I searched Google for this term, but the definitions that I found were related to the medical world, and nothing related to IT. I think that it is some kind of procedure for documenting something, maybe? Note that I heard this word for the first time in the SOC (Security Operations Center) where I am currently working.
It means the same thing, just applied to tech/business issues rather than medical issues. – Matthew Read Apr 09 '19 at 21:45
Not related to cybersec, but the term "triage" can also be used in software development: if a user reports a bug by opening a ticket in the bug tracker, someone must check whether it can be reproduced, what team it should be assigned to, and its severity or priority (that is, how disruptive it is and how urgent it is to fix: is it critical, normal, negligible...?). Some call this process *triage*. For example, [Google uses this term](https://www.chromium.org/for-testers/bug-reporting-guidelines/triage-best-practices) in the Chromium project. – Fabio says Reinstate Monica Apr 09 '19 at 23:38
Just to add the definition: _the assignment of degrees of urgency to wounds or illnesses to decide the order of treatment of a large number of patients or casualties._ Now replace wound with a computer word and replace patient with server/workstation. – JPhi1618 Apr 10 '19 at 03:58
There was an Arabic website for hackers called something like "TrYaG AlArab", but it was shut down about 9 years ago; your question just reminded me of this website. This same word exists in the Arabic language as well, but there it has the meaning "medicine". – AccountantM Apr 10 '19 at 06:45
3 Answers
We just got reports that 4000 of our systems are infected with ransomware.
3000 are end users, 800 are non-critical servers, 200 are critical servers.
Triage is looking at this mess and deciding which order to start restoring systems in. We can't tackle them all at once, so we have to look at some and say 'Sorry, little Inspiron that couldn't, you get to sit there and be useless for a while.'
It comes from the medical world, as you've stated. It's the same reasoning as an ER doctor looking at two patients and deciding to work on the one that they're more certain they can save. You let one go, as hard as it may be, so that the other might live. If you'd worked on the worse injured person, it's possible they both would have died.
The difference in the security world is that often it's dollars lost due to users being unable to work, rather than literal life and death. You work on the systems that you are most likely to be able to restore, and that will return the largest amount of productivity to the environment. You leave the individual laptops that only affect a single user to the side, for now.
Wow, thanks a lot. So, in brief, it is like prioritizing which systems you want to restore, because there are many of them and you can't work on all of them at the same time, right? – victor26567 Apr 09 '19 at 19:39
Pretty much. It's just deciding what systems make the most sense to fix first, because you have limited resources. – Monica Apologists Get Out Apr 09 '19 at 19:51
In the modern medical world I think there is very little "letting one go so the other might live" - it's more about making the person with a broken leg wait (they probably won't die in the meantime) while they fix the unconscious person who's been knifed (who probably will). – Martin Bonner supports Monica Apr 10 '19 at 17:18
@MartinBonner Then assume by 'doctor' I meant 'battlefield medic'. :) – Monica Apologists Get Out Apr 10 '19 at 18:18
@MartinBonner It depends on the context. Usually there is time to provide some assistance to everyone, and it is just a matter of making sure that you do not fail to provide care to the urgent cases because you are dealing with the non-urgent ones (you just will not get 400 heart attacks at the same time at a hospital). But if there are suddenly lots of critical cases (for example, after an earthquake or other disaster), then the part about deciding who is too injured to survive (and hence a drain on much-needed resources) may kick in. – SJuan76 Apr 10 '19 at 20:19
@Adonalsium - and "battlefield medic" is the environment where the term and practice were originally invented. – Martin Bonner supports Monica Apr 11 '19 at 05:49
@MartinBonner The term itself comes from the practice of categorising patients into three broad categories. The choice of care is a secondary process, and not directly related. In IT, triage refers to a similar process of assessing tasks as either trivial, simple or complex and/or small, medium or large, depending on the exact context. Again, the next step leads to different processes. – Mike Brockington Apr 11 '19 at 09:41
@MartinBonner the "tri" in "triage" is a division into three: those who will be okay without your help, those who can't be saved even with your help, and the cases where you can make a difference. – hobbs Apr 11 '19 at 22:16
@hobbs: actually, 'triage' comes from the French word 'trier' for sorting; the number three has very little to do with it. START triage is one of the most commonly used and consists of four categories ('cannot be saved either way', 'needs immediate attention', 'needs attention but can wait', 'needs no or very little attention'). – JDT Apr 12 '19 at 09:17
In addition to Adonalsium's fine answer regarding prioritization, the triage step will include the initial routing of the event to the people best suited to handle it.
A virus or ransomware attack would go to the operations team who would first isolate the computer to minimize collateral damage. A DDoS attack may go to the network team to start sinking the garbage packets. A report of suspicion may get placed in a queue for a generalist to handle later. Evidence of an intrusion may get escalated immediately to the Incident Management team.
Worth noting that this can also be an ongoing process. Alerts are always numerous, so an initial sift, sort, and send is typically conducted by one person, while the rest of the team deep dives into the issues raised. – Jozef Woods Apr 10 '19 at 07:26
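As an added illustration (my own example, not code from either answer), here is a small Python triage queue that combines both points above: it scores each affected system by the productivity a successful restore would return, escalates intrusion evidence ahead of everything else, and routes each event to the team the second answer names. Team names, role weights and the sample alerts are assumed/constructed.

```python
from dataclasses import dataclass

# Assumed team names for the initial routing described in the answer above.
ROUTES = {
    "ransomware": "operations",          # isolate the host first
    "ddos": "network",                   # start sinking the garbage packets
    "suspicion": "generalist-queue",     # handled later
    "intrusion": "incident-management",  # escalated immediately
}
# Assumed weights: how much productivity a restored host of each role returns.
ROLE_WEIGHT = {"critical-server": 100, "server": 10, "workstation": 1}


@dataclass
class Alert:
    host: str
    category: str              # key into ROUTES
    role: str                  # key into ROLE_WEIGHT
    users_affected: int        # people who cannot work while the host is down
    restore_likelihood: float  # analyst's estimate, 0.0 to 1.0


def priority(a: Alert) -> float:
    """Expected productivity returned by a restore attempt: favour systems that
    are both likely to be recoverable and worth the most when they come back."""
    return ROLE_WEIGHT[a.role] * a.users_affected * a.restore_likelihood


def route(a: Alert) -> str:
    """Initial routing of the event to the team best suited to handle it."""
    return ROUTES.get(a.category, "generalist-queue")


def triage(alerts):
    """Order the queue: intrusion evidence jumps ahead (immediate escalation),
    everything else by expected productivity returned, highest first."""
    key = lambda a: (a.category == "intrusion", priority(a))
    return [(a.host, route(a), priority(a)) for a in sorted(alerts, key=key, reverse=True)]


# Constructed sample alerts (not real hosts) mirroring the first answer's mix
# of end-user machines, non-critical servers and critical servers.
SAMPLE_ALERTS = [
    Alert("erp-db-01", "ransomware", "critical-server", 400, 0.5),
    Alert("file-srv-07", "ransomware", "server", 50, 0.75),
    Alert("inspiron-lab", "ransomware", "workstation", 1, 1.0),
    Alert("web-edge", "ddos", "critical-server", 1000, 0.75),
    Alert("vpn-gw", "intrusion", "critical-server", 200, 0.5),
    Alert("hr-laptop", "suspicion", "workstation", 1, 0.25),
]

if __name__ == "__main__":
    for host, team, score in triage(SAMPLE_ALERTS):
        print(f"{host:<14} -> {team:<20} priority={score:g}")
```

The lone "Inspiron" workstation and the unconfirmed suspicion land at the bottom of the queue, exactly the "you get to sit there and be useless for a while" outcome the first answer describes.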
In addition to the other great answers, the term triage is also used in the bug bounty report process to mean the process of initially reproducing the issue and assigning a priority to it.
Triage
The process of validating a vulnerability submission from raw submission to a valid, easily digestible report.
Source: https://www.bugcrowd.com/resources/glossary/triage/
Or when talking about various states of a reported bug:
Triaged: A submission that may be valid, but needs to be reviewed again and validated.
Source: https://docs.bugcrowd.com/docs/submission-status
The term is used in a similar context by HackerOne as well (though they have fewer states for a submission, so this covers more than the same-name state at Bugcrowd):
Triaged - The report is evaluated but hasn't been resolved. It is in the state of being fixed.
Source: https://docs.hackerone.com/hackers/report-states.html