Identification – detection and analysis

Having gone through the process of preparation, we are ready to discuss the activities around detection and analysis.

A key concept that you must understand and develop as a core component of your incident response capability is the concept of incident triage. The reality is that not all incidents are treated the same, and by using a triage approach you are able to focus on the events that are important while ignoring the noise.

The following list provides a sample of the potential attack vectors that can be used by an attacker that the incident responder will need to be prepared to respond to. Each one of the following categories is very different in how it can be exploited, and therefore will require different mechanisms to discover abnormal behavior:

  • Compromised credentials: An attack made possible due to the harvesting of information system credentials:
    • System (OS) / service account compromises
    • User account compromises
  • Web attacks: Attack vector that utilizes a web browser to install malware or harvest credentials:
    • Drive-by downloads
    • Cross-Site Scripting
  • Removable media: An attack delivered via removable media:
    • USB thumb drives or DVDs left in a parking lot
    • Unsecured USB thumb drives being used by an unauthorized individual
  • Email attack: An attack that utilizes email as a vector to deliver malware:
    • Business email compromise
    • Phishing emails / spear phishing emails
  • Loss or theft of equipment: The loss of a device allowing an unauthorized user to have access to intellectual property:
    • Laptops without hard drive encryption
    • Mobile devices improperly configured to encrypt sensitive information
  • Information system misconfigurations: Attack vector that takes advantage of misconfigurations in the information system:
    • Vulnerable software configurations
    • Anonymous FTP servers
    • Open proxy servers
    • Patching not maintained
  • Improper usage: This is an incident that is generated by an authorized user performing unauthorized actions:
    • Insider threat
    • Employee exfiltration of intellectual property

Another important concept related to detection and analysis is automation, and in particular the proper configuration of your automation tools. Tools are great to have, but an improperly configured tool makes your job harder. Some thoughts to remember when configuring your automated tools include:

  • You don't need everything: Sometimes, as information security professionals, we want to make sure that we have every aspect of an information system fully logged and fully available for us to search.

The reality is that this costs an incredible amount of money to do, and it can make it almost impossible to find actionable information in your automated tool. Additionally, the number of false alerts is usually very high because the information is not targeted enough to perform searches against.

Instead, perform a requirements analysis and ingest only the information you need into your incident response tools. Doing this will allow you to do more, with better data.

  • Your rules need to be good: Many will purchase security tools and do nothing with them, assuming the inbuilt rules are good enough. While the inbuilt rules may be good, they do not address the specific concerns related to your information system, and they certainly do not address all the work that you did with your business stakeholders to determine what was critical to the organization.

Instead, model the rule sets you build in your incident response tools on your information systems. If you have critical information and information systems, you should make sure that your automation is being used to analyze those assets.
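The triage approach described at the start of this section, and the two configuration points above (ingest only what the requirements analysis selected, and weight rules by the asset criticality agreed with business stakeholders), can be combined into a small priority scorer. This is an added example, not code from the book; the alert format, severity weights, asset criticality values and log-source names are constructed for illustration.

```python
"""Incident triage scoring over constructed alerts (added example).
Assumes a hypothetical SIEM emits alerts as dicts with 'category',
'asset' and 'source' fields; none of these names come from the book."""

# Attack-vector categories from the chapter, with assumed base severities.
BASE_SEVERITY = {
    "compromised_credentials": 7,
    "web_attack": 5,
    "removable_media": 4,
    "email_attack": 5,
    "equipment_loss": 6,
    "misconfiguration": 3,
    "improper_usage": 6,
}

# Asset criticality agreed with business stakeholders during preparation (constructed).
ASSET_CRITICALITY = {"payroll-db": 3, "hr-fileshare": 2, "kiosk-01": 1}

# Only log sources chosen by the requirements analysis are ingested; the rest is noise.
INGESTED_SOURCES = {"auth", "edr", "proxy"}

def ingest(raw_alerts):
    """Drop alerts whose source was not selected by the requirements analysis."""
    return [a for a in raw_alerts if a.get("source") in INGESTED_SOURCES]

def score(alert):
    """Priority = base severity of the vector x criticality of the touched asset.
    Unknown categories and assets default to 1 so they are never silently dropped."""
    base = BASE_SEVERITY.get(alert["category"], 1)
    crit = ASSET_CRITICALITY.get(alert["asset"], 1)
    return base * crit

def triage(raw_alerts, threshold=10):
    """Return (escalate, backlog): alerts at or above threshold, highest first, then the rest."""
    scored = sorted(((score(a), a) for a in ingest(raw_alerts)), key=lambda s: -s[0])
    escalate = [a for s, a in scored if s >= threshold]
    backlog = [a for s, a in scored if s < threshold]
    return escalate, backlog

SAMPLE_ALERTS = [  # constructed sample input
    {"category": "compromised_credentials", "asset": "payroll-db", "source": "auth"},
    {"category": "misconfiguration", "asset": "kiosk-01", "source": "scanner"},
    {"category": "email_attack", "asset": "hr-fileshare", "source": "edr"},
    {"category": "web_attack", "asset": "kiosk-01", "source": "proxy"},
]

if __name__ == "__main__":
    esc, back = triage(SAMPLE_ALERTS)
    print("escalate:", [a["asset"] for a in esc])  # payroll-db, hr-fileshare
    print("backlog:", [a["asset"] for a in back])   # kiosk-01
```

The same web attack scores three times higher against the payroll database than against the kiosk, which is exactly the stakeholder-driven weighting a generic inbuilt rule cannot provide.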
