SEI Advanced Incident Handling - Day 5

30 November -0001

The Software Engineering Institute, part of Carnegie Mellon University, and the organization that comprises CERT, offers an Advanced Incident Handling (AIH) course that I am currently attending. The course is offered in several locations, I'm taking it in Pittsburgh at SIE. The class is being offered in the SIE building, which is right between CMU and University of Pittsburgh's campuses.

Day 5 of the Advanced Incident Handling class followed the same breakneck pace. I would again emphasize the quality and diversity of the other participants in the class. There are 11 students in the class who include folks from Allegheny Digital, CERT, the Japanese Army and Navy, the FBI training center in Quantico, VA, the British Ministry of Defense, and others. It's a very high quality group of peers, which helps the class flow and provides some very interesting sidebar discussions.

Day 5 commenced with an exercise that involved preparing an executive report based on the findings of the weeks previous exercises. This report involved high level concerns such as institutional impact of incidents, cost to recover, and mitigation strategies that could be employed in the future. This exercise resulted in a power point presentation delivered to the "CIO" played by the course instructor. This exercise was by far the most instructive and valuable as it called upon not only analysis of previous incident exercises, but also very heavily on the team member's own background and experience.

Day 5 then covered publishing information and vulnerability handling. These were two of the most valuable modules in the entire course. They explored topics such as the goals and responsibilities of a CSIRT in releasing information to a constituency. We discussed decisions around what sorts of information to publish, sources of that information, topics that could or should be covered and other concerns. Publication is a valuable service, but we explored how policy, mission, and CSIRT service definitions govern publication. We talked about how to craft effective incident and vulnerability reports as well as methods for delivery. Determining your audience and crafting your message carefully is key. We went over how publications can be used to expand trust in a CSIRT.

Our discussion of vulnerability handling was an interesting one. Vulnerability handling is the CSIRT response to vulnerabilities that are discovered, both before and after exploits may become present. We discussed the goals of vulnerability handling: operational, research and education. We also went over vulnerability reports, which are similar in many ways to incident reports. We also went through vulnerability assessment and remediation including vulnerability remediation strategies.

Overall the SEI Advanced Incident Handling class was outstanding! I would highly recommend anyone with interest in the field look into training with SEI. I had a few practical lessons-learned that I'd like to list out here as well, for my own benefit as well as for folks who come after me:


  • The binder of material is very large - be sure to account for it in terms of space when packing or inquire about shipping to get the binder home.
  • Your colleagues are one of the best resources for the class, and as professional contacts. Take the time to exchange business cards with people and go out to dinner with your classmates.
  • The food provided is very good - you won't leave hungry.
  • Stay close to the training site - class can get exhausting and you don't want to have to walk too far.
  • If you're training in Pittsburgh keep in mind that the taxi trip from the airport can be very expensive
  • Bring a laptop, but don't expect wireless access in class. If you have a 3G connection you can use that though.
  • Be prepared for rain and cold - Pittsburgh is up in the mountains.