Cybersecurity Incident Command with Gerard Johansen

Overview

  • Course Length: 16 hours
  • Support from expert instructors
  • Includes a certificate of completion
  • 12 months access to Cyber Range

The Cybersecurity Incident Command course is designed to provide students with the foundational concepts and techniques necessary to manage a cybersecurity incident.

The focus is on building knowledge and skills at the operational and strategic levels of incident response, such as crisis communications, crafting containment and eradication plans, and managing the various teams leveraged during an incident.

Students will first be exposed to incident command fundamentals. From here, they will be guided through the various