SEI Advanced Incident Handling - Day 2


The Software Engineering Institute (SEI), part of Carnegie Mellon University and the organization that includes CERT, offers an Advanced Incident Handling (AIH) course that I am currently attending. The course is offered in several locations; I'm taking it in Pittsburgh at the SEI. The class is being held in the SEI building, which sits right between the CMU and University of Pittsburgh campuses.

Day 2 of the Advanced Incident Handling class followed the same breakneck pace as Day 1. I should take this time to emphasize the quality and diversity of the other participants in the class. There are 11 students in the class who include folks from Allegheny Digital, CERT, the Japanese Army and Navy, the FBI training center in Quantico, VA, the British Ministry of Defense, and others. It's a very high quality group of peers, which helps the class flow and provides some very interesting sidebar discussions.

Day 2 covered rootkits and botnets primarily. Class exercises were designed to be more complex incident handling simulations in which investigation was more difficult and answers were less clear cut. We spent quite a bit of time covering the basics of rootkits on Windows and Linux/Unix, from their purpose and design to their content and behavior. We also looked at some well-known rootkits and at rootkit propagation, detection, and removal strategies. We then looked at botnets: how they are created, their typical purposes, and their impact on an organization and its network.

We ran through a total of four exercises on day 2. These were simulated incidents delivered to the participants, who played members of a fictitious organization's CSIRT. The initial exercises were fairly straightforward and escalated from coordinating communication between external complainants of malicious activity to and from an internal systems administrator, up to the last exercise which covered a spear phishing attack that compromised a host and potentially critical information that could lead to legal action. Not only did the complexity of the incidents increase, but their scope did as well. Each incident involves the same fictitious organization, and many are escalations of previous incidents.

The simulation exercises are perfect proving grounds for the material covered in the lecture modules. Running through the exercises helps to ground participants in the basics and reinforces rudimentary investigative skills and strategies. You learn to synchronize time between reporters, to develop accurate timelines, and to identify and verify all the principals in the incident, and we're beginning to learn how to document our incidents more and more carefully and thoroughly.

Day 2 again lacked wifi, but the food was much better than at any other training I've been to. Lunch was stuffed peppers, mashed potatoes, and salad. The conference center is great, and we got a clear day, so the walk to and from the training facility was actually pleasant. The small class size has given me a lot of opportunity to interact with the other participants and develop some valuable contacts that I'm likely to use later in my career.