Section 24.230 Root Cause Analysis Flashcards
Objective 4.8 Explain appropriate incident response activities
Root Cause Analysis (RCA)
Systematic process to identify the initial source of an incident and prevent it from recurring
Steps in Root Cause Analysis
Define and Scope the Incident
Determine the initial cause and scope of the incident
● Understand how many systems/users have been affected and the operational impact
Goal is to identify the initial attack vector, e.g. a malicious thumb drive.
We should know which users have been impacted, which versions have been impacted, how many machines have been impacted, and the operational issues.
Steps in Root Cause Analysis
Determine Causal Relationships
Identify the causal relationships that led to the incident
● Understand how the incident occurred, such as through malware infection via USB drive or other vectors
e.g. someone used a USB thumb drive to install a virus
Steps in Root Cause Analysis
Identify Effective Solutions
Find solutions to prevent the incident from recurring
● Solutions may include adding antivirus, restricting data transfer from USB devices, or applying software patches
Upgrading security patches, etc.
Steps in Root Cause Analysis
Implement and Track Solutions
Execute the solutions and ensure the incident is fully resolved
● Use change management processes to update systems and configurations
● Look across the network and see if there are any other machines that could have been affected
Benefits of Root Cause Analysis
Identifies vulnerabilities and weaknesses in security practices
■ Creates more robust protections against cyber threats
■ Encourages a no-blame culture, focusing on solutions and improvements rather than assigning fault
No-Blame Approach
RCA should not assign blame to individuals or teams
○ Encourages open and honest reporting to improve cybersecurity practices
○ Recognises that human errors often result from systemic issues within organisations, such as training procedures or regulatory oversight