IncidentResponsev2

Task Update the initial supported Mission Partner (MP) vulnerability assessment (VA) (scan)

Conditions

Given an IR Team deployed supporting a designated MP in Cyber Incident Recovery.

Standards

In coordination with the supported MP, the DCO-E should:

• Review initial the VA and document any/all changes made to improve security
• Conduct a port scan and document deltas with original scans
• Conduct a vulnerability scan and document deltas with the original scans
• As needed conduct a web application vulnerability scan (e.g. Burp Suite) and document deltas
• As needed test firewalls, IDS/IPS, proxies and boundary defense appliance configurations and document deltas
• Provide End of Assessment Nessus Report
• Additional assessments as needed

End State

The IR Team provides an updated VA & scan to the support mission partner in order to document any actions taken during Eradication and Recovery phases.

Notes

Depending on the severity and/or complexity of the cyber incident, the DCO-E may consider conducting another full vulnerability assessment. At a minimum, full network/system scans with tools such as NMAP, OpenVAS, NESSUS, orothers is critical.

Manual Steps

Running Script

N/A

Dependencies

N/A

Other available tools

N/A

References

NIST Cyber Security Framework
NIST SP 800-184: Guide to Cyber Event Recovery
US CERT: Cyber Resilience Review Self Assessment Package

Revision History