The Art and Science of Alert Triage
If you follow the trade press, one theme you hear over and over again is that organizations are drowning in alerts. It’s true that we need technological solutions to prioritize and escalate the most important alerts to our analysts, but the humans have a critical part to play in this process as well. The quicker they are able to make decisions about the alerts they review, the better they are able to keep up. An incident responder’s most common task is alert triage, the process of investigation and escalation that ultimately results in the creation of security incidents. As crucial as this process is, remarkably little has been written about how to do it correctly and efficiently. In this presentation, learn incident response best practices from Sqrrl security expert David Bianco.

Published in: Data & Analytics
The Art and Science of Alert Triage

  1. Securely explore your data
     THE ART & SCIENCE OF ALERT TRIAGE
  2. © 2015 Sqrrl | All Rights Reserved
     ABOUT ME
     Security Architect at Sqrrl. Research areas include threat intelligence, security analytics and the art & science of hunting. 15 years of detection & response experience in government, research, educational and corporate arenas. A founding member of a Fortune 5’s CIRT. Spent 5 years helping to build a global detection & response capability (500+ sensors, 5PB PCAP, 4TB logs/day).
  3. AGENDA
     What is Triage?
     The Detection Cycle
     Key Questions in the Investigative Continuum
     Summary
  4. WHAT IS ALERT TRIAGE?
     Image: "Triage" by Umschattiger - Own work. Licensed under CC BY-SA 3.0 via Wikimedia Commons - https://commons.wikimedia.org/wiki/File:Triage.jpg#/media/File:Triage.jpg
     In medicine, triage involves evaluating, prioritizing and tagging patients according to the urgency of their condition.
     Alerts should be pre-prioritized and tagged, so humans shouldn’t need to do much except validation. Triage involves less prioritization/tagging and more investigation.
  5. THE AUTOMATED DETECTION CYCLE
     Observe -> Compare -> Alert -> Validate
     Observe what is happening in your environment.
     Compare these activities to some reference databases (signatures, indicators, patterns of activity, etc.).
     Alert when we are reasonably confident of a match.
     Validate that the system actually detected the type of activity it meant to.
  6. THE INVESTIGATIVE CONTINUUM
     Alert! -> How should my org respond?
  7. THE INVESTIGATIVE CONTINUUM
     Alert! -> Is this an actual attack? -> Was the attack successful? -> What other assets were affected? -> What other activities occurred? -> How should my org respond?
  8. THE INVESTIGATIVE CONTINUUM
     Alert! -> Is this an actual attack? -> Was the attack successful? -> What other assets were affected? -> What other activities occurred? -> How should my org respond?
     The first four questions are Validation & Scoping, AKA Triage.
  9. IS THIS AN ACTUAL ATTACK?
     Context is key to quickly discarding false positives.
     02/08-18:48:04.305170 [**] [1:25975:2] POLICY-OTHER Adobe ColdFusion admin interface access attempt [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 58.64.132.100:44674 -> 172.16.150.20:80
  14. WAS THE ATTACK SUCCESSFUL?
      For fewer alerts, focus on indicators of attacker success.
      Most alerts are for attack attempts. Most attempts are not successful. Most of your alerts don’t require action, so why waste time with them?
      Indicators of success or post-compromise actions result in fewer, more meaningful alerts.
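Added example, not from the deck: a small Python triage helper that parses the Snort fast-format alert shown on slide 9 and applies the questions from slides 9 and 14. It uses a constructed asset inventory to discard alerts whose target cannot run the product the rule names, and looks for a constructed indicator of success (the target initiating a connection back to the alert source). The inventory, the flow records and the helper names are assumptions.

```python
import ipaddress
import re

# Snort fast-format alert line taken from slide 9 (the IPs are the slide's own values).
SAMPLE = ("02/08-18:48:04.305170 [**] [1:25975:2] POLICY-OTHER Adobe ColdFusion admin "
          "interface access attempt [**] [Classification: Potential Corporate Privacy "
          "Violation] [Priority: 1] {TCP} 58.64.132.100:44674 -> 172.16.150.20:80")

ALERT_RE = re.compile(
    r"^(?P<ts>\S+) \[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\] "
    r"(?:\[Classification: (?P<cls>[^\]]*)\] )?\[Priority: (?P<prio>\d+)\] "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$")

# Constructed asset inventory (a hypothetical CMDB export) and constructed flow records
# for the period after the alert; neither comes from the slides.
ASSETS = {
    "172.16.150.20": {"software": ["Apache httpd", "Adobe ColdFusion"], "internet_facing": True},
    "172.16.150.21": {"software": ["nginx", "WordPress"], "internet_facing": True},
}
FLOWS = [  # (src, dst, dst_port, bytes_out) observed after the alert
    ("58.64.132.100", "172.16.150.20", 80, 1200),
    ("172.16.150.20", "58.64.132.100", 4444, 52000),  # target calling back out to the source
]

def parse_alert(line):
    """Split a Snort fast-format alert into its fields."""
    m = ALERT_RE.match(line)
    if not m:
        raise ValueError("not a Snort fast-format alert: " + line)
    return m.groupdict()

def is_actual_attack(alert, assets=ASSETS):
    """Slide 9: use context to discard false positives. Returns (verdict, reason)."""
    target = assets.get(alert["dst"])
    if target is None:
        return ("unknown", "target not in asset inventory; gather context first")
    # The rule message names a product; a target that does not run it cannot be affected.
    if not any(sw.lower() in alert["msg"].lower() for sw in target["software"]):
        return ("false positive", "target does not run the product the rule describes")
    external = not ipaddress.ip_address(alert["src"]).is_private
    if external and target["internet_facing"]:
        return ("possible attack", "external source reached an internet-facing host running the product")
    return ("possible attack", "internal source; check whether the access was authorized")

def was_successful(alert, flows=FLOWS):
    """Slide 14: look for an indicator of success rather than the attempt itself.
    A target that initiates a new connection back to the alert source is one such indicator."""
    return any(src == alert["dst"] and dst == alert["src"] for src, dst, _, _ in flows)
```

Swap ASSETS and FLOWS for your CMDB and flow store to turn this into a real enrichment step.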
  15. WHAT ELSE WAS AFFECTED?
      Use context to expand the scope of the investigation. Investigation questions from our previous example:
      • Did the attacker compromise user accounts on the target?
      • Where else might those user accounts be valid?
      • What other systems communicated with the attacker?
      • Are there any other related assets we need to check out?
  16. WHAT OTHER ACTIVITIES OCCURRED?
      Create a timeline of attacker activities and IR milestones:
      • First exploit attempt
      • All alerts generated by attack
      • When the alerts were investigated and escalated
      • When each asset was contained
      • When each asset was remediated
      • When the incident was closed
      Now you know what assets were affected, find the evidence and record the events in order. Timelines are useful not only for reports, but as IR leads for identifying gaps in the story. Start with a simple spreadsheet or wiki page to get a feel for the process, then expand. Doing a few graphical timelines manually helps you understand your true requirements, too!
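Added example, not from the deck: Python that carries out the slide 16 procedure on a constructed incident record. It orders the evidence into a timeline, flags assets that have an alert but lack an investigated, contained or remediated milestone (the "gaps in the story" that become IR leads), and computes hours from first alert to each milestone. The dates, the milestone names and the asset list are assumptions.

```python
from datetime import datetime, timedelta

# Constructed incident record (hypothetical dates, not from the slides): the slide 9 alert's
# target plus the IR milestones slide 16 says a timeline should hold. "*" = incident-wide.
EVENTS = [
    ("2015-02-08 18:48:04", "172.16.150.20", "alert", "first exploit attempt (sid 25975)"),
    ("2015-02-08 18:49:30", "172.16.150.20", "alert", "outbound callback to alert source"),
    ("2015-02-09 09:15:00", "172.16.150.20", "investigated", "analyst escalated to incident"),
    ("2015-02-09 10:02:00", "172.16.150.20", "contained", "host pulled from the network"),
    ("2015-02-09 11:30:00", "172.16.150.21", "alert", "same source hit second web host"),
    ("2015-02-10 16:00:00", "172.16.150.20", "remediated", "rebuilt from image"),
    ("2015-02-11 09:00:00", "*", "closed", "incident closed"),
]
FMT = "%Y-%m-%d %H:%M:%S"
REQUIRED = ("investigated", "contained", "remediated")  # milestones every affected asset needs

def build_timeline(events=EVENTS):
    """Order the raw evidence by time: the first step slide 16 describes."""
    parsed = [(datetime.strptime(ts, FMT), asset, kind, note) for ts, asset, kind, note in events]
    return sorted(parsed)

def milestone_gaps(timeline):
    """Assets with an alert but missing a required milestone: the 'gaps in the story'
    that slide 16 says turn a timeline into IR leads."""
    per_asset = {}
    for _, asset, kind, _ in timeline:
        if asset != "*":  # '*' marks incident-wide milestones
            per_asset.setdefault(asset, set()).add(kind)
    return {asset: sorted(set(REQUIRED) - kinds)
            for asset, kinds in per_asset.items()
            if "alert" in kinds and not set(REQUIRED) <= kinds}

def response_metrics(timeline, asset):
    """Hours from the asset's first alert to each milestone (None if not yet reached)."""
    first_alert = min(t for t, a, k, _ in timeline if a == asset and k == "alert")
    out = {}
    for m in REQUIRED:
        hits = [t for t, a, k, _ in timeline if a == asset and k == m]
        out[m] = round((hits[0] - first_alert) / timedelta(hours=1), 2) if hits else None
    return out
```

The gap report is the list of assets the investigation still owes a milestone; the metrics are the numbers a report or post-mortem usually asks for.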
  17. CONCLUSION
  18. REVIEW: KEY QUESTIONS
      Was this an actual attack?
      Was the attack successful?
      What other assets were affected?
      What activities did the attacker carry out?
  19. REVIEW: OTHER TIPS
      Don’t waste your time prioritizing alerts. Let the computer do it for you.
      Make sure your analysis tools and workflows support answering the key questions. This makes your analysts much more powerful.
      High-level context tools like graphs offer many advantages that are hard to get with log-based tools.
      Focus on indicators of success to cut down on the number of alerts.
  20. WANT TO LEARN MORE?
      www.sqrrl.com
      Read our white paper or product paper
      Schedule a demo or proof of concept
      Request a VM or evaluation software
  21. QUESTIONS?
      David J. Bianco
      dbianco@sqrrl.com
      @DavidJBianco