Profile from the front line - Don M., ISSO at a Virginia University
Each day when I get into work I start up two applications on my system before I begin the day's work. The first is my email client, and the second is an SSH window where I monitor our IDS on my secondary display (then I start up other applications as needed). Throughout the day, as alerts go by, something frequently catches my eye - a repeating pattern of alerts, the same address, or a victim system registering hundreds of alerts per second. I work for a large University - and the skills I have learned doing my GCIA and GCIH practicals are about to come to bear on systems on our network. For me, detection is the name of the game.
A typical scenario goes like this. A system generates hundreds of alerts in a short amount of time. Normally, I run a tcpdump trace for the offending system (ours or theirs) and monitor the IDS, while a second member of our group starts to track down the user (out of a possible 26,000 users on the network). Usually, by the time we have captured enough data to start analyzing the traffic - often using some modification of the GCIA ten-step practical approach - I have identified that the system is involved in some attack.
Next, I often search the IDS logs over the past day or two and perform a variety of data reduction techniques in order to determine "who talked with whom." I am going after "actionable intelligence" - that's the name of the game for me in a large, decentralized organization. Armed with enough information to make a judgment call I usually start leaning on the Incident Handling skills I developed from my GCIH practical process and begin to contain the incident by blocking the offending system(s), informing the user/system owner, and helping them to repair their computer. Oftentimes I scan the network looking for other victims. Here I am after "actionable work product" - clues and information that will aid and assist the user in getting back to normal. I have even gone so far as disconnecting the system from the network by disabling the port.
Next, after the action is taken, comes report writing. This is where I need to put words to paper that show the sequence of events. Many times I have written a three or more page report that merges several of the steps in Part Two of the GCIA practical with the Incident Handling process of the GCIH practical. At this point it's all about record keeping - because all too often I will be challenged on the decision that I made.
My name is Don - and I work for a Virginia University. Without the honed skills I learned by working through the GCIA and GCIH practicals my job would be a dozen times more difficult. Thanks SANS and GIAC for great education and the practical process - I am combat ready.
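The profile above describes two data-reduction steps without showing them: spotting a host that registers hundreds of alerts per second, and searching a day or two of IDS logs to work out "who talked with whom." The following script is an added example written for this page, not Don's code and not a SANS or GIAC tool. It assumes the IDS writes single-line Snort "fast" format alerts; the sample lines, the addresses (RFC 5737 documentation ranges), the local-range SIDs and the rule messages are all constructed for illustration.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample IDS output in Snort's single-line "fast" alert format.
# Addresses are documentation ranges, SIDs sit in the local-rule range
# (1000001+) and the messages are invented; this is not real traffic.
SAMPLE_ALERTS = """\
03/14-09:12:01.000101  [**] [1:1000001:1] LOCAL SSH scan (constructed) [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.77:41022 -> 198.51.100.10:22
03/14-09:12:01.000402  [**] [1:1000001:1] LOCAL SSH scan (constructed) [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.77:41023 -> 198.51.100.11:22
03/14-09:12:01.000710  [**] [1:1000001:1] LOCAL SSH scan (constructed) [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.77:41024 -> 198.51.100.12:22
03/14-09:12:01.001003  [**] [1:1000001:1] LOCAL SSH scan (constructed) [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.77:41025 -> 198.51.100.13:22
03/14-09:15:44.120000  [**] [1:1000002:1] LOCAL inbound MySQL probe (constructed) [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.5:50231 -> 198.51.100.10:3306
03/14-09:16:02.300000  [**] [1:1000001:1] LOCAL SSH scan (constructed) [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.77:41026 -> 198.51.100.14:22
this line is console noise, not an alert, and must be skipped
"""

# One fast-format alert: timestamp, [**], [gid:sid:rev], message, [**],
# optional classification/priority, {proto}, src:port -> dst:port.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)

Alert = Dict[str, str]


def parse_alert(line: str) -> Optional[Alert]:
    """Return the fields of one fast-format alert line, or None if it is not one."""
    m = ALERT_RE.match(line.strip())
    return m.groupdict() if m else None


def parse_alerts(text: str) -> List[Alert]:
    """Parse every alert in a block of IDS output, dropping non-alert lines."""
    return [a for a in (parse_alert(l) for l in text.splitlines()) if a]


def alerts_per_source(alerts: List[Alert]) -> Counter:
    """Total alert count keyed by source address."""
    return Counter(a["src"] for a in alerts)


def talker_pairs(alerts: List[Alert]) -> Counter:
    """'Who talked with whom': alert count per directed (src, dst) pair."""
    return Counter((a["src"], a["dst"]) for a in alerts)


def peers_of(alerts: List[Alert], host: str) -> Set[str]:
    """Every address on the far end of an alert involving host, either direction."""
    peers: Set[str] = set()
    for a in alerts:
        if a["src"] == host:
            peers.add(a["dst"])
        elif a["dst"] == host:
            peers.add(a["src"])
    return peers


def noisy_sources(alerts: List[Alert], threshold: int) -> List[Tuple[str, int]]:
    """Sources with at least `threshold` alerts overall, busiest first."""
    counts = alerts_per_source(alerts)
    hits = [(h, n) for h, n in counts.items() if n >= threshold]
    return sorted(hits, key=lambda x: (-x[1], x[0]))


def burst_sources(alerts: List[Alert], per_second: int) -> List[Tuple[str, str, int]]:
    """(source, second, count) wherever one source fired >= per_second alerts
    inside a single wall-clock second; the timestamp is truncated at the dot."""
    per_sec = Counter((a["src"], a["ts"].split(".")[0]) for a in alerts)
    hits = [(s, t, n) for (s, t), n in per_sec.items() if n >= per_second]
    return sorted(hits, key=lambda x: (-x[2], x[0], x[1]))


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS)
    print(f"{len(alerts)} alerts parsed")
    print("bursts (>=3 alerts in one second):", burst_sources(alerts, 3))
    print("noisy sources (>=3 alerts):", noisy_sources(alerts, 3))
    for (src, dst), n in talker_pairs(alerts).most_common():
        print(f"{src} -> {dst}: {n}")
    print("peers of 198.51.100.10:", sorted(peers_of(alerts, "198.51.100.10")))
```

Run it against a real alert file with `parse_alerts(open("alert").read())`; the thresholds are arguments, so the same functions serve both the "hundreds per second" burst check and the slower day-or-two talker review. Lines the regex does not recognise are skipped rather than raising, which matters when the file is interleaved with console noise.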