Incident Coordination 1

What to expect

Alerts are going off and your CISO asks, “What do we do?” Do we have an incident? Should we unplug the entire organization from the internet? Incidents require responses tailored to your situation, and responding poorly can lead to additional, unforeseen pain. In this course you will learn how to approach an incident in a calm, collected manner and respond effectively even as the world burns down around you.

Most responders are technically capable, but does your organization have the procedures, structure, and experience to handle an all-hands-on-deck incident? This course focuses on the Incident Response Lifecycle to prepare attendees to plan for and manage a cyber incident. You will gain an understanding of the data required to respond properly to an incident and how to recover when that data is not present. You will also learn how to coordinate between multiple technical areas to ensure an effective response. This course covers how to lead a team of deeply technical staff, translate their findings into presentations for leadership, and guide the overall response process.

Participants should have a basic understanding of incident response operations such as host forensics, malware analysis, and/or network traffic analysis as performed in day-to-day security operations. This course uses case studies and exercises to reinforce and build on concepts learned throughout the class. Participants will work in teams and will present findings from the case studies and exercises as executive-level briefings.

Technical content: intermediate

Audience

  • Incident response team leads
  • Senior incident responders
  • Security operations managers
  • Security operations team leads
  • Managers of CSIRTs and SOCs
  • Personnel who interact with CSIRTs or SOCs on a daily basis
  • ISSMs
  • CIOs, CISOs

Applicability

This class is intended to help IR personnel who are responsible for coordination and communication during incidents. Often the technical aspects of an incident work themselves out; it is the human side of an incident that can be frustrating. There are processes and best practices you can learn to help you navigate the maze of incident coordination and to create and execute an incident response plan. If you are a new or seasoned IT operations or security manager, or are called on to represent your team for communications, notifications, or coordination, this class is for you!

Objectives

  • Understand best practices for managing incident response efforts
  • Have familiarity with team dynamics in crisis situations
  • Understand standard reporting mechanisms, templates, and how to use them

Typical Agenda

Day 1

  • Course outline and overview
  • Introductions
  • Case Study
  • Incident response lifecycle
  • MITRE ATT&CK lifecycle and exercise
  • Incident response preparation and exercise
  • Incident response plan best practices

Day 2

  • Investigative process and exercise
  • Generating leads and indicators with a case study
  • Incident response communications exercise
  • Documentation best practices
  • Visualization, reporting and presentation

Day 3

  • Incident remediation
  • Data driven incident response operations
  • Incident response tabletop exercise
  • Improving incident response with social maturity in multi-team systems

Setup

A laptop is required, with an office productivity suite and a text editor installed.