The Art and Science of Alert Triage


Transcript of The Art and Science of Alert Triage

Securely explore your data

THE ART & SCIENCE OF ALERT TRIAGE

© 2015 Sqrrl | All Rights Reserved

ABOUT ME

Security Architect at Sqrrl. Research areas include threat intelligence, security analytics and the art & science of hunting.
15 years of detection & response experience in government, research, educational and corporate arenas.
A founding member of a Fortune 5's CIRT.
Spent 5 years helping to build a global detection & response capability (500+ sensors, 5PB PCAP, 4TB logs/day).

AGENDA


What is Triage?

The Detection Cycle

Key Questions in the Investigative Continuum

Summary


WHAT IS ALERT TRIAGE?

Image: "Triage" by Umschattiger - Own work. Licensed under CC BY-SA 3.0 via Wikimedia Commons - https://commons.wikimedia.org/wiki/File:Triage.jpg#/media/File:Triage.jpg

In medicine, triage involves evaluating, prioritizing and tagging patients according to the urgency of their condition. Alerts should be pre-prioritized and tagged, so humans shouldn’t need to do much except validation. Triage involves less prioritization/tagging and more investigation.


THE AUTOMATED DETECTION CYCLE

Observe -> Compare -> Alert -> Validate

Observe what is happening in your environment.
Compare these activities to some reference databases (signatures, indicators, patterns of activity, etc).
Alert when we are reasonably confident of a match.
Validate that the system actually detected the type of activity it meant to.


THE INVESTIGATIVE CONTINUUM

Alert! How should my org respond?



THE INVESTIGATIVE CONTINUUM

Alert! Is this an actual attack?
Was the attack successful?
What other assets were affected?
What other activities occurred?
How should my org respond?

Validation & Scoping (AKA Triage)


IS THIS AN ACTUAL ATTACK?

Context is key to quickly discarding false positives.

    02/08-18:48:04.305170 [**] [1:25975:2] POLICY-OTHER Adobe ColdFusion admin interface access attempt [**]
    [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 58.64.132.100:44674 -> 172.16.150.20:80

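The slide makes the point that the alert line alone cannot tell you whether this is an attack; the answer comes from context about the destination and the source. The following is an added example, not code from the deck or from Sqrrl: it parses the Snort fast-format alert shown on the slide into fields and then applies the kind of context a triage workflow would pull from an asset inventory. The inventory (host names, services per port, the authorized admin source 172.16.10.5) and the product-keyword mapping are constructed for the example; only the alert text and its two IP addresses come from the slide.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# The alert from the slide (Snort "fast" output format), joined onto one line.
SLIDE_ALERT = (
    "02/08-18:48:04.305170 [**] [1:25975:2] POLICY-OTHER Adobe ColdFusion admin interface "
    "access attempt [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] "
    "{TCP} 58.64.132.100:44674 -> 172.16.150.20:80"
)

# Regex for the fast format, written for this example. Classification and Priority are
# optional in Snort's output, and port-less protocols (e.g. ICMP) print bare addresses.
ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}(?:/\d{2})?-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"(?:\[Priority:\s*(?P<prio>\d+)\]\s+)?"
    r"\{(?P<proto>[A-Za-z0-9]+)\}\s+"
    r"(?P<src>[0-9.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[0-9.]+)(?::(?P<dport>\d+))?$"
)


@dataclass
class Alert:
    timestamp: str
    sid: int
    message: str
    classification: Optional[str]
    priority: Optional[int]
    proto: str
    src_ip: str
    src_port: Optional[int]
    dst_ip: str
    dst_port: Optional[int]


def _to_int(value: Optional[str]) -> Optional[int]:
    return int(value) if value is not None else None


def parse_snort_fast(line: str) -> Alert:
    """Parse one fast-format alert; whitespace is normalised so wrapped lines still parse."""
    m = ALERT_RE.match(" ".join(line.split()))
    if not m:
        raise ValueError(f"not a Snort fast-format alert: {line!r}")
    g = m.groupdict()
    return Alert(
        timestamp=g["ts"], sid=int(g["sid"]), message=g["msg"],
        classification=g["cls"], priority=_to_int(g["prio"]), proto=g["proto"],
        src_ip=g["src"], src_port=_to_int(g["sport"]),
        dst_ip=g["dst"], dst_port=_to_int(g["dport"]),
    )


# Constructed asset inventory standing in for a CMDB lookup (hosts and services invented).
ASSETS: Dict[str, dict] = {
    "172.16.150.20": {"hostname": "www-01", "services": {80: "nginx", 443: "nginx"}},
    "172.16.150.21": {"hostname": "cf-app-01", "services": {80: "coldfusion"}},
}
# Internal hosts from which administrative access is expected (constructed allow-list).
AUTHORIZED_ADMIN_SOURCES = {"172.16.10.5"}
# Product names found in signature messages -> service label used in the inventory (constructed).
PRODUCT_KEYWORDS = {"coldfusion": "coldfusion"}


def triage(alert: Alert, assets: Dict[str, dict] = ASSETS,
           admin_sources=AUTHORIZED_ADMIN_SOURCES) -> Tuple[str, List[str]]:
    """Return (verdict, reasons); verdict is 'likely_false_positive' or 'investigate'."""
    reasons: List[str] = []
    asset = assets.get(alert.dst_ip)
    if asset is None:
        reasons.append(f"{alert.dst_ip} is not in the asset inventory; exposure unknown")
        return "investigate", reasons

    served = asset["services"].get(alert.dst_port)
    expected = [svc for kw, svc in PRODUCT_KEYWORDS.items() if kw in alert.message.lower()]
    if expected and served not in expected:
        # The signature is about a product the target does not run on that port.
        reasons.append(f"signature is about {', '.join(expected)} but {asset['hostname']} "
                       f"serves {served or 'nothing'} on port {alert.dst_port}")
        return "likely_false_positive", reasons

    src_internal = ipaddress.ip_address(alert.src_ip).is_private
    if src_internal and alert.src_ip in admin_sources:
        reasons.append(f"{alert.src_ip} is an authorized admin source for {asset['hostname']}")
        return "likely_false_positive", reasons

    origin = "internal but not an authorized admin host" if src_internal else "external"
    reasons.append(f"{asset['hostname']} serves {served} on port {alert.dst_port} "
                   f"and the source {alert.src_ip} is {origin}")
    return "investigate", reasons


if __name__ == "__main__":
    parsed = parse_snort_fast(SLIDE_ALERT)
    print(parsed)
    print(triage(parsed))
```

With the constructed inventory the slide's alert lands on a host that serves nginx rather than ColdFusion, so it is marked a likely false positive with the reason recorded; the same alert against cf-app-01 from the external source is kept for investigation, and an unknown destination is never discarded, because "not in the inventory" is itself a finding.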

WAS THE ATTACK SUCCESSFUL?

For fewer alerts, focus on indicators of attacker success.

Most alerts are for attack attempts. Most attempts are not successful. Most of your alerts don’t require action, so why waste time with them? Indicators of success or post-compromise actions result in fewer, more meaningful alerts.


WHAT ELSE WAS AFFECTED?

Use context to expand the scope of the investigation. Investigation questions from our previous example:
•  Did the attacker compromise user accounts on the target?
•  Where else might those user accounts be valid?
•  What other systems communicated with the attacker?
•  Are there any other related assets we need to check out?
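The four scoping questions above are pivots: from the target host to the accounts seen on it, from those accounts to the other hosts where they are valid, and from the attacker's address to the other systems it touched. The following is an added example, not the deck's or Sqrrl's code, that runs those pivots as a bounded breadth-first search over a small graph built from constructed authentication logs and flow records. Only the target 172.16.150.20 and the source 58.64.132.100 come from the slide's alert; every 10.x host, account name and record is invented for the example. The hop bound is the practitioner's caveat: one shared service account can link to most of an enterprise, so anything beyond the bound is reviewed rather than added to scope automatically.

```python
from collections import deque
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Constructed evidence standing in for authentication logs and network flow records.
AUTH_LOGS: List[Tuple[str, str, str]] = [  # (account, host, result)
    ("svc_web", "172.16.150.20", "success"),
    ("jdoe",    "172.16.150.20", "success"),
    ("jdoe",    "10.0.20.7",     "success"),
    ("svc_web", "10.0.30.2",     "success"),
    ("asmith",  "10.0.40.9",     "success"),
    ("asmith",  "172.16.150.20", "failure"),  # a failed logon does not make the account valid there
]
FLOWS: List[Tuple[str, str]] = [  # (src, dst)
    ("58.64.132.100", "172.16.150.20"),
    ("58.64.132.100", "10.0.50.3"),
    ("10.0.40.9",     "10.0.50.3"),
]

Graph = Dict[str, Set[str]]


def build_graph(auth_logs, flows, attacker_ips: Set[str]) -> Graph:
    """Undirected graph: account--host for successful logons, attacker--host for flows
    that involve an attacker IP. Node names carry a type prefix so pivots stay readable."""
    g: Graph = {}

    def link(a: str, b: str) -> None:
        g.setdefault(a, set()).add(b)
        g.setdefault(b, set()).add(a)

    for account, host, result in auth_logs:
        if result == "success":
            link(f"account:{account}", f"host:{host}")
    for src, dst in flows:
        if src in attacker_ips:
            link(f"attacker:{src}", f"host:{dst}")
        elif dst in attacker_ips:
            link(f"attacker:{dst}", f"host:{src}")
    return g


def expand(g: Graph, seeds: Iterable[str], max_hops: int) -> Dict[str, Tuple[int, Optional[str]]]:
    """Breadth-first pivot from the seeds; returns node -> (hops, node it was reached from).
    Nodes at max_hops are recorded but not expanded further."""
    reached: Dict[str, Tuple[int, Optional[str]]] = {s: (0, None) for s in seeds}
    queue = deque(seeds)
    while queue:
        node = queue.popleft()
        hops, _ = reached[node]
        if hops >= max_hops:
            continue
        for nxt in sorted(g.get(node, ())):
            if nxt not in reached:
                reached[nxt] = (hops + 1, node)
                queue.append(nxt)
    return reached


def scope_incident(target_host: str, attacker_ip: str, auth_logs=AUTH_LOGS,
                   flows=FLOWS, max_hops: int = 2) -> dict:
    """Answer the slide's scoping questions for one alert:
       hop 1 from the target   -> accounts that logged on there (were they compromised?)
       hop 2 from an account   -> other hosts where that account is valid
       hop 1 from the attacker -> other systems that communicated with the attacker."""
    g = build_graph(auth_logs, flows, {attacker_ip})
    reached = expand(g, [f"host:{target_host}", f"attacker:{attacker_ip}"], max_hops)
    hosts = sorted(n.split(":", 1)[1] for n in reached if n.startswith("host:"))
    accounts = sorted(n.split(":", 1)[1] for n in reached if n.startswith("account:"))
    # Keep the path so each scoped asset has a recorded reason for being in scope.
    paths = {n: f"{hops} hop(s) via {via}" for n, (hops, via) in reached.items() if via}
    return {"hosts": hosts, "accounts": accounts, "paths": paths}


if __name__ == "__main__":
    result = scope_incident("172.16.150.20", "58.64.132.100")
    for node, how in sorted(result["paths"].items()):
        print(f"{node:<28} {how}")
```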


WHAT OTHER ACTIVITIES OCCURRED?

Create a timeline of attacker activities and IR milestones:

First exploit attempt
All alerts generated by attack
When the alerts were investigated and escalated
When each asset was contained
When each asset was remediated
When the incident was closed

Now you know what assets were affected, find the evidence and record the events in order. Timelines are useful not only for reports, but as IR leads for identifying gaps in the story.

Start with a simple spreadsheet or wiki page to get a feel for the process, then expand. Doing a few graphical timelines manually helps you understand your true requirements, too!
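The slide says timelines are useful as IR leads for finding gaps in the story, not just for reports. The following is an added example, not code from the deck or from Sqrrl, of what that check looks like once the spreadsheet outgrows manual review: events are sorted into a timeline, and a few functions read the gaps off it (per-asset milestones that were never recorded, milestones recorded out of lifecycle order, and an incident closed while an asset was never remediated). The sample incident is constructed; the 02/08 18:48:04 alert time and Snort sid 25975 come from the slide's alert, while the year, the second host db-01 and every other time and detail are invented.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Sequence, Set

# Per-asset milestones in the order the slide lists them. "first_exploit_attempt" and
# "incident_closed" are separate: the first is evidence, the second is incident-level.
LIFECYCLE = ["alert", "investigated", "escalated", "contained", "remediated"]


@dataclass(frozen=True)
class Event:
    when: datetime
    kind: str             # a LIFECYCLE entry, "first_exploit_attempt" or "incident_closed"
    asset: Optional[str]  # None for incident-level events
    detail: str


def build_timeline(events: Sequence[Event]) -> List[Event]:
    """The timeline is the evidence sorted by time; everything else is read off it."""
    return sorted(events, key=lambda e: e.when)


def render(timeline: Sequence[Event]) -> List[str]:
    """One line per event, ready for a spreadsheet, wiki page or report appendix."""
    return [f"{e.when:%Y-%m-%d %H:%M:%S}  {e.kind:<22} {e.asset or '-':<8} {e.detail}"
            for e in timeline]


def first_time(timeline: Sequence[Event], kind: str, asset: Optional[str] = None) -> Optional[datetime]:
    """Earliest event of a kind, optionally restricted to one asset."""
    for e in timeline:
        if e.kind == kind and (asset is None or e.asset == asset):
            return e.when
    return None


def interval(timeline: Sequence[Event], from_kind: str, to_kind: str,
             asset: Optional[str] = None) -> Optional[timedelta]:
    """Elapsed time between the earliest events of two kinds, e.g. alert -> investigated."""
    a, b = first_time(timeline, from_kind, asset), first_time(timeline, to_kind, asset)
    return None if a is None or b is None else b - a


def milestone_gaps(timeline: Sequence[Event]) -> Dict[str, List[str]]:
    """Per asset, the lifecycle milestones with no recorded event: the holes in the story."""
    seen: Dict[str, Set[str]] = {}
    for e in timeline:
        if e.asset:
            seen.setdefault(e.asset, set()).add(e.kind)
    gaps = {asset: [k for k in LIFECYCLE if k not in kinds] for asset, kinds in seen.items()}
    return {asset: missing for asset, missing in gaps.items() if missing}


def out_of_order(timeline: Sequence[Event]) -> List[str]:
    """Assets whose recorded milestones are not in lifecycle order in time (e.g. 'contained'
    before 'alert'); usually a mis-recorded time or a missing event worth chasing."""
    bad = []
    for asset in sorted({e.asset for e in timeline if e.asset}):
        times = [t for t in (first_time(timeline, k, asset) for k in LIFECYCLE) if t is not None]
        if times != sorted(times):
            bad.append(asset)
    return bad


def closed_with_open_work(timeline: Sequence[Event]) -> bool:
    """True when the incident was closed although some asset never reached 'remediated'."""
    return first_time(timeline, "incident_closed") is not None and any(
        "remediated" in missing for missing in milestone_gaps(timeline).values())


def ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


# Constructed sample incident (see the note above on which values come from the slide).
SAMPLE_EVENTS = [
    Event(ts("2015-02-08 18:47:50"), "first_exploit_attempt", "www-01", "first admin access attempt seen in PCAP"),
    Event(ts("2015-02-08 18:48:04"), "alert", "www-01", "Snort sid 25975 fired"),
    Event(ts("2015-02-08 18:52:30"), "alert", "db-01", "second alert from the same source IP"),
    Event(ts("2015-02-08 19:10:04"), "investigated", "www-01", "analyst picked up the alert"),
    Event(ts("2015-02-08 19:25:00"), "escalated", "www-01", "escalated to IR"),
    Event(ts("2015-02-08 19:40:00"), "contained", "www-01", "host isolated from the network"),
    Event(ts("2015-02-08 20:05:00"), "contained", "db-01", "host isolated from the network"),
    Event(ts("2015-02-09 09:30:00"), "remediated", "www-01", "rebuilt from image"),
    Event(ts("2015-02-09 10:00:00"), "incident_closed", None, "ticket closed"),
]

if __name__ == "__main__":
    tl = build_timeline(SAMPLE_EVENTS)
    print("\n".join(render(tl)))
    print("gaps:", milestone_gaps(tl), "out of order:", out_of_order(tl))
    print("closed with open work:", closed_with_open_work(tl))
```

On the sample data the timeline shows that db-01 was contained but never investigated, escalated or remediated, and that the ticket was closed anyway; that is exactly the kind of lead the slide has in mind.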


CONCLUSION


REVIEW: KEY QUESTIONS

Was this an actual attack?

Was the attack successful?

What other assets were affected?

What activities did the attacker carry out?


REVIEW: OTHER TIPS

Don't waste your time prioritizing alerts. Let the computer do it for you.

Make sure your analysis tools and workflows support answering the key questions. This makes your analysts much more powerful.

High-level context tools like graphs offer many advantages that are hard to get with log-based tools.

Focus on indicators of success to cut down on the number of alerts.

WANT TO LEARN MORE?

www.sqrrl.com

Read our white paper or product paper
Schedule a demo or proof of concept
Request a VM or evaluation software

QUESTIONS?


David J. Bianco

[email protected]

@DavidJBianco