives.
• Ensure that the directive is properly configured and implemented without exposing vulnerable resources.
• Monitor the CSP policy for any changes or anomalies.
|Website Hosted on Object Storage
|• Implement a web application firewall (WAF) to detect and block malicious traffic to the website hosted on the object storage.
• Monitor the web requests and responses for the website hosted on the object storage for any suspicious activities.
• Deploy a vulnerability management solution to detect any vulnerabilities on the website hosted on the object storage and patch them as soon as possible.
|Unsafe Implementation Of Subresource Integrity
|• Immediately update the subresource integrity implementation to ensure that it is secure and compliant. This should include patching any known vulnerabilities and implementing additional security measures such as using HTTPS, Content Security Policy (CSP) directives, and other security best practices.
• Perform an internal audit of the subresource integrity implementation to identify any additional areas of vulnerability.
• Implement a comprehensive monitoring and alerting system to detect any unauthorized access or modification of the subresource integrity implementation. This should include monitoring for suspicious activity such as changes in code, network traffic, and suspicious user activities.
|Website does not implement X-XSS-Protection Best Practices
|• Develop an X-XSS-Protection policy and educate website administrators on the importance of implementing X-XSS-Protection best practices.
• Regularly scan the website for any security vulnerabilities and address any issues found.
• Deploy an application layer security firewall to monitor and block any malicious requests that try to bypass the X-XSS-Protection measures.
|Website References Object Storage
|• Immediately investigate the source of the website reference and take appropriate action to mitigate the risk. This may include enabling two-factor authentication (2FA) or other access control measures.
• Conduct a full review of the object storage system to identify any vulnerabilities that may have been exploited to gain access to the stored data.
• Implement additional security measures such as data encryption, access control lists, and user authentication to limit access to the object storage system. Additionally, consider implementing a regular security audit to ensure the system remains secure.
|Browser Average Age Indicates Older Versions
|• Establish a browser age policy that requires all users to have the latest version of their browsers installed and configured. This should include regular notifications to users to update their browsers.
• Run a vulnerability scan across your environment to identify any systems running vulnerable or outdated versions of web browsers.
• Deploy a web content filter to ensure all users are accessing only legitimate websites and are not downloading malicious software or files. This will help reduce the risk of malicious software being downloaded onto vulnerable systems.
|Potentially Vulnerable Application (PVA) Installation
|• Immediately deploy a web application firewall (WAF) to protect the PVA from known and emerging threats.
• Implement multi-factor authentication (MFA) for all users accessing the PVA.
• Conduct regular security scans of the PVA to identify any potential vulnerabilities that could be exploited.
|Potentially Vulnerable Application Installation (PVA) Trail
|• Perform a security audit of the PVA installation to identify any potential vulnerabilities and determine if any corrective actions are necessary.
• Implement logging capabilities for the PVA installation, so that any suspicious activity or access attempts can be monitored and tracked.
• Implement a patch management system to ensure that all components of the PVA installation are up-to-date, and any known vulnerabilities are remediated.
|Website Copyright is Not Current
|• Immediately take the website down and initiate a comprehensive review to determine the scope of the issue and determine the source of the copyright discrepancy.
• Conduct a thorough review of all website content to ensure all content is updated and current.
• Implement a process for regularly auditing the website’s content to ensure that all copyright information is up-to-date and accurate. Additionally, ensure that the process includes a review of external links to ensure that they are also up-to-date.
|Website communicates with payment provider
|• Immediately shut down the website and its associated payment provider to prevent any further potentially malicious activity.
• Perform a deep forensic analysis of the website and its associated payment provider to determine what type of communication is occurring and to look for any potential malicious indicators.
• Implement additional monitoring and logging capabilities to detect any future suspicious activity related to the website and its associated payment provider.
|Site may use WebSockets to send user data
|• Investigate the underlying code to determine if the WebSockets are secure and properly configured.
• Ensure that all user data is encrypted while in transit and stored securely.
• Monitor for any suspicious activity associated with WebSockets usage, such as unexpected or unauthorized traffic.
|Site receives data over Websockets
|• Monitor the websocket traffic for any suspicious activity, such as data exfiltration or malicious content being pushed from the websocket.
• Establish a process to review and audit the websocket data regularly to ensure that it is only being used for its intended purpose.
• Implement security controls such as encryption and authentication mechanisms to protect the data being exchanged over the websocket.
|Site emits visible browser logs
|• Implement a web application firewall to monitor and filter out any visible browser logs from being emitted.
• Train users on browser security best practices, such as disabling or limiting the amount of data being logged.
