Source: Black Hills Information Security, Inc.
Author: BHIS
URL: https://www.blackhillsinfosec.com/the-goldilocks-zone/
ONE SENTENCE SUMMARY:
Effective incident triage balances urgency and efficiency by prioritizing severities, baselines, attacker objectives, detection intent, and contextual questions quickly consistently.
MAIN POINTS:
- Triage demands rapid assessment and clear classification to drive correct response decisions.
- Alert overload makes misclassification likely, so time management is critical.
- Low-severity findings usually provide poor investigative return and can often be ignored.
- Medium-severity alerts should be deferred until higher-priority signals shape investigation direction.
- High and Critical alerts typically reveal the core incident narrative and next steps.
- Baseline comparison quickly distinguishes normal behavior from true anomalies.
- Widespread “anomalies” across hosts may indicate expected operations or a broader problem.
- Evaluating attacker “actions on objective” highlights activity that advances exfiltration or lateral movement.
- Lack of meaningful progress toward goals often indicates benign behavior or non-impactful noise.
- Detection-intent focus reduces rabbit holes by validating only the specific TTP a rule targets.
TAKEAWAYS:
- Prioritize investigation time toward High/Critical alerts before revisiting Medium and Low.
- Use environment baselines to classify events faster and avoid chasing routine behavior.
- Look for goal-driven sequences like movement, escalation, or data access to confirm threat intent.
- Align analysis with what the detection rule actually tested for to improve investigation efficiency.
- Apply a consistent question-driven checklist: priority, frequency, attacker benefit, and success criteria.