GCIH (GIAC Certified Incident Handler) – Part 1

Week 1

Back in July, I had the privilege of participating in my first SANS course and I would like to share some of that experience and my journey to certification which is a direct result.

As I prepared for SEC504, I have to admit that I wasn't sure what to expect. Anyone worth their salt in InfoSec knows that SANS is the most respected and far-reaching security education outfit anywhere, hands down.

I was lucky enough to have Mr. Jonathan Ham as an instructor, who is both incredibly intelligent and equally seasoned in our industry. The class itself was an awesome experience, complete with lab work and an amazing amount of information.

On the advice of everyone who has ever taken this exam, I'm painstakingly going back over ALL of the course material (6 books, 6 days…not kidding) and manually indexing all of it.

Some of my indexing so far has covered the stages of Incident Response, which I have committed to memory as PICERL…

P – Preparation: ensure that policies and procedures are laid out in advance, the team and tooling are in place, and all expectations are set before anything happens.

I – Identification: take appropriate steps to detect and confirm that an event is actually an incident, reducing false positives.

C – Containment: once an incident has been confirmed, stop it from spreading or doing further damage (isolating affected systems, for example) in a timely manner, while keeping the impact on production and other lines of business as small as possible.

E – Eradication, as cool as it sounds: find it, fix it, squash it. Remove the attacker's artifacts and foothold, and close the root cause that let them in so the same thing can't simply happen again.

R – Recovery: per your contingency plan, should the asset be wiped, rebuilt or just re-provisioned? The main goal here is to minimize the production impact, restore or replace affected computers, and verify they are clean before putting them back into service.

L – Lessons Learned: document what happened and what worked, and feed it back into Preparation. Don't let it happen again!


Hope everyone enjoys this little insight, I’ll try to keep current with this as I’m studying.