CERT-CSIH Domain #2: Event/Incident Detection

January 15, 2019 by Graeme Messina

Note: The CERT-CSIH certification is being retired on April 30, 2021. Browse current IT and security certifications.

“The SEI will be retiring this CSIH certification program and exam on April 30, 2021. After that date, the SEI will no longer process any candidate applications or certification renewals, it will no longer grant any new CERT CSIH certifications, and the CSIH certification exam will no longer be available for certification candidates. The SEI will maintain existing CERT CSIH certifications on the certified professionals list until they have expired.” — Software Engineering Institute at Carnegie Mellon University

The CERT-CSIH has multiple domains that need to be well understood if you are going to pass the exam. Just as we saw in our previous article relating to Domain #1 and its requirements, we will be taking a deeper look at Domain #2: Event/Incident Detection. This domain is more heavily weighted than the first one, and as such, there is more to learn and understand.

Below are the exam objectives and their weighting:

  • Protect Infrastructure 7%
  • Event/Incident Detection 17%
  • Triage & Analysis 28%
  • Respond 40%
  • Sustain 8%

Event/Incident Detection covers a whole host of different technologies and practices, so we will take a look at some common examples that you should be familiar with for the exam. Some of these concepts are probably already familiar to most candidates that are looking to certify their CSIH, so we won’t look at too much detail. We will focus on what the exam is looking to gauge in terms of your understanding and knowledge on the subject.

Event/Incident Detection

There are many different elements that go into this section of the exam, from monitoring event activity to creating reports in the aftermath of an incident. Even though the exam weighting is at 17%, there is still a lot of information to get through and to understand. We will look at each of the exam subheadings and then go into a little detail about what you could be facing in the exam.   

Monitor networks and information systems for security

This is a major part of the incident-handling job role. The main reason is primarily because the detection phase of an incident can mean the difference between a close call, and major damage to the business — both reputational and financial. Detecting suspicious behavior early means that any potential damage that might come about from such an attack is mitigated and disaster is averted.

System logs are generally monitored via a SIEM (Security Information and Event Management) system. This data can then be fed into a number of additional systems to generate real-time information about the state of the network, as well as any potential threats that need to be corrected before they become an issue. The CERT-CSIH will test your knowledge of best practices in the field so that you are able to demonstrate proficiency in monitoring and maintaining IT systems. You will also learn valuable skills, such as how to seek out and identify common threats so that you can respond to them quickly and effectively.

Analyze the data or indicators from the networks and systems being monitored

Once all of the critical information has been captured, it still needs to be analyzed. The analysis can be done in real time, but most of these deep level investigations are done after a breach or security event has occurred. The CERT-CSIH validates your abilities to search for suspicious activities within the log files and tests your abilities to identify indicators in data. These are crucial skills for incident response professionals and incident handlers that are hands on and proactive in their approach to cybercriminal defense.

Enter event/incident reports received from the constituency into the incident management knowledge base

Each organization has its own particular templates for event and incident reports, but there are a few fundamentals that should be present in any event/incident report. This information must be gathered and developed into a central incident management knowledge base that is accessible to all team members. This makes it very easy for similar incidents to help with combatting current threats, especially if the resolution of the issue is the same for both threats. As a certified CERT-CSIH professional, you will be expected to distill all of the most important information within an event/incident report and synthesize it into a single informative entry in the knowledge base.

Collect incident data and intrusion artifacts (e.g., malware, logs) to help mitigate incidents

Being able to gather evidence is important both during and after an incident, and the CERT-CSIH ensures that successful candidates are competent at doing just that. By collecting these artifacts and potential evidence, incident handlers are able to share this data and information with supporting teams.

These teams consist of threat hunters and forensics teams that are able to isolate specific malware instances and conduct rapid analysis operations. This helps to identify and counter specific threats if they are found and is a critical step in mitigating ongoing threats.

Perform initial, forensically-sound collection of images for forensic analysis and investigation

If a security event takes place and the affected parties need to press criminal charges or wish to investigate further with the help of the authorities, then forensic evidence collection methods must be adhered to at all times.

The CERT-CSIH tests standard collection methods and teaches candidates how to go about interacting with evidence in a forensically-sound manner without compromising the integrity of the proceeding investigations to follow. Incident handlers might find themselves as the initial response team members that are dealing with a threat, which makes every action that they undertake critical. Learning how to forensically image a system without compromising or corrupting evidence on the target information source is beyond critical, which is why it is such an important skill for CERT-CSIH professionals to have at their disposal.

Identify missing data or additional sources of information and artifacts

Incident handlers should be familiar with the operational environments that they are supporting. This is because there are sometimes subtle changes to a system’s file structure, or additional files or system artifacts that are pointing towards a far more serious issue.

Candidates must understand the basic operating system requirements of the systems that they are working on and must exhibit knowledge of how to document and query any suspicious changes to a system. Files that are missing, or files that have been added that are not usually present on a specific class or system type need to be treated with caution. The CERT-CSIH exam tests candidates and checks to see how proficient they are at identifying suspicious conditions in a system, as well as what the next steps should be in combating such a threat.


This domain covers a lot of different techniques, both practical threat detection and system monitoring. There is also quite a bit to understand about how reports are structured and put together, as well as how they are consumed by other members of the CSIRT and members of the business or organization that they are serving. This is all vital information for an incident handler and is important for the CERT-CSIH exam. More information and study material can be found here.


  1. CERT-Certified Computer Security Incident Handler Qualification Examination, SEI
  2. Benefits of the Computer Security Incident Handler Certification, SEI
  3. Webassessor, SEI
Posted: January 15, 2019
Graeme Messina
View Profile

Graeme is an IT professional with a special interest in computer forensics and computer security. When not building networks and researching the latest developments in network security, he can be found writing technical articles and blog posts at InfoSec Resources and elsewhere.