Every security incident is unique, just like every medical emergency. Regardless of the differences, the goals are very similar: identify the problem, prevent further damage and fix what has been broken. What varies from one event to another is the rate at which we respond, and that rate should be based on severity, not category. There is great risk to an organization that throws all available resources at one problem just because that is what’s on the burner at that particular time. What we end up sacrificing is proper coverage for other events. Not to mention, having ‘too many hands in the pot’ could lead to missing important steps due to a lack of organization and structure.

To reduce this risk, organizations need to put a greater emphasis on the triage phase of their incident response efforts. This is the key moment when security analysts take the first pieces of available information and use critical thinking skills, intuition and previous experience to judge the severity of the event based on the damage it has caused or is likely to cause, not solely on the category to which it belongs.

9-1-1, What is Your Emergency?

We have all undoubtedly heard this phrase in movies or on television: the calm voice of a 9-1-1 dispatcher who is ready to take whatever information the often panic-stricken person on the other end of the line is able to give them. Are they reporting a car accident? A shooting? A fire? A hangnail on their big toe? Every time the phone rings in an emergency call center, the nature of the call is different, but one thing is certain: someone needs help. Once the dispatcher has the information, it is relayed to local emergency medical services (EMS) first responders, whose job, just like that of an information security analyst, is to make an initial assessment of severity to determine the priority level of the call – which means they don’t always go lights and sirens!
There is a very strong parallel between the decisions that EMS workers and analysts make about the priority at which an incident should be responded to. And like EMS, when a major breach or incident occurs, it’s up to analysts to respond in a way that reduces and prevents further damage when every second counts! We are also first responders. While we may not hold people’s lives in our hands, we are responsible for ensuring that the livelihood of our fellow employees remains intact.

There are several common phases of incident response as it relates to information security. At Duo, we break our incident response process into the following phases:

- Detection
- Reporting/Alerting
- Triage
- Analysis
- Containment
- Mitigation
- Follow-up

Believe it or not, EMS follows a very similar structure when responding to calls, which also starts with detection and reporting. This is followed by EMS workers figuring out exactly what the problem is (triage and analysis) before they can give proper medical care (containment and mitigation). After all of that is complete, there is paperwork to be done (follow-up). Regardless of whether we are talking about human lives or computer systems, incident response starts with two primary elements, detection and reporting, which are the lifeblood of the most crucial phase of incident response: triage.

Triage

Proper detection and reporting are crucial to ensuring that the triage phase is as effective as possible. These phases can occur in numerous ways, but ultimately boil down to relying on either tools or people. Unfortunately, tools and people are not perfect. False positives can occur from a detection and reporting standpoint just as easily as things can be overlooked. In an emergency situation, panic sets in, causing our judgment and perspective to change, which could alter the information necessary to triage properly.
For an analyst, an important part of triage is being able to identify the functional and informational impact of the event that has occurred. The table below provides a general standard for the high, medium and low ranking levels:

| Priority Level | Functional Impact | Informational Impact |
|---|---|---|
| High | All users are unable to perform critical functions | Data was exfiltrated and potentially made publicly available |
| Medium | A subset of users are unable to perform critical functions | Data was changed, deleted or otherwise compromised |
| Low | Users can still perform critical functions | Data was not affected |

The next table shows a side-by-side comparison of EMS and security-related incidents which have been triaged as high, medium and low. Subtle differences between each level show how the priority of an incident can change between incidents of the same category; in this case, a car accident and a phishing campaign.

Known Information Following the Detection and Reporting Phases

| Priority Level | EMS | Security |
|---|---|---|
| High | Male, mid-20s, currently unconscious following a car accident | Employee notices hundreds of messages containing an attachment have been sent from their account on their behalf |
| Medium | Male, 26 years old, experiencing dizziness following a car accident | Employee clicked the link within a phishing message and entered their credentials into a fake website |
| Low | Male, 26 years old, involved in a car accident with a broken wrist | Potential phishing message reported without clicking links or opening attachments |

In all three of these examples, the severity of the incident was taken into consideration, which helped to determine the priority level. Triage is the phase that can make the difference between a good and a bad outcome because it changes how and when we respond. The examples in the table show that a high priority level resulted in EMS workers needing to arrive on scene as quickly as possible because the patient’s life was at stake.
The analysts in the high priority example also needed to respond as quickly as possible because damage was already being done using the employee’s account. As we can see from the table, the category of the incident did not determine how the events were responded to. Not every car accident or phishing campaign results in a worst-case, high priority scenario, and the triage phase helps
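To make the "severity, not category" rule concrete, here is a small triage queue written as an added example for this post; it is not Duo's tooling and not code from the original. It encodes the functional/informational impact table above and orders incidents by severity alone. Two things are assumptions rather than anything the post states: that an incident's priority is the higher of its two impact levels, and the specific impact levels assigned to the three phishing examples (plus one constructed malware alert, included only to show that category never drives the ordering).

```python
"""Severity-based triage queue (added illustration, not Duo's own process code).

Assumed, not from the original post:
 - an incident's priority is the worse of its functional and informational impact;
 - the queue is ordered by that priority alone, with arrival time as a tie-break.
"""
from dataclasses import dataclass
from enum import IntEnum


class Impact(IntEnum):
    """Impact levels from the triage table, ordered so max() picks the worst."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3


# Ranking text taken from the post's functional/informational impact table.
FUNCTIONAL = {
    Impact.HIGH: "all users are unable to perform critical functions",
    Impact.MEDIUM: "a subset of users are unable to perform critical functions",
    Impact.LOW: "users can still perform critical functions",
}
INFORMATIONAL = {
    Impact.HIGH: "data was exfiltrated and potentially made publicly available",
    Impact.MEDIUM: "data was changed, deleted or otherwise compromised",
    Impact.LOW: "data was not affected",
}


@dataclass(frozen=True)
class Incident:
    category: str          # e.g. "phishing"; deliberately NOT used for ordering
    summary: str           # what the detection/reporting phases told us
    functional: Impact
    informational: Impact
    reported_at: int       # arrival order, used only to break ties (FIFO)


def priority(incident: Incident) -> Impact:
    """Assumed rule: an incident is as severe as its worst impact dimension."""
    return max(incident.functional, incident.informational)


def triage(incidents: list[Incident]) -> list[Incident]:
    """Order the queue by severity (worst first), then by arrival time."""
    return sorted(incidents, key=lambda i: (-priority(i), i.reported_at))


def justify(incident: Incident) -> str:
    """Human-readable reason to record for the follow-up phase."""
    return (f"{priority(incident).name}: functional - "
            f"{FUNCTIONAL[incident.functional]}; informational - "
            f"{INFORMATIONAL[incident.informational]}")


# Constructed sample queue: the post's three phishing examples with assumed
# impact levels, plus one made-up malware alert that arrived first.
SAMPLE_QUEUE = [
    Incident("malware", "AV quarantined a file on one laptop (constructed)",
             Impact.LOW, Impact.LOW, reported_at=1),
    Incident("phishing", "phishing message reported, nothing clicked",
             Impact.LOW, Impact.LOW, reported_at=2),
    Incident("phishing", "user entered credentials into a fake site",
             Impact.LOW, Impact.MEDIUM, reported_at=3),
    Incident("phishing", "hundreds of messages with an attachment sent from "
             "the user's account", Impact.LOW, Impact.HIGH, reported_at=4),
]


def triage_report(incidents: list[Incident] = SAMPLE_QUEUE) -> list[tuple[str, str]]:
    """Return (priority name, summary) pairs in the order analysts should work them."""
    return [(priority(i).name, i.summary) for i in triage(incidents)]


if __name__ == "__main__":
    for rank, inc in enumerate(triage(SAMPLE_QUEUE), 1):
        print(f"{rank}. [{inc.category}] {justify(inc)}")
```

Note that the last phishing incident to arrive is worked first, and the two LOW incidents keep their arrival order regardless of whether they are labelled "malware" or "phishing": the category is carried along for reporting but never consulted when the queue is sorted.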