What Does Triage Mean in Cybersecurity?

In cybersecurity, triage is a cyber incident response approach to identifying, prioritizing, and resolving cybersecurity attacks, threats, and damages within a network.

When simultaneous and multiple attacks occur, an IT security team must prioritize which system or device to assess in order to mitigate, remediate, and salvage important devices and data from further damage.

This incident response process can be complex and limiting compared to the significant number of alerts that may be generated by an organization, SIEM, web application firewalls, or other intrusion prevention and intrusion detection systems (IPS/IDS).

Triage helps IT teams find the most important system components under attack to find relevant solutions and decide on the right procedures before continuing to the next prioritized device.

Triage helps investigate endpoints by collecting relevant data, analyzing it for malware and suspicious activity, and prioritizing incident alerting.

Examples of Cyber Security Incidents

Below are common examples of security incidents that prompt alerts.

• A computer system breach or data breach;
• Unauthorized access to a system, software, or data;
• Unexpected changes to some important data;
• An unauthorized device connecting the corporate network;
• A Distributed Denial of Service attack;
• An important server is going down.

When an organization finds these alerts pinging simultaneously, this is where triage comes into effect.

Who Uses Triage?

Triage is normally used by a skilled team of security analysts with appropriate certifications and training. These employees are responsible for the triaging process, which is performed in security operation centers (SOC), data centers, and disaster recovery units, or by managed security service providers (MSSPs).

Besides cybersecurity attacks, triaging is also useful for bug prioritization (based on severity, frequency, and risk) when IT teams develop a certain application or software during QA and software testing. This type of triaging process is also called defect triage.

How Does Cybersecurity Triage Work?

Working similarly to medical triage, cybersecurity triage focuses on repairing and managing the systems that are most likely to be restored, considering the system's productivity and the potential yield of financial damages.

Consider the following scenario. 

• An organization receives reports that 500 devices and systems have been infected with fast-spreading malware. 

• Of those devices and systems, 400 of those are end users, 80 are non-critical, and 20 are critical servers.

• The organization doesn’t have adequate resources to remediate all devices at once, instead using cybersecurity triage to help decide which systems should be prioritized first.

Following prioritization, the second triage step usually includes initial event routing to the IT security team.

Depending on both the nature of the attack and target, cybersecurity teams are coordinated, assembled, and assigned to the triage task they’re best suited to handle.

For example:

• Threats like ransomware attacks are assessed by teams that are capable of isolating the endpoint devices to decrease collateral damage.
• DDoS attacks are handled by the network security team, where they may use sinkholes (a type of network honey pot) to sink malformed packets.
• Low-priority issues like reports of suspicious activities are handled by cybersecurity generalists.
• Breaches and intrusion evidence are promptly escalated to be assessed by incident management teams.

How to Perform Cybersecurity Triage Effectively

To properly assess incident information during triage, a cybersecurity team must ask the right questions and assess relevant data sources regarding the details of the attack. 

Effective triaging incorporates the following processes: 

• Evaluating whether an incident constitutes a cyber attack –  if so, determining which methods the hacker used;
• Assessing the scores of the source IP addresses, destination IP addresses, threat feed, and vulnerability;
• Confirming if the user account or other assets are compromised;
• Finding out other related vulnerabilities;
• Calculating attack density;
• Examining the history of attacks to see if anything is related to the current attack;
• Deciding how to respond to the attack or attacks.

Why is Triage Important?

Protecting digital information means managing a lightning-fast cybersecurity incident response strategy. However, incident response times may be hindered by the following factors:

• Outdated, complex, and non-specialized incident response tools;
• A high amount of false positives from automated tools;
• Ever-changing attack vectors that are becoming more advanced with each attack;
• A large inventory of third-party service providers.

Triage is one of the most fundamental components of cybersecurity incident response by enabling a response team to contain incidents more quickly.

Today’s dynamic cybersecurity landscape presents ongoing security alerts that flood IT teams with false positives. It’s crucial to assess every security alert efficiently in order to prioritize response efforts. Triage also helps organizations save resources and time and improve workflow. 

Any organization facing insufficient IT resources, understaffing, or data resources uses triage to prioritize the allocation of resources for optimal management of cybersecurity, financial, and operational procedures.

Triage and Incident Response Plans

While triage is the first step in an incident response process, an incident response plan is commonly the second in post-detection procedures that are handled by responders.

An incident response plan uses a combination of tools and methods that a security team uses to identify and resolve cybersecurity attacks, recover missing data, and repair compromised systems.

A strong incident response plan has very clear and decisive key solutions and tips for dealing with cybersecurity incidents, and it helps organizations prevent threats in the future.

Learn how to create an effective incident response plan.

Triage and SIEM

Security information and event management (SIEM) is a subfield in cybersecurity that helps with analyzing security alerts from apps and networks on an ongoing basis.

With the rise of big data, data dependence, IoT, and evolving cyber threats, companies need a detection system like SIEM to help them improve their security posture.

With SIEM, a company uses both security information management and security event management in real-time to cover crucial challenges like threat intelligence. SIEM also allows you to create and manage incident response procedures within an IT infrastructure.

Once a company’s detection system prompts an alert, SIEM helps with endpoint investigation to calculate threat severity. This is where cybersecurity triage comes in.

Triage can be integrated with an organization’s SIEM or SOAR (Security Orchestration, Automation and Response) solution so that it may offer better endpoint monitoring for first responders and help them decide on proper remediation.

Additionally, SIEM and intrusion detection systems (IDSs) can work together to prevent the leakage of sensitive data as well as any unauthorized access.

Learn more about SIEM.

Triage vs. Threat Intelligence

Threat intelligence comprises knowledge of current and potential cyber threats and cyber attacks that a company’s IT security team has gathered and can act upon proactively. It allows organizations to take charge against cyber attacks, rather than react when the damage is already done.

Threat intelligence helps organizations identify, prepare for, and prevent advanced persistent threats (APTs) and mitigate cyber attacks, such as malware, phishing, and ransomware. Its proactive capabilities allow executive management to better assess threats, mitigate attacks, and enhance their organization’s security posture.

Though triage is also a proactive approach to resolving cyber attacks, its main goal is to prioritize what needs to be resolved in which systems or networks. It doesn’t necessarily deal with collecting intelligence for potential cyber threats.

Learn more about threat intelligence.

Triage Software and Tools

Triage software aims to automate as much of the triaging process to provide responders with readily available context and situational awareness, enabling faster decision-making.

Triage tools assess and investigate attacked endpoints based on the severity of the cybersecurity attacks. Collected data is then analyzed in-depth for malware or suspicious activity.

There are many smart triage platforms that can identify anomalies, automate data collection and fusion, and assess and present the right information for context.

Organizations often implement triage tools for the following use cases:

• Automated data collection from a central repository;
• Threat scoring, in which triage leverages information from previous incidents;
• Threat intelligence;
• Malware scanning tools for identifying suspicious data;
• Suspicious activity review, in which data is taken from multiple sources (e.g., files, registry, log files, servers, web history) and merged into a simple, reconstructed interface for a better overview of suspicious system activity or anomalies.

Modern triage software paired with effective strategy helps IT teams respond faster to the recovery of crucial data, devices, and systems affected by security incidents. Incident prioritzation helps incident responders streamline their backlog processes to better handle all levels of cybersecurity incident levels.

UpGuard help can improve your organization’s triage process by:

• automatically classifying the severity of identified risks for faster prioritization;
• identifying cyber threats in real time;
• automating remediation workflows, allowing organizations to respond faster to high-risk security incidents;
• generating executive reports, to provide clear insights into incident response processes for management teams.