The first step involves not only identifying the action behind the alert, and determining whether or not it is malicious, but also prioritizing the incident within the system. Network security monitoring and deeper investigation are key here.
• How did the malware enter your network?
• What actions did it perform?
• Where is the malware?
• Did we get it all?
These are the questions to answer before proceeding with appropriate action. Infected endpoints are a crucial factor here. In order to stop and eliminate the threat, you need to know what occurred and where.
The second step involves building context to prioritize the alert:
• Timeline, from entry to discovery and remediation.
• Is there external intelligence for this threat?
• What do the alerts tell you about the incident?
• What actions were taken and what damage was caused?
Having a deep understanding of the attack, its intention and the affected assets enables your team to take action.
• Prioritize your highest-value targets and contain them as quickly as possible.
• Begin recovering the assets and resolving the issues in attacked areas.
• Remove the malware and restore the affected systems.
If you have the right teams and tools in place, you should come to step three almost immediately. It’s all about informing and acting on every step of the process. That’s how you create an agile and efficient alert triage process.
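The three steps above (identify, build context, prioritize and act) can be turned into a repeatable scoring pass over the alert queue. The following is an added example, not code from the original article or from any product it describes; the alert fields, the weights, and the three sample alerts are constructed assumptions chosen to illustrate the questions in the text (entry point, spread across hosts, dwell time, external intelligence, observed actions, and whether everything has been contained).

```python
"""Toy alert triage: scores alerts by context and answers the triage questions.

Everything here is constructed for illustration; weights are assumptions,
not a published standard.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass
class Alert:
    alert_id: str
    host: str
    asset_tier: str            # assumed tiers: crown-jewel, server, workstation
    first_seen: datetime       # earliest evidence of the activity on this host
    detected_at: datetime      # when the alert actually fired
    actions: List[str] = field(default_factory=list)  # observed tactics
    intel_match: bool = False  # indicator matched external threat intelligence
    contained: bool = False    # host already isolated / remediated


# Assumed weights: higher-value assets and more damaging actions rank first.
ASSET_WEIGHT = {"crown-jewel": 40, "server": 25, "workstation": 10}
ACTION_WEIGHT = {
    "lateral-movement": 30,
    "credential-access": 25,
    "c2-beacon": 20,
    "persistence": 15,
    "initial-access": 10,
}


def triage_score(alert: Alert) -> int:
    """Build context for one alert and collapse it into a priority score."""
    score = ASSET_WEIGHT.get(alert.asset_tier, 5)
    # Each distinct action observed adds weight (unknown actions get a small default).
    score += sum(ACTION_WEIGHT.get(a, 5) for a in set(alert.actions))
    if alert.intel_match:
        score += 20
    # Long dwell time (entry to discovery) means more damage and more to recover.
    dwell = alert.detected_at - alert.first_seen
    if dwell > timedelta(days=1):
        score += 15
    elif dwell > timedelta(hours=1):
        score += 5
    return score


def prioritize(alerts: List[Alert]) -> List[Alert]:
    """Highest-value, most-damaging alerts first: contain these before the rest."""
    return sorted(alerts, key=triage_score, reverse=True)


def triage_report(alerts: List[Alert]) -> Dict[str, object]:
    """Answer the four questions from the text for a set of related alerts."""
    by_entry = sorted(alerts, key=lambda a: a.first_seen)
    return {
        "entry_host": by_entry[0].host,                    # how/where did it enter?
        "timeline": [(a.host, a.first_seen.isoformat()) for a in by_entry],
        "affected_hosts": sorted({a.host for a in alerts}),  # where is the malware?
        "actions_seen": sorted({x for a in alerts for x in a.actions}),  # what did it do?
        "uncontained": [a.alert_id for a in alerts if not a.contained],  # did we get it all?
        "priority_order": [a.alert_id for a in prioritize(alerts)],
    }


# Constructed sample alerts (hostnames and timestamps are made up).
SAMPLE_ALERTS = [
    Alert("A-1", "ws-017", "workstation",
          datetime(2024, 1, 10, 8, 0), datetime(2024, 1, 10, 8, 30),
          ["initial-access"], intel_match=True),
    Alert("A-2", "db-01", "crown-jewel",
          datetime(2024, 1, 10, 9, 15), datetime(2024, 1, 11, 14, 0),
          ["lateral-movement", "credential-access"]),
    Alert("A-3", "srv-app-03", "server",
          datetime(2024, 1, 10, 9, 0), datetime(2024, 1, 10, 12, 0),
          ["c2-beacon", "persistence"], intel_match=True, contained=True),
]


if __name__ == "__main__":
    for alert in prioritize(SAMPLE_ALERTS):
        print(f"{alert.alert_id:4} {alert.host:12} score={triage_score(alert)}")
    print(triage_report(SAMPLE_ALERTS))
```

On the sample data the crown-jewel database with lateral movement and a day of dwell time ranks first even though it has no external intelligence match, which is the point of building context rather than acting on the alert that fired first; the report also shows that the workstation was the entry point and that two of the three hosts are still uncontained, so "did we get it all?" is answered "no".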