Incident identification
1. Incident identification
Imagine there’s a security breach at your organization, and you’re working on the incident response process. It’s your responsibility to help your team better understand the severity, impact, and scope of the breach. How do you accomplish that task? In this video, we’ll dive into incident identification, a critical part of any incident response process. You’ll learn how to triage and prioritize alerts, collect information, assess potential impact, and learn the difference between true incidents and false positives. To start, let’s consider incident identification. Incident identification involves recognizing potential security threats based on alerts, log data, and other indicators. The key to successful incident identification is to efficiently triage, prioritize, and assess alerts. That way, you can make sure you're addressing the most important incidents first. The initial steps in incident identification are to triage and prioritize alerts. Triaging alerts means categorizing and filtering the alerts based on specific criteria. Prioritizing alerts means you address the most critical issues first, ensuring a timely response to potential threats. When you prioritize alerts, you need to consider questions that help you focus on severity, potential impact, and urgency. For example, a question to help you consider severity might be: How serious is the potential security threat? Next, to consider potential impact, you might ask, What are potential consequences of the incident? And finally, to consider urgency, you might ask, How quickly does the incident need to be addressed? Once you've triaged and prioritized alerts, you get ready to assess the alert by gathering information and evidence related to the potential incident. This might include reviewing logs, analyzing network traffic, or examining user activity. Once you collect this information, you can assess the potential impact and scope of the incident. The assess step in incident identification will help you determine the right course of action for addressing the incident. It's important to keep in mind that not all alerts indicate a real security issue. Sometimes, harmless events like network disruptions or misconfigurations can trigger false alarms. You need to be aware of the difference between true incidents and false positives. To differentiate true incidents from false positives, you need to examine the data and confirm the type of event. Let’s discuss how to tell the difference. When distinguishing between the two, you can address the information available with analysis and verification. First is analysis. During analysis, you’ll examine the available evidence and context, review for patterns and relationships between data points, and assess whether the alert represents a real security threat. If you discover multiple related alerts and indicators of compromise, your analysis most likely indicates a true incident. Second is verification. During verification, you’ll double-check the affected systems for signs of compromise, like unauthorized access or changes to files. If you find evidence of intrusion, the verification likely indicates a true incident. If you don't find evidence of intrusion, the alert might be a false positive. Here’s a pro tip about analysis and verification in relation to false positives. Sometimes, an incident may be flagged as a false positive —and discarded based on the team’s current understanding— only to be revealed as a true positive once more information is available. You and your team will always be learning, even in an active investigation. Now you can go into an investigation with confidence. You know how to identify and prioritize alerts to help define the impact and scope of the incident. You also know how to differentiate between a true incident and a false positive to help guide your team down the right path.2. Let's practice!
Create Your Free Account
or
By continuing, you accept our Terms of Use, our Privacy Policy and that your data is stored in the USA.