TR0.8 Asset Prioritization and Blast Radius
Figure TR0.8 — 3-tier asset classification. Tier determines triage SLA. A compromise of a Tier 1 asset (domain controller, Global Admin) triggers immediate triage regardless of alert severity. A compromise of a Tier 3 asset (development VM) follows the standard queue.
Blast radius assessment — the 4-question framework
When a system is confirmed compromised (TP classification), the blast radius determines how many other systems, accounts, and data stores are potentially affected. The triage responder answers 4 questions:
Question 1: What credentials are accessible from this system?
A compromised workstation holds: the logged-in user’s credentials (NTLM hash in memory, Kerberos tickets), any cached credentials (previous logins), and any credentials stored in applications (browser saved passwords, SSH keys, configuration files with database connection strings). A compromised domain controller holds: the NTDS.dit (ALL domain passwords). A compromised Entra Connect server holds: the sync service account credentials (which have DCSync-equivalent permissions in AD).
The blast radius MULTIPLIES by the number of accessible credentials: if the compromised workstation has cached credentials for 3 users (the primary user + 2 IT admins who logged in for support), all 3 accounts are potentially compromised.
Question 2: What can those credentials access?
Map each credential to its access scope:
- Standard user → their mailbox, their OneDrive, shared resources they have access to
- IT administrator → all servers they manage, admin portals, Azure subscriptions
- Domain admin → EVERYTHING in the AD domain
- Global admin → EVERYTHING in the Entra ID tenant and all M365 workloads
- Service account → the specific services it connects to (database, application, API)
At NE, the blast radius table for key accounts:
svc-dbadmin: MySQL on SRV-NGE-BRS-DB01 (customer PII database — 85,000 records, GDPR-scoped). If svc-dbadmin is compromised: the attacker can read, modify, or exfiltrate the entire customer database. This is a Tier 1 regulatory event.
j.morrison (engineering manager): Outlook, Teams, SharePoint engineering site, OneDrive. Access to no servers. If compromised: BEC risk (financial fraud via email impersonation), intellectual property exposure (engineering documents in SharePoint), but no infrastructure access. This is a Tier 2 event unless BEC is confirmed.
Question 3: What network segments can this system reach?
A compromised system on a flat network can reach EVERY other system. A compromised system behind a properly segmented network can reach only systems in the same segment. Check: can the compromised Linux server SSH to other servers? (Check ss -tnp for outbound SSH connections.) Can the compromised Windows endpoint reach the domain controller? (Check DeviceNetworkEvents for connections to port 445/389/88 on DC IPs.)
Question 4: What data is at risk, and what are the regulatory implications?
Map the accessible data to regulatory categories:
- Customer PII → GDPR Article 33 (72-hour notification)
- Financial data → GDPR + potential fraud reporting
- Health data → GDPR Article 9 (special category data, heightened obligations)
- Employee data → GDPR (internal breach, still requires assessment)
- Intellectual property → No GDPR trigger but business-critical
- No personal data → No GDPR trigger, standard incident handling
The blast radius assessment output feeds directly into: (1) the triage report scope section, (2) the regulatory notification assessment (TR0.6), and (3) the investigation team’s initial scope definition.
Investigation Finding — IF-2026-TR0-SCOPE-001
Artifact: Blast radius assessment for CHAIN-DRIFT attack on SRV-NGE-BRS-DB01
Source: 4-question blast radius framework applied to the confirmed TP.
Findings:
- Q1 Credentials: svc-dbadmin (MySQL service account), /etc/shadow contents (all local accounts), SSH key for deploy@ridgeline-ci (deployment pipeline). Q2 Access: svc-dbadmin → MySQL customer database (85,000 records, PII). /etc/shadow → potential credential reuse on other NE Linux servers. deploy key → CI/CD pipeline access. Q3 Network: SRV-NGE-BRS-DB01 can reach all servers on the 10.1.2.0/24 segment (12 Linux servers, no Windows). Outbound internet access (no egress filtering). Q4 Data: Customer PII database (GDPR Article 33 triggered — 72-hour notification to ICO).
- Proves: The blast radius extends beyond the compromised server to: (1) the customer database (85,000 PII records at risk), (2) 12 other Linux servers on the same network segment (credential reuse risk), and (3) the CI/CD pipeline (supply chain risk). GDPR Article 33 notification is REQUIRED — personal data exposure is confirmed.
- Does not prove: Whether the attacker accessed the database (check the MySQL query log or docker logs for the database container). Whether /etc/shadow hashes have been cracked (offline analysis needed). Whether the deploy key was used for pipeline access (check CI/CD audit logs).
- Next step: (1) Notify DPO: GDPR Article 33 clock started at triage classification time. (2) Check MySQL query log for unauthorized data access. (3) Rotate ALL credentials identified in Q1. (4) Network scan: nmap -sV 10.1.2.0/24 from the analyst’s workstation to verify the 12 reachable servers.
Try it: classify your top 10 systems using the 3-tier model
List the 10 most critical systems in your environment. For each, determine: (1) Tier (1/2/3) based on data sensitivity and infrastructure role. (2) Blast radius if compromised — what credentials are accessible, what can they reach? (3) Regulatory exposure — does compromise trigger notification obligations? The resulting table becomes your triage prioritisation reference.
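The 4-question framework, the IF-2026-TR0-SCOPE-001 finding and the "Try it" table above all reduce to the same aggregation, shown here as an added Python example that is not part of the course material: each accessible credential widens the set of affected systems, and the exposed data categories decide the notification obligation. The twelve segment host names and the "mysql-customer-db" / "ridgeline-ci-pipeline" labels are constructed placeholders; the course gives only their counts and roles.

```python
from dataclasses import dataclass

# Question 4 mapping from the course: data category -> regulatory consequence.
REGULATORY = {
    "customer_pii": "GDPR Article 33 (72-hour notification)",
    "financial": "GDPR + potential fraud reporting",
    "health": "GDPR Article 9 (special category data)",
    "employee": "GDPR (internal breach, assessment required)",
}   # "ip" and "none" carry no GDPR trigger, so they are absent here

@dataclass
class Credential:
    name: str           # Question 1: a credential recoverable from the host
    reaches: frozenset  # Question 2: systems / data stores it can access
    data: frozenset     # Question 4: data categories exposed through that access

@dataclass
class Host:
    name: str
    tier: int
    credentials: list
    segment: frozenset  # Question 3: other hosts reachable on the same segment
    egress_filtered: bool

def blast_radius(host):
    """Aggregate the four answers into one scope record for the triage report."""
    affected, accounts, data = set(host.segment), set(), set()
    for cred in host.credentials:
        accounts.add(cred.name)
        affected |= cred.reaches   # every accessible credential widens the radius
        data |= cred.data
    obligations = sorted(REGULATORY[d] for d in data if d in REGULATORY)
    return {"host": host.name, "tier": host.tier,
            "accounts": sorted(accounts),
            "affected_systems": sorted(affected),
            "notification_required": bool(obligations),
            "obligations": obligations,
            "unfiltered_egress": not host.egress_filtered}

# Constructed sample modelled on finding IF-2026-TR0-SCOPE-001. The twelve segment
# host names are placeholders; the course only gives their count.
SEGMENT_10_1_2 = frozenset(f"linux-host-{i:02d}" for i in range(1, 13))
DB01 = Host("SRV-NGE-BRS-DB01", tier=1, egress_filtered=False, segment=SEGMENT_10_1_2,
            credentials=[
                Credential("svc-dbadmin", frozenset({"mysql-customer-db"}),
                           frozenset({"customer_pii"})),
                Credential("local-shadow-hashes", SEGMENT_10_1_2, frozenset()),
                Credential("deploy@ridgeline-ci", frozenset({"ridgeline-ci-pipeline"}),
                           frozenset()),
            ])
```

Running blast_radius(DB01) yields 14 affected systems (12 segment hosts, the customer database and the pipeline), three accounts to rotate, and a required Article 33 notification, matching the finding's Q1 to Q4 answers.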
The myth: First-in-first-out (FIFO) alert triage ensures fairness and prevents cherry-picking.
The reality: FIFO triage treats a cryptominer on a development VM the same as a compromised domain controller — both wait in the queue. The domain controller compromise has blast radius covering the entire AD domain (all users, all servers, all workstations), while the cryptominer affects one non-production VM. The 3-tier prioritisation ensures that HIGH-IMPACT incidents receive IMMEDIATE attention. FIFO is appropriate only when all alerts have equivalent business impact — which never happens in practice. The NE SOC uses tier-based prioritisation: Tier 1 alerts interrupt whatever the analyst is doing, Tier 2 alerts are next in queue, Tier 3 alerts are handled in order.
The escalation decision framework
Not every TP requires immediate escalation. The triage responder must determine: does this incident need the full investigation team NOW, or can it be contained and queued for next-business-day investigation?
Immediate escalation criteria (wake people up at 3 AM): Tier 1 asset compromised (domain controller, Global Admin, Entra Connect server, database with PII). Active data exfiltration in progress (large outbound transfers detected in network logs). Ransomware indicators (encryption in progress, shadow copy deletion). Cross-environment attack chain confirmed (the attacker has traversed multiple environments and the blast radius is expanding). Any incident where containment cannot be completed without additional expertise (the attacker is actively fighting containment — re-establishing access as fast as the responder removes it).
Standard escalation criteria (begin investigation next business day): Tier 2 or 3 asset compromised with containment successful. Credential compromise without confirmed lateral movement (password reset + MFA enforcement contains the immediate risk). BEC attempt detected but not executed (the fraudulent email was sent but finance has not acted on it). Cryptominer on a non-production system (contained, no data exposure, no regulatory trigger).
The escalation decision should be documented in the triage report Section 5 (Next Steps) with explicit justification: “Escalation: IMMEDIATE — Tier 1 asset (database server with 85,000 PII records) confirmed compromised. Active C2 channel detected. GDPR Article 33 triggered.” This justification enables the investigation team lead to understand WHY they were woken up at 3 AM and to validate the escalation decision during the post-incident review.
At NE, the escalation matrix is: Tier 1 = page the on-call IR analyst + notify the CISO. Tier 2 = page the on-call IR analyst (no CISO notification until the investigation confirms scope). Tier 3 = queue for the next available analyst during business hours. The on-call rotation covers the IR analyst and the SOC lead — both are reachable via PagerDuty within 15 minutes.
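The escalation criteria and the NE matrix above, as an added Python example (not the course's own tooling): the immediate criteria are evaluated first, the Section 5 justification text is generated from the reasons that fired, and the contact list comes from the tier matrix. One assumption is mine, not the course's: an IMMEDIATE decision on a Tier 3 asset (for example active exfiltration from a development VM, which the tier-keyed matrix does not cover) still pages the on-call IR analyst.

```python
from dataclasses import dataclass
@dataclass
class TriageFacts:
    asset: str
    tier: int                          # 1/2/3 from the asset classification
    containment_complete: bool         # responder contained it without extra help
    exfiltration_active: bool = False  # large outbound transfers in network logs
    ransomware_indicators: bool = False
    cross_environment_chain: bool = False
    notes: str = ""                    # free text carried into the justification

def escalation_level(f):
    """Return ('IMMEDIATE' | 'STANDARD', reasons) per the course criteria."""
    reasons = []
    if f.tier == 1:
        reasons.append(f"Tier 1 asset ({f.asset}) confirmed compromised")
    if f.exfiltration_active:
        reasons.append("active data exfiltration in progress")
    if f.ransomware_indicators:
        reasons.append("ransomware indicators present")
    if f.cross_environment_chain:
        reasons.append("cross-environment attack chain confirmed")
    if not f.containment_complete:
        reasons.append("containment cannot be completed without additional expertise")
    return ("IMMEDIATE" if reasons else "STANDARD"), reasons

# NE escalation matrix keyed by asset tier (from the course text).
MATRIX = {
    1: ["page on-call IR analyst", "notify CISO"],
    2: ["page on-call IR analyst"],
    3: ["queue for next available analyst (business hours)"],
}

def escalation_entry(f):
    """Section 5 (Next Steps) text plus the people to contact."""
    level, reasons = escalation_level(f)
    if level == "STANDARD":
        reasons = [f"Tier {f.tier} asset ({f.asset}) contained; investigate next business day"]
    text = f"Escalation: {level} - " + ". ".join(reasons) + "."
    if f.notes:
        text += f" {f.notes}"
    actions = MATRIX[f.tier]
    if level == "IMMEDIATE" and f.tier == 3:   # assumption: an immediate case still pages
        actions = MATRIX[2]
    return {"level": level, "justification": text, "actions": actions}

# Constructed cases: the DB01 compromise and a cryptominer on a development VM.
DB01_CASE = TriageFacts("database server with 85,000 PII records", 1, True,
                        notes="Active C2 channel detected. GDPR Article 33 triggered.")
MINER_CASE = TriageFacts("development VM", 3, True)
```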
Troubleshooting
“I do not know the tier classification for the alerted system.” Check: is it a domain controller? (Tier 1.) Is it the Entra Connect server? (Tier 1.) Does it hold customer data? (Tier 1.) Is it a member server or senior user? (Tier 2.) If none of the above: Tier 3. When in doubt, escalate to the SOC lead for classification.