SEI Advanced Incident Handling - Day 1


The Software Engineering Institute, part of Carnegie Mellon University, and the organization that comprises CERT, offers an Advanced Incident Handling (AIH) course that I am currently attending. SEI offers an educational and government discount, so I was able to afford the training despite fairly massive budgetary cutbacks at my employer. The AIH course has a prerequisite of either the Fundamentals of Incident Handling or comparable field experience. There are networking, systems administration, programming, and incident handling prerequisites as well, which I felt I qualified for after working in the field, so I skipped the fundamentals course.

The course is offered in several locations; I'm taking it in Pittsburgh at SEI. The class is being offered in the SEI building, which is right between CMU's and the University of Pittsburgh's campuses. The location is great, and the building is new. My only complaint with the facilities so far is that no wireless access is available, which means you're cut off from the internet during the day. Also, the location is a long way away from the airport, so expect a $40 cab ride in.

The class runs from 9 AM to 5 PM each day except the last, which ends at 3 PM. My class is being taught by Pete Sullivan, who is an excellent presenter and obviously has mastery of the subject matter. I was worried that the class might be more theoretical than technical after a quick glance through the syllabus, but the OSI model quickly made an appearance and allayed my fears. If you're not familiar with networking basics, a lot of the material may be difficult to grasp.

The first day covered reasons for having a Computer Security Incident Response Team (CSIRT) and the composition of such a team. There was a discussion of the need to write up an incident response strategy before a security incident developed and the stakeholders who should be involved (including non-technical staff). A distinction was made between "incident response," which generally connotes forensics, and "incident handling" which generally connotes all aspects of response. The course was said to cover incident handling, primarily.

The course then went through an overview of the Fundamentals of Incident Response materials. This included a review of CSIRT management issues. The issues ranged from the relationship between incident management and the CSIRT. We also went over requisite knowledge for incident handlers, including the import of information assets, a valuation usually derived from a risk assessment. The handler should also understand their mission as well as their role within the organization, including their alignment with information security.

We discussed the fact that incidents are guaranteed to happen and that plans should help determine response speed and efficiency in dealing with incidents. The class also covered strategies for an effective response as well as a definition for incident management. We discussed the need for an organization-wide response to a computer security incident. There was emphasis added to the fact that a complete incident response plan helps to clearly identify roles and responsibilities: to assign responsibility so that it could not be avoided, and to define responsibility so it could not be appropriated. This non-technical process is necessary to develop a consistent, repeatable, quality-driven, and measurable response that can be understood by all stakeholders.

The class covered preparedness as well as protection strategies, including acknowledging that there are "known unknowns" that must be accounted for. We also covered the integration of business continuity within incident handling. A distinction was made between incident management (which is a mixed technical and non-technical endeavor) and incident handling, which is a technical task. We also covered the difference between incident management and security management (which is an operational risk management activity).

We covered strategies for defining a CSIRT as well as typical CSIRT structures and composition. We defined the goals of incident management and appropriate CSIRT responses. Further, we discussed the definition of "incident" and how that relates to organizational response and CSIRT composition.

Next we covered critical information necessary for incident handling. This included questions to ask and information gathering necessary to an appropriate incident response.

The skills review covered log file analysis. This went over log file format as well as types of log files. The review also covered the basics of TCP/IP and timestamps. We also went over e-mail header formats and technical challenges to e-mail.

Finally, we reviewed privilege compromise (distinguished from a user account compromise as a compromise that led to attacker control of a system, root, or administrative account or process) and various compromise scenarios. This covered types of compromises and typical attack and compromise paths. We also went over post-compromise steps an attacker might take to elevate or maintain privilege, or escape detection. We discussed the challenges posed to responders in a privilege compromise and steps and strategies for responding to a privilege compromise.

The day concluded with an exercise that involved managing an incident based on e-mail communication between two disparate entities. The exercise was designed to highlight some challenges to response as well as common assumptions that could be pitfalls to response. The exercise also highlighted response and communication strategies between parties involved in an incident.

Overall, the first day was great. The volume of material was large, but the topics were pertinent and helpful. I had quite a few take-aways by the end of the first class that I could immediately and directly apply to my day-to-day operations (as well as a bunch of fancy new vocabulary :). Pete is a great instructor and could expound upon the subject as well as make it approachable. My colleagues in the class were professional and knowledgeable. Everyone was engaged and the material was extremely good. The massive binder we got full of the course material will definitely deserve some review after the class.