Function: Information security incident root cause analysis (d83afb89-203e-57ae-81d4-ded2000b30ed)

This function involves the process and actions required to understand the architecture, usage, or implementation flaw(s) that caused or exposed systems, networks, users, organizations, etc. to the kind of attack, exploit, or compromise exercised against the targets of an information security incident. It is also concerned with the circumstances in which an attacker could use the initial access to gain further access and compromise more systems. Depending on the nature of the information security incident, it may be difficult for a CSIRT to perform this function thoroughly. In many situations, this function may best be conducted by the affected target itself, especially in the context of Coordinating CSIRTs, where no detailed technical knowledge is available about the systems or networks that have been compromised.

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
| --- | --- | --- | --- | --- |
| Function: Information security incident root cause analysis (d83afb89-203e-57ae-81d4-ded2000b30ed) | FIRST CSIRT Services Framework | Service: Information security incident analysis (005c1e64-40dd-5b83-a5b0-15927707e58a) | FIRST CSIRT Services Framework | 1 |