CERT-CSIH Domain #3: Triage & Analysis
Triage and Analysis is the third domain of the CERT-CSIH certification exam and constitutes 28% of the overall objectives of the exam. Triage and analysis go hand-in-hand to help a CSIRT team in classifying events, conducting correlation analysis, prioritizing events, assigning events for further analysis, identifying the cause of an incident, analyzing intrusion artifacts and malware, performing vulnerability analysis and determining risks, threat level or a business impact of the incident.
Triage and Analysis techniques are applied when the Incident Detection phase has been completed. The incident data and intrusion artifacts that have been collected during the Incident Detection phase are now available for the Triage and Analysis phase. Further investigation is based on that data.
The following sections will take a deep dive to define how Triage the Analysis phase works.
Organizations should categorize events to determine their severity level and business impact. Since events occur in numerous ways, it’s inappropriate to establish step-by-step instructions for handling every event separately. Therefore, organizations should develop a general incident-handling plan that is able to deal with every event or events that are very common.
Some common events are listed below. However, they are neither comprehensive nor definitely classified.
- Theft or Loss of Equipment: Theft or loss of a media or any computing device, which contains an organization’s sensitive data, may trigger a serious event
- Performing Illegal Activities: Most organizations have “Acceptable Usage Policies” that bind users to only use authorized devices or applications within the organization’s facility. Employing any device/application illegally, such as installing third-party media applications, may provide an opening to malicious actors and then cause a significant event
- Email: Email messages often contain malicious links or attachments that cause an incident
- Web: An attack can be executed on the Web by exploiting browser vulnerabilities or installing malware
- Removable Media: An installation of removable media is a notoriously insecure method of transmitting data. Removable media often invites malware
Organizations can define categories in accordance with their own developed standards. Hence, events should be categorized using an organization’s standard category definition.
Performing Correlation Analysis
There are millions of events that occur every day. According to Panda Security, “230,000 new malware samples are produced every day.” An organization can be prone to more than one attack or many attacks that cause multiple events. However, determining an affinity between two or more events is indispensable. For this purpose, a CSIRT team performs correlation analysis.
Prioritizing events is one of the crucial factors in the Triage and Analysis phase. When an organization encounters various events at the same time, each event can have different nature in terms of its scope, urgency and potential impact. The most dangerous events must be neutralized first, rather than dealing with each event with the first-come-first-served strategy.
Spending time on less important events first may provide more serious events an extra time to inflict more damage. That’s where the strategy of prioritizing events comes in: to help a CSIRT team cope with the most dangerous events first, as they can stop business operations and compromise the confidentiality, integrity and availability of data.
Once the events have been prioritized, the next step is to assign events in order to make further analysis, response or closure/disposition. More serious events may require further analysis, while less important events are just closed unless they are neutralized altogether.
Determining Cause and Symptoms of the Event
During this step, a CSIRT team discovers why an incident occurred and what symptoms were involved. Determining a cause requires them to check whether there was a porous hole in the corporate network or if there were any potential vulnerabilities within the company IT infrastructure. This step helps security teams enhance an organization’s security posture further and prevents similar types of attacks in the future.
Analyzing Intrusion Artifacts and Malware
In the second decade of the 21st century, the IT security industry is shifting from concentrating on the perimeter to collecting and analyzing the artifacts and residue left on affected systems by cyberpests or hackers.
Unlike log files, which can be cleaned, the manipulation of artifacts is nearly out of the question. Analyzing intrusion artifacts/residue and malware is necessary, as they can provide vital information pertaining to the attacker’s behavior, the purpose of the attack or the specific vulnerability. Doing so helps a security team to build a dossier and identify the attacker. For instance, a Remote Access Trojan (RAT) artifact helped a CSIRT team to investigate the Office of Personnel Management breach.
Performing Vulnerability Analysis
A vulnerability analysis or vulnerability assessment is the proactive step used to identify, classify and prioritize vulnerabilities in systems, applications and networks. It also helps a CSIRT team to gain knowledge, awareness and background information of the risk to comprehend threats to their organization and know how to react to them appropriately. For this to be done effectively, security practitioners employ automated tools such as network security scanners. Once this process completes, the vulnerability assessment report is generated to list results.
Various types of vulnerability analysis include:
- Database scan: This includes finding vulnerabilities in databases to prevent database attacks such as SQL injection attacks
- Software scan: A software scan assists a CSIRT team in testing websites to detect application vulnerabilities and wrong configurations in Web applications or the network
- Wireless scan: This scan aims at identifying vulnerabilities in organization’s Wi-Fi network, such as finding rogue access points
- Host-based scan: A host-based vulnerability scan is performed to detect vulnerabilities in workstations, servers or other network hosts
Lastly, the CSIRT team should determine the risk, threat level or business impact of the confirmed incident.
In this article, we have delved in depth into the third domain of CERT-CSIH certification exam – namely, Triage and Analysis. The objectives of this domain are to find attackers, the purpose of the attack and the business impact of the attack. Doing so requires the contribution of the CSIRT team to categories events, perform correlation analysis, prioritize events, assign events, determine the cause of the event, analyze intrusion artifacts, perform vulnerability analysis and identify the risk, threat level or business impact of an event.
After this entire process, the CSIRT team will be able to perform the next phase of incident handling – the “Respond” phase, which is also the fourth domain of the CERT-CSIH certification exam.
InfoSec Institute offers you an Incident Response and Network Forensics Training Boot Camp that helps you to pass CERT-CSIH certification with an elite score. If you want to know more about the CERT-CSIH certification exam, InfoSec Institute also recommends you read our summary of CERT-Certified Computer Security Incident Handler (CSIH).
- CERT-Certified Computer Security Incident Handler Qualification Examination, Software Engineering Institute
- Computer Security Incident Handling Guide (Draft), NIST
- Cyber Security Statistics, TheBestVPN
- Security Artifacts – The Hunt for Forensic Residue, IT Business Edge
- Vulnerability assessment (vulnerability analysis), TechTarget