How to identify if an Incident is a True Positive or False Positive

In my experience as a SOC Manager, one of the challenges I am often faced with is hiring resources with the right skillset to investigate and respond to alerts from a SIEM. In my attempt to overcome this challenge, I often must hire fresh graduates from colleges, train them on the tools and platforms we leverage to support our clients to continue to build a pipeline of skilled resources due to the shortage of qualified cybersecurity professionals in the market.

Some of the questions I am often asked by new analysts are highlighted below.

  • How do I qualify an alert as a True positive or False positive?
  • How do I know what extended searches to carry out during my investigation process to qualify an alert?

These are the questions that I seek to answer in this article. Let’s dwell on the first question a bit.

There is no single way to address the first question. In my attempt to answer it, I will build a premise on what alerts are. What are alerts? Alerts are triggers that fire when a set of conditions is met. In the cybersecurity landscape, one of the major pillars of any cybersecurity program is Detect. The Detect function provides key risk indicators for perceiving cyber threats based on a given set of conditions. Therefore, a security alert is a notification of a perceived threat or suspicious behavior that could affect the Confidentiality, Integrity, and Availability of information assets and which, if left unchecked, could result in an incident.

This definition gives you the basic questions you should ask when investigating a security alert. Let’s break it down further by examining it within the context of a security use case.

Investigation Process

Example Use Case: Outbound communication with a TOR URL

Step 1: Validation of the Alert

Before you answer the question, you should validate that the communication the rule describes actually took place and check that the URL is in fact classified as TOR. How do you do this?

  1. Think about the information or traffic flow from the source to the destination. Identify the log sources that captured the flow and review the logs.
  2. Leverage threat intelligence to determine whether the URL is categorized as TOR.

Having validated that all the conditions of the rule are met and that the alert triggered as expected, you proceed to answering the questions within the context of the definition, as highlighted below.

Step 2: Risk Identification and Analysis

What risks does this pose to my information assets? Remember that earlier in this article we said that security alerts are key risk indicators of a perceived threat. To understand the threat this poses, you must understand the threats associated with TOR URLs. Within the context of those threats, how would this apply to your organization? A technique we leverage in this stage is the 5 basic questions: the What, the Why, the How, the When and the Where.

Furthermore, you cannot identify the risks without identifying their cause. Key questions to ask here are:

  1. What is initiating the outbound communication?
  2. Is it a user or a process?
  3. How is the communication being initiated?
  4. What ports are involved?

Another technique I learnt about is the 5 Whys. According to Sakichi Toyoda, by repeating “why” 5 times, the nature of the issue becomes clear and the solution is revealed.

Step 3: Draw Conclusions based on Findings from Step 2

Based on the information gathered, does this pose a perceived threat to my environment or not? If left unchecked, could this create bigger risks?

Is this suspicious behavior? In answering this question, a position of zero trust should be assumed. If the behavior being seen does not align with business expectations and established security policies and standards, no matter how benign it looks, it should be addressed immediately.

Step 4: Recommendations

Provide ways to mitigate the risks identified in step 2 and address the possible impact identified in step 3. Your recommendations should be the steps that should be taken to mitigate the risks identified in your findings. This implies that security controls shouldn’t just be thrown around if they do not address any of the risks identified in step 2.

In conclusion, a decision on whether this is a true or false positive can only be made when all the steps are put together and the risk the threat poses has been confirmed, based on your previous findings.
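To make the four steps concrete, here is an added example (it is not code from the original article or from any SOC tooling) that walks the TOR use case above as a small triage helper. It validates the alert against constructed proxy log lines and a constructed threat-intel lookup (Step 1), extracts the initiator, process and port (Step 2), compares the behavior with a constructed business-approval policy to reach a verdict (Step 3), and ties each recommendation to a risk it found (Step 4). All host names, users, process names and the `APPROVED_TOR_USE` policy are hypothetical values made up for the example.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed threat-intel lookup (hypothetical names, not a real feed).
TOR_INTEL = {
    "tor-exit.example.net": "TOR",
    "cdn.example.com": "CDN",
}

# Constructed policy: (user, host, process) tuples with a documented business reason to reach TOR.
APPROVED_TOR_USE = {("research01", "RS-01", "tor.exe")}

# Constructed proxy log lines in key=value form (timestamp first).
PROXY_LOGS = [
    "2024-01-10T09:12:03Z user=jdoe host=WS-042 proc=chrome.exe dest=cdn.example.com port=443 action=ALLOW",
    "2024-01-10T09:15:41Z user=svc_backup host=SRV-07 proc=updater.exe dest=tor-exit.example.net port=9001 action=ALLOW",
    "2024-01-10T09:20:00Z user=research01 host=RS-01 proc=tor.exe dest=tor-exit.example.net port=9001 action=ALLOW",
]


@dataclass
class Finding:
    verdict: str                      # "true_positive" or "false_positive"
    validated: bool                   # Step 1: flow was logged AND destination is TOR
    initiator: Optional[str] = None   # Step 2: "user/process" that started the flow
    port: Optional[int] = None        # Step 2: port involved
    risks: list = field(default_factory=list)            # Step 2/3 findings
    recommendations: list = field(default_factory=list)  # Step 4, one per risk


def parse_line(line: str) -> dict:
    """Turn one constructed key=value proxy line into a dict."""
    ts, *pairs = line.split()
    rec = {"ts": ts}
    for pair in pairs:
        key, value = pair.split("=", 1)
        rec[key] = value
    rec["port"] = int(rec["port"])
    return rec


def find_flows(logs, host: str, dest: str) -> list:
    """Step 1a: confirm the log source actually recorded the flow the rule claims."""
    return [r for r in map(parse_line, logs) if r["host"] == host and r["dest"] == dest]


def is_tor(dest: str) -> bool:
    """Step 1b: threat-intel categorisation of the destination."""
    return TOR_INTEL.get(dest) == "TOR"


def triage(alert: dict, logs) -> Finding:
    """Walk Steps 1-4 for an alert of the form {"host": ..., "dest": ...}."""
    flows = find_flows(logs, alert["host"], alert["dest"])
    if not flows or not is_tor(alert["dest"]):
        # The rule's conditions were not actually met: the alert itself misfired.
        return Finding(verdict="false_positive", validated=False)

    flow = flows[-1]  # most recent observed flow from this host to this destination
    finding = Finding(
        verdict="",
        validated=True,
        initiator=f"{flow['user']}/{flow['proc']}",
        port=flow["port"],
    )

    # Step 3: zero trust, but documented business expectations decide what is benign.
    if (flow["user"], flow["host"], flow["proc"]) in APPROVED_TOR_USE:
        finding.verdict = "false_positive"
        finding.recommendations.append("Record the approved use in the rule's exception list")
        return finding

    finding.verdict = "true_positive"
    # Step 2/4: each risk gets a recommendation that addresses it, nothing extra.
    if flow["action"] == "ALLOW":
        finding.risks.append("Allowed egress to an anonymising network (possible exfiltration or C2 channel)")
        finding.recommendations.append("Block egress to TOR destinations at the proxy/firewall")
    if flow["proc"].lower() not in {"tor.exe", "firefox.exe", "chrome.exe"}:
        finding.risks.append(f"Unexpected process {flow['proc']} initiating TOR traffic on {flow['host']}")
        finding.recommendations.append(f"Isolate {flow['host']} and collect process artefacts for forensics")
    if flow["port"] not in (80, 443):
        finding.risks.append(f"Non-standard egress port {flow['port']}")
        finding.recommendations.append("Restrict outbound ports for servers to approved services")
    return finding


if __name__ == "__main__":
    print(triage({"host": "SRV-07", "dest": "tor-exit.example.net"}, PROXY_LOGS))
    print(triage({"host": "RS-01", "dest": "tor-exit.example.net"}, PROXY_LOGS))
```

Running the helper on the constructed logs, the `SRV-07` alert comes back as a true positive with three risks and three matching recommendations, the `RS-01` alert is a validated false positive because the behavior matches an approved business use, and an alert whose destination is not in the TOR category (or whose flow never appears in the logs) is a false positive that never passed Step 1. The point is the shape of the decision, not the specific checks: the verdict is only reached once validation, cause and business context have all been considered.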

Based on the example use case we walked through, I hope that, at a high level, I was able to provide some clarification on how to qualify an alert as a True positive or False positive.

To be continued.
