Triage, Scoping and Threat Hunting: Maslow’s Hierarchy of Needs in Incident Response

Triage, Scoping and Threat Hunting

by Bricata

Advanced threats that use lateral spread techniques are becoming more commonplace. This has important implications for incident management that we can liken to Maslow’s Hierarchy of Needs for incident response.

The lateral movement of malware made headlines in 2017 when the WannaCry variant of ransomware was released. It was able to spread laterally using the EternalBlue exploit. While the damage stemming from WannaCry was less than originally feared, this emerging method of spreading malware was concerning and for good reason.

In July 2017, Equifax discovered that their network had been compromised as early as the previous May.  More importantly, that the initial exploit spread to more than 17 other servers, setting up 30 web shells in the process.

That bad actors have long been able to infiltrate a network and wait for the right moment to attack is alone enough to expand incident response processes. Now that some of these attacks have the capacity to spread laterally, it’s an imperative.

To that end, incident response may be best considered in a framework that mirror’s Maslow’s Hierarchy with three primary organizational needs:  triage, scoping and threat hunting.

Triage as Incident Response Need 1

For many organizations, this entry level of the hierarchy is all that is possible. During this process, a team will sift through the many alerts generated by their various detection systems to determine which alerts require immediate attention and which may be more safely deprioritized or ignored.

Success with this strategy assumes that the deployed detection solutions can identify the most important threats and that remediating the initial threat target will also completely stop the threat.

As recent events have shown, the increase in laterally moving malware makes exclusive dependence on this process alone problematic.  In the Equifax breach, the threat actors rapidly moved from the initially compromised target to other systems within the network to establish a “beachhead” should the initial target become discovered and remediated.

There’s more that needs to be done following triage.

Also see these related posts:
7 Key Cybersecurity Factors Shaping Threat Hunting Technologies
What is Bro? And Why IDS Doesn’t Effectively Describe It [Overview and Resources]
What is File Carving and How Does it Enhance Network Security?

Scoping as Incident Response Need 2

The middle category of the hierarchy includes a more comprehensive approach to determine the true extent of an event. Thorough scoping will ensure that an incident response team doesn’t remediate the initial target while leaving a broader breach unaddressed.

This would include identifying the root cause of the event, identifying whether the threat also compromised other systems, and determining what, if any, data was exfiltrated. In an ideal environment, these questions would be answered as part of the initial response and triage, and the incident responders would have the tools available to address these concerns rapidly.

Scoping is most effective when a threat spreads from an initial target that the incident response team has positively identified. However, it does not address the threat that may have been introduced outside of the visibility of the detection systems installed in the network, which leads us to the third need.

Threat Hunting as Incident Response Need 3

Threat hunting is the process of searching for threats that have potentially gone undetected and are currently hiding on the network. Usually, threat hunters, based on the combination of experience and data, have a hunch to pursue.

The process may begin with identifying the behaviors of other attacks and then looking for signs of those attacks present on the network. It may also begin with observing unusual traffic patterns, abnormal protocol activities, or anomalous resource usage on the network.

Engaging in threat hunting means that you are taking a more proactive approach to cyber defense. It often begins with the assumption that, regardless of the defenses in place, that there is always the potential that there is a threat that may have evaded detection.

This is a reasonable assumption, given the 2017 Cost of Data Breach Study by the Ponemon Institute found the mean-time-to-identify (MTTI) was 191 days, while the mean-time-to-compromise (MTCC) was 66 days and ranged anywhere from 10 to 164 days.

Building Organizational Maturity in Incident Response

Not all incident response processes are created equal. The resources available to an organization often dictate what level of incident response is possible. However, when viewing incident responses in the likeness of Maslow’s Hierarchy, it provides a sense of the maturity security organizations have achieved in the current threat environment.

To climb the hierarchy, security organizations must:

1) Provide personnel with the goal, focus, and training to improve incident response maturity

2) Implement scoping and threat hunting requirements as a matter of policy

3) Provide the technological resources that facilitate scoping and threat hunting as a natural progression in incident response

A little effort will help advance your organization higher up on the hierarchy and may help you prevent an advanced targeted threat from spreading within your organization.

Note: A version of this post was originally published as part of the CSO Online contributor network under the title, Maslow’s hierarchy of needs for incident response.

If you enjoyed this post, you might also like:
This Independent Cybersecurity Product Review Doubles as an Outline for How to Start Threat Hunting with Existing Tools and Skills  


Back to Blog

Bricata and Garland Technology Announce Partnership
Technology Partnership delivers total network visibility and threat hunting to accelerate detection and response
+ +