This course covers advanced topics in incident response coordination in daily operations and large incident management. In the focus area of incident response daily operations, the course will cover several topics in improving the social maturity of your incident response team to increase the effectiveness or your daily operations and sections on driving operations with data by selecting key performance indicators and presenting this information in a more impactful and efficient manner. The second focus area covered is the handling and coordination of large incidents. The course will cover how to manage large, high priority incidents more efficiently through data and project management, how to effectively remediate from these types of incidents through planning and perform proactive lessons learned to better protect, detect and response to incidents in the future.

Learners must understand incident response and technical ability in core incident response areas such as host forensics, malware analysis and/or network traffic analysis. Learner should have experience in handling an incident and be involved with daily incident response operations.

• Incident response team leads
• Senior incident responders
• Security operations managers
• Security operations team leads
• Managers of CSIRTs and SOCs
• Personnel who interactive with CSIRT’s or SOC’s on a daily basis

This class is for incident responders who want to learn more about handling breaches and best practices on daily incident response and operations. In the end apply what they learned and already know to responding to a capstone exercise involving multiple breaches. Ideally you would have taken all Cyber Fire courses and/or have day to day experience in incident response work.

• Know differences between systems thinking versus siloed analysis.
• Know what Multi team systems are.
• Know what social maturity of teams are.
• Able to map their team’s social maturity.
• Understand effective metrics and KPI’s for incident response operations.
• Generate dashboards showing of effective metrics and KPI’s.
• Understand decision making best practices in incident response.
• More effectively solve problems collaboratively
• Understand how to manage attention and focus over time for incident response operations.
• Know how to effectively communicate daily operations and large incident updates.
• Know how to better share team’s knowledge and create shared unique experiences.
• Understand best practices of Fly Away teams including personnel tools and usage of fly away kits.
• Effectively share incident and threat information during an incident and apply these concepts.
• Understand the importance of continually learning for your operations.
• Understand best practices of large incident management applied specific use cases.
• Know how to manage tasks and reporting for large incidents.
• Know how to best plan for remediation and recovery from an incident.
• Understand best practices for lessons learned and blameless post mortems.

We expect learners in the class to have the ability to perform forensic, network, log and malware analysis and have this tooling already setup on the systems they bring to this course. We will provide some centralized logging for analysis and the learners should be familiar with SIEMs such as Splunk and ELK