The Triage Process

In a prior discussion, we explored the concept of triage, a vital practice used to assess alerts and determine the priority of incidents. In this reading, we’ll delve deeper into the triage process and why it’s important. As a security analyst, your role includes analysing security alerts, and having the skill to effectively triage is crucial. It allows you to address and resolve security alerts efficiently.

Triage Process

Incidents can potentially cause significant harm to an organisation. Therefore, it’s essential that security teams respond quickly and effectively to prevent or mitigate the impact of these incidents before they worsen. Triage is the process of prioritising incidents based on their level of importance or urgency. It helps security teams assess and prioritise security alerts, ensuring that resources are directed towards dealing with the most critical issues promptly.

The triage process involves three distinct steps:

Step 1: Receive and Assess

During the initial step of the triage process, a security analyst receives an alert from an alerting system, such as an intrusion detection system (IDS). Remember that an IDS is an application that monitors system activity and alerts on potential intrusions. The analyst’s role is to review the alert, confirm its validity, and gain a comprehensive understanding of the situation.

This involves gathering extensive information about the alert, including details about the triggering activity, the systems and assets involved, and more. Here are some pertinent questions to consider when assessing the validity of an alert:

  • Is the alert a false positive? It’s crucial to determine whether the alert genuinely indicates a security concern or whether the detection fired on benign activity (for example, an authorised vulnerability scan or a misconfigured rule). A false positive should be closed and, where the cause is a tuning problem, fed back to whoever maintains the detection.
  • Has this alert been triggered before, and if so, how was it resolved? Examining the alert’s history helps determine whether it is a recurring or new issue.
  • Is the alert linked to a known vulnerability? If the alert results from a known vulnerability, existing knowledge can guide an appropriate response to minimise the vulnerability’s impact.
  • What is the severity of the alert? The severity level of an alert influences its priority in the response process, with critical issues taking precedence.

Step 2: Assign Priority

Once an alert has been thoroughly assessed and verified as a genuine security concern, it must be prioritised accordingly. Incidents vary in impact, size, and scope, which directly influences response efforts. Prioritisation is necessary to effectively manage time and resources since not all incidents hold the same level of significance. Factors to consider when determining incident priority include:

  • Functional Impact: Security incidents can impact the functionality of information technology systems, affecting the services these systems provide to users. For instance, ransomware primarily disrupts availability: it encrypts data so that systems and users can no longer access it, and where the attackers also steal the data before encrypting it, confidentiality is compromised as well. Assess how an incident affects the existing business functionality of the affected system.
  • Information Impact: Incidents can compromise the confidentiality, integrity, and availability of an organisation’s data and information. In a data exfiltration attack, malicious actors can steal sensitive data, which may belong to third parties or other organisations. Consider the broader consequences of information compromise beyond the organisation.
  • Recoverability: The ability of an organisation to recover from an incident depends on its scale, scope, and available resources. In some cases, recovery may not be feasible, such as when a malicious actor successfully exposes proprietary data to the public. Investing time, effort, and resources in an incident with no recoverability may not be practical. It is crucial to evaluate whether recovery is possible and whether it justifies the time and cost.

Note: Security alerts frequently come with assigned priorities or severity levels that guide their urgency and prioritisation.

Step 3: Collect and Analyse

The final step in the triage process entails a comprehensive analysis of the incident by the security analyst. This analysis involves gathering evidence from various sources (such as IDS captures, host and authentication logs, and endpoint telemetry), conducting external research, and meticulously documenting the investigative process so that it can be reviewed and reproduced. The ultimate objective is to gather sufficient information to make informed decisions on addressing the incident. Depending on the incident’s severity, it may require escalation to a level-two analyst or a manager who has deeper expertise and the authority to take broader containment and recovery actions.
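The following script is an added illustration of the three steps above and is not code from the original reading. It walks a handful of constructed IDS alerts through assessment (false-positive check, history, known-vulnerability lookup), prioritisation (functional impact, information impact and recoverability, each scored with assumed weights) and collection (evidence to pull and whether to escalate). The hosts, rule names, asset inventory, suppression list and scoring table are all invented for the example; the RFC 5737 documentation addresses stand in for external hosts.

```python
"""Added example (not from the original page): a toy triage queue that walks
an IDS alert through the three steps described above. All hosts, rules,
inventory entries and scoring weights are constructed for illustration."""
from dataclasses import dataclass, field
from typing import Optional

# Constructed IDS alerts; addresses are private or documentation ranges.
SAMPLE_ALERTS = [
    {"id": "A-1", "rule": "port-scan", "src": "10.0.5.7", "dst": "10.0.1.20"},
    {"id": "A-2", "rule": "ransomware-file-rename", "src": "10.0.1.40", "dst": "10.0.1.40"},
    {"id": "A-3", "rule": "data-exfiltration", "src": "10.0.1.20", "dst": "203.0.113.9"},
    {"id": "A-4", "rule": "ssh-brute-force", "src": "198.51.100.4", "dst": "10.0.2.2"},
]

# Constructed asset inventory: role, whether the host holds third-party data,
# and whether restorable backups exist (this drives the recoverability factor).
ASSETS = {
    "10.0.1.20": {"role": "file-server", "third_party_data": True, "backups": True},
    "10.0.1.40": {"role": "hr-database", "third_party_data": True, "backups": False},
    "10.0.2.2": {"role": "bastion", "third_party_data": False, "backups": True},
}
AUTHORISED_SCANNERS = {"10.0.5.7"}  # expected activity: alerts from here are false positives
HISTORY = {"ssh-brute-force": "blocked at perimeter; no successful logins"}
KNOWN_VULN_RULES = {"ssh-brute-force": "password authentication still enabled"}

# Assumed scoring table: rule -> (functional impact, information impact), each 0..3.
IMPACT = {
    "port-scan": (0, 0),
    "ssh-brute-force": (1, 1),
    "data-exfiltration": (1, 3),
    "ransomware-file-rename": (3, 2),
}
PRIORITY_ORDER = {"P1": 0, "P2": 1, "P3": 2, "P4": 3, "closed": 4}


@dataclass
class Triage:
    alert: dict
    valid: bool = True
    notes: list = field(default_factory=list)
    priority: Optional[str] = None
    evidence: list = field(default_factory=list)
    escalate: bool = False


def internal_asset(alert):
    """The inventoried host involved in the alert (destination first, then source)."""
    return ASSETS.get(alert["dst"]) or ASSETS.get(alert["src"]) or {}


def assess(alert):
    """Step 1: confirm validity and gather context before any prioritisation."""
    t = Triage(alert=alert)
    if alert["src"] in AUTHORISED_SCANNERS:
        t.valid = False
        t.notes.append("false positive: source is an authorised scanner")
        return t
    if not internal_asset(alert):
        t.notes.append("no inventoried asset involved; ownership unknown")
    if alert["rule"] in HISTORY:
        t.notes.append(f"seen before: {HISTORY[alert['rule']]}")
    if alert["rule"] in KNOWN_VULN_RULES:
        t.notes.append(f"known vulnerability: {KNOWN_VULN_RULES[alert['rule']]}")
    return t


def prioritise(t):
    """Step 2: combine functional impact, information impact and recoverability."""
    if not t.valid:
        t.priority = "closed"
        return t
    functional, information = IMPACT.get(t.alert["rule"], (1, 1))  # unknown rule: assume moderate
    asset = internal_asset(t.alert)
    if not asset.get("third_party_data"):
        information = max(0, information - 1)  # no third-party exposure: one notch lower
    score = functional + information
    if functional and not asset.get("backups", True):
        score += 1  # nothing to restore from: harder to recover, so act sooner
    t.priority = "P1" if score >= 5 else "P2" if score >= 3 else "P3" if score >= 1 else "P4"
    return t


def collect(t):
    """Step 3: decide which evidence to pull and whether to escalate."""
    if not t.valid:
        return t
    host = t.alert["dst"] if t.alert["dst"] in ASSETS else t.alert["src"]
    t.evidence = ["ids-pcap", "host-logs:" + host]
    t.escalate = t.priority in ("P1", "P2")  # assumed escalation threshold
    return t


def run_triage(alerts):
    """Run all three steps and return the queue, highest priority first."""
    results = [collect(prioritise(assess(a))) for a in alerts]
    return sorted(results, key=lambda t: PRIORITY_ORDER[t.priority])


if __name__ == "__main__":
    for t in run_triage(SAMPLE_ALERTS):
        flag = "escalate" if t.escalate else ""
        print(t.alert["id"], t.priority, flag, "; ".join(t.notes))
```

Run as a script, the queue comes out with the ransomware alert on the unbacked-up HR database first (P1, escalated), the exfiltration from the file server second (P2, escalated), the brute-force against the bastion third (P3, with its history and known-weakness notes attached), and the scanner-triggered port-scan alert closed as a false positive. The point of the structure is that the Step 1 context (inventory, history, known weaknesses) is what makes the Step 2 score defensible; change the inventory and the same rule lands in a different queue position.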

Benefits of Triage

Prioritising incidents based on potential impact offers several advantages, reducing the scope of harm to the organisation through timely responses. Some key benefits of triage for security teams include:

  • Resource Management: Triage enables security teams to focus their resources on imminent threats, avoiding the allocation of time and resources to lower-priority tasks. This, in turn, can reduce response times.
  • Standardised Approach: Triage introduces a standardised approach to incident handling. Process documentation, such as playbooks, ensures that alerts progress through a structured process, so that only validated alerts advance to the investigation stage and each one is handled consistently regardless of which analyst picks it up.

Key Takeaways

Triage empowers security teams to prioritise incidents based on importance and urgency. The triage process plays a crucial role in helping organisations achieve their incident response goals. As a security professional, you will likely utilise triage to effectively respond to and resolve security incidents.
