Fim D03 S03 T01 Step PDF
Root Cause Analysis
A root cause is
• an initiating cause of either a condition or a causal chain that leads to an outcome or effect of interest (source: Wikipedia, https://en.wikipedia.org/wiki/Root_cause)
• the highest level cause of a problem; “the evil at the bottom” that sets in motion the entire cause-and-effect chain causing the problem(s) (source: American Society for Quality (ASQ), http://asq.org/learn-about-quality/root-cause-analysis/overview/overview.html)
[Distribution Statement A] This material has been approved for public release and unlimited distribution.
So root cause analysis is analyzing the root cause. Again, other definitions are a method of problem-solving used for identifying the root causes of particular problems or faults. Again, the American Society for Quality defines root cause analysis as a collective term that includes a wide range of different approaches, tools and techniques that can be used to uncover the cause of particular problems. And the Forum of Incident Response and Security Teams, FIRST, has drafted an initial framework for security incident response teams, and they've identified a number of different processes, and one of these is root cause analysis, and they define root cause analysis as the understanding of a flaw, and specifically design or implementation flaws, but it may be other types of flaws that allow a particular attack or incident to occur.
Why Do Root Cause Analysis?
And depending on the individual circumstances of that incident, there may be some types of follow-up responses, such as mitigation and recovery, that might not necessarily be the same or appropriate, and perhaps then could even be delayed to a later time, depending on the specific circumstances of that particular incident.
Who Does Root Cause Analysis?
It depends…
Root cause analysis, at some level, is often performed by CSIRT incident analysts.
Many teams might not have a defined approach or process for formally conducting root cause analysis.
• Informal (ad hoc) root cause analysis may be performed at lower levels of effort or rigor, as needed.
• Constituents or system owners with direct access to the available incident information may be more capable and likely to perform this analysis than a coordinating CSIRT.
they're doing, just trying to answer questions and understand what is basically happening with the incident so they can move on to the other steps in following up on responses.
When to Do Root Cause Analysis
having to do some level of root cause analysis.
How to Do Root Cause Analysis
reported or seen or you've detected in the past? Looking at these, trying to come up with some way of organizing these and cataloging them and identifying those various types of causes is going to be one way to be able to map those causes to the different activities that you're analyzing.
vulnerabilities, threats, weaknesses that might be used as methods or mechanisms to cause an incident to occur.
definition we're trying to identify why or how an incident occurred. So this root cause analysis is fundamentally different from other types of incident analysis, such as impact analysis, risk analysis, those types of things. So to answer these "why" questions, you often have to answer some other types of related questions, like, again, how, and depending on how you word the question, how and why, you can use different terms to answer the same information, but also underlying what, that may be a different way to phrase a question, and sometimes other questions, such as the who and the when questions, may also need to be addressed to get to the underlying why or how.
There may be other types of analyses, like vulnerability analysis, looking at the underlying vulnerabilities that may exist in software or systems that allow an exploitation to occur to create an incident, and other things like retrospective or trend analysis, what the attacker may have done, or trends in what has been seen in the past and maybe being able to predict what might be happening in the future.
investigate them, you may find out that there might be multiple root causes. So don't be constrained into thinking that we only have to identify one particular category in our different lists. You expect that there might be a variety of different things that are identified that'll map to a set of incident activities. So having this as part of your analysis process and the ability to identify the various multiple root causes is going to be something that's important.
different indicators from different data sources that may be unrelated, and so drawing the correlations and linking these different root causes together is something you're just going to have to watch out for.
Root Cause Analysis Preparatory Tasks
(source: [DRAFT] FIRST SIRT Services Framework, Tasks and Sub-Tasks for Function 2.4 Vulnerability/Exploitation Analysis – Sub-Function 2.4.2 Root cause analysis (Task 2.4.2.1))
thing to have, but it's something that's not necessarily essential to do root cause analysis, but it can definitely provide better insight into what's happening.
Notices
Copyright 2016 Carnegie Mellon University
[Distribution Statement A] This material has been approved for public release and unlimited distribution. Please see Copyright notice for non-US Government use and distribution.
This material is based upon work funded and supported by Department of Homeland Security under Contract No. FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center sponsored by the United States Department of Defense.
NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN “AS-IS” BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.
This material is distributed by the Software Engineering Institute (SEI) only to course attendees for their own individual study. Except for the U.S. government purposes described below, this material SHALL NOT be reproduced or used in any other manner without requesting formal permission from the Software Engineering Institute at permission@sei.cmu.edu.
The U.S. Government's rights to use, modify, reproduce, release, perform, display, or disclose this material are restricted by the Rights in Technical Data-Noncommercial Items clauses (DFAR 252-227.7013 and DFAR 252-227.7013 Alternate I) contained in the above identified contract. Any reproduction of this material or portions thereof marked with this legend must also reproduce the disclaimers contained on this slide.
Although the rights granted by contract do not require course attendance to use this material for U.S. Government purposes, the SEI recommends attendance to ensure proper understanding.
Carnegie Mellon®, CERT® and CERT Coordination Center® are registered marks of Carnegie Mellon University.
DM-0003588