A post-mortem incident modeling method
2009 (English)In: 2009 International Conference on Availability, Reliability and Security (ARES), Vol. 1-2, IEEE , 2009, 1018-1023 p.Conference paper (Refereed)
Incident post-mortem analysis after recovery from incidents is recommended by most incident response experts. An analysis of why and how an incident happened is crucial for determining appropriate countermeasures to prevent the recurrence of the incident. Currently, there is a lack of structured methods for such an analysis, which would identify the causes of a security incident. In this paper, we present a structured method to perform the post-mortem analysis and to model the causes of an incident visually in a graph structure. This method is an extension of our earlier work on modeling software vulnerabilities. The goal of modeling incidents is to develop an understanding of what could have caused the security incident and how its recurrence can be prevented in the future. The method presented in this paper is intended to be used during the post-mortem analysis of incidents by incident response teams.
Place, publisher, year, edition, pages
IEEE , 2009. 1018-1023 p.
Incident response, incident cause graph, incident modeling, post-mortem analysis
IdentifiersURN: urn:nbn:se:liu:diva-43575DOI: 10.1109/ARES.2009.108ISI: 000270612000157Local ID: 74252ISBN: 978-1-4244-3572-2ISBN: e-978-0-7695-3564-7OAI: oai:DiVA.org:liu-43575DiVA: diva2:264435
4th International Conference on Availability, Reliability and Security (ARES 2009), 16-19 March 2009, Fukuoka, Japan