Does your incident response process include identification and analysis of vulnerabilities, threats, and threat actors involved in security incidents?
Explanation
This question concerns root-cause analysis during incident response: whether your process identifies and analyzes the vulnerabilities exploited, the threats involved, and the threat actors behind a security incident. A comprehensive incident analysis helps prevent similar incidents by addressing the specific weaknesses that were abused and by building an understanding of attacker patterns and motivations that can feed detection and prioritization.
Evidence could include incident response documentation templates with dedicated sections for vulnerability, threat, and threat actor analysis; completed incident reports in which those sections are filled in; or a formal incident response procedure document that lists these analysis activities as mandatory steps rather than optional ones.
Implementation Example
Attempt to determine what vulnerabilities, threats, and threat actors were directly or indirectly involved in the incident
ID: RS.AN-03.322
Context
- Function: RS (Respond)
- Category: RS.AN (Incident Analysis)
- Sub-Category: RS.AN-03 (Analysis is performed to establish what has taken place during an incident and the root cause of the incident)
Related questions
- Does your organization have a documented process for investigating notifications from security detection systems?
- Does your organization have a formal process to assess and document the impact of security incidents?
- Does your organization have a documented process for reconstructing the chronological sequence of security incidents, including all affected assets and resources?
- Does your organization conduct root cause analysis to identify systemic issues when investigating security incidents?
- Does your organization utilize cyber deception technologies to gather intelligence on attacker behavior and tactics?
- Does your organization categorize security incidents according to established incident response plans?