Advanced Incident Handling
This five-day workshop, designed for computer security incident
response team (CSIRT) technical personnel with several months of
incident handling experience, addresses techniques employed in
detecting and responding to current and emerging computer security
threats and attacks that are targeted against a variety of operating
systems and architectures.
Building on the methods and tools discussed in the Fundamentals of
Incident Handling workshop, this workshop provides guidance that
incident handlers can use in responding to system compromises at the
privileged (root or administrator) level. Through interactive
instruction, facilitated discussions, and group exercises, instructors
help participants identify and analyze a set of events and then
propose appropriate response strategies.
Participants work as a team throughout the week to handle a series
of escalating incidents that are presented as part of an ongoing
scenario. Work includes team analysis of information and presentation
of findings and response strategies. Participants also review broader
aspects of CSIRT work such as artifact analysis; vulnerability
handling; and the development of advisories, alerts, and management
briefings.
Audience
- current computer security incident response team (CSIRT) staff
- system and network administrators responsible for identifying and responding to security incidents
Prerequisites
Before registering for this workshop, it is recommended that participants attend the Fundamentals of Incident Handling workshop. It is also recommended that participants have the following:
- at least three months of incident handling experience
- an understanding of Internet services and protocols
- experience with the administration of Windows and UNIX systems
- an understanding of basic programming concepts and experience programming in C, Perl, Java, or similar languages
- experience with various types of computer security attacks, response strategies, and incident handling tools
Topics
- understanding issues and challenges in handling privilege compromise incidents
- detecting, analyzing, and responding to malicious code, distributed denial of service, and other common attacks
- understanding intruder toolkits
- handling major computer security events and incidents
- the role of artifact analysis in incident handling
- fundamental vulnerability causes
- vulnerability handling issues and processes
- publishing CSIRT information
- security case study
Objectives
This workshop will help participants to
- detect and characterize various attack types
- gain a practical understanding of various methods for analyzing artifacts left on a compromised system
- understand the complexity of, and effectively respond to, privileged and major events and incidents within their CSIRT
- obtain practical experience in the analysis of vulnerabilities and the coordination of vulnerability handling tasks
- formulate effective advisories, alerts, and management briefings