MD3 Incident detection and verification: The detection and analysis phase of the lifecycle Flashcards
Detection and Analysis phase of the incident response lifecycle
This is where incident response teams verify and analyze incidents.
Detection
Detection enables the prompt discovery of security events.
Events
Remember not all events are incidents, but all incidents are events.
Events are regular occurrences in business operations, like visits to a website or password reset requests. IDS and SIEM tools collect and analyze event data from different sources to identify potential unusual activity. If an incident is detected, such as a malicious actor successfully gaining unauthorized access to an account, then an alert is sent out. Security teams then begin the Analysis phase.
Analysis
Analysis involves the investigation and validation of alerts. During the analysis process, analysts must apply their critical thinking and incident analysis skills to investigate and validate alerts. They’ll examine indicators of compromise to determine if an incident has occurred. This can be a challenge for a couple of reasons:
- Impossible to detect everything
- High alert volumes
Challenges in detection and analysis phase
The challenge with detection is it’s impossible to detect everything. Even great detection tools have limitations in how they work, and automated tools may not be fully deployed across an organization due to limited resources. Some incidents are unavoidable, which is why it’s important for organizations to have an incident response plan in place.
Analysts often receive a high volume of alerts per shift, sometimes even thousands. Most of the time, high alert volumes are caused by misconfigured alert settings. For example, alert rules that are too broad and not tuned to an organization’s environment create false positives. Other times, high alert volumes can be legitimate alerts caused by malicious actors taking advantage of a newly discovered vulnerability.