In cybersecurity, triage is the initial process of assessing and prioritizing security alerts, events, or incidents to determine their severity, impact, and the appropriate level of response required.

Cybersecurity triage is a critical first step in the incident response lifecycle, focusing on the rapid evaluation of incoming security alerts and events. Its primary goal is to quickly distinguish between benign activity, false positives, and genuine threats, then prioritize the latter based on factors such as potential impact, urgency, and likelihood of exploitation. This methodical process involves collecting initial information, categorizing the event, determining its severity, and assigning it to the appropriate team or automated workflow for further investigation and resolution. Effective triage ensures that limited security resources are focused on the most critical threats, preventing alert fatigue and minimizing potential damage from successful attacks.

What is triage in cybersecurity?

In cybersecurity, triage refers to the structured process of rapidly evaluating and sorting security alerts, events, and potential incidents to determine their legitimacy, severity, and priority. Borrowed from medical terminology, where triage is used to prioritize patients based on the urgency of their condition, cybersecurity triage applies the same principle to digital threats. Security analysts in a Security Operations Center (SOC) perform triage by examining incoming alerts generated by tools such as SIEM systems, intrusion detection systems (IDS), endpoint detection and response (EDR) platforms, and firewalls.

The triage process typically involves three core activities:

  • Verification: Confirming whether an alert represents a real security event or a false positive.
  • Classification: Categorizing the event by type (e.g., malware, phishing, unauthorized access, data exfiltration).
  • Prioritization: Assigning a severity level based on the potential impact to the organization, the assets involved, and the threat's urgency.

As outlined in the NIST Special Publication 800-61 Rev. 2, triage is an essential component of the detection and analysis phase of incident response, ensuring that genuine threats receive the attention and resources they demand.

Why is triage important in incident response?

Triage is indispensable in incident response for several critical reasons:

  • Combating alert fatigue: Modern SOCs can receive thousands or even tens of thousands of alerts per day. Without effective triage, analysts become overwhelmed, leading to missed threats and burnout. Triage filters the noise so analysts can focus on what truly matters.
  • Optimizing resource allocation: Security teams operate with finite personnel, time, and tools. Triage ensures that the most severe and impactful incidents receive priority attention, while lower-risk events are queued or handled through automated workflows.
  • Reducing response time: By quickly identifying and escalating high-severity incidents, triage significantly shortens the mean time to detect (MTTD) and mean time to respond (MTTR), which are key metrics tracked by organizations following SANS Institute incident response frameworks.
  • Minimizing damage: Rapid triage can be the difference between containing a breach early and suffering a catastrophic data loss. The faster a genuine threat is identified and escalated, the less time an attacker has to move laterally, exfiltrate data, or deploy ransomware.
  • Maintaining compliance: Many regulatory frameworks require organizations to detect, assess, and report incidents within specific timeframes. Effective triage supports compliance with these requirements.

How to conduct incident triage?

Conducting effective incident triage requires a combination of well-defined processes, skilled analysts, and supporting technology. Here is a step-by-step approach:

  1. Collect initial data: Gather all available information about the alert, including timestamps, source and destination IP addresses, affected systems, user accounts involved, alert type, and any related log data.
  2. Validate the alert: Determine whether the alert is a true positive, false positive, or benign true positive. Cross-reference the alert with threat intelligence feeds, known indicators of compromise (IOCs), and contextual information about the environment.
  3. Classify the event: Categorize the incident type using a standardized taxonomy. Common categories include malware infection, phishing attempt, unauthorized access, denial-of-service, insider threat, and data exfiltration.
  4. Assess severity and impact: Evaluate the potential business impact by considering factors such as the criticality of affected assets, the sensitivity of data at risk, the scope of the compromise, and the threat actor's capabilities.
  5. Prioritize and escalate: Assign a priority level (e.g., critical, high, medium, low) and route the incident to the appropriate response team or automated playbook. Critical incidents should trigger immediate escalation to senior analysts or incident response leads.
  6. Document findings: Record all triage decisions, observations, and actions in the incident tracking system for audit trails, reporting, and future reference.

For example, if a SIEM system generates an alert for multiple failed login attempts on a critical server, the triage analyst would verify whether this represents a brute-force attack or simply user error by examining login patterns, source IPs, and account lockout policies. Similarly, when an email security gateway flags a phishing email in an executive's inbox, triage involves assessing the malicious payload, checking whether any users clicked the link, and determining the scope of potential compromise.
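As an added illustration of steps 2 through 5 applied to the failed-login scenario above (example code written for this page, not from any SIEM or SOAR product), the script below parses constructed SSH authentication log lines, groups failures by source IP, separates a likely brute-force pattern from ordinary user error, and assigns a severity from a hypothetical asset-criticality table. The log format, thresholds and host names are assumptions, not page values.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from a real system).
SAMPLE_LOG = """\
2024-05-01T10:00:01 sshd[101]: Failed password for admin from 203.0.113.7
2024-05-01T10:00:02 sshd[101]: Failed password for root from 203.0.113.7
2024-05-01T10:00:03 sshd[101]: Failed password for backup from 203.0.113.7
2024-05-01T10:00:04 sshd[101]: Failed password for oracle from 203.0.113.7
2024-05-01T10:00:05 sshd[101]: Failed password for admin from 203.0.113.7
2024-05-01T10:00:06 sshd[101]: Failed password for test from 203.0.113.7
2024-05-01T10:05:10 sshd[102]: Failed password for alice from 192.0.2.20
2024-05-01T10:05:25 sshd[102]: Failed password for alice from 192.0.2.20
2024-05-01T10:05:40 sshd[102]: Accepted password for alice from 192.0.2.20
"""

LINE_RE = re.compile(r"^(\S+) sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+)$")

# Hypothetical asset inventory used in the severity step (step 4).
ASSET_CRITICALITY = {"db-prod-01": "critical", "dev-box-03": "low"}

def parse_auth_log(text):
    """Step 1: collect timestamp, outcome, account and source IP per line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, outcome, user, src = m.groups()
            events.append((datetime.fromisoformat(ts), outcome, user, src))
    return events

def triage_failed_logins(events, host, window=timedelta(minutes=1), threshold=5):
    """Steps 2-5: validate, classify and prioritize failed logins per source IP."""
    by_src = defaultdict(list)
    for ts, outcome, user, src in events:
        by_src[src].append((ts, outcome, user))
    results = []
    for src, evs in by_src.items():
        failed = [e for e in evs if e[1] == "Failed"]
        users = {e[2] for e in failed}          # distinct accounts tried
        span = failed[-1][0] - failed[0][0] if failed else timedelta(0)
        accepted = any(e[1] == "Accepted" for e in evs)
        if len(failed) >= threshold and span <= window and len(users) > 1:
            # Many accounts from one IP in a short burst: brute force, not a typo.
            cls = "brute-force"
            sev = "critical" if ASSET_CRITICALITY.get(host) == "critical" else "high"
        elif accepted and len(users) == 1 and len(failed) < threshold:
            cls, sev = "user-error", "low"      # a few misses, then a normal login
        else:
            cls, sev = "suspicious-login", "medium"  # needs analyst follow-up
        results.append({"source": src, "classification": cls, "severity": sev,
                        "failed": len(failed), "accounts": sorted(users)})
    return results
```

The returned records are what step 6 would write to the incident tracking system; the same source IP lands at a different severity depending on which host it targeted.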

Organizations can enhance triage efficiency by leveraging Security Orchestration, Automation, and Response (SOAR) platforms, which automate repetitive triage tasks and enrich alerts with contextual threat intelligence, as recommended by CISA.

When does incident triage occur?

Incident triage occurs at the very beginning of the incident response process, specifically during the detection and analysis phase. It is triggered immediately when a security alert or event is generated by monitoring tools, reported by users, or identified through threat hunting activities. In a well-functioning SOC, triage operates continuously as a 24/7 process, with Tier 1 analysts serving as the first line of defense responsible for initial assessment.

Triage is not a one-time activity. It can also recur during the lifecycle of an incident as new information emerges. For instance, an event initially classified as low severity may be re-triaged and escalated to critical if additional evidence reveals a broader compromise. This iterative approach aligns with the guidance provided in the NIST Incident Handling Guide, which emphasizes continuous reassessment throughout the response process.

Which incidents require immediate triage?

While all security alerts should go through the triage process, certain types of incidents demand immediate and urgent triage due to their high potential for damage:

  • Ransomware and destructive malware: Any indicator of ransomware deployment or wiper malware requires instant triage and escalation, as delays can lead to widespread encryption or destruction of data.
  • Active intrusions and lateral movement: Alerts indicating an attacker is actively moving through the network, escalating privileges, or accessing sensitive systems must be triaged immediately.
  • Compromise of privileged accounts: Unauthorized access to administrator, root, or executive-level accounts represents a critical threat that can enable full network compromise.
  • Data exfiltration in progress: Alerts showing large volumes of data being transferred to external destinations, especially from sensitive repositories, require urgent assessment.
  • Exploitation of zero-day or critical vulnerabilities: Active exploitation of unpatched or newly disclosed vulnerabilities, particularly those listed in CISA's Known Exploited Vulnerabilities Catalog, warrants immediate triage.
  • Attacks on critical infrastructure: Any incident targeting systems essential to business operations, public safety, or regulatory compliance must receive the highest priority.
  • Targeted phishing against executives: Spear-phishing or business email compromise (BEC) attempts directed at C-level executives or employees with access to financial systems require rapid assessment, as recommended by OWASP application security principles.

By establishing clear criteria for immediate triage, organizations can ensure that the most dangerous threats are addressed before they escalate into full-blown security incidents.