CERT-CSIH Domain #3: Triage & Analysis

Triage and Analysis is the third domain of the CERT-CSIH certification exam and constitutes 28% of the overall objectives of the exam. Triage and analysis go hand-in-hand to help a CSIRT team in classifying events, conducting correlation analysis, prioritizing events, assigning events for further analysis, identifying the cause of an incident, analyzing intrusion artifacts and malware, performing vulnerability analysis and determining risks, threat level or a business impact of the incident.

Triage and Analysis techniques are applied when the Incident Detection phase has been completed. The incident data and intrusion artifacts that have been collected during the Incident Detection phase are now available for the Triage and Analysis phase. Further investigation is based on that data.

The following sections will take a deep dive to define how Triage the Analysis phase works.

Categorize Events/Incidents

Organizations should categorize events to determine their severity level and business impact. Since events occur in numerous ways, it’s inappropriate to establish step-by-step instructions for handling every event separately. Therefore, organizations should develop a general incident-handling plan that is able to deal with every event or events that are very common.

Some common events are listed below. However, they are neither comprehensive nor definitely classified.

• Theft or Loss of Equipment: Theft or loss of a media or any computing device, which contains an organization’s sensitive data, may trigger a serious event
• Performing Illegal Activities: Most organizations have “Acceptable Usage Policies” that bind users to only use authorized devices or applications within the organization’s facility. Employing any device/application illegally, such as installing third-party media applications, may provide an opening to malicious actors and then cause a significant event
• Email: Email messages often contain malicious links or attachments that cause an incident
• Web: An attack can be executed on the Web by exploiting browser vulnerabilities or (Read more...)