Zero Day & CVE Response

What Zero Day Response Covers and When to Activate

• A zero-day vulnerability is a software flaw that is either (a) publicly disclosed without a vendor patch, (b) actively exploited before the vendor knows about it, or (c) disclosed via CVE with a critical score and active exploit code in the wild.
• MITRE ATT&CK maps vulnerability exploitation to T1588.006 (Obtain Capabilities: Vulnerabilities) — attackers weaponize CVEs to gain initial access, escalate privileges, or bypass defenses.
• Activate this playbook when: (1) A CVE is published with CVSS 9.0+ and active exploit code, (2) CISA publishes a Known Exploited Vulnerability (KEV) alert relevant to your environment, (3) A vendor releases an emergency patch for an actively exploited vulnerability, or (4) Your organization’s threat intel team reports active exploitation of a zero-day affecting your tech stack.

Step 1: Triage the Disclosure (First 30 Minutes)

Information Gathering

When a new CVE or zero-day is announced, collect:

Triage Decision Matrix

Step 2: Asset Discovery and Exposure Assessment (1-2 Hours)

Find Affected Assets

# Search configuration management database (CMDB) for affected software
# Query your asset inventory — crowdstrike, tenable, or CMDB API

# Search SIEM for affected software versions
index=windows sourcetype=WinEventLog:Application
| search ProductName="*VulnerableProduct*" ProductVersion="*affected_ver*"
| stats dc(Computer) as Affected_Systems by ProductName, ProductVersion

Exposure Assessment

Prioritize Systems for Patching

Step 3: Compensating Controls — Patching Delay Mitigation

When a patch is not immediately available (vendor hasn’t released one, or patching requires a maintenance window), deploy compensating controls:

Network-Level Controls

Endpoint-Level Controls

Suricata Rule Template for Virtual Patching

# Virtual patch — block exploitation of CVE-YYYY-NNNNN
alert tcp any any -> $HOME_NET $HTTP_PORTS (
  msg:"CVE-YYYY-NNNNN — virtual patch for remote code execution";
  content:"/vulnerable/endpoint"; http_uri;
  content:"exploit_string"; http_client_body;
  classtype:attempted-admin;
  sid:1000001; rev:1;
  reference:cve,CVE-YYYY-NNNNN;
)

Step 4: Active Exploitation Monitoring

Once you have identified affected assets, monitor for exploitation attempts.

Monitor This Telemetry

SPL — Monitor for Post-Exploitation Activity

index=windows sourcetype=WinEventLog:Sysmon EventCode=1
| search ParentImage="*vulnerable_service*" OR ParentImage="*httpd*" OR ParentImage="*iis*"
| search Image="*cmd.exe*" OR Image="*powershell.exe*" OR Image="*wscript.exe*"
| stats count, values(CommandLine) as Commands by Computer, Image
| eval alert = "Post-exploitation activity from " . ParentImage . " spawning " . Image . " on " . Computer
| table _time, Computer, ParentImage, Image, CommandLine, alert

CVE-Specific Monitoring Checklist

Step 5: Patch Deployment and Verification

Deployment Phases

Verification Checklist

# Verify patches are installed
# Windows
wmic qfe list brief /format:texttable
Get-HotFix | Where-Object {$_.HotFixID -eq "KBXXXXXXX"}

# Linux
dpkg -l | grep package_name
rpm -qa | grep package_name

# Verify service restart (if required)
Get-Service -Name vuln_service | Select-Object Status, StartType
systemctl status vulnerable.service

Exception Handling

Systems that cannot be patched must have documented exceptions:

Communication Timeline

Related

• Zero Trust Architecture — detection and response for TA0005 techniques
• Active Directory Compromise Response — detection and response for T1558 techniques
• Business Email Compromise Response — detection and response for T1566, T1114, T1098, T1586 techniques

Sources

• NVD — National Vulnerability Database
• CISA Known Exploited Vulnerabilities (KEV)
• MITRE CVE List
• FIRST CVSS Calculator
• Exploit-DB
• SANS — Zero-Day Triage