• Monitor web server logs for any suspicious activity related to browser logs being emitted.
|Server with Expired Certificate Contacted
|• Investigate the source of the contact. Establish whether it is malicious or legitimate and if the server is compromised.
• Utilize a network monitoring tool to detect any suspicious activities related to the server.
• Replace the expired certificate and ensure that all other certificates in the system are valid.
|Ransomware Infection Trail Detected
|• Isolate the affected system(s) from the network immediately to prevent further spread of the ransomware.
• Activate incident response processes and protocols to investigate the incident.
• Perform a forensic analysis of the system to determine the extent of the infection and the source of the ransomware.
|Exposed Personal Information (Historical)
|• Ensure that all affected individuals are notified of the breach and the data that was exposed. Ensure that you provide appropriate guidance and education on how to protect themselves.
• Conduct a thorough review of historical data sources to identify any other instances of potential exposure.
• Deploy monitoring and alerting tools to detect any further attempts to access the exposed data. This could include network traffic monitoring, log monitoring, and/or endpoint monitoring tools.
|Product Running Vulnerable Log4j Version
|• Deploy an automated vulnerability scanning solution to detect any vulnerable Log4j versions in use across the entire product.
• Patch existing vulnerable Log4j versions and ensure that any new installations of Log4j use the latest version.
• Monitor the network for any suspicious activity related to the vulnerable version of Log4j, such as attempted exploitation or attempted lateral movement.
|SOCKS Proxy Service Detected
|• Immediately investigate the source of the SOCKS proxy service and determine whether it is authorized or unauthorized. If unauthorized, block the source of the service and move onto further investigation.
• Conduct a thorough review of the system’s access logs to identify any suspicious activity associated with the SOCKS proxy service.
• Establish effective monitoring and alerting capabilities to detect any similar SOCKS proxy services in the future.
|• Immediately isolate the printer from the network and investigate the printer for any malicious activity or unauthorized access.
• Deploy a host-based firewall or network-based IDS/IPS system to monitor all printer activity.
• Monitor the printer’s logs for any suspicious activity or unusual patterns that could indicate a security breach.
|TOR Server Detected
|• Immediately quarantine the TOR server and all associated devices and systems to contain the threat and prevent further spread.
• Run a full investigation into the TOR server to identify any malicious activity.
• Gather detailed information about the server, including IP addresses, ports, and application versions, to help determine the origin of the threat and the scope of the incident.
|Apple AirPort Device Detected
|• Perform a vulnerability scan of the Apple AirPort device to identify any potential issues that may need to be addressed.
• Monitor the device for any suspicious activity or network traffic that may indicate an attack.
• Change the device’s default password and enable two-factor authentication for further protection.
|Mobile Printing Service Detected
|• Monitor the mobile printing services for any suspicious or malicious activity. Keep track of the type of documents printed, the users accessing the service, and any other potentially malicious activity.
• Implement an endpoint security solution on all mobile devices that access the mobile printing service. This should include antivirus/malware protection, application control, and firewall protection.
• Educate staff on the proper use of mobile printing services, such as not printing sensitive or confidential documents over the service. Emphasize the importance of understanding the risks associated with using such services.
|HTTP Proxy Service Detected
|• Establish a baseline of normal HTTP proxy traffic activity and set up an alert if any suspicious or anomalous HTTP proxy traffic is detected.
• Investigate the source of the HTTP proxy service to determine the origin and purpose of the traffic.
• If the HTTP proxy service is deemed malicious, implement measures to block or limit access to the service, such as firewall rules or whitelisting specific IP addresses.
|Embedded IOT Web Server Exposed
|• Perform an immediate vulnerability scan of the exposed web server to identify any potential security flaws.
• Implement access control measures to limit who can access the embedded IOT web server.
• Educate users on the importance of cybersecurity and how to securely configure web servers.
|Network Attached Storage Device Exposed
|• Immediately disconnect the Network Attached Storage Device (NAS) from the network and quarantine it in a secure location to prevent further exposure.
• Perform a detailed forensic analysis of the exposed NAS to identify any potential malicious activity, compromised data, and to determine the root cause of the exposure.
• Implement enhanced network monitoring and alerting to detect any unusual activity on the NAS or on any other connected systems.
|MySQL Server Running with Empty Password
|• Immediately change the password on the MySQL server to a unique, strong password.
• Enable secure authentication for the MySQL server, such as two-factor authentication or encrypted key authentication.
• Restrict access to the MySQL server to only authorized users and systems.
|iSCSI Device Exposed
|• Isolate the iSCSI device from the network: Immediately disconnect the device from the network and check to ensure that it is truly isolated.
