In my last post I mentioned I will be speaking at another SANS IR event this summer. I just noticed a post on the ISC site titled
Incident Response vs. Incident Handling. It states:
Incident Response is all of the technical components required in order to analyze and contain an incident.
Incident Handling is the logistics, communications, coordination, and planning functions needed in order to resolve an incident in a calm and efficient manner.That's not right, and never was. I tried pointing that out via a comment on the ISC post, but apparently the moderators aren't willing to accept contradictory comments.
Incident response and incident handling are synonyms. If you need to differentiate between the role that does technical work and one which does leadership work, you can use incident response/handling for the former and
incident management for the latter.
Ten years ago I took a course at
CERT called
Advanced Computer Security Incident Handling for Technical Staff. The class covered technical methodologies for responding to and handling incidents. The successor to that class is
Advanced Incident Handling. Notice that CERT also offers the
CERT®-Certified Computer Security Incident Handler certification. To CERT, incident response and incident handling are synonyms. If anyone should understand incidents, it's CERT.
I think SANS is the organization that needs to examine how it uses the term incident handler or incident handling. The
GIAC Certified Incident Handler (GCIH) designation is 83% inappropriate. How do I arrive at that figure? If you review the day-by-day
course overview you'll see that only one day, the first, involves
Incident Handling Step-by-Step and Computer Crime Investigation. The next four days are Computer and Network Hacker Exploits, with the sixth day being an open lab. So, 5/6 of the class has little to nothing to do with incident response/handling.
This is a problem for three reasons. First, I have met people and heard of others who think they know how to "handle incidents" because they have the GCIH certification. "I'm certified," they say. This is dangerous. Second, respondents to the latest SANS 2008 Salary Survey considered their GCIH certification to be their most important certification. If you hold the GCIH and think it's important because you know how to "handle incidents," that is also dangerous. Third, SANS offers courses with far more IR relevance that that associated with GCIH, namely courses designed by
Rob Lee. It's an historical oddity that keeps the name GCIH in play; it really should be retired, but there's too much "brand recognition" associated with it at this point. If you want to learn IR from SANS, see Rob.
To be fair, the title for the course which prepares students for the GCIH is
Hacker Techniques, Exploits & Incident Handling. Putting IH at the end does list the subject in the proper context. I will also not deny that one should understand hacker techniques and exploits in order to do incident response/handling, but that knowledge should be its own material -- something to know
in addition to the skills required for IR. Also, track 504 is really good; I remember it fondly, before it had that label. The material is kept fresh and the instructors are excellent.
The bottom line is that incident handling and response are synonyms, and those who think they are certified to do incident handling and response via GCIH are kidding themselves.
Richard Bejtlich is teaching new classes in
Las Vegas in 2009.
Early Las Vegas registration ends 1 May.
Amazon.com just posted my four star review of Crimeware by Markus Jakobsson and Zulfikar Ramzan. Really, I'm not kidding. After a four month hiatus I'm posting book reviews. From the review:
