What is the meaning of Triage in Cybersec world?

We just got reports that 4000 of our systems are infected with ransomware.

3000 are end users, 800 are non-critical servers, 200 are critical servers.

Triage is looking at this mess and deciding which order to start restoring systems in. We can't tackle them all at once, so we have to look at some and say 'Sorry, little Inspiron that couldn't, you get to sit there and be useless for a while.'

It comes from the medical world, as you've stated. It's the same reasoning as an ER doctor looking at two patients and deciding to work on the one that they're more certain they can save. You let one go, as hard as it may be, so that the other might live. If you'd worked on the worse injured person, it's possible they both would have died.

The difference in the security world is that often it's dollars lost due to users being unable to work, rather than literal life and death. You work on the systems that you are most likely to be able to restore, and that will return the largest amount of productivity to the environment. You leave the individual laptops that only affect a single user to the side, for now.
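The prioritisation the answer describes, as an added example that is not part of the original answer: each infected asset is scored by the productivity it returns per hour of responder effort (users affected, times the estimated chance the restore succeeds, divided by estimated restore time), anything below a confidence threshold is deferred rather than worked first, and the rest form the restore queue. The asset inventory, probabilities and hours are constructed for illustration, and the scoring formula is an assumption, not a standard.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    """One infected system as recorded during intake (constructed example)."""
    name: str
    kind: str             # "critical-server", "server" or "endpoint"
    users_affected: int   # people who cannot work while it is down
    restore_prob: float   # estimated chance a restore succeeds (e.g. known-good backup exists)
    restore_hours: float  # estimated responder effort to bring it back


def triage_score(asset: Asset) -> float:
    """Expected productivity returned per hour of responder effort (assumed metric)."""
    return asset.users_affected * asset.restore_prob / asset.restore_hours


def triage_order(assets: list[Asset], min_prob: float = 0.3) -> tuple[list[Asset], list[Asset]]:
    """Split assets into a restore queue and a deferred list.

    Assets whose restore is unlikely to succeed (below min_prob) are deferred,
    mirroring the 'let one go so the other might live' decision; the rest are
    ordered by triage_score, highest first.
    """
    deferred = [a for a in assets if a.restore_prob < min_prob]
    queue = sorted(
        (a for a in assets if a.restore_prob >= min_prob),
        key=triage_score,
        reverse=True,
    )
    return queue, deferred


# Constructed sample inventory; numbers are illustrative only.
SAMPLE_ASSETS = [
    Asset("erp-db-01", "critical-server", users_affected=2500, restore_prob=0.9, restore_hours=8),
    Asset("file-srv-07", "server", users_affected=400, restore_prob=0.8, restore_hours=2),
    Asset("build-agent-12", "server", users_affected=30, restore_prob=0.95, restore_hours=1),
    Asset("legacy-app-03", "critical-server", users_affected=600, restore_prob=0.1, restore_hours=40),
    Asset("inspiron-4421", "endpoint", users_affected=1, restore_prob=0.99, restore_hours=0.5),
]


def restore_plan(assets: list[Asset] = SAMPLE_ASSETS) -> dict[str, list[str]]:
    """Return the queue and deferred list as names, in triage order."""
    queue, deferred = triage_order(assets)
    return {
        "queue": [a.name for a in queue],
        "deferred": [a.name for a in deferred],
    }


if __name__ == "__main__":
    plan = restore_plan()
    for rank, name in enumerate(plan["queue"], 1):
        print(f"{rank}. {name}")
    print("deferred (low confidence):", ", ".join(plan["deferred"]))
```

Note that the single-user laptop still lands at the bottom of the queue by score, and the critical server with no trustworthy backup is deferred despite its importance: importance alone does not earn a slot when the restore is unlikely to work.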


In addition to Adonalsium's fine answer regarding prioritization, the triage step will include the initial routing of the event to the people best suited to handle it.

A virus or ransomware attack would go to the operations team who would first isolate the computer to minimize collateral damage. A DDoS attack may go to the network team to start sinking the garbage packets. A report of suspicion may get placed in a queue for a generalist to handle later. Evidence of an intrusion may get escalated immediately to the Incident Management team.


In addition to the other great answers, the term triage is also used in the bug bounty bug report process to mean the process of initially reproducing the issue and assigning a priority to it.

Triage

The process of validating a vulnerability submission from raw submission to a valid, easily digestible report.

Source: https://www.bugcrowd.com/resources/glossary/triage/

Or when talking about various states of a reported bug:

Triaged: A submission that may be valid, but needs to be reviewed again and validated.

Source: https://docs.bugcrowd.com/docs/submission-status

The term is used in a similar context by HackerOne as well (though they have fewer states for a submission, so this covers more than the same-name state at BugCrowd):

Triaged - The report is evaluated but hasn't been resolved. It is in the state of being fixed.

Source: https://docs.hackerone.com/hackers/report-states.html