Framework Category
Incident Analysis
Incident Analysis focuses on investigating and understanding cybersecurity incidents by identifying root causes, estimating impact, and categorizing events according to response plans.
It ensures proper handling of disclosed vulnerabilities, maintains detailed records with integrity, and supports informed response through structured analysis.
Implementation Questions
RS.AN-03
Analysis is performed to establish what has taken place during an incident and the root cause of the incident
Does your organization have a documented process for reconstructing the chronological sequence of security incidents, including all affected assets and resources?
This question assesses whether your organization can effectively trace and document the timeline of security incidents, which is crucial for understanding attack vectors, impact scope, and developing appropriate remediation strategies. Proper incident timeline reconstruction helps identify which systems were compromised first, how the attack propagated through your environment, and what data or resources may have been accessed or modified during each phase of the incident.
Does your incident response process include identification and analysis of vulnerabilities, threats, and threat actors involved in security incidents?
This question assesses whether your organization systematically identifies the root causes and contributing factors of security incidents, including technical vulnerabilities exploited, threat types, and potential threat actors. A comprehensive incident analysis helps prevent similar incidents in the future by addressing specific weaknesses and understanding attack patterns and motivations.
Does your organization conduct root cause analysis to identify systemic issues when investigating security incidents?
Root cause analysis goes beyond addressing the immediate symptoms of a security incident to identify the fundamental, systemic issues that allowed the incident to occur. This process helps prevent similar incidents in the future by addressing underlying vulnerabilities in technology, processes, or human factors rather than implementing superficial fixes. Effective root cause analysis typically involves methodologies like the '5 Whys' technique, fishbone diagrams, or fault tree analysis to trace the incident back to its origins.
Does your organization utilize cyber deception technologies to gather intelligence on attacker behavior and tactics?
Cyber deception technologies (such as honeypots, honeyfiles, or decoy systems) can provide valuable insights into attacker methodologies, tools, and objectives by monitoring how adversaries interact with fake assets. These technologies act as early warning systems and can reveal attacker patterns that might otherwise go undetected in your actual production environment.
RS.AN-04
Incidents are categorized consistent with response plans
RS.AN-05
Processes are established to receive, analyze and respond to vulnerabilities disclosed to the organization from internal and external sources (e.g. internal testing, security bulletins, or security researchers)
RS.AN-06
Actions performed during an investigation are recorded, and the records' integrity and provenance are preserved
Does your organization require incident responders and other relevant personnel to maintain immutable records of all actions taken during incident response activities?
Maintaining immutable records of incident response actions creates an audit trail that cannot be altered after the fact, ensuring accountability and providing crucial forensic evidence. These records should capture all actions taken by incident responders, system administrators, and cybersecurity engineers during an incident, including system changes, communication logs, and investigative steps.
Does your organization require incident leads to document security incidents in detail and maintain the integrity of all incident documentation and information sources?
This question assesses whether your organization has formal requirements for incident documentation that preserve the chain of custody and accuracy of information during security incidents. Proper documentation by a designated incident lead ensures accountability, provides a reliable record for post-incident analysis, and supports potential legal or compliance requirements. It also helps maintain consistency in how incidents are recorded across the organization.
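One way to implement the immutable action record RS.AN-06 asks for, as an added example that is not part of this page: every record commits to the hash of the record before it, so a single verification pass detects any later modification, insertion or deletion of earlier records. Function names and the sample actions are constructed for illustration.

```python
import hashlib
import json
from datetime import datetime, timezone
from typing import List, Optional, Tuple

# Constructed example: an append-only, hash-chained log of incident-response
# actions. Each entry commits to the previous entry's hash, so editing or
# removing a record after the fact breaks the chain when verify_chain() runs.
GENESIS = "0" * 64


def _entry_hash(entry: dict) -> str:
    # Canonical JSON (sorted keys, fixed separators) keeps the hash stable
    payload = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(payload).hexdigest()


def append_action(log: List[dict], actor: str, action: str, target: str,
                  ts: Optional[str] = None) -> dict:
    """Record one responder action, chained to the previous record."""
    prev = log[-1]["hash"] if log else GENESIS
    entry = {
        "seq": len(log),
        "ts": ts or datetime.now(timezone.utc).isoformat(),
        "actor": actor,
        "action": action,
        "target": target,
        "prev_hash": prev,
    }
    entry["hash"] = _entry_hash(entry)
    log.append(entry)
    return entry


def verify_chain(log: List[dict]) -> Tuple[bool, Optional[int]]:
    """Return (True, None) if intact, else (False, index of first bad record)."""
    prev = GENESIS
    for i, rec in enumerate(log):
        body = {k: v for k, v in rec.items() if k != "hash"}
        if rec["seq"] != i or body["prev_hash"] != prev or _entry_hash(body) != rec["hash"]:
            return False, i
        prev = rec["hash"]
    return True, None
```

The chain alone cannot detect truncation of the most recent records, so anchor the latest hash somewhere the responders cannot rewrite (a ticket, a WORM bucket, or a signed timestamp).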
RS.AN-07
Incident data and metadata are collected, and their integrity and provenance are preserved
RS.AN-08
An incident's magnitude is estimated and validated
When responding to a security incident, does your organization have a process to identify and examine other potential targets for indicators of compromise and evidence of attacker persistence?
During a security incident, attackers often compromise multiple systems or accounts to maintain access even if the initial entry point is discovered. This question assesses whether your organization conducts lateral investigation beyond the initially identified compromised system to detect the full scope of the breach. For example, if a server is compromised, your team should examine other servers in the same network segment, systems that share credentials, or systems that communicate with the compromised host.
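The lateral investigation described above, as an added example that is not part of this page: starting from the first confirmed victim, the scope is expanded breadth-first over the three pivot relationships the text names (same network segment, shared credentials, observed communication). All host names, accounts and flows are constructed sample data, and the function names are hypothetical.

```python
from collections import deque

# Constructed sample data (not real hosts): relationships an investigator can
# pivot on from an initially compromised host.
SEGMENT = {
    "web-01": "dmz", "web-02": "dmz",
    "app-01": "app", "db-01": "data", "jump-01": "mgmt",
}
# service/admin accounts and the hosts on which each is used
CREDENTIALS = {
    "svc-backup": {"web-01", "db-01"},
    "admin-ops": {"jump-01", "app-01"},
}
# (src, dst) connections seen in flow or proxy logs during the incident window
FLOWS = [("web-01", "app-01"), ("app-01", "db-01"), ("jump-01", "web-02")]


def neighbours(host):
    """Yield (related_host, reason) for every pivot relationship of `host`."""
    for other, seg in SEGMENT.items():
        if other != host and seg == SEGMENT.get(host):
            yield other, f"same segment '{seg}'"
    for acct, hosts in CREDENTIALS.items():
        if host in hosts:
            for other in hosts - {host}:
                yield other, f"shares credential '{acct}'"
    for src, dst in FLOWS:
        if src == host:
            yield dst, f"outbound flow {src}->{dst}"
        elif dst == host:
            yield src, f"inbound flow {src}->{dst}"


def expand_scope(initial, max_hops=2):
    """Breadth-first expansion of the investigation scope from `initial`.

    Returns {host: (hops, reason)} for every host that should be examined for
    indicators of compromise, keyed by distance from the first victim. The hop
    limit keeps the triage list manageable; raise it as evidence accumulates.
    """
    scope = {initial: (0, "initial compromise")}
    queue = deque([(initial, 0)])
    while queue:
        host, hops = queue.popleft()
        if hops >= max_hops:
            continue
        for other, reason in neighbours(host):
            if other not in scope:
                scope[other] = (hops + 1, f"{reason} (via {host})")
                queue.append((other, hops + 1))
    return scope
```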
Does your organization employ automated tools to detect indicators of compromise and evidence of persistence across your systems?
Automated tools like endpoint detection and response (EDR), security information and event management (SIEM) systems, or threat hunting platforms should continuously monitor your environment for signs of malicious activity. These tools can identify unusual behaviors, known malware signatures, unauthorized access attempts, and persistent threats that may have established a foothold in your systems.