Gestión de Incidentes y Triage (4 parte

Study Notes

Triage is a system used by healthcare or emergency personnel to prioritize limited medical resources when the number of patients needing assistance exceeds available resources.
Triage is crucial for incident management, providing a central point for information flow within an organization, enabling a holistic view of the activity.
It facilitates an initial assessment of incoming reports and logs them for processing, acting as a starting point for documentation and data input.
Triage provides a snapshot of all reported activity (open and closed reports, pending tasks, quantity of reports of each type).
This process helps identify potential security issues, prioritize tasks, and generate vulnerability and incident statistics for high-level executives. Only experienced team members should perform triage.
Prioritization is based on potential impact and capacity to address the incident.

Incident reports should be secured and numbered.
The incident life cycle is cyclical, not linear, focusing on resolution and information sharing with stakeholders, resulting in a completed incident.
Informational reports should be prepared for management regarding the incident.
Lessons learned from the incident should be documented for future use.
Data should be archived for future use.

Data sources represent various technological objects in an organization's infrastructure, offering data (properties/values).
Accurate data selection is crucial for effective threat detection, investigation, and response.
Prioritize data sources based on importance. Overwhelming information can hinder security management.
The MITRE ATT&CK framework provides a relevant table of data source examples.

Cyber intelligence involves structured, contextually assessed, and evaluated cyber threat information.
This analysis mitigates and helps identify and understand risks and opportunities.
The intelligence cycle is iterative with requirement setting, data collection planning and execution, results analysis, dissemination, and reevaluation based on new information.
Analysis differentiates cyber intelligence from data collection and dissemination.
Cyber threat analysis focuses on actor intent, capability, and methods (TTPs).

Strategic intelligence provides a high-level view of threats and helps develop policies.
Operational intelligence assesses specific incidents and aids in response.
Tactical intelligence addresses daily operations, such as incident response.

Cyber threat information sharing is vital in countering sophisticated adversaries.
Sharing allows a wider understanding of adversary actions, thereby aiding in efficient threat mitigation efforts.
The current practice of information sharing often requires manual processes.
Standardized exchange protocols (MISP, TAXII, etc.) facilitate effective information flow across organizations.

Ticketing systems facilitate interaction with varied stakeholders, enabling efficient issue resolution.
Ticketing systems feature separate queues for triage, report management, incident management, investigation, and response.
Communication between internal teams and external entities should be structured for effective incident management.
Clear communication, prioritization, and tracking of tickets, using customizable fields for personalization, enhance incident management.
Tools and features, such as automated reporting and ticket status tracking, contribute to efficient operations.

RTIR is open-source incident response software.
Provides predefined queues for efficient incident management (reports, investigations, countermeasures).
Capabilities that allow correlation between incident reports and automated or manual responses are available.
Data from multiple incident trackers can be linked for root-cause analysis.