Incident Pruning
Maintaining Control within Incident Response Investigations
Incident response investigations are complex efforts, shifting between chaos and order, as the incident lead maintains investigation alignment with incident response policies, while the team chases down every possible clue, leaving no stone unturned. Without incident pruning, investigations can spin out of control within a few minutes simply due to the number of possibilities — associated indicators, adversary aliases, MITRE ATT&CK tactics or techniques, victims, attributes, sightings, etc.
This paper covers some of the strategies for pruning an investigation effectively while maintaining security operations efficiency and focus.
Copyright © 2019, ThreatQuotient, Inc. All Rights Reserved.