Make Sure You do Some Incident Pruning to Maintain Security Operations Efficiency and Focus
If you’re an avid gardener then you’re probably getting ready for pruning time – the season when you trim shrubs and trees to keep them healthy, blooming and the right shape and height so they don’t overtake your garden. As a security professional, it’s always pruning time.
“Incident pruning” may not be a term you’re familiar with, but it is an important process that helps keep investigations from becoming unwieldy and unproductive because of too much data or too many possibilities to pursue. Incident pruning involves removing “dead end” investigation paths during an incident that have been deemed benign, irrelevant or out of scope. The practice goes hand in hand with visualization, a capability that helps us see which threads to pull that will lead us to what is happening or has occurred. Incident pruning enhances visualization, allowing us to have a clear view of these threads – a view that isn’t blocked by unnecessary information.
There are two variations of incident pruning: incident deadheading and incident thinning. Deadheading involves stopping an investigation path and deleting data that isn’t viable or returns negative findings. Thinning involves removing less relevant data from that particular investigation’s visualization, but keeping it. Should the data become pertinent at a later time to another investigation, it can then be shared globally.
Incident pruning is an important, foundational activity, but it sometimes gets overlooked. As you search for ways to enhance your security processes, here are five things you should know about incident pruning and how to apply it to improve investigations, threat hunting and incident response.
1. Whether to remove data or track and archive it. This isn’t an either/or but a when/why discussion. Security organizations without dedicated incident response (IR) or threat hunting teams tend to find incident deadheading more useful. The practice of deleting data that isn’t immediately relevant narrows the investigation scope and helps security analysts maintain focus on higher risk efforts. Dedicated IR and threat hunting teams find value in incident thinning, decluttering an investigation by maintaining and de-prioritizing the data so that it is available for future reference. Organizations should identify a platform that supports both to grow with them as their security operations matures.
2. When to engage in pruning. While always a useful practice, here are some rules of thumb for when to prioritize incident pruning:
• When the number of analysts increases beyond four or five
• When more than three roles are involved
• If two or more analysts within the same role are involved
• When transitioning from simplistic, fact-finding efforts to analysis of more complex attack methods and multiple investigation paths
• When the attack extends beyond 10 infected victims requiring individual dissection of the attack
• When the attack reaches a point of lateral movement across five or more hosts
3. Managing the pruning process. The decision to deadhead an investigation to avoid inefficiency and confusion is typically driven from the top down, as it requires someone with a strategic view of the investigation, such as an IR team lead. In contrast, thinning is usually done bottom up, as analysts are in the best position to determine which data points are relevant and should be published globally to share with other teams.
4. The role of automation in pruning. The human element will always remain vital in security operations, but automation has its place. With respect to incident pruning, automation logic can be applied to perform incident pruning based on:
• A low threat or probability score provided by an analyst
• A stale node/object based on the lack of activity taken against an item over a prolonged period
• A lack of associated characteristics strongly suggesting the item is a conceptual stretch within the investigation and is irrelevant to the case
5. The stages of an investigation that benefit from pruning. Using the SANS Incident Response Checklist as a guideline for the investigation stages, incident pruning can provide value during four of the six stages:
• Identification – to minimize investigation clutter and duplicating efforts, pruning is essential in this phase
•Containment – to eliminate counter measures which are not effective
• Eradication – to help monitor status and keep track of hosts that are still infected and those that have been returned to a safe end state
• Recovery – to help track the implementation of defensive countermeasures for each attack phase
Investigations, threat hunts and incident response are complex efforts. Visualization helps you see patterns and linkages so you can quickly determine which threads to pull. But for the clearest view, make sure you do some incident pruning first to maintain security operations efficiency and focus.