• Scan the iSCSI device for vulnerabilities: Conduct a vulnerability scan of the device to identify any potential security flaws that could be exploited by malicious actors.
• Monitor network traffic: Implement network monitoring to detect any traffic coming from or going to the iSCSI device, and alert the security team if suspicious activity is detected.
|Cobalt Strike C2 server detected
|• Isolate the Cobalt Strike C2 server from the network and restrict access to it.
• Investigate the origin of the Cobalt Strike C2 server, including any associated malicious or suspicious activity.
• Monitor the system and network for any further suspicious activity, including additional Cobalt Strike C2 servers.
|Web application potentially vulnerable to Spring4Shell
|• Perform an audit of the web application’s code and configuration to identify any potential weaknesses or gaps in security.
• Monitor the web application for any suspicious activity or malicious activity.
• Implement application security best practices, such as input validation, secure coding guidelines, and encryption.
|Site requests data over insecure channel
|• Conduct a Risk Assessment: Perform an assessment of the risks associated with the insecure data transmission channel. Consider the type of data being transmitted, the sensitivity of the data, and the potential impact of a data breach.
• Increase Monitoring and Logging: Increase monitoring and logging of all data transfer and communications activities. This will help identify any suspicious activity or attempts to access the data in an insecure manner.
• Implement Encryption: Implement encryption of the data being transmitted over the insecure channel. This will provide an additional layer of security and ensure that the data is not readable by unauthorized individuals.
|Site links to insecure websites
|• Monitor all inbound and outbound links on the site for any malicious activity.
• Develop a policy and procedure for identifying and removing any links to insecure websites.
• Educate users about the risks of clicking on links to insecure websites and what to do if they encounter one.
|Link redirects to insecure website
|• Implement a web filtering system that will detect and block link redirects to insecure websites.
• Educate users on the potential risks of clicking on links that redirect to insecure websites.
• Monitor web traffic for any suspicious redirects or connections to known malicious websites.
|Insecure channel exposes sensitive information
|• Establish a secure channel for information transfer by implementing a secure protocol such as TLS/SSL.
• Implement access control measures on the insecure channel to ensure that only authorized personnel can access the sensitive information.
• Deploy data encryption to protect the sensitive information while it is in transit over the insecure channel.
|Server error detected
|• Conduct a thorough review of server logs to determine the cause of the error and identify any suspicious activity.
• Implement additional monitoring and logging to detect any further errors or suspicious activity.
• Update server security patches or other software as needed to prevent similar incidents in the future.
|Site fails to load page components
|• Run a full system scan to identify any potential malware, viruses, or other malicious code that may be causing the page components to fail to load.
• Check the browser settings to ensure that all necessary page components are enabled and functioning properly.
• Check the server logs to identify any potential issues with page component loading or requests.
|Server certificate issued by country on denylist
|• Monitor the server for malicious activity. Track all incoming and outgoing traffic to the server and flag any suspicious activity.
• Check the certificate’s fingerprint against the denylist to make sure it is not a match. If it is, contact the certificate issuer to investigate the issue.
• Use a trusted third-party service to scan the server for vulnerabilities and patch any flaws that are detected. Ensure that the server is up-to-date with the latest security updates.
|Certificate key is smaller than recommended size
|• Update the certificate with a larger key size. Ensure that the new key size meets the recommended standards for encryption strength.
• Monitor for any unauthorized activities associated with the certificate, such as attempts to access protected resources or any other suspicious activity.
• Educate users on the importance of following the recommended security standards for certificate key size and ensure that they are aware of the risks of using a smaller key size.
|Browser logs contain debug messages
|• Establish a process to review browser logs on a regular basis to identify any suspicious activity or events.
• Educate users on the importance of browser logs and how to report any issues to IT.
• Implement a browser-level security policy to ensure logs are being maintained and reviewed appropriately.
|Websocket requests contain sensitive fields or PII
|• Implement a WebSocket encryption protocol to secure the sensitive fields or PII. This should include authentication and encryption of the data transmitted over the WebSocket connection.
• Implement a WebSocket authorization framework to ensure only authorized users have access to the sensitive fields or PII. This should include authentication and authorization of the users requesting access to the data.
• Monitor all incoming and outgoing WebSocket requests for suspicious activity. This should include scanning for malicious payloads, as well as tracking the source and destination of the requests. Additionally, consider implementing a WebSocket intrusion detection system to detect and protect against malicious activity.
|Non-standard links detected: Local file path exposed
|• Investigate the source of the non-standard link and determine if the file path contains any sensitive information.
• Identify who has access to the file path and ensure that access is limited to authorized personnel only.
