DDLC - Triage Phase

By Asante Babers / Sep 19, 2024 / Detection Engineering / 5 Min Read

DDLC - Triage

In detection engineering, effective triage is key to prioritizing and addressing security threats efficiently. As the second phase of the detection engineering process, triage assesses and ranks incoming detection requirements (requests for new or improved detections) based on four factors: threat severity, organizational alignment, existing detection coverage, and the availability of active exploits. By scoring each requirement against these factors, detection engineers can spend their limited development time on the threats that matter most to their organization.


Breaking Down the Triage Considerations

Each consideration in the triage process contributes a numeric score, and the scores are summed into a priority level for the detection requirement.

1. Threat Severity

Severity assesses the potential impact of a threat on your organization if left undetected. High-severity threats are those that could cause significant harm, such as breaches of sensitive data or disruptions to critical infrastructure. Generally, the closer the threat is to the end of the kill chain, the higher its severity. However, certain operational factors, like detecting a honeypot breach, can also influence severity.

Severity Levels (scored 1 to 3; these are the values used in the priority formula below):

  • Low Severity (1): A passive threat with potential for future harm (e.g., recon scanning of public-facing ports).

  • Medium Severity (2): An active threat in its early stages (e.g., a phishing email that has been delivered but not yet opened).

  • High Severity (3): A direct and impactful threat (e.g., ransomware payload execution).

2. Organizational Alignment

Organizational alignment refers to how relevant a threat is to your specific organization, industry, or technology stack. It’s informed by threat intelligence that helps assess whether the adversary’s targets align with the assets you protect.

Organizational Alignment Levels:

  • 0: Irrelevant threat (e.g., threat targeting an environment not used by your organization).

  • 1: Unlikely to target your organization, but still possible.

  • 2: Widespread or unpredictable threat (e.g., mass phishing campaigns).

  • 3: Directly targeted threat based on intelligence and observations.

3. Detection Coverage

Detection coverage evaluates how well your current detection mechanisms can identify the threat across different parts of the environment, such as networks, endpoints, or applications. This step helps avoid duplication and ensures that resources are directed toward areas where new or enhanced detection capabilities are necessary.

Detection Coverage Levels:

  • 0: Coverage already exists comprehensively.

  • 1: Improvements are possible.

  • 2: New detection is needed to fill a gap.

4. Availability of Active Exploits

The presence of active exploits significantly influences a threat’s priority. If exploits for a detected vulnerability are known and actively used, the urgency to address the threat rises, as it may pose an immediate risk to the environment.

Active Exploits Scoring:

  • Relevance:

    • 0: Not vulnerable.

    • 1: Vulnerable but a patch exists.

    • 2: Vulnerable and no patch is available.

  • Prevalence:

    • 1: No public exploit code and no observed in-the-wild activity.

    • 2: Some in-the-wild activity, but no public exploit code.

    • 3: Public exploit code exists, and active use is confirmed.

Calculating Detection Priority

Once each element has been assessed, you can calculate an overall priority score to help guide the response.

Priority Scoring Formula

The priority score is calculated as follows:

Priority Score = Threat Severity + Organizational Alignment + Detection Coverage + (Relevance + Prevalence)

With Severity scored 1 to 3, Alignment 0 to 3, Coverage 0 to 2, Relevance 0 to 2 and Prevalence 1 to 3, the total ranges from 2 to 13 and determines the overall urgency of the detection requirement. Note that Prevalence still adds points when Relevance is 0 (you are not vulnerable) or Alignment is 0 (the threat does not target your environment), so a widely exploited bug in a product you do not run can still land in the Medium band; treat those scores with judgement rather than building the detection on the number alone.

Priority Levels

  • Informational (1-4): Low-impact alerts that don’t require immediate attention.

  • Low (5-6): Minor threats; monitor but don’t require rapid response.

  • Medium (7-9): Moderate threats needing attention but not urgent.

  • High (10-12): Serious threats; act swiftly to mitigate.

  • Critical (13): Critical, time-sensitive threats requiring immediate action.
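The full scoring procedure described above, from the four considerations through the priority bands, as an added worked example in Python (this is example code written for this page, not the author's tooling). It assumes the Low/Medium/High severity labels map to 1, 2 and 3, which is the mapping the formula needs to reach the maximum score of 13; the backlog of detection requests, their names and their scores are constructed for illustration.

```python
"""Priority scoring for detection requirements (triage phase).

Added example, not the author's own code. Severity is mapped Low=1,
Medium=2, High=3, the mapping implied by the post's formula (maximum
score 13 = 3 + 3 + 2 + (2 + 3)). The other ranges follow the post's
scoring tables.
"""
from dataclasses import dataclass

SEVERITY = {"low": 1, "medium": 2, "high": 3}
ALIGNMENT = range(0, 4)   # 0 irrelevant .. 3 directly targeted
COVERAGE = range(0, 3)    # 0 comprehensive coverage .. 2 gap, new detection needed
RELEVANCE = range(0, 3)   # 0 not vulnerable .. 2 vulnerable and no patch
PREVALENCE = range(1, 4)  # 1 no exploit / no ITW activity .. 3 public code, active use

# (lower bound, upper bound, label) for the priority bands in the post
BANDS = [
    (1, 4, "Informational"),
    (5, 6, "Low"),
    (7, 9, "Medium"),
    (10, 12, "High"),
    (13, 13, "Critical"),
]


@dataclass(frozen=True)
class DetectionRequest:
    """One triaged detection requirement with its four factor scores."""
    name: str
    severity: str      # "low" | "medium" | "high"
    alignment: int     # 0-3
    coverage: int      # 0-2
    relevance: int     # 0-2
    prevalence: int    # 1-3

    def __post_init__(self):
        # Reject out-of-range inputs so a typo cannot silently inflate a score.
        if self.severity not in SEVERITY:
            raise ValueError(f"{self.name}: unknown severity {self.severity!r}")
        for field, allowed in (("alignment", ALIGNMENT), ("coverage", COVERAGE),
                               ("relevance", RELEVANCE), ("prevalence", PREVALENCE)):
            value = getattr(self, field)
            if value not in allowed:
                raise ValueError(f"{self.name}: {field}={value} outside {allowed}")


def priority_score(req: DetectionRequest) -> int:
    """Severity + Alignment + Coverage + (Relevance + Prevalence), range 2..13."""
    return (SEVERITY[req.severity] + req.alignment + req.coverage
            + (req.relevance + req.prevalence))


def priority_level(score: int) -> str:
    """Map a numeric score onto the post's Informational..Critical bands."""
    for low, high, label in BANDS:
        if low <= score <= high:
            return label
    raise ValueError(f"score {score} outside the 1-13 priority scale")


def triage(requests):
    """Return (score, level, request) tuples, highest priority first."""
    scored = [(priority_score(r), priority_level(priority_score(r)), r) for r in requests]
    return sorted(scored, key=lambda t: t[0], reverse=True)


# Constructed backlog of detection requests (illustrative, not real intel).
BACKLOG = [
    DetectionRequest("Recon scan of public-facing ports", "low", 1, 0, 0, 1),
    DetectionRequest("Mass phishing campaign, email not yet opened", "medium", 2, 1, 1, 2),
    DetectionRequest("Ransomware payload execution", "high", 3, 2, 2, 3),
    DetectionRequest("Actively exploited bug in a product we do not run", "high", 0, 2, 0, 3),
]

if __name__ == "__main__":
    for score, level, req in triage(BACKLOG):
        print(f"{score:2d}  {level:<13} {req.name}")
```

Running the block ranks the ransomware request at 13 (Critical) and the port scan at 3 (Informational). The last entry is the case worth watching: a high-severity, actively exploited vulnerability in software the organization does not run still scores 8 (Medium), because Prevalence contributes its 3 points even when Relevance and Alignment are both 0. That is exactly where the engineer's judgement should override the number rather than the detection being built on the score alone.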

Conclusion

By working through the four triage considerations and calculating a clear priority score, detection engineers can rank detection requirements consistently, ensuring that development effort is directed toward the most critical threats first. This structured approach both strengthens the organization's readiness for high-impact incidents and keeps the detection engineering team's effort focused where it counts.

©2023 Asante Babers
