TRIAGE

When you deal with cyber security incidents, the first course of action to be taken is known as Triage. While better known in the medical field, the concept of Triage still holds the same for cyber security. The aim is to prioritize and sort incidents based on their urgency and potential impact. This allows Security Operations teams to focus their efforts on the most demanding and impactful incidents while at the same time keeping track of those incidents that are not quite as urgent.

Balancing speed and precision

Cyber Security Analysts and Incident Responders are often in a constant rush as they have to sift through myriads of alerts and incidents. Nothing critical should be overlooked, and no time should be wasted. It is quite a dilemma! In critical situations every second counts as the effects of a breach must be mitigated as rapidly and effectively as possible. My personal two cents, which I base on my own experience working as a Cyber Security Analyst, are that although speed is essential, precision is indispensable. No matter the hurry, take your time to carefully investigate each incident to the best of your abilities and double check that you have not overlooked anything. At times, the most important bits of evidence have nothing to do with the alert that was triggered. For instance, an incident with the heading “Possible obfuscation of command line arguments detected” may be triggered, but a closer inspection of the data reveals a much more serious threat such as a misconfiguration that is causing sensitive client information to be leaked.

Speed and efficiency should never be at the cost of precision. If the volume of alerts and incidents is too high to allow adequate time to investigate each incident, the alert rules and playbooks need to be tuned to filter out unnecessary false positives.

PRIORITIZATION AND SEGREGATION

Triage is an initial investigation that aims to accurately determine whether the incident is a false positive, and if it is not, how urgently further action must be taken to remediate the situation. Notice the carefully chosen term False Positive rather than True Positive. The reason for this is that an initial investigation is often insufficient to accurately determine whether an incident is really a True Positive. However, it is in most cases adequate to determine whether the incident was caused by something that should not have triggered an alert. It is crucial to understand that any incident that has abnormal or anomalous characteristics should be escalated for a more thorough investigation. While abnormal behavior does not necessarily mean that the incident is a True Positive, it is sufficient to warrant a second opinion.

Triage is typically performed by Tier I Junior Cyber Security Analysts. It is of great importance that a clear and concise summary is written down so that it can later be reviewed by Tier II Cyber Security Analysts in the event that the incident requires further actions. Ideally, the notes should contain technical information as well as a narrative of the events that have unfolded and the investigation that has been carried out.

A Triage incident report should contain answers to at least the following questions:

1. What has happened?

2. What conclusion has been reached?

3. What evidence can be presented to support this conclusion?

4. Does the incident require further analysis?
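The decision rule described above (close only a recognized benign trigger with nothing abnormal, escalate everything anomalous, rank escalations by impact and urgency, and refuse a report that leaves any of the four questions unanswered) can be made explicit in a small triage helper. The code below is an added example, not tooling from the original post; the 1..5 scales, the false-positive tuning threshold and the sample alerts are constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed helper, not from the original post. Scales and thresholds are
# assumptions; adapt them to your own SOC's severity model.
ESCALATE = "escalate"
CLOSE_FALSE_POSITIVE = "close_false_positive"

@dataclass
class TriageRecord:
    alert_id: str
    rule: str                  # detection rule that fired
    asset_criticality: int     # 1 (low) .. 5 (business critical), assumed scale
    urgency: int               # 1 (can wait) .. 5 (damage in progress), assumed scale
    anomalous: bool            # analyst saw behaviour abnormal for this host/user
    benign_cause: str = ""     # identified benign trigger, if any
    what_happened: str = ""    # answers to the four mandatory report questions
    conclusion: str = ""
    evidence: str = ""
    needs_further_analysis: Optional[bool] = None

def priority(rec: TriageRecord) -> int:
    """Impact times urgency (1..25); higher values are handled first."""
    return rec.asset_criticality * rec.urgency

def decide(rec: TriageRecord) -> str:
    """Close only when a benign cause is known AND nothing looked abnormal;
    anything anomalous goes to Tier II even if the trigger itself seems harmless."""
    if rec.benign_cause and not rec.anomalous:
        return CLOSE_FALSE_POSITIVE
    return ESCALATE

def missing_answers(rec: TriageRecord) -> list:
    """Which of the four report questions are still unanswered."""
    text = [("what happened", rec.what_happened), ("conclusion", rec.conclusion),
            ("evidence", rec.evidence)]
    gaps = [name for name, value in text if not value.strip()]
    if rec.needs_further_analysis is None:
        gaps.append("further analysis")
    return gaps

def escalation_queue(records):
    """Escalated records, most impactful first."""
    return sorted((r for r in records if decide(r) == ESCALATE), key=priority, reverse=True)

def rules_to_tune(records, fp_ratio=0.8, min_hits=3):
    """Rules closed as false positive so often that the rule, not the analyst, needs work."""
    fired = Counter(r.rule for r in records)
    fps = Counter(r.rule for r in records if decide(r) == CLOSE_FALSE_POSITIVE)
    return sorted(r for r, n in fired.items() if n >= min_hits and fps[r] / n >= fp_ratio)

def sample_records():
    """Constructed alerts: the post's obfuscation example plus one noisy rule."""
    obf = TriageRecord("A-1", "cmdline-obfuscation", 5, 4, anomalous=True,
                       what_happened="Obfuscated command line seen on a file server",
                       conclusion="Trigger itself benign, but script exposes a client data share",
                       evidence="Share ACL grants Everyone read access", needs_further_analysis=True)
    noisy = [TriageRecord(f"A-{i}", "new-scheduled-task", 2, 1, anomalous=False,
                          benign_cause="Approved patch agent") for i in range(2, 5)]
    return [obf] + noisy
```

Calling `rules_to_tune(sample_records())` surfaces the scheduled-task rule as a tuning candidate, while the obfuscation alert stays at the top of the escalation queue because the analyst flagged something abnormal that the alert title did not predict.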

Final Thoughts

Although Triage is the first step in incident handling, it is often the most crucial. If great care is not taken during this initial investigation, a major incident may fly under the radar. With adequate training, precise alert tuning and a determination to excel, Junior Cyber Security Analysts can provide this valuable service and progress to higher levels within a Security Operations Center.
