The Importance of Triage Investigations and Defining a Triage Strategy

Triage is a vital stage in the investigation process. Once you have established that an attack may well be in progress, the quicker you’re able to establish the root cause and scope of the attack, the higher the likelihood you’ll be able to limit the impact of the attack.

In a triage collection, you cast the net and pull in critical data from a wide set of machines to look for the telltale signs of attack. This often involves many endpoints, and could often extend to servers and containers too. Since you’re trying to make the best of your time and resources, exhaustively examining the full disk is likely to be too time-consuming. Instead, you concentrate on key data - in a triage collection, you often pull back:

• File system information
• System and application logs
• Command histories
• Key configuration files and registry hives
• Local account databases
• By examining this information you’re often able to ascertain which machines are likely to be the most affected and understand better where to concentrate deeper investigative efforts.

Defining Your Triage Strategy

Creating an effective triage strategy involves several key steps:

1. Working Out How You’re Going to Get Access: Establishing a reliable method for obtaining shell access to the affected machines is crucial. This step ensures that you can execute commands and scripts necessary for data collection and further investigation.

1. Defining the Set of Artifacts You’re Going to Need: Identifying the specific data and artifacts that are critical for your investigation helps streamline the triage process. This typically includes file system information, logs, command histories, configuration files, registry hives, and local account databases.

1. Working Out What to Do with the Artifacts When You Get Them: Having a clear plan for analyzing the collected artifacts is essential. This includes determining the tools and techniques you will use to process and interpret the data to identify signs of an attack.

1. Working Out What to Do If You Need to Do Deeper Investigation: Sometimes, initial triage might not be sufficient, and deeper investigation is required. Establishing a protocol for such scenarios ensures that you can efficiently transition to more detailed analysis when necessary.

Automating Triage Collection

Increasing the speed at which incident responders can perform their triage and analysis can drastically reduce the risk to an organization during an incident. Traditional incident response methods relied on a collection of tools, scripts, and manual analysis, often performed sequentially. This time-consuming approach often led to delays in identifying and mitigating threats.

The Cado platform can automatically collect triage data from Detection technologies such as SentinelOne and cloud native detection technologies:

With advancements in the Incident Response (IR) space, you can start to automate these processes today. Managed Security Service Providers (MSSPs) and many enterprise organizations have already adopted Security Orchestration Automation and Response (SOAR) platforms to help with this. These platforms enable the automation of evidence collection and processing, allowing incident responders to quickly determine whether to dive deeper into a system or move on to others.

Whether you choose to perform evidence collection and processing semi-manually or fully automated, the guidelines and best practices recommended here are applicable in all instances. Automating triage collection not only saves time but also ensures that critical data is gathered consistently and accurately, enabling faster and more effective incident response.

The importance of triage investigations cannot be overstated. By quickly identifying the root cause and scope of an attack, you can significantly limit its impact on your organization. Defining a clear triage strategy and leveraging automation tools can enhance your ability to respond to incidents efficiently and effectively, safeguarding your business from potential threats.

Cado Security delivers immediate insights into malicious activity, saving analysts precious time during event triage. The platform enables analysts to perform automated triage acquisitions of endpoint resources to gain deeper context in a shorter period of time. With Cado, security teams can quickly narrow the scope of their investigation, determine severity, and focus on what matters most – response:

If you’d like to try this out in your own environment, take advantage of our free trial.