Full Report
We're all petrified about missing a critical event or misclassifying an alert, but when we're talking about incident response (IR), there are often hundreds if not thousands of alerts to parse through. It's easy to get caught up with one alert because it feels "too hot" or maybe not spend enough time looking into something that initially seems "too cold." The post Finding the “Goldilocks” Zone: A Practical Approach to Alert Triage appeared first on Black Hills Information Security, Inc..
Analysis Summary
# Best Practices: Alert Triage Optimization
## Overview
Alert triage is the critical process of assessing and classifying security events under conditions of high urgency and volume. These practices address the "Goldilocks" challenge: spending exactly the right amount of time on an alert to ensure critical threats are not missed while preventing analyst burnout and "rabbit hole" investigations.
## Key Recommendations
### Immediate Actions
1. **Prioritize by Severity:** Categorically ignore "Low" alerts during active incidents and relegate "Medium" alerts to a secondary queue.
2. **Focus on Criticals:** Direct 90-second to 5-minute initial reviews strictly toward "High" and "Critical" alerts to establish the narrative of an attack.
3. **Apply "Actions on Objective" Filter:** Quickly evaluate if the alert activity shows the attacker moving toward a goal (e.g., exfiltration, lateral movement). If the activity remains stagnant or isolated, lower its triage priority.
### Short-term Improvements (1-3 months)
1. **Baseline Environment Activity:** Develop a "normal" profile for host and network behavior. Use the question: "Does this happen regularly across multiple hosts?" to identify false positives.
2. **Define Detection Intent:** Document the specific TTP (Tactic, Technique, or Procedure) each alert rule is designed to catch. Ensure analysts know exactly what "success" for that specific alert looks like.
3. **Procedural Questioning:** Implement a standard 4-question checklist for every triage task to maintain consistency across the team.
### Long-term Strategy (3+ months)
1. **Feedback-Driven Logic:** Use findings from "Medium" and "Low" alerts (vetted during calmer periods) to tune SIEM detection logic and reduce future noise.
2. **Goal-Oriented Detection:** Move toward a detection strategy focused on "success markers" for attackers rather than just identifying anomalous technical artifacts.
## Implementation Guidance
### For Small Organizations
- **Focus on Severity:** With limited staff, strictly follow the severity-based triage. Don't feel guilty about ignoring "Low" events to ensure "High" events get eyes.
- **Use Vendor Baselines:** Rely on "out of the box" baselines until custom environment profiles can be developed.
### For Medium Organizations
- **Standardize Triage Questions:** Formalize the four core triage questions into your ticketing system or SOAR platform.
- **Centralize Context:** Ensure analysts can see if an alert is "occurring on multiple hosts" without manual searching across different consoles.
### For Large Enterprises
- **Detection Intent Enforcement:** Require developers of detection logic to include a "Detection Intent" field in the SIEM to prevent analysts from following peripheral rabbit holes.
- **Automated Baserunning:** Automate the comparison of alert activity against the global organizational baseline.
## Configuration Examples
While specific code depends on the SIEM, the **Detection Intent** methodology follows this logic:
**Alert Rule:** *Suspected Credential Dumping (LSASS access)*
* **Detection Intent:** Identify processes not named `svchost.exe` or `taskmgr.exe` accessing `lsass.exe` memory.
* **Triage Instruction:** If the source process is a known security agent or specialized admin tool used globally: **Mark as False Positive and move on.** (Do not investigate the user's browser history or unrelated network connections).
## Compliance Alignment
- **NIST SP 800-61 Rev. 2:** Directly supports the "Detection and Analysis" phase of the Incident Response Life Cycle.
- **CIS Controls (Control 8):** Supports Audit Log Management and the analysis of events to detect attacks.
- **ISO/IEC 27035:** Aligns with the "Assessment and Decision" stage of incident management.
## Common Pitfalls to Avoid
- **Falling Down Rabbit Holes:** Investigating peripheral activity that is not related to the primary alert trigger.
- **Over-investigating "Cold" Alerts:** Spending excessive time on Low/Medium alerts before clearing the High/Critical queue.
- **Ignoring Objective:** Treating every anomaly as a threat, even if it provides no clear path or benefit to an attacker.
## Resources
- **Black Hills InfoSec Prompt Zines:** [https://www.blackhillsinfosec[.]com/prompt-zine/]
- **Infosec Survival Guide (Orange Book):** [Available at spearphish-general-store[.]myshopify[.]com]
- **Antisyphon Training:** [https://www.antisyphontraining[.]com/]