Context Gathering
The objective of context gathering is to enhance the analyst's understanding of the incident by collecting additional information that gives the alert context and background. A more comprehensive view of the situation supports an accurate assessment of the incident's significance and potential impact.
Process:
Source IP Address Investigation:
- Identify the source IP address triggering the alert.
- Investigate historical data associated with the source IP to determine if it has been involved in previous incidents.
- Evaluate the source IP’s reputation and any known malicious activity.
Destination IP Address Analysis:
- Determine the role and function of the destination IP address within the organization.
- Assess whether the destination IP is a critical asset, server, or endpoint.
- Analyze any historical patterns of communication involving the destination IP.
Activity Patterns:
- Examine the patterns of activity leading to the alert.
- Look for anomalies or deviations from typical behavior.
- Consider whether the alert is part of a larger pattern of incidents.
Historical Context:
- Review historical data related to similar incidents or alerts.
- Identify any recurring themes or trends that could provide insights into the current incident.
- Consider past incident resolutions and their effectiveness.
Asset Sensitivity:
- Evaluate the sensitivity of assets involved in the incident.
- Identify if the incident involves access to sensitive data or critical systems.
- Determine the potential impact on the organization based on the sensitivity of the assets.
Communication Context:
- Understand the nature of communication between the source and destination IPs.
- Analyze the protocols, ports, and services involved in the communication.
- Consider the legitimacy of the communication based on organizational policies.
External Correlation:
- Correlate internal alerts with external threat intelligence.
- Check for any indicators of compromise (IOCs) associated with the incident.
- Determine if the incident aligns with known threat actor TTPs (Tactics, Techniques, and Procedures).
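As an added illustration of the procedure above (example code, not part of this playbook), the following Python enriches a single alert with the source-history, asset-sensitivity, communication-policy and threat-intel context items and derives a coarse severity from them. Every lookup table and the scoring weights are constructed stand-ins for a CMDB, SIEM history and intelligence feed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample data standing in for the CMDB, SIEM history and intel feeds.
ASSET_INVENTORY = {  # destination IP -> role, criticality, expected (protocol, port) pairs
    "10.0.5.20": {"role": "HR database", "critical": True, "allowed": {("tcp", 5432)}},
    "10.0.9.44": {"role": "developer workstation", "critical": False, "allowed": {("tcp", 22), ("tcp", 443)}},
}
ALERT_HISTORY = {"203.0.113.7": 4}                        # prior alerts per source IP (constructed)
REPUTATION_BLOCKLIST = {"203.0.113.7"}                    # externally reported bad IPs (constructed)
THREAT_INTEL_IOCS = {"203.0.113.7": "T1110 Brute Force"}  # IOC -> associated TTP (constructed)
INTERNAL_NETS = [ip_network("10.0.0.0/8")]

@dataclass
class Alert:
    src_ip: str
    dst_ip: str
    dst_port: int
    protocol: str

def gather_context(alert: Alert) -> dict:
    """Enrich one alert with the playbook's context items and a coarse severity."""
    asset = ASSET_INVENTORY.get(alert.dst_ip, {"role": "unknown", "critical": False, "allowed": set()})
    src_internal = any(ip_address(alert.src_ip) in net for net in INTERNAL_NETS)
    ctx = {
        # Source IP investigation: prior incidents and reputation
        "src_prior_alerts": ALERT_HISTORY.get(alert.src_ip, 0),
        "src_blocklisted": alert.src_ip in REPUTATION_BLOCKLIST,
        "src_internal": src_internal,
        # Destination analysis and asset sensitivity
        "dst_role": asset["role"],
        "dst_critical": asset["critical"],
        # Communication context: is this protocol/port expected for the asset?
        "comm_allowed_by_policy": (alert.protocol, alert.dst_port) in asset["allowed"],
        # External correlation: known IOC and the TTP it maps to, if any
        "ioc_match": THREAT_INTEL_IOCS.get(alert.src_ip),
    }
    # Weights are illustrative; a real playbook would tune them to the environment.
    score = (2 * ctx["src_blocklisted"] + 2 * bool(ctx["ioc_match"]) + 2 * ctx["dst_critical"]
             + (not ctx["comm_allowed_by_policy"]) + (ctx["src_prior_alerts"] > 0) + (not src_internal))
    ctx["severity"] = "high" if score >= 5 else "medium" if score >= 3 else "low"
    return ctx
```

The returned dictionary is the enrichment record an analyst would attach to the alert before the categorization and risk assessment described under Outcome.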
Outcome: The context gathering process should provide the analyst with a more nuanced understanding of the incident, enabling informed decision-making regarding the severity, impact, and appropriate response actions. The information collected during this phase contributes to a more accurate incident categorization and risk assessment.