In this article, we will cover security incident triage and how to combine local and global threat intelligence for effective triage.
When analyzing and categorizing information security incidents, it is important to think like the hacker. For prevention, we cannot know in advance exactly which path a hacker will take into the data network; however, each attack works through a certain standard sequence, which Lockheed Martin calls the "cyber kill chain."
The "cyber kill chain" is the sequence of stages a hacker must pass through to enter a network and obtain data from it, and each stage has a specific goal along the way. Designing the monitoring and response plan around the cyber kill chain model is effective because it focuses on current scenarios and attack vectors.
This approach of thinking like the potential hacker can be summarized in 4 steps:
1 - Reconnaissance and Scan - Attacker's goal: find the target and develop an attack plan based on the opportunities for exploitation it presents.
2 - Delivery & Attack - Bring the delivery mechanism online and use social engineering to induce the target to open malware or another exploit.
3 - Exploitation & Installation - Exploit vulnerabilities on target systems to gain access, escalate user privileges, and install the payload.
4 - System Compromise - Exfiltrate high-value data quietly and as quickly as possible. Use the compromised system to gain further access, "steal" computing resources, and/or use it as a staging point for attacks on other assets.
WHAT SECURITY EVENTS SHOULD YOUR ORGANIZATION BE CONCERNED ABOUT?
To help categorize each type of incident, you can map the event types onto the Cyber Kill Chain to determine the appropriate priority and incident response strategy.
The table below shows how it can be done:
Incident Type | Cyber Kill Chain Stage | Priority Level | Recommendations |
---|---|---|---|
Port Scanning Activity (pre-incident) | Reconnaissance & Probing | Low | Ignore most events, except when the source IP has a malicious reputation and there are multiple events from that same IP within a short time interval. |
Malware Infection | Delivery & Attack | Low-Medium | Remediate any malware infection as soon as possible, before it progresses. Scan the network for indicators of compromise associated with that event (e.g. MD5 hashes). |
Distributed Denial of Service | Exploitation & Installation | High | Configure servers exposed on the web to withstand HTTP request floods and SYN floods. Coordinate with your ISP during an attack to block the source IPs. |
Unauthorized Access | Exploitation & Installation | Medium | Detect, monitor, and investigate unauthorized access attempts, prioritizing those against systems that are essential and/or contain sensitive data. |
Insider Breach | System Compromise | High | Identify privileged users for all domains, servers, applications, and critical devices. Make sure that monitoring is enabled for all systems and all system events, and that those events are fed into your monitoring infrastructure (SIEM). |
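As an added example (not code from the article), the table's rules expressed as a small Python triage function: the port-scanning row combines global intelligence (the source IP's reputation) with local intelligence (repeated events from the same IP within a short window), and the unauthorized-access row is ordered by the target asset. The reputation list, critical-asset list, event format and the "3 scans in 10 minutes" burst threshold are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Kill-chain stage and base priority per incident type, taken from the table above.
TRIAGE_TABLE = {
    "port_scan":     ("Reconnaissance & Probing",    "Low"),
    "malware":       ("Delivery & Attack",           "Low-Medium"),
    "ddos":          ("Exploitation & Installation", "High"),
    "unauth_access": ("Exploitation & Installation", "Medium"),
    "insider":       ("System Compromise",           "High"),
}
BAD_REPUTATION = {"198.51.100.7"}   # constructed "global" intel: IPs with a malicious reputation
CRITICAL_ASSETS = {"db01"}          # constructed "local" intel: essential / sensitive-data hosts
SCAN_WINDOW, SCAN_THRESHOLD = timedelta(minutes=10), 3  # assumed: 3 scans in 10 min = a burst

def _has_burst(timestamps):
    """True if SCAN_THRESHOLD events fall within any SCAN_WINDOW-long interval."""
    ts = sorted(timestamps)
    return any(ts[i + SCAN_THRESHOLD - 1] - ts[i] <= SCAN_WINDOW
               for i in range(len(ts) - SCAN_THRESHOLD + 1))

def triage(events):
    """Group events by (type, source) and return {(type, src): (stage, priority, action)}."""
    groups = defaultdict(list)
    for ev in events:
        groups[(ev["type"], ev["src"])].append(ev)
    verdicts = {}
    for (etype, src), evs in groups.items():
        stage, prio = TRIAGE_TABLE[etype]
        action = "investigate"
        if etype == "port_scan":
            # Table rule: ignore unless the source is known-bad AND it scanned repeatedly in a short interval.
            if not (src in BAD_REPUTATION and _has_burst(e["ts"] for e in evs)):
                action = "ignore"
        elif etype == "unauth_access" and any(e.get("dst") in CRITICAL_ASSETS for e in evs):
            action = "investigate first"   # attempts against essential / sensitive systems go to the front of the queue
        verdicts[(etype, src)] = (stage, prio, action)
    return verdicts

T0 = datetime(2024, 1, 1, 12, 0)
SAMPLE_EVENTS = [  # constructed sample events
    {"type": "port_scan", "src": "198.51.100.7", "ts": T0},
    {"type": "port_scan", "src": "198.51.100.7", "ts": T0 + timedelta(minutes=2)},
    {"type": "port_scan", "src": "198.51.100.7", "ts": T0 + timedelta(minutes=4)},  # bad reputation + burst
    {"type": "port_scan", "src": "203.0.113.9", "ts": T0},
    {"type": "port_scan", "src": "203.0.113.9", "ts": T0 + timedelta(minutes=1)},
    {"type": "port_scan", "src": "203.0.113.9", "ts": T0 + timedelta(minutes=2)},  # burst but no bad reputation
    {"type": "unauth_access", "src": "10.0.0.5", "dst": "db01", "ts": T0},
    {"type": "insider", "src": "10.0.0.8", "ts": T0},
]
```

Running `triage(SAMPLE_EVENTS)` keeps only the known-bad scanner for investigation and drops the unknown one, even though both produced a burst.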