Cyber Response Triage Process 4573

Cyber Response Triage Process

Published
Its Christmas time. The Elves want to process your gift list for Santa to deliver. They are almost prepared and ready to deliver. Similarly, you’ve already signed off for the holiday season or just about finishing getting projects and activities in order.  Your organisation is likely staggering change activities over the festive season so you actually feel content that all is in order; including the out of hours response framework. Elves are pretty good over the eons to select a repsonse model that ensures Santa has no down time in delivering presents.

Selecting the right framework for your business is crucial. It needs to address your forensic needs, legal response requirements, and more importantly, an approach on how the cyber incident will be triaged.

Commonly, a security incident follows the P1, P2 and P3 format as part of a typical Incident alert. During this first alert, the network and infrastructure team cross verify the issue and if their technical leads find compromise or unexpected behaviour, then the incident enters the Major Incident format. Here the incident is further defined as a Sev 1, Sev 2 or Sev 3 and typically a triage call takes place for the technical leads to identify the root cause of the issue, or confirm if an attack is taking place. In the triage call, it might be seen that alerts are not isolated, but from different sources, by discussing the aggravation points the incident response teams are able to know where the attack is being targeted to and what can be done to stop it. If it is a DDoS attack, then are the core servers showing any anomalies, or, if the alerts are from the cloud email solution do we see any outbound activities that are not expected? Asking these questions during an attack, you can determine what course of action to take and where to focus efforts. It might be acknowledged that files are being sent from the core solution so you may need to contact the Forensic team immediately to investigate and capture evidence for legal and compliance reasons.

Within hours, you will need to prepare the executive report and management summary that may be used at a later date, or likely that first draft will change many times until the compromise is over. Each element of investigation will require you to provide an update to the Sev 1 which is cascaded back down to the P1 team. This is shown in the skeleton flow diagram on this blog ( I’ve left out the flow label names on each arrow so you can customise to your needs ). As an extension, each tech tower in your network should have its own Security Functional Documentation that identifies Top 10 activities for each Security Tool, such as, Top 10 IDS, AV, SIEM or DDoS so your team know what to look for during a Cyber Sev 1 incident. 

There are many response models used, and provided the escalation points are identified for each aggravation vector, any compromise can be handled without any drama and the skilled engineers are able to respond in the correct form. With new digital business now entering the economy, whether it’s an app based business, retail, ecommerce or elves processing santa's gift list needs, cyber response frameworks will provide many opportunities for business process innovations to identify your best fit model.

 
Blog The Cyber Lens 11/12/2016 8:28pm GMT

Log in

Log in to post your comments on this blog.

Share: