A Post-Mortem Incident Modeling Method

Author

Ardi, Shanai ; Shahmehri, Nahid

Author_Institution

Dept. of Comput. & Inf. Sci., Linkopings Univ., Linkoping

fYear

2009

fDate

16-19 March 2009

Firstpage

1018

Lastpage

1023

Abstract

Incident post-mortem analysis after recovery from incidents is recommended by most incident response experts. An analysis of why and how an incident happened is crucial for determining appropriate countermeasures to prevent the recurrence of the incident. Currently, there is a lack of structured methods for such an analysis, which would identify the causes of a security incident. In this paper, we present a structured method to perform the post-mortem analysis and to model the causes of an incident visually in a graph structure. This method is an extension of our earlier work on modeling software vulnerabilities. The goal of modeling incidents is to develop an understanding of what could have caused the security incident and how its recurrence can be prevented in the future. The method presented in this paper is intended to be used during the post-mortem analysis of incidents by incident response teams.

Keywords

security of data; countermeasures; graph structure; incident post-mortem analysis; incident response teams; post-mortem incident modeling; security incident; software vulnerability modeling; Availability; Computer security; Computerized monitoring; Condition monitoring; Data security; Failure analysis; Information science; Information security; NIST; Performance analysis; Incident response; incident cause graph; incident modeling; post-mortem analysis;

fLanguage

English

Publisher

ieee

Conference_Titel

Availability, Reliability and Security, 2009. ARES '09. International Conference on

Conference_Location

Fukuoka

Print_ISBN

978-1-4244-3572-2

Electronic_ISBN

978-0-7695-3564-7

Type

conf

DOI

10.1109/ARES.2009.108

Filename

5066604