• Implement a monitoring solution to detect any attempts to access the exposed file path and alert the appropriate personnel.
|Non-standard links detected: Unsafe File Transfer Protocol
|• Immediately investigate the origin of the link and its intended recipient. Establish a timeline of events leading up to its detection and contact any potentially affected users.
• Block the link and quarantine any related files or systems.
• Deploy an appropriate security solution to detect and prevent any further attempts to use unsanctioned file transfer protocols.
|Non-standard links detected: Contact information displayed
|• Investigate the non-standard link to determine the source of the contact information.
• Monitor the link and associated contact information for any suspicious activity.
• Establish a process to review and approve any non-standard links before they are used in your organization.
|• Immediately shut down the exposed email system and conduct a comprehensive forensic investigation to identify the source and scope of the exposure.
• Utilize an external cyber security firm to assist in the investigation and recommend remediation actions.
• Notify affected users of the incident and provide them with resources to mitigate any potential damage, such as resetting passwords and monitoring their credit reports.
|IP address exposed
|• Monitor the exposed IP address for suspicious activity. Set up a network-based intrusion detection system (IDS) to monitor incoming traffic and alert you to any suspicious activity.
• Change the IP address of the exposed system and update any relevant records.
• Educate users on best practices to prevent similar incidents from occurring in the future, such as using secure passwords, avoiding suspicious emails and links, and disabling unnecessary services.
|Social Security number exposed
|• Implement an immediate containment plan to mitigate the further spread of the Social Security number. This could include shutting down the system where the information was exposed, changing access credentials to any applications or accounts where the Social Security number was stored, and notifying any individuals who may have had access to the number.
• Conduct a detailed investigation to identify the root cause of the exposure and the potential scope of the incident. This includes determining who had access to the Social Security number, if it was shared outside the organization, and if any data has been accessed or stolen.
• Implement an appropriate response plan to address the incident. This could include notifying affected individuals, providing credit monitoring or identity theft protection services, and implementing additional security controls to prevent similar incidents from occurring in the future.
|Password hint exposed
|• Immediately implement a password reset for any accounts associated with the exposed password hint.
• Enable two-factor authentication for any accounts associated with the exposed password hint.
• Deploy a password manager to ensure users are creating strong, unique passwords and storing them securely.
|Cleartext password exposed
|• Identify the affected systems and users: Immediately begin an investigation to identify the source of the exposed password and the systems and users affected.
• Implement a remediation plan: Establish a remediation plan that includes resetting passwords for affected accounts and notifying users of the incident.
• Monitor and analyze the incident: Utilize threat intelligence and log analysis tools to monitor and analyze the incident. This will help identify any additional suspicious activity that may be related to the incident.
|• Conduct a thorough assessment of the incident to determine the root cause and scope of the exposure.
• Establish a communications plan to provide timely updates to key stakeholders and the affected individuals.
• Update or create an incident response plan to ensure similar incidents are addressed in a timely and effective manner.
|Security question and answer exposed
|• Immediately implement two-factor authentication on any accounts that had their security questions and answers exposed.
• Immediately reset all passwords on any accounts that had their security questions and answers exposed.
• Conduct an impact assessment to determine the extent of the exposure and identify any other accounts that may have been affected. If any other accounts are found, reset their passwords as well.
|Product Potentially Impacted by CVE-2022-41040 & CVE-2022-41082
|• Run an in-depth scan of the product to quantify the extent of the impact and identify any additional vulnerabilities that may be associated with the CVEs.
• Implement a patching and update strategy for the product to ensure it is always running the latest, most secure version.
• Install a network and host-based IDS/IPS system to monitor for any malicious activity associated with the CVEs.
|Product Potentially Impacted by PowerShell Remoting RCE
|• Perform an audit of the product’s PowerShell remoting configurations to ensure they are secure and up-to-date.
• Implement a system for monitoring PowerShell remoting activity on the product.
• Educate the product’s users on the risks associated with PowerShell remoting and ensure they understand the security measures in place.
|• Isolate the affected system(s) from the network to contain the spread of the malicious activity.
• Perform a comprehensive forensics and incident response investigation to identify the scope of the incident and the malicious activities that occurred.
• Deploy an advanced endpoint protection solution to scan all systems on the network for possible malware infections.
|Malicious TOR Exit Node Detected
|• Isolate the affected system from the network to prevent the malicious activity from spreading to other systems.
• Perform a comprehensive malware scan and quarantine any malicious files found.
• Utilize threat intelligence to determine the source of the malicious activity and take appropriate action to mitigate the threat.
|Malicious TOR Relay/Router Node Detected
|• Implement network monitoring and logging to detect and monitor suspicious TOR network activity.
