Application Of Formal Methods To Root Cause Analysis of Digital Incidents
Numerous current regulations and standards mandate incident response for virtually all segments of the private sector. According to most incident response experts there is a need to perform a root cause analysis (or "incident post mortem") following recovery from such incidents. To date there has not been a structured, formal approach to conducting this type of post-incident analysis. This paper proposes a methodology based upon formal modeling of the security processes in an enterprise under attack. The enterprise is segmented into manageable and security-relevant policy domains, and the interactions of those domains, including both pre- and post-incident states, are modeled. The paper then shows how to analyze the nature of the state changes that occurred as a result of the incident and, finally, how to insert appropriate safeguards and countermeasures to prevent future occurrences of the same type of incident. This methodology is based upon an ongoing research project, field testing, and other peer-reviewed papers. The formalism selected is Colored Petri Nets.
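To make the abstract's workflow concrete, the following is an added, self-contained toy implementation of the idea (it is not the paper's own model or tooling): places stand for policy domains, colored tokens carry a trust color, transitions are cross-domain interactions guarded by policy, a reachability search over the state space yields the firing sequence that explains how the post-incident marking was reached, a marking diff describes the nature of the state change, and re-running the search after a guard (the safeguard) is added shows the bad marking is no longer reachable. The domain names (internet, dmz, internal, data), the three transitions and the initial marking are constructed assumptions for illustration only.

```python
"""Toy Colored Petri net for post-incident root cause analysis (added example,
not the paper's code). Places = policy domains, tokens = (kind, color) with a
trust color, transitions = guarded cross-domain interactions."""
from collections import Counter, deque
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple

Token = Tuple[str, str]                      # (kind, color), e.g. ("request", "untrusted")
Marking = FrozenSet[Tuple[str, Token, int]]  # {(place, token, count)}; immutable so it hashes


@dataclass(frozen=True)
class Transition:
    name: str
    consume: Tuple[Tuple[str, str], ...]   # (place, kind) input arcs; color is bound from the token
    produce: Tuple[Tuple[str, str], ...]   # (place, kind) output arcs; produced with the bound color
    guard: Callable[[str], bool] = lambda color: True  # policy predicate on the bound color


def to_counter(m: Marking) -> Counter:
    return Counter({(p, t): n for p, t, n in m})


def to_marking(c: Counter) -> Marking:
    return frozenset((p, t, n) for (p, t), n in c.items() if n > 0)


def enabled_bindings(t: Transition, m: Marking) -> List[str]:
    """Colors for which every input arc can be satisfied and the guard holds."""
    c = to_counter(m)
    colors = None
    for (place, kind), k in Counter(t.consume).items():
        avail = {tok[1] for (p, tok), n in c.items() if p == place and tok[0] == kind and n >= k}
        colors = avail if colors is None else colors & avail
    return sorted(col for col in (colors or set()) if t.guard(col))


def fire(t: Transition, m: Marking, color: str) -> Marking:
    """Consume the bound tokens and produce the output tokens in the same color."""
    c = to_counter(m)
    for place, kind in t.consume:
        c[(place, (kind, color))] -= 1
    for place, kind in t.produce:
        c[(place, (kind, color))] += 1
    return to_marking(c)


def reachable(initial: Marking, transitions: List[Transition],
              bad: Callable[[Marking], bool], limit: int = 10000) -> Optional[List[str]]:
    """Breadth-first search of the state space. Returns the shortest firing
    sequence that reaches a marking satisfying `bad`, or None if none exists
    within `limit` explored markings."""
    seen = {initial}
    queue = deque([(initial, [])])
    while queue and len(seen) < limit:
        m, trace = queue.popleft()
        if bad(m):
            return trace
        for t in transitions:
            for color in enabled_bindings(t, m):
                nxt = fire(t, m, color)
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append((nxt, trace + [f"{t.name}({color})"]))
    return None


def marking_diff(before: Marking, after: Marking) -> Dict[str, Counter]:
    """Net token change per place: the nature of the state change between two markings."""
    b, a = to_counter(before), to_counter(after)
    diff: Dict[str, Counter] = {}
    for place, tok in set(b) | set(a):
        delta = a[(place, tok)] - b[(place, tok)]
        if delta:
            diff.setdefault(place, Counter())[tok] = delta
    return diff


def build_net(safeguard: bool) -> List[Transition]:
    """Hypothetical enterprise with three cross-domain interactions. Without the
    safeguard the DMZ->internal hop forwards requests of any trust color (the
    assumed root cause); with it, only trusted requests may cross."""
    hop_guard = (lambda color: color == "trusted") if safeguard else (lambda color: True)
    return [
        Transition("web_accept", (("internet", "request"),), (("dmz", "request"),)),
        Transition("dmz_to_internal", (("dmz", "request"),), (("internal", "request"),), hop_guard),
        Transition("internal_read", (("internal", "request"),), (("data", "record"),)),
    ]


# Constructed pre-incident marking: one untrusted external request, one legitimate internal one.
INITIAL: Marking = frozenset({
    ("internet", ("request", "untrusted"), 1),
    ("internal", ("request", "trusted"), 1),
})


def untrusted_data_access(m: Marking) -> bool:
    """The incident: an untrusted-colored token has reached the data domain."""
    return any(p == "data" and tok[1] == "untrusted" for p, tok, _ in m)


def analyze(safeguard: bool) -> Optional[List[str]]:
    """Root-cause trace for the modeled enterprise, with or without the countermeasure."""
    return reachable(INITIAL, build_net(safeguard), untrusted_data_access)


if __name__ == "__main__":
    print("pre-safeguard trace :", analyze(False))
    print("first-step diff     :", marking_diff(INITIAL, fire(build_net(False)[0], INITIAL, "untrusted")))
    print("post-safeguard trace:", analyze(True))
```

The returned trace is the shortest firing sequence leading from the pre-incident marking to the incident marking, which is the sequence of cross-domain interactions a post-mortem needs to explain; the diff of any two markings on that path states exactly which tokens moved between which domains. Guards are where safeguards are inserted, and re-running the search is the check that the countermeasure actually removes the path rather than merely lengthening it.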