Friday, September 02, 2005

Request for Comments on CERT and SEI Training

I have been taking a closer look at training offered by the CERT® Coordination Center and the Software Engineering Institute. Six years ago, as an Air Force captain at the AFCERT, I enjoyed the Advanced Incident Handling for Technical Staff course. Now I may have a chance to teach or develop course materials for some of these courses. I am also considering the value of the CERT®-Certified Computer Security Incident Handler.

Has anyone attended any of these courses recently? If yes, what do you think of them? If no, why not? What alternatives have you considered or attended?


Sean said...

When I worked at the AFCERT I went to the Advanced Incident Handling for Technical Staff and thought it was OK. It didn't seem to focus on any minute detail, but rather was more of an overview of starting an IR team and creating policies and procedures. It didn't even really outline too great of a plan. However, it did go into how to write Vulnerability Advisories in more detail (that was needed after all the TCNOs I've written ;).

I believe it should be a more in-depth look at handling incidents and events from beginning until end, but leave room for individual organizations to develop it into their needs. For example, I always found that the Event Matrix was a good tool for analysts. It gave a more defined role in what actions should be taken for different types of categories of events. For a "real incident", then you can go through handling procedures, such as tracking and reporting (non-editable logs, etc.). You would want to do the forensics without getting into detail about specific OSes/architectures. I kind of go into a five-step plan with my handling, but it breaks down something like this:

I. Identification/Verification of Incident
II. Tracking incident (track incident in a DB or whatever IR tool you have, including as much info as possible)
III. Gather logs/images/etc. (update the tracking tool with all evidence you can find)
IV. Forensic work (i.e. check logs, images, etc. as needed) (again, updating the tracking tool)
V. Reporting (internally or externally as needed) (one more time, update the tracking tool to show close status and final conclusions to the incident)

It isn't perfect, but it does give a rough guide of things to accomplish and can be expanded a bit.
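As an added example (not code from the post or from Sean's comment), the five-step plan above modelled as an append-only, hash-chained tracking record in Python: each phase must be recorded in order, every update is appended to the record, and the chain makes the "non-editable log" requirement checkable after the fact. The incident id and notes are constructed sample values, and the class is illustrative rather than any real IR tool.

```python
import hashlib
import json
from datetime import datetime, timezone

# The five phases from the comment, in the order they must be completed.
PHASES = ["identification",  # I.   verify the event is a real incident
          "tracking",        # II.  open the incident in the tracking tool
          "evidence",        # III. gather logs, images and other evidence
          "forensics",       # IV.  analyse the collected evidence
          "reporting"]       # V.   report and record the close status


class IncidentRecord:
    """Illustrative only (not a real tool): append-only, hash-chained record of
    one incident. Editing or reordering an earlier entry breaks the chain."""

    def __init__(self, incident_id):
        self.incident_id = incident_id
        self.entries = []

    @staticmethod
    def _digest(entry):
        # Canonical JSON (sorted keys) so the same entry always hashes the same way.
        return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()

    def advance(self, phase, note):
        """Record completion of the next phase; phases cannot be skipped."""
        expected = None if self.is_closed() else PHASES[len(self.entries)]
        if phase != expected:
            raise ValueError(f"expected phase {expected!r}, got {phase!r}")
        entry = {
            "incident": self.incident_id,
            "phase": phase,
            "note": note,
            "time": datetime.now(timezone.utc).isoformat(),
            "prev": self.entries[-1]["hash"] if self.entries else "0" * 64,
        }
        entry["hash"] = self._digest(entry)   # hash covers every field above
        self.entries.append(entry)
        return entry["hash"]

    def is_closed(self):
        return len(self.entries) == len(PHASES)

    def verify(self):
        prev = "0" * 64   # walk the chain; any altered or reordered entry fails
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or self._digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True
```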