Any advice for an experience CF examiner getting into security/incident response?

Hello all,

I'm in law enforcement and have been a computer forensic examiner for the last 15 years. In addition I've worked part time in several consultant type roles. I've had my EnCE since 2004. I've had quite a bit of training in that time, mostly through Guidance Software, but also Access Data, FLETC, and some others. Most of it geared toward cold box and mobile forensics, although I did take the Network Intrusion Investigations course from Guidance.

I no longer want to work child victimization cases. That is about half of my current case load. In a little over a year I can retire (at least partially) but am still in my early 40's and would like to start working toward another career. I am interested in incident response and have a few contacts in this field. An ideal situation for me would be a position on a CIRT team. I've had a few interviews and discussion already and I feel that my knowledge in areas such as network protocols, malware analysis, etc., is lacking.

I would like to work over the next year toward some certifications to gain the knowledge and also demonstrate that knowledge to potential employers. I have looked at SANS and possibly pursuing their certificate program in incident response (4 classes). Obviously this is very expensive so I'm looking for advice on maximizing the benefit with fewer courses if possible.

Another option I looked at is the Software Engineering Institute at Carnegie Melon and taking some of their incident handling courses and pursuing the CERT-Certified Computer Security Incident Handler (CSIH) certification.

Any thoughts or insight you provide are greatly appreciated. Thank you!

Find more posts tagged with

Comments

LionelTeo

mc25a wrote: »

I would like to work over the next year toward some certifications to gain the knowledge and also demonstrate that knowledge to potential employers. I have looked at SANS and possibly pursuing their certificate program in incident response (4 classes). Obviously this is very expensive so I'm looking for advice on maximizing the benefit with fewer courses if possible.

GIAC course can be self study, and is relatively easy if you had the experience
http://www.techexams.net/forums/sans-institute-giac-certifications/100210-giac-certifications.html

YFZblu

SANS is the top-tier training for responders, and will get you started with response methodologies/frameworks; so you're on the right track there.

On the purely technical side, start on your weakest area by learning TCP/IP - That will be paramount. From there, you'll probably naturally find your way towards the Windows environment and understanding that ecosystem as it will be your workbench on CIRT engagements. As far as the malware analysis is concerned, you could begin by learning a scripting / programming language to get your feet wet, and move from there - Personally I learned Python and made my way down to C, and hopefully some assembly down the road; that way I can eventually perform initial analysis before handing things off to a reverser, who will do the heavy lifting. It's one thing to know how to write code, and a completely different arena to discover the capabilities of any given malware sample that has been obfuscated and features anti-analysis functionality - Reversing is an art in itself, and the average CIRT member will not be expected to do much of that.

As I'm sure you're aware, you have a huge leg up with your experience in forensics.

mc25a

Thank you both for your insight. As far as the SANS courses go, any specific recommendations or order of priority? I think I'll do self study for sec+ first. Then I've been considering FOR 508, SEC 504, and SEC 503. I think I can get a discount on the forensic track courses.

veritas_libertas

SANS has a suggested order for the Incident Response path: http://digital-forensics.sans.org/media/courses/forensics_curriculum.pdf. It starts with SEC504 (which is a great class by the way).