Module 6: Incident Detection and Identification

Passive Incident Alerting

Using Alerts as a Starting Point

Use an alert as your starting point and move forwards/backwards.

How to Correlate Alerts

Are they logically related? Look further into 'em to confirm.

Active Incident Discovery

Threat Hunting

SOCs react, Threat Hunters proactively hunt.

Third-Party Sources

Third parties sometimes provide alerts of suspicious activity.

Identifying False Positives

Understanding the Impact of False Positives

They waste time, increasing alert fatigue.

Understanding Incident vs Event

A cyber security event is an observable occurrence in a system or network that may have an impact on an organization.
A cyber security incident is an event or a set of events that have a negative impact on the security of an organization.
A precursor is an event that is a sign of potential future incidents.
An indicator is evidence that an incident may have already occurred or is currently occurring.

False Positive Case Studies

This was a walkthrough of a challenge.

Automating Away False Positives

Remove old alerts, adjust thresholds, etc.

Identifying Attack Chains

Identifying Single-Host Compromise

Make a list of CVEs, search on them.

Identifying a Full Compromise

No big difference, again, follow the event timeline.

PreviousModule 5: Common Attack Techniques NextModule 7: Initial Impact Assessment

Last updated 1 year ago

hashtagPassive Incident Alerting

hashtagUsing Alerts as a Starting Point

hashtagHow to Correlate Alerts

hashtagActive Incident Discovery

hashtagThreat Hunting

hashtagThird-Party Sources

hashtagIdentifying False Positives

hashtagUnderstanding the Impact of False Positives

hashtagUnderstanding Incident vs Event

hashtagFalse Positive Case Studies

hashtagAutomating Away False Positives

hashtagIdentifying Attack Chains

hashtagIdentifying Single-Host Compromise

hashtagIdentifying a Full Compromise