Incident Prioritization and Operation

When dealing with adversary activity, you need to be aware of the different sources and types of attack that your business might face in order to coordinate an effective countermeasure.

We understand that starting to operate incidents can seem overwhelming, and not knowing where to start may be daunting. However, Lumu Incidents provides you with an array of tools to view and prioritize attacks, allowing you to maximize efficiency and minimize downtime when dealing with a concerted adversary effort.

Let’s take a quick look at how to use these features.

Incident Prioritization

Sorting Incidents can be a daunting task when a network grows beyond a certain size. This is why Lumu gives you the means to easily and purposefully organize and prioritize all incidents that come your way.

There are two main criteria that you must rely on to sort incidents effectively: Business Relevance and Risk Level.

Business Relevance

Business relevance is an attribute assigned to a label when it is created. It can be set to one of three values, low, medium, or high, based on how important the labeled assets are. This means high business relevance should only be assigned to assets that are critical to your organization.

So, when you see an incident in the Lumu Portal with high business relevance, you can be certain that an asset close to the heart of your operation is under attack.

While it is true that all organizations have different circumstances and environments, and only their own team truly understands the subtler aspects of them, always prioritizing incidents with high business relevance is a good rule of thumb, as you would be thwarting attacks on critical assets at whatever stage they have reached.

When deciding which incidents to operate on first, it is recommended to always check business relevance first in the Incidents view. To find these incidents, use the Lumu Portal’s filters and look for high business relevance incidents exclusively.

Now, let’s look at the second criterion.

Risk Level

Risk level is a value assigned to incidents by Lumu based on their threat type. It has three possible levels: Critical, Significant, and Moderate, going from the threat types that require the most urgency to the ones that require the least.

These are the threat types for each risk level:

  • Critical: C&C, DGA
  • Significant: Malware
  • Moderate: Phishing, Mining, Spam, etc.

It can also be seen as a measure of how far an attack has progressed within your network.

You can find the risk level of an incident by going to the incident’s details and clicking on the highlights tab.

To make the most effective use of this criterion, filter by the desired threat types. That way you can pinpoint the incidents that have progressed furthest down the cyber kill chain.

By combining these two criteria effectively, you will find the incidents that your team should operate on with the most urgency, so we recommend filtering your incidents to find those with High business relevance and Critical risk level first. The following graphic can serve as a framework to follow when prioritizing incidents.

Using these guidelines, you should be able to prioritize your organization’s incidents optimally and operate on them in a timely and effective manner.
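The prioritization rule above (business relevance first, then risk level derived from threat type), written out as an added example. This is not Lumu’s own code or API: the incident fields, the identifiers and the sample incidents are constructed for illustration, and the example generalizes the article’s "High + Critical first" filter into a full ordering of the open queue.

```python
from dataclasses import dataclass

# Risk level per threat type, as listed in the article. "Moderate" is the
# catch-all for Phishing, Mining, Spam and other lower-urgency types.
RISK_BY_THREAT_TYPE = {
    "C&C": "Critical",
    "DGA": "Critical",
    "Malware": "Significant",
}
DEFAULT_RISK = "Moderate"

# Lower rank sorts first.
RISK_RANK = {"Critical": 0, "Significant": 1, "Moderate": 2}
RELEVANCE_RANK = {"high": 0, "medium": 1, "low": 2}


@dataclass(frozen=True)
class Incident:
    incident_id: str          # hypothetical identifier, not Lumu's schema
    threat_type: str
    business_relevance: str   # label attribute: low / medium / high
    status: str               # Open - Pending, Open - In progress, Closed, Muted


def risk_level(threat_type: str) -> str:
    """Derive the risk level from the threat type using the article's mapping."""
    return RISK_BY_THREAT_TYPE.get(threat_type, DEFAULT_RISK)


def priority_key(incident: Incident) -> tuple:
    """Business relevance is the first criterion, risk level the second."""
    return (RELEVANCE_RANK[incident.business_relevance.lower()],
            RISK_RANK[risk_level(incident.threat_type)])


def triage_queue(incidents):
    """Return open incidents in the order the team should operate on them.
    Closed and Muted incidents are excluded: they no longer need operation."""
    actionable = [i for i in incidents if i.status.startswith("Open")]
    return sorted(actionable, key=priority_key)


# Constructed sample incidents for illustration only.
SAMPLE = [
    Incident("INC-1", "Phishing", "high", "Open - Pending"),
    Incident("INC-2", "C&C", "low", "Open - Pending"),
    Incident("INC-3", "Malware", "high", "Open - In progress"),
    Incident("INC-4", "DGA", "high", "Open - Pending"),
    Incident("INC-5", "C&C", "high", "Muted"),
    Incident("INC-6", "Mining", "medium", "Open - Pending"),
]

if __name__ == "__main__":
    for inc in triage_queue(SAMPLE):
        print(inc.incident_id, inc.business_relevance, risk_level(inc.threat_type), inc.status)
```

Note that INC-2 (Critical risk, low relevance) sorts below every high-relevance incident, which is exactly the article’s rule: relevance comes first, then risk level breaks ties within it.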

Incident Operation

Incident operation in Lumu is a simple procedure; it’s all about using status and notes effectively to communicate the state of an incident. 

There are four incident statuses: Open - Pending, Open - In progress, Closed, and Muted.

Let’s take a look at each one and what they should be used for:

  • Open - Pending: This is the status of an incident when it is detected and nobody on the team has operated on it yet. Ideally, incidents shouldn’t remain in this status for long, as that would imply the incident is being ignored, which means either that the adversary is progressing within the network, or that an irrelevant incident is making noise and hindering your operation.
  • Open - In progress: This status is assigned once the incident is picked up, either manually by an analyst or automatically by a response integration. It lets the rest of the team know that someone is actively working on the incident. To know what actions are being taken on this incident, look at the incident timeline, more specifically the notes and comments, which add context and provide details to the rest of the team.

Remember that automated response integrations can react and start operating on an incident faster than any human could. Automated Response is a Lumu Defender feature. Read more in our Lumu Offerings article.
  • Muted: This status should be assigned to incidents that the team deems unimportant, either because they affect an irrelevant asset or because they are determined to be a false positive. There may be other reasons for its use, but the decision must be driven by the incident causing undesired noise and hindering your cybersecurity operation. Once this status is assigned, Lumu will stop actively notifying you about the incident.
  • Closed: This status must be assigned to the incident when the team has resolved it. After the team has operated on the incident by taking actions to mitigate, isolate, and expel it from the network successfully, they should record the actions taken using the notes feature, and close the incident to inform the rest of the team that the attack is under control, so that they can focus their efforts where they are most needed.

By following these guidelines during operation, your team can get the most out of Lumu as a tool to keep a clear picture of your organization’s cybersecurity landscape.
