



SANS courses bring the best of the best to one place to learn cutting edge information.
-Jeremy Baca, LMIT at Sandia National Labs

SECURITY 504 - Day 1

Incident Handling Step-by-Step and Computer Crime Investigation

6 CPE Credits

NOTE: Includes access to the Virtual Training Lab


Securing an infrastructure is a complex task of balancing business needs against security risks. With new vulnerabilities discovered almost daily, there is always the potential for an intrusion. In addition to online intrusions, physical incidents such as fires, floods and crime all require a solid incident handling methodology to be in place so that systems and services can be brought back online as quickly and securely as possible.

The first part of the course looks at the invaluable Incident Handling Step-by-Step model. Incident Handling Step-by-Step was created through a consensus process involving experienced incident handlers from corporations, government agencies and educational institutions, and has been proven effective in hundreds of organizations. This section is designed to provide students with a complete introduction to the incident handling process, using the six steps (preparation, identification, containment, eradication, recovery and lessons learned) one needs to follow to prepare for and deal with a computer incident.

The second part of this course examines from-the-trenches case studies to understand what does and does not work in identifying computer attackers. This section provides valuable information on the steps a systems administrator can take to improve the chances of catching and prosecuting attackers.
  • Preparation
    • Building a Jump Kit
    • Identifying the Core Team
    • Instrumentation of the Site and System
  • Identification
    • Signs of an Incident
    • First Steps
    • Chain of Custody
  • Containment
    • Documentation Strategies: Video and Audio
    • Containment and Quarantine
    • Pull the Network Cable, Switch and Site
    • Identifying and Isolating the Trust Model
  • Eradication
    • Evaluating Whether a Backup is Compromised
    • Total Rebuild of the Operating System
    • Moving to a New Architecture
  • Recovery
    • Who Makes the Determination to Return to Production?
    • Monitoring the System
    • Expect an Increase in Attacks
  • Special Actions for Responding to Different Types of Incidents
    • Espionage
    • Inappropriate Use
    • Sexual Harassment
  • Incident Record Keeping
    • Pre-built Forms
    • Legal Acceptability
  • Incident Follow-Up
    • Lessons Learned Meeting
    • Changes in Process for the Future

504 was a great course to better enhance my understanding of attack methods and how to better defend my systems.
-Dustin Odsa, Indiana University

Training Events By Course

SECURITY 504 :: Hacker Techniques, Exploits and Incident Handling
Event | Location | Dates
SANS 2010 | Orlando, FL | March 06, 2010 - March 15, 2010
SANS CDI East 2009 | Washington, DC | December 11, 2009 - December 18, 2009
SANS Security East 2010 | New Orleans, LA | January 10, 2010 - January 18, 2010
SANS Security West 2010 | San Diego, CA | May 07, 2010 - May 15, 2010
Mentor Session - Security 504 | Sacramento, CA | December 07, 2009 - December 16, 2009
SANS London 2009 | London, United Kingdom | November 28, 2009 - December 06, 2009
Community SANS Ottawa 2010 | Ottawa, ON | March 22, 2010 - March 27, 2010
Community SANS Salt Lake City Winter 2009 | Salt Lake City, UT | November 30, 2009 - December 05, 2009
Community SANS Rome 2010 | Rome, Italy | February 01, 2010 - February 17, 2010
Community SANS Mexico 2010 | Mexico City, Mexico | March 22, 2010 - March 27, 2010
Mentor Session - Security 504 | Honolulu, HI | January 19, 2010 - March 23, 2010
Mentor Session - SEC504 | Houston, TX | January 14, 2010 - March 18, 2010
SANS Northern Virginia Bootcamp 2010 | Reston, VA | April 06, 2010 - April 13, 2010
Mentor Session - Security 504 | Greenwood Village, CO | January 08, 2010 - March 12, 2010
Mentor Session - SEC504 | Portland, OR | December 08, 2009 - February 23, 2010
Mentor Session - 504 | Slidell, LA | January 27, 2010 - April 07, 2010
Community SANS Colorado Springs 2010 | Colorado Springs, CO | March 08, 2010 - March 13, 2010
Community SANS Madison 2010 | Madison, WI | April 26, 2010 - May 01, 2010
Community SANS Honolulu 2010 | Honolulu, HI | May 03, 2010 - May 08, 2010
Mentor Session - SEC504 | Greentree, PA | January 05, 2010 - March 09, 2010
Pensacola 2010 | Pensacola, FL | January 25, 2010 - January 30, 2010
SANS vLive! - SEC 504 - Ed Skoudis and John Strand | Webcast Classroom Training, VA | May 04, 2010 - June 10, 2010
SANS Dublin 2010 | Dublin, Ireland | March 15, 2010 - March 20, 2010
SANS India 2010 | Bangalore, India | February 22, 2010 - February 27, 2010
SANS OnDemand | Online Training & Assessments | Anytime
SANS SelfStudy | Books and .MP3s Only | Anytime