• Block TOR network traffic from entering or leaving the network.
• Implement an intrusion detection system (IDS) to detect and alert on malicious TOR activity.
|IP on blacklist due to malicious activity
|• Immediately investigate the source of the malicious activity. This should include reviewing logs, monitoring network traffic, and performing forensics to identify any malicious actors and their methods.
• Implement additional security measures to prevent the malicious activity from happening again. This could include implementing firewalls, IDS/IPS systems, and content filtering.
• Identify any additional IPs that may have been affected by the malicious activity. This can be done through DNS scans, WHOIS lookups, and other methods. Once identified, the affected IPs should be secured and monitored for any further malicious activity.
|Malicious botnet C2 server detected
|• Isolate the affected system from the network and disable all services on the system, including internet access, to prevent the malicious botnet from spreading to other systems.
• Contact a qualified IT forensic expert to investigate the system and determine the extent of the malicious activity.
• Deploy additional endpoint security solutions, such as a next-generation firewall, to detect and block attempts to communicate with the malicious C2 server.
|Known compromised or Hostile Host
|• Isolate the Hostile Host from the network. This can be done by unplugging any physical connections, disabling the network interface, and/or blocking any associated IP addresses at the firewall.
• Conduct a thorough forensic analysis of the Hostile Host to determine the extent of the compromise and to identify any malicious activities that may have occurred.
• Implement additional security measures such as host-based firewalls, endpoint detection and response (EDR) solutions, and/or intrusion detection systems (IDS) to detect and prevent any future malicious activity.
|DOS Attack Attempt Detected
|• Capture and analyze the traffic from the source of the attack to detect the purpose and intent of the attack.
• Implement a network monitoring system to detect and alert on any similar attack attempts in the future.
• Provide security awareness training to users to identify potential DOS attack attempts and encourage them to report any suspicious activity.
|Exploit Attempt Detected
|• Establish a baseline of expected network traffic and monitor for any anomalous activity that could indicate an exploit attempt.
• Immediately isolate any affected systems to minimize further damage or compromise.
• Utilize threat intelligence solutions to identify the source of the exploit attempt and take appropriate action.
|Malicious Scan Detected
|• Immediately isolate the affected system from the network in order to contain any malicious activity.
• Perform an in-depth investigation to identify the source of the scan, including scanning logs and network traffic analysis.
• Implement additional security measures to detect and prevent similar malicious scans in the future, such as implementing an intrusion detection system or firewall rules to block suspicious traffic.
|Mirai Botnet Traffic Detected
|• Immediately contain the infected host(s) or network segment(s) to limit the impact and prevent the spread of the malware.
• Conduct a thorough forensic investigation to identify the source of the infection, the scope of the infection, and which systems may have been compromised.
• Create custom signatures for your IDS/IPS and deploy them on your network to detect and block any traffic associated with the Mirai Botnet.
|Malicious User Agent Detected
|• Monitor the user and IP address associated with the malicious user agent to identify any further malicious activity.
• Utilize web application firewalls to detect and block future malicious user agents.
• Track the source of the malicious user agent and alert appropriate security teams to investigate the source.
|Active CVE Exploitation Attempted
|• Increase monitoring of network traffic to detect suspicious activity related to the CVE.
• Increase logging of system events to detect and investigate suspicious activity related to the CVE.
• Utilize threat intelligence feeds to determine if the CVE has been used in any known attacks.
|Attempted Information Leak
|• Utilize endpoint detection and response (EDR) tools to identify and investigate the attempted leak.
• Establish security policies and procedures to prevent future incidents of this type and ensure employees receive appropriate training.
• Review system logs and activity to establish more detailed forensic evidence and identify the source of the attempted leak.
|November 2022 OpenSSL 3.X vulnerability detected
|• Immediately patch or upgrade all systems running OpenSSL 3.X. Make sure to test the patch or upgrade before deploying it to production systems.
• Conduct a comprehensive security audit of all systems and applications that are using OpenSSL 3.X to identify any other potential vulnerabilities.
• Monitor all systems for suspicious activity and review logs for any signs of malicious activity. Consider implementing a SIEM solution or other automated security monitoring tools to improve detection capabilities.
|Potential vulnerability detected
|• Immediately engage with the IT Security team to investigate the potential vulnerability and develop a plan of action to address it.
• Put in place measures to contain the potential vulnerability as quickly as possible, such as patching the system or isolating the affected system from the organization’s network.
• Perform a thorough assessment of the affected system or network to identify any other potential vulnerabilities that may exist. Additionally, review the organization’s security controls to ensure they are up to date and effective.