When you deal with cyber security incidents, the first course of action to be taken is known as Triage. While better known in the medical field, the concept of Triage still holds the same for cyber security. The aim is to prioritize and sort incidents based on their urgency and potential impact. This allows Security Operations teams to focus their efforts on the most demanding and impactful incidents while at the same time keeping a track on those incidents that are not quite as urgent.

Balancing speed and precision

Cyber Security Analysts and Incident Responders are often in a constant rush as they have to sift through myriads of alerts and incidents. Nothing critical should be overlooked, and no time should be wasted. It is quite a dilemma! In critical situations every second counts as the effects of a breach must be mitigated as rapidly and effectively as possible. My personal two cents, which I base on my own experience working as a Cyber Security Analyst, are that although speed is essential, precision is indispensable. No matter the hurry, take your time to carefully investigate each incident to the best of your abilities and double check that you have not overlooked anything. At times, the most important bits of evidence have nothing to do with the alert that was triggered. For instance, an incident with the heading “Possible obfuscation of command line arguments detected” may be triggered, but a closer inspection of the data reveals a much more serious threat such as a misconfiguration that is causing sensitive client information to be leaked.

Speed and efficiency should never be at the cost of precision. If the volume of alerts and incidents is too high to allow adequate time to investigate each incident, the alert rules and playbooks need to be tuned to filter out unnecessary false positives.

PRIORITIZATION AND SEGREGATION

Triage is an initial investigation that aims to accurately determine whether the incident is a false positive, and if it is not, how urgently must further actions be taken to remediate the situation. Notice the carefully chosen term False Positive rather than True Positive. The reason for this is that an initial investigation is often insufficient to accurately determine whether an incident is really a True Positive. However, it is in most cases adequate to determe whether the incident was caused by something that should not have triggered an alert. It is crucial to understand that any incident that has abnormal or anomalous characteristics should be escalated for a more thorough investigation. While abnormal behavior does not necessarily mean that the incident is a True Positive, it is sufficient to warrant a second opinion.

Triage is typically performed by Tier I Junior Cyber Security Analysts. It is of great importance that a clear and concise summary is written down so that it can later be reviewed by Tier II Cyber Security Analysts in the event that the incident requires further actions. Ideally, the notes should contain technical information as well as a narrative of the events that have unfolded and the investigation that has been carried out.

A Triage incident report should contain answers to at least the following questions:

1. What has happened?

2. What conclusion has been reached?

3. What evidence can be presented to support this conclusion?

4. Does the incident require a further analysis?

Final Thoughts

Although Triage is the first step in incident handling, it is often the most crucial. If great care is not taken during this initial investigation, a major incident may fly under the radar. With adequate training, precise alert tuning and a determination to excel, Junior Cyber Security Analysts can provide this valuable service and progress to higher levels within a Security Operations Center.