What is threat investigation?
Before deciding on a course of action, SOC analysts must determine the nature and tactics of a threat so they can respond to it appropriately. Threat investigation and digital forensics are the process of gathering evidence related to a flagged threat in order to validate the alert and inform response and recovery activities. The goal of any investigative effort is to validate, understand, and react to events unfolding in an environment before they become major incidents. Fast and accurate threat investigation can reduce the overall impact of a threat, saving the business from bad press, a dented wallet, and lots of agita.
Going from an event to an incident
The SOC relies on detection solutions with correlation capabilities to sort through, classify, and prioritize millions of events. High-risk events are then investigated by analysts to determine whether the alert merits incident status. SecOps teams rely on further investigative analysis of the threat vector, tactics, business impact, functional context, and recoverability to determine the most appropriate response plan.