What Do You Investigate First?

A colleague of mine who runs another Fortune 10 CIRT asked the following question:

Let's say for example, there is a cesspool of internal suspicious activity from netflow, log and host data. You have a limited number of resources who must have some criteria they use to grab the worst stuff first. What criteria would you use to prioritize your investigation activities?

There are two ways to approach this problem, but they will likely converge at some point anyway:

1. Focus on the assets.


2. Focus on the threats.

Focus on the assets means identify the most critical assets in your organization. You pay the most attention to them regardless of who you think is causing suspicious or malicious activity that may or may not affect those assets. In other words, whether you believe a mindless malware sample or an advanced threat may be affecting those critical assets, you still devote resources to collection and analysis of activity involving those assets.

Focus on the threats means identifying the most worrisome threats to your organization. You pay the most attention to them regardless of what assets they may target. In other words, whether you see these threats conduct reconnaissance or enterprise-wide exploitation, you still devote resources to collection and analysis of activity involving those threats.

I say these two approaches are likely to converge, because at some point you will see your most critical assets targeted by your most worrisome threats. In fact, you are likely to determine that a threat is the most worrisome precisely because it spends the most time and effort trying to access your critical assets.

I think operationalizing both approaches is tough, because many don't really know what is most important, or how to identify the most worrisome threats. Identifying critical assets is probably easier. If you identify critical assets, and then identify dedicated threats to those assets, you're probably in a position to now deal with both approaches.

You probably notice I've mentioned two of the three components of the risk equation -- assets and threats. I did not mention vulnerabilities yet. Yes, you could decide what assets have the most vulnerabilities and focus on suspicious and malicious activity affecting those assets. A lot of shops do this because it is probably the easiest approach, since identifying and categorizing vulnerabilities is probably easier than doing the same for assets and threats. However, you might waste a lot of time chasing assets which aren't as important as others. Still, this is another approach if you find that you can't make any progress on the asset- or threat-centric approaches.
Tweet