Incident Response Management Process – Triage

07 Oct Incident Response Management Process – Triage

Triage is the first post-detection incident response process any responder will execute, and it ends with the event either opened as an incident or closed as a false positive. Structuring an efficient and accurate triage process will reduce analyst fatigue and ensure that only valid alerts are promoted to “investigation” or “incident” status. Triage responders face the urgent challenge of filtering an unwieldy input source into a condensed trickle of events.

Every part of a triage process must be performed with urgency. The following suggestions help expedite analysis before data is validated:

  • Organization – Reduce redundant analysis by developing a workflow that assigns tasks to responders. Avoid sharing an email box or email alias between multiple responders; instead, use a workflow tool to assign tasks. Implement a process to re-assign or reject tasks that are out of scope for triage.
  • Correlation – Use a tool such as a SIEM to combine similar events. Link potentially connected events into one useful event.
  • Data Enrichment – Automate common queries your responders perform daily. Collect data with the event, or make it easily accessible.  A few examples include:
    • Reverse DNS Lookups
    • Threat Intelligence Lookups
    • IP/Domain Mapping
    • Historical Events/Incident Notes

Moving full speed ahead is the way to get through the initial triage process, but a more vigilant approach is necessary during event verification. Presenting a case to be accurately evaluated by SOC/CIRT analysts is key. Here are a few tips for verification:

  • Adjacent Data – Check the information adjacent to the event. For example, if an endpoint has a virus signature hit, look to see if there’s evidence the virus is running before calling for further response metrics.
  • Intelligence Review – Understand the context around the intelligence. Just because an IP address was flagged as part of a botnet last week doesn’t mean it is still part of a botnet today.
  • Initial Priority – Align with operational incident priorities and classify incidents appropriately. Make sure the right level of effort is applied to each incident.
  • Cross Analysis – Look for and analyze potentially shared keys, such as IP addresses or domain names, across multiple data sources for better data acuity.
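
The Correlation, Adjacent Data, Intelligence Review and Cross Analysis points above can be combined in one enrichment step. The sketch below is an added example, not code from the original post or from any product it mentions. The event fields, source names, three-day intel age limit and priority scale are assumptions, and all sample data is constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 10, 7, 12, 0, tzinfo=timezone.utc)  # constructed "current" time
INTEL_MAX_AGE = timedelta(days=3)  # assumption: older sightings are treated as stale
# Constructed sample events from three hypothetical sources.
EVENTS = [
    {"source": "edr", "host": "ws-014", "ip": "203.0.113.7", "signal": "av_signature_hit"},
    {"source": "edr", "host": "ws-014", "ip": "203.0.113.7", "signal": "process_running"},
    {"source": "proxy", "host": "ws-014", "ip": "203.0.113.7", "signal": "outbound_connection"},
    {"source": "firewall", "host": "ws-022", "ip": "198.51.100.9", "signal": "outbound_connection"},
    {"source": "proxy", "host": "ws-031", "ip": "192.0.2.44", "signal": "outbound_connection"},
]
# Constructed threat-intel feed: indicator -> time it was last observed.
INTEL = {
    "203.0.113.7": NOW - timedelta(days=1),
    "198.51.100.9": NOW - timedelta(days=9),
    "192.0.2.44": NOW - timedelta(days=2),
}

def correlate(events, key="ip"):
    """Cross analysis: group events from all sources by a shared key."""
    groups = defaultdict(list)
    for ev in events:
        groups[ev[key]].append(ev)
    return groups

def intel_status(indicator, now=NOW):
    """Intelligence review: a hit counts as current only if seen recently."""
    last_seen = INTEL.get(indicator)
    if last_seen is None:
        return "none"
    return "current" if now - last_seen <= INTEL_MAX_AGE else "stale"

def triage(events):
    """Return one enriched case per shared key with an initial priority."""
    cases = {}
    for ip, group in correlate(events).items():
        signals = {ev["signal"] for ev in group}
        sources = sorted({ev["source"] for ev in group})
        intel = intel_status(ip)
        # Adjacent data: a signature hit is confirmed only if the process is running.
        confirmed = {"av_signature_hit", "process_running"} <= signals
        priority = ("low", "medium", "high")[confirmed + (intel == "current")]
        cases[ip] = {"events": len(group), "sources": sources, "intel": intel,
                     "confirmed": confirmed, "priority": priority}
    return cases

for ip, case in triage(EVENTS).items():
    print(ip, case)
```

Five raw events collapse into three cases, and the address whose botnet sighting is nine days old is kept at low priority instead of being promoted on stale intelligence.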

Once an event is verified, the event becomes an investigation or an incident.  All incidents must be investigated and tracked as defined in your Investigation process.

Syncurity’s IR-Flow™ saves security teams time by speeding up the triage process, allowing security analysts to rule out false positives more quickly and spend time on the alerts that impact your organization the most.
