MD3 Response and Recovery: The role of triage in incident response Flashcards

1
Q

Triage

A

In medicine, triage is used to categorize patients based on the urgency of their conditions. For example, patients with a life-threatening condition such as a heart attack will receive immediate medical attention, but a patient with a non-life threatening condition like a broken finger may have to wait before they see a doctor. Triage helps to manage limited resources so that hospital staff can give immediate attention to patients with the most urgent conditions.

Triage is also used in security. Before an alert gets escalated, it goes through a triage process, which prioritizes incidents according to their level of importance or urgency. Similar to hospital emergency departments, security teams have limited resources available to dedicate to incident response. Not all incidents are the same, and some may involve an urgent response. Incidents are triaged according to the threat they pose to the confidentiality, integrity, and availability of systems.

2
Q

When does triage happen?

A

Once an incident is detected and an alert gets sent out, triage begins. As a security analyst, you’ll identify the different types of alerts, and then prioritize them according to urgency.

3
Q

Triage process

A
  1. Receive and assess
  2. Assign priority
  3. Collect and analyze

The triage process generally looks like this. First, you'll receive and assess the alert to determine whether it's a false positive and whether it's related to an existing incident. If it's a true positive, you'll assign a priority to the alert based on the organization's policy and guidelines; the priority level defines how the security team will respond to the incident. Finally, you'll investigate the alert and collect and analyze any evidence associated with it, such as system logs.

4
Q

Triage as an Analyst

A

As an analyst, you’ll want to ensure that you complete a thorough analysis so that you have enough information to make an informed decision about your findings.

For example, say that you receive an alert for a failed user login attempt. On its own, a single failed login tells you very little, so you'll need to add context to your investigation to determine whether it's malicious. You can do so by asking questions. Is there anything out of the ordinary associated with this alert? Are there multiple failed login attempts for this account? Did the attempt happen outside of normal working hours? Did it originate from outside the organization's network?

These questions paint a picture around the incident. By adding context, you avoid making assumptions, which can result in incomplete or incorrect conclusions.
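Putting cards 3 and 4 together as an added worked example (this is not code from the original flashcards): the three triage steps applied to a failed-login alert. The auth log format, the sample log lines, the corporate network ranges, the working-hours window, the brute-force threshold and the open-incident list are all constructed for the example; a real team would take those values from its own guidelines. The context checks answer the card's questions (multiple failures, off-hours, outside the network) and add one more that a practitioner would want: whether the failure streak was followed by a success from the same source.

```python
"""Added worked example: triaging a failed-login alert by adding context from
auth log lines, then assigning a priority. The log format, policy thresholds
and the open-incident list below are constructed for this example."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from datetime import datetime

# Constructed sample auth log lines (not real data).
# Format: <timestamp> auth <FAILED|SUCCESS> user=<name> src=<ip>
SAMPLE_LOGS = """\
2024-03-04T02:11:09Z auth FAILED user=jsmith src=203.0.113.45
2024-03-04T02:11:12Z auth FAILED user=jsmith src=203.0.113.45
2024-03-04T02:11:15Z auth FAILED user=jsmith src=203.0.113.45
2024-03-04T02:11:19Z auth FAILED user=jsmith src=203.0.113.45
2024-03-04T02:11:22Z auth FAILED user=jsmith src=203.0.113.45
2024-03-04T02:11:30Z auth SUCCESS user=jsmith src=203.0.113.45
2024-03-04T09:15:02Z auth FAILED user=alee src=10.0.5.23
2024-03-04T09:15:40Z auth SUCCESS user=alee src=10.0.5.23
"""

# Hypothetical policy values; a real team takes these from its own guidelines.
CORP_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
WORK_HOURS = range(8, 18)      # 08:00-17:59 UTC counts as normal working hours
BRUTE_FORCE_THRESHOLD = 5      # failures from one user+source before it looks like brute force
OPEN_INCIDENTS = {ipaddress.ip_address("203.0.113.45"): "INC-0042"}  # hypothetical existing incident, keyed by source IP


@dataclass
class AuthEvent:
    ts: datetime
    outcome: str          # "FAILED" or "SUCCESS"
    user: str
    src: ipaddress.IPv4Address | ipaddress.IPv6Address


def parse_auth_log(text: str) -> list[AuthEvent]:
    """Parse the constructed log format; lines that do not match it are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[1] != "auth":
            continue
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        fields = dict(p.split("=", 1) for p in parts[3:])
        events.append(AuthEvent(ts, parts[2], fields["user"], ipaddress.ip_address(fields["src"])))
    return events


def add_context(alert: AuthEvent, events: list[AuthEvent]) -> dict:
    """Steps 1 and 3: assess the alert and collect evidence by answering the
    context questions from the card, plus whether a failure streak from this
    user+source ended in a successful login."""
    same_pair = [e for e in events if e.user == alert.user and e.src == alert.src]
    failures = [e for e in same_pair if e.outcome == "FAILED"]
    later_success = any(e.outcome == "SUCCESS" and e.ts > alert.ts for e in same_pair)
    return {
        "failed_attempts": len(failures),
        "outside_work_hours": alert.ts.hour not in WORK_HOURS,
        "outside_network": not any(alert.src in net for net in CORP_NETWORKS),
        "followed_by_success": later_success,
        "related_incident": OPEN_INCIDENTS.get(alert.src),   # None if no open incident matches
    }


def assign_priority(ctx: dict) -> str:
    """Step 2: map the context to a priority level under the hypothetical policy."""
    brute_force = ctx["failed_attempts"] >= BRUTE_FORCE_THRESHOLD
    if brute_force and ctx["followed_by_success"]:
        return "P1"   # failure streak ending in success: possible compromise, respond now
    if brute_force and (ctx["outside_network"] or ctx["outside_work_hours"]):
        return "P2"   # external or off-hours brute force
    if brute_force or ctx["outside_network"]:
        return "P3"   # internal brute force, or a single external failure
    return "P4"       # lone in-hours internal failure: probably a typo; likely false positive


def triage(alert_line: str, log_text: str) -> dict:
    """Run the three triage steps for one alert line against the surrounding log."""
    alert = parse_auth_log(alert_line)[0]
    ctx = add_context(alert, parse_auth_log(log_text))
    return {"user": alert.user, "src": str(alert.src), "context": ctx, "priority": assign_priority(ctx)}


if __name__ == "__main__":
    for line in SAMPLE_LOGS.splitlines():
        if " FAILED " in line:
            print(triage(line, SAMPLE_LOGS))
```

Run against the sample log, jsmith's 02:11 alert resolves to P1: five failures from an address outside the corporate ranges, outside working hours, followed by a success, and already tied to an open incident. The alee alert, a single in-hours failure from an internal address, resolves to P4, the kind of alert the first step would normally close as a false positive.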
