What is Triage?
The word 'triage' in cybersecurity is borrowed from medicine.
In medicine, triage is the process used when the immediate demand for medical resources exceeds their availability. It is the process of assigning PRIORITY to patients' treatments, based on the severity of their condition, the urgency with which they need treatment, and their likelihood of recovery with and without it.
The idea behind it is that patient treatment should be rationed efficiently when medical resources are NOT sufficient for everyone who needs immediate care. It determines the order and priority of emergency treatment, emergency transport, and the patient's transport destination.
It is the same reasoning an Emergency Room doctor applies when looking at two patients at the same time: they must quickly decide which of the two they are more certain they can save. They may have to let one patient go (die), hard as that is, so that the other might live. If they worked first on the more badly injured person, it is possible both would die.
-
Let's Dig A Little History
Wikipedia mentions that the word 'triage' comes from the French verb 'trier', which means to separate, sort, sift or select.
Modern medical triage was invented by Dominique Jean Larrey, a surgeon during the Napoleonic Wars, who "treat[ed] the wounded according to the observed gravity of their injuries and the urgency for medical care, regardless of their rank or nationality".
Triage was also used by French doctors in World War I, treating the battlefield wounded at the aid stations behind the front. Those responsible for removing the wounded from the battlefield, or for their care afterwards, would divide the victims into three categories:
- Those who are likely to live, regardless of what care they receive.
- Those who are unlikely to live, regardless of what care they receive.
- Those for whom immediate care may make a positive difference in outcome.
This approach has served well in most emergency situations. Just imagine two doctors and 32 wounded patients arriving at the same time or in quick succession...
In advanced triage, specially trained doctors, nurses and paramedics may decide that some seriously injured people should not receive advanced care because they are unlikely to survive. It is used to divert scarce resources away from patients with little chance of survival, in order to increase the chances for others with higher likelihoods.
This has always happened in disasters such as terrorist attacks, mass shootings, volcanic eruptions, earthquakes, tornadoes, thunderstorms, and rail accidents.
-
What is triage in cybersecurity?
Triage is used in Security Operations Centers (SOCs), in data centers, at disaster recovery sites, and in boardrooms when limited financial resources must be allocated.
Triage is used in prioritizing bugs during software/application development too. Defect triage is a process in which each bug is prioritized based on its severity, frequency, risk, etc. In software testing / QA, the term is used to define the severity and priority of new defects.
Every time you face an insufficiency of IT resources, manpower, or other resources, you should use triage.
Triage is an essential approach in cyber incident response, used to investigate network alerts. Triage helps you investigate endpoints by pushing a collection tool over the network, collecting relevant data and artifacts, and analyzing them for malware and suspicious activity, and then to prioritize the alerts and likely incidents.
Let us take some examples of security incidents here:
- An alert indicating a computer system breach.
- An alert indicating unauthorized access to a system, software, or data.
- An alert indicating unexpected changes to some important data.
- An alert indicating an unauthorized device connecting to the corporate network.
- An alert indicating that a Denial of Service attack may be building up.
- An alert indicating an important server going down.
If all these alerts emerge simultaneously, what will you do?
Triage, of course!
It is always your first response...based on prognosis.
-
TRIAGE IS THE CORNERSTONE OF INCIDENT RESPONSE IN CYBERSECURITY
Your cybersecurity teams are engaged in a never-ending battle with cyber-attackers, and security alerts reach them as a daily flood. Not all alerts matter, but some can be fatal if left unattended.
However, you still need to assess all alerts, so that you know whether they should be addressed as a priority, put in a queue for handling later, or simply left as they are. That is why your team needs to triage them quickly; speed is paramount!
Every time you triage correctly, you succeed in taking the right action to remediate and eliminate the threat in each case.
This medical kind of sorting is needed for cybersecurity alerts too. However, the manual resources for triaging are typically even more limited compared to the vast number of alerts that an enterprise's network and systems can generate. Each security solution, such as an intrusion prevention/detection system (IPS/IDS), web application firewall (WAF) or security information and event management (SIEM) system, generates its own alerts.
To make things even more difficult, alerts that may seem insignificant on their own may take on much more importance when grouped together, for example, indicating the path of an attack in progress.
To understand what an alert means for the cybersecurity of your enterprise, you should have the following information about it:
- Is it (part of) an attack?
- Has the attack been successful?
- What is the source IP score?
- What is the destination IP score?
- What is the threat feed score?
- What is the vulnerability score?
- Has the user account involved been compromised?
- What other assets were compromised?
- What are the associated vulnerabilities?
- What is the attack density?
- Was this event associated with any other event or artefact?
- What activities did the attacker carry out?
- How should the organization respond to this attack?
To answer the questions above, human judgment and experience are still crucial. But, as I mentioned above, they alone probably cannot cope with the volume and speed at which today's alerts arrive. On the other hand, the right technology may allow all alerts to be analyzed and correlated in one place, without missing any of them, giving quasi-real-time results with detailed alert information and scoring.
The use of artificial intelligence (AI) within such technology allows additional insights and recommendations to be made about what the real threats are and how to treat them. The full attack story can be made available even before it starts to attain dangerous proportions.
This combination of artificial and human intelligence also allows the critical problem of alert fatigue to be avoided.
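As an added illustration of the two ideas above (scoring each alert on the attributes listed, and correlating alerts that look minor on their own but matter when grouped), here is a small triage queue in Python. It is example code written for this article, not code from the original post or from any product. The attribute names, weights, thresholds, correlation bonus and the four sample alerts (which mirror the incident examples given earlier: unauthorized access, an unauthorized device, a possible DoS building up, a server going down) are all constructed assumptions; a real SOC would tune the weights to its own environment and feed the scores from its SIEM.

```python
"""Alert triage: score each alert, correlate related ones, rank the queue.

Added example written for this article; not code from the original post.
Field names, weights, thresholds and sample alerts are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Relative weight of each scored attribute (assumed values). They sum to 0.8,
# leaving 0.2 for the "was the attack successful?" bonus so scores stay in 0..1.
WEIGHTS = {
    "source_ip_score": 0.15,       # reputation / risk of the origin
    "destination_ip_score": 0.15,  # criticality of the targeted asset
    "threat_feed_score": 0.20,     # match against external threat intelligence
    "vulnerability_score": 0.20,   # exploitable weakness on the target
    "attack_density": 0.10,        # how much related activity is being seen
}
SUCCESS_BONUS = 0.2       # a successful attack outranks an attempt
NON_ATTACK_FACTOR = 0.5   # outages still matter, but rank below live attacks
CORRELATION_BONUS = 0.1   # per additional alert sharing an account or asset


@dataclass
class Alert:
    alert_id: str
    description: str
    is_attack: bool
    successful: bool
    source_ip_score: float        # all scores are on a 0..1 scale (assumption)
    destination_ip_score: float
    threat_feed_score: float
    vulnerability_score: float
    attack_density: float
    account: Optional[str] = None  # user account involved, if any
    asset: Optional[str] = None    # host or system involved, if any


def triage_score(alert: Alert) -> float:
    """Score one alert in isolation: the 'prognosis' for this alert alone."""
    score = sum(getattr(alert, name) * w for name, w in WEIGHTS.items())
    if alert.successful:
        score += SUCCESS_BONUS
    if not alert.is_attack:
        score *= NON_ATTACK_FACTOR
    return round(min(score, 1.0), 4)


def correlate(alerts):
    """Group alerts that share a user account or an asset.

    Returns {key: [alert_id, ...]} only for keys shared by two or more alerts;
    such a group may be the path of one attack in progress.
    """
    groups = defaultdict(list)
    for a in alerts:
        if a.account:
            groups[("account", a.account)].append(a.alert_id)
        if a.asset:
            groups[("asset", a.asset)].append(a.alert_id)
    return {k: ids for k, ids in groups.items() if len(ids) > 1}


def categorize(score: float) -> str:
    """Map a score to a queue bucket (thresholds are assumptions)."""
    if score >= 0.7:
        return "critical"      # respond now
    if score >= 0.3:
        return "investigate"   # queue for an analyst
    return "monitor"           # leave as-is, but keep watching


def prioritize(alerts):
    """Return [(alert_id, score, category)] sorted by descending score.

    Every alert in a correlated group inherits the group's best score plus a
    bonus per extra member, so a minor alert tied to a serious one is pulled up.
    """
    scores = {a.alert_id: triage_score(a) for a in alerts}
    for ids in correlate(alerts).values():
        best = max(scores[i] for i in ids)
        group_score = min(1.0, best + CORRELATION_BONUS * (len(ids) - 1))
        for i in ids:
            scores[i] = max(scores[i], group_score)
    ranked = sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))
    return [(i, round(s, 4), categorize(s)) for i, s in ranked]


# Constructed sample alerts (not real data), arriving "at the same time".
SAMPLE_ALERTS = [
    Alert("A1", "Login to finance DB from a new country", True, True,
          0.6, 0.9, 0.4, 0.5, 0.3, account="jsmith", asset="db-fin-01"),
    Alert("A2", "Burst of connection attempts from external IP (possible DoS)",
          True, False, 0.8, 0.2, 0.7, 0.1, 0.6, asset="web-01"),
    Alert("A3", "Unknown USB device on jsmith's workstation", True, True,
          0.1, 0.3, 0.0, 0.2, 0.1, account="jsmith", asset="ws-jsmith"),
    Alert("A4", "Backup server unreachable", False, False,
          0.0, 0.7, 0.0, 0.3, 0.0, asset="bak-01"),
]

if __name__ == "__main__":
    for alert_id, score, category in prioritize(SAMPLE_ALERTS):
        print(f"{alert_id}  {score:.4f}  {category}")
```

On its own, the USB alert (A3) scores only 0.31 and would sit in the "investigate" queue; because it shares the `jsmith` account with the successful database login (A1), correlation lifts both to 0.735 and the top of the queue, which is exactly the "grouped together they tell a story" effect described above. The outage (A4) is not dropped, just ranked below the live attacks.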
Regardless of everything, a trained team of security analysts can make a huge difference in the triaging process.
-
REMEMBER:
Different types of security incidents merit different Response Strategies...
-
Kindly write your comments on the posts or topics; when you do, you help me greatly in designing new quality articles/posts on cybersecurity.
You can also share with all of us if the information shared here helps you in some manner.
This article was written and published by Meena R, Senior Manager - IT, at Luminis Consulting Services Pvt. Ltd, India.
Over the past 16 years, Meena has built a following of IT professionals, particularly in Cybersecurity, Cisco Technologies, and Networking...
She is so passionate about the cybersecurity domain that she goes out of her way to share hugely valuable posts and writings about cybersecurity on her website and social media platforms.
30,000+ professionals follow her on Facebook and are mesmerized by the quality of the content of her posts.
If you haven't yet come across her enthusiastic work of sharing quality information about cybersecurity, you can follow her on Facebook: Cybersecurity PRISM