Handle security incidents efficiently with Incident Response Triage

Author
Jolanda Muff
Published
27 August 2021

Preparedness is the key to effectively responding to cyber attacks. Even the best incident response team cannot efficiently handle an incident without pre-established guidelines. Responding to cyber attacks is a process, not an isolated event, so it is important that IR teams approach each incident in an organised, coordinated fashion. In this blog post, learn about the key steps in security incident response that are critical for managing the full range of possible responses.

In order to successfully respond to security incidents, you need a good plan. Triage is the first step in the process once an event (which may turn out to be an incident or a false positive) is detected. It is fundamental, because it shortens the time taken to respond to security incidents and ensures that only valid alerts are moved up to 'investigation or incident' status. It also saves analysts unnecessary work.

Each part of the triage process must be carried out urgently, as when you’re in the middle of a crisis, every second counts. The challenge for your triage specialists is that they have to filter huge amounts of information down into a condensed trickle of events. We have put together some starting points for you to speed up the analysis before the data can be validated:

  • Organisation: Reduce redundant analysis by developing a workflow that assigns dedicated tasks to agents. Avoid sharing an e-mail box or e-mail alias between multiple agents. Instead, use a workflow tool, such as a SOAR (Security Orchestration, Automation and Response) solution, to assign tasks to a specific person. Implement a process whereby tasks that are ineligible for triage can be reassigned or rejected.
  • Correlation: Use a tool such as a SIEM (Security Information and Event Management) system to combine similar events. Link potentially related events into a single useful event.
  • Data enrichment: Automate common actions that your staff need to perform every day, such as reverse DNS queries, threat data queries and IP/domain mappings. Add this data to the correlated event record, or at least make this information easily accessible to them.

Incident response triage means hitting the ground running

This triage has to be done quickly - so go flat out here. A tool can take a large part of this work off your hands. The SOAR platform from Swimlane can automate the majority of the triage process, including workflow task assignment and data enrichment. This gives your team the context they need to carry out additional analysis. Further steps in the incident response process can also be automated, such as threat intelligence searches and remediation steps. With SOAR, you can significantly improve the effectiveness of your security operations while reducing risk and increasing threat protection.

A CSIRT needs reliable data

A more detailed approach is required when you subsequently review events. It is important to present a solid case that can be accurately assessed by your Security Operations Centre (SOC) or CSIRT analysts. Here are four important tips for verification:

  1. Check correlations: Check the information around the event. For example, if a virus signature was found on an endpoint, check to see if there is evidence that the virus is running before requesting additional response metrics.
  2. Verification of information: Understand the context the information is in. Just because an IP address was part of a botnet last week does not automatically mean that it still is today.
  3. Prioritise events: Adjust operational priorities based on the urgency of the event and classify incidents correspondingly. Ensure that the right level of effort is applied to each incident.
  4. Use different data sources: Look for potentially common properties such as IP addresses or domain names and analyse them across multiple data sources to improve the quality of the data.

Once an event is verified, it becomes an investigation or incident. These then need to be investigated and followed up by your SOC or CSIRT teams as defined in your IR process.
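As an added example (not InfoGuard's or Swimlane's code; the alerts, lookup tables, freshness threshold and scoring weights are all constructed for illustration), the Python sketch below strings together the triage steps from the first list (correlation of similar alerts, data enrichment with reverse DNS, threat data and asset context) with the four verification checks (evidence that the flagged process is actually running, freshness of the threat intelligence, prioritisation by severity and asset criticality, and corroboration across several data sources) and promotes only corroborated events to incident status:

```python
"""Triage pipeline sketch: correlate -> enrich -> verify -> prioritise.

Added example, not InfoGuard's or Swimlane's code. Every alert, lookup table and
threat-intel entry below is constructed sample data using documentation IP ranges.
"""
from datetime import datetime, timedelta

# Constructed raw alerts, roughly what a SIEM hands to a triage queue.
RAW_ALERTS = [
    {"ts": "2021-08-27T08:00:05", "host": "ws-042", "ip": "203.0.113.7",
     "rule": "outbound_beacon", "severity": 3, "process": "updater.exe"},
    {"ts": "2021-08-27T08:00:09", "host": "ws-042", "ip": "203.0.113.7",
     "rule": "outbound_beacon", "severity": 3, "process": "updater.exe"},
    {"ts": "2021-08-27T08:00:41", "host": "ws-042", "ip": "203.0.113.7",
     "rule": "outbound_beacon", "severity": 3, "process": "updater.exe"},
    {"ts": "2021-08-27T08:03:00", "host": "ws-017", "ip": "198.51.100.23",
     "rule": "av_signature_match", "severity": 2, "process": "dropper.exe"},
    {"ts": "2021-08-27T09:15:00", "host": "ws-099", "ip": "192.0.2.55",
     "rule": "port_scan", "severity": 1, "process": "nmap.exe"},
]

# Constructed enrichment sources standing in for reverse DNS, a threat-intel feed
# (with last-seen dates), the asset inventory, EDR process telemetry and an allowlist.
REVERSE_DNS = {"198.51.100.23": "mail.example.org", "192.0.2.55": "scanner.corp.example"}
THREAT_INTEL = {
    "203.0.113.7": {"tag": "botnet_c2", "last_seen": "2021-08-26"},
    "198.51.100.23": {"tag": "botnet_c2", "last_seen": "2021-08-01"},  # weeks old
}
ASSET_CRITICALITY = {"ws-042": 3, "ws-017": 2, "ws-099": 1}   # 1 = low, 3 = high
RUNNING_PROCESSES = {"ws-042": {"updater.exe", "explorer.exe"},
                     "ws-017": {"dropper.exe", "explorer.exe"},
                     "ws-099": {"nmap.exe"}}
ALLOWLIST = {"192.0.2.55": "authorised vulnerability scanner"}
INTEL_MAX_AGE = timedelta(days=7)            # assumed freshness threshold for intel hits
DEMO_NOW = datetime(2021, 8, 27, 10, 0)       # "current time" for the constructed run


def correlate(alerts, window=timedelta(minutes=5)):
    """Fold alerts that share (host, ip, rule) within `window` into one event."""
    events = []
    for a in sorted(alerts, key=lambda x: x["ts"]):   # ISO timestamps sort lexically
        ts = datetime.fromisoformat(a["ts"])
        key = (a["host"], a["ip"], a["rule"])
        for ev in events:
            if ev["key"] == key and ts - ev["first_seen"] <= window:
                ev["count"] += 1
                ev["last_seen"] = ts
                break
        else:
            events.append({"key": key, "host": a["host"], "ip": a["ip"], "rule": a["rule"],
                           "severity": a["severity"], "process": a["process"],
                           "first_seen": ts, "last_seen": ts, "count": 1})
    return events


def enrich(ev, now):
    """Attach the lookups an analyst would otherwise run by hand for every event."""
    ev["rdns"] = REVERSE_DNS.get(ev["ip"], "unresolved")
    hit = THREAT_INTEL.get(ev["ip"])
    ev["intel_tag"] = hit["tag"] if hit else None
    # An indicator that was on a list weeks ago is context, not proof (tip 2).
    ev["intel_fresh"] = bool(hit) and now - datetime.fromisoformat(hit["last_seen"]) <= INTEL_MAX_AGE
    ev["process_running"] = ev["process"] in RUNNING_PROCESSES.get(ev["host"], set())
    ev["asset_criticality"] = ASSET_CRITICALITY.get(ev["host"], 1)
    ev["allowlisted"] = ALLOWLIST.get(ev["ip"])
    return ev


def verify(ev):
    """Decide the event's fate from how many independent sources corroborate it."""
    ev["reasons"] = []
    if ev["allowlisted"]:                       # cross-source check against the inventory (tip 4)
        ev["reasons"].append(f"source is {ev['allowlisted']}")
        ev["status"] = "false_positive"
        return ev
    if not ev["process_running"]:               # signature found, but is it executing? (tip 1)
        ev["reasons"].append("no evidence the flagged process is running")
    if ev["intel_tag"] and not ev["intel_fresh"]:
        ev["reasons"].append("threat intel for indicator is stale")
    corroborating = sum([ev["process_running"], ev["intel_fresh"], ev["count"] > 1])
    ev["status"] = "incident" if corroborating >= 2 else "needs_review" if corroborating == 1 else "false_positive"
    return ev


def prioritise(ev):
    """Score = alert severity weighted by asset value, bumped by fresh intel and repetition (tip 3)."""
    score = ev["severity"] * ev["asset_criticality"]
    score += 3 if ev["intel_fresh"] else 0
    score += 1 if ev["count"] > 1 else 0
    ev["score"] = 0 if ev["status"] == "false_positive" else score
    ev["priority"] = "P1" if ev["score"] >= 10 else "P2" if ev["score"] >= 4 else "P3"
    return ev


def triage(alerts, now):
    """Full pipeline; returns events highest priority first."""
    events = [prioritise(verify(enrich(ev, now))) for ev in correlate(alerts)]
    return sorted(events, key=lambda e: e["score"], reverse=True)


if __name__ == "__main__":
    for ev in triage(RAW_ALERTS, DEMO_NOW):
        print(f"{ev['priority']} {ev['status']:15} {ev['host']} {ev['rule']} x{ev['count']} "
              f"intel={ev['intel_tag']} fresh={ev['intel_fresh']} reasons={ev['reasons']}")
```

Run as a script, the three beacon alerts from ws-042 collapse into one P1 incident backed by fresh intel, a running process and repetition; the AV match on ws-017 stays in "needs_review" because its only intelligence hit is weeks old; and the port scan from the allowlisted scanner is closed as a false positive without an analyst touching it. The thresholds and weights are deliberately simple placeholders; in practice they would come from your own classification scheme.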

InfoGuard supports you in every security incident

Handling a security incident requires resources and expertise that are immediately available, because it is so important to act quickly and professionally. Attackers won't wait until you are prepared to handle the cyber attack. You can contact the InfoGuard CSIRT round the clock!

Contact our CSIRT team!

If you do not have the resources required within your company, our Incident Response Retainer is the ideal, most effective solution. We prepare for the emergency in a joint onboarding workshop. Should one occur, we can react appropriately in cooperation with you - quickly, competently and with a lot of experience, 24/7. You can find out more about our incident response retainer here:

Incident Response Retainer
