At the beginning of 2023, NSFOCUS started an internal review and optimization of its Emergency Response Process for Network Security Incidents and Vulnerabilities. This policy guides the implementation and operation of emergency response so that quality and progress stay controllable and the emergency response service stays rapid.
Launch Emergency Response
The NSFOCUS Cert (NSCERT) team constantly obtains and screens network security intelligence from channels including the intelligence monitoring sector, the incident emergency response sector, reports from regional departments, and external sources. For intelligence that requires an emergency response, the emergency response process swiftly sorts out key information, such as a brief introduction of the vulnerability/incident, the scope of impact, detailed information or PoC/EXP disclosure, reference links, and response suggestions, and forms a briefing for the VPs in rotation and the emergency review experts, who review it further and make judgments on conditions, emergency response levels and suggestions. In this emergency response policy, emergency incidents are classified into four levels: red, orange, yellow, and blue. Once the emergency level for an incident is determined, NSCERT activates the emergency response process. The system automatically sends an email notifying each product team and the emergency contacts to start the emergency response.
Issue Security Advisory
NSCERT generates a vulnerability/incident notification based on the obtained and sorted intelligence, and issues a security advisory through various channels (email, website, social media, etc.).
Technical Analysis and Solution Validation
Based on the key intelligence about an emergency incident, NSFOCUS Security Labs and NSCERT jointly provide sample behaviors, vulnerability details, detection and protection methods, and a technical analysis report.
The NSFOCUS Threat Intelligence Center provides statistical reports on the impact of emergency incidents based on the sample activity and vulnerability details provided by the technical analysis team.
Building on the detection and protection methods provided by the technical analysis team, and on the key intelligence about the emergency incident, the NSFOCUS product team provides detection and protection upgrade packages for each product that can protect against the incident.
An emergency response project manager is responsible for monitoring the emergency response process of the product line and a technical support contact is responsible for releasing the product upgrade packages.
Issue Handling Manual
During the emergency response process, NSCERT adds more information to the original briefing, including technical analysis, protection solutions, and policies on security devices, and compiles a complete handling manual to be released through various channels.
NSFOCUS’ Emergency Response Process for Network Security Incidents and Vulnerabilities was created in 2017. This is the ninth optimization. All team members are very familiar with the entire process and cooperate seamlessly in threat response. Proactive threat monitoring, security advisories, rapid response to attacks in minutes, detailed technical reports and practical protection recommendations build a timely line of defense for customers before they become victims of security incidents.