bluespock.bsky.social
6 posts 1 followers 6 following
comment in response to post
These are some of the questions to find answers for during triage. This is the "what" to do & not the "how" to do it. How do we get those answers - that will depend on the data sources/telemetry available, aka logging, or via host forensics.
comment in response to post
contd... on the dst host, what activity was done in the login session? Does any of that activity match known threat actor behaviours?
comment in response to post
The questions to ask for that alert to triage it are: what is the src ip/host? What is the dst ip/host? What was the user name used to log in over SMB? Is there a correlation between the human who owns the src host & the user name used to log in to the dst host?
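An added example, not part of the original posts: the triage questions above (src host, dst host, user name, owner-to-user correlation, and activity in the logon session) expressed as one function run over constructed logon and process records. The inventory, alert fields and host/user names are all hypothetical.

```python
from typing import Dict, List, Tuple

# Constructed asset inventory: source IP -> (hostname, human owner). Hypothetical values.
ASSET_OWNERS: Dict[str, Tuple[str, str]] = {
    "10.0.1.15": ("WS-ALICE", "alice"),
    "10.0.1.22": ("WS-BOB", "bob"),
}

# Constructed SMB/network-logon alerts with simplified field names (hypothetical).
LOGON_ALERTS: List[dict] = [
    {"src_ip": "10.0.1.15", "dst_host": "FS01", "user": "alice", "logon_id": "0x3e7a"},
    {"src_ip": "10.0.1.22", "dst_host": "DC01", "user": "svc_backup", "logon_id": "0x41c2"},
    {"src_ip": "10.0.9.77", "dst_host": "FS01", "user": "alice", "logon_id": "0x5a10"},
]

# Constructed process events on the destination hosts, keyed by logon session id.
SESSION_ACTIVITY: List[dict] = [
    {"dst_host": "FS01", "logon_id": "0x3e7a", "process": "explorer.exe"},
    {"dst_host": "DC01", "logon_id": "0x41c2", "process": "wbadmin.exe"},
]


def triage_smb_logon(alert: dict, owners=ASSET_OWNERS, activity=SESSION_ACTIVITY) -> dict:
    """Answer the triage questions for one logon alert and return them as one record."""
    src_host, owner = owners.get(alert["src_ip"], (None, None))
    # Does the human who owns the source host match the account used on the destination?
    matches = owner is not None and owner.lower() == alert["user"].lower()
    # What ran on the destination host inside this logon session?
    procs = [e["process"] for e in activity
             if e["dst_host"] == alert["dst_host"] and e["logon_id"] == alert["logon_id"]]
    if src_host is None:
        verdict = "needs investigation: source host not in inventory"
    elif not matches:
        verdict = "needs investigation: user does not own source host"
    else:
        verdict = "likely benign"
    return {"src_ip": alert["src_ip"], "src_host": src_host, "src_owner": owner,
            "dst_host": alert["dst_host"], "user": alert["user"],
            "owner_matches_user": matches, "session_processes": procs, "verdict": verdict}


if __name__ == "__main__":
    for a in LOGON_ALERTS:
        print(triage_smb_logon(a))
```

The verdict only sorts alerts into "likely benign" versus "needs investigation"; the session process list is the starting point for the follow-on questions about what happened on the dst host.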
comment in response to post
If the conclusion of triage is "likely to be malicious" - then the work of figuring out the answers to: what happened, how did it happen, what is the extent & impact and how do we contain/mitigate/remediate takes place.
comment in response to post
Step 1 - for any human when presented with a cyber security alert is to triage it. Triage means - determine (with a high degree of confidence) if this is likely to be malicious or likely to be benign.
comment in response to post
To investigate, in general, means to ask the right questions & find the answers. Investigations happen in many fields (apart from cyber) - police cases, medical work, accidents, IT troubleshooting, code debugging, etc. At the core of any investigation is framing the right questions in the right order.