Advanced Incident Handling

This 5-day course, designed for computer security incident response team (CSIRT) technical personnel with several months of incident handling experience, addresses techniques for detecting and responding to current and emerging computer security threats and attacks that are targeted at a variety of operating systems and architectures.

Building on the methods and tools discussed in the Fundamentals of Incident Handling course, this course provides guidance that incident handlers can use in responding to system compromises at the privileged (root or administrator) level. Through interactive instruction, facilitated discussions, and group exercises, instructors help participants identify and analyse a set of events and then propose appropriate response strategies.

Participants work as a team throughout the week to handle a series of escalating incidents that are presented as part of an ongoing scenario. Work includes team analysis of information and presentation of findings and response strategies. Participants also review broader aspects of CSIRT work such as computer forensics, artefact analysis; vulnerability handling; and the development of advisories, alerts, and management briefings.

This course is part of the curriculum for the CERT-Certified Incident Handler program. Before registering for this course, participants are encouraged to attend the companion course, Fundamentals of Incident Handling.

World leading course

This course is presented in association with Axenic, a member of the SEI (Software Engineering Institute) Partner Network, Carnegie Mellon University. SEI is a recognised world leader and one of the most respected names in computer, software and security research, development and education. Other courses in this series are:

Fundamentals of Incident Handling
Creating a Computer Security Incident Response Team
Managing Computer Security Incident Response Teams

Learning outcomes

This Advanced Incident Handling course will help participants to:

• detect and characterise various attack types
• understand the complexity of and effectively respond to privileged and major events and incidents within your CSIRT
• gain a practical understanding of various methods for analysing artefacts left on a compromised system
• explore new developments in the area of computer forensics
• obtain practical experience in the analysis of vulnerabilities and the coordination of vulnerability handling tasks
• formulate effective advisories, alerts, and management briefings

Who should attend

• current computer security incident response team (CSIRT) technical staff with three to six months incident handling experience
• system and network administrators responsible for identifying and responding to security incidents

Course contents

• understanding issues and challenges in handling privilege compromise incidents
• detecting, analysing, and responding to various types of malicious activity such as the use of rootkits, botnets, and distributed denial of service attacks
• responding to insider threats and attacks
• handling major computer security events and incidents
• understanding the role of computer forensic analysis in incident handling
• performing artefact analysis
• understanding the fundamental causes of vulnerabilities
• analysing and coordinating response to reported vulnerabilities
• publishing effective CSIRT information

Course fees

This course is currently available for in-house presentation only.  Please contact us for further information.

Prerequisites

Before registering for this course, it is recommended that participants attend the Fundamentals of Incident Handling course. It is also recommended that participants have the following:

• at least three to six months of incident handling experience
• an understanding of Internet services and protocols
• experience with the administration of Windows and Unix systems
• an understanding of basic programming concepts
• experience with various types of computer security attacks, response strategies, incident handling tools

It is recommended but not required that participants also have experience programming in C, Perl, Java, or similar languages.

Materials

Participants will receive a course notebook and a CD containing the course materials.

Certificate of Completion

Participants will receive a SEI–CERT branded Certificate of Completion.

CERT-Certified Computer Security Incident Handler

SEI has available the CERT-Certified Computer Security Incident Handler (CSIH) certification program.  The awarding of the certification is upon application to SEI and is based on a combination of demonstrable experience plus performance in the CSIH certification examination.  For further details please refer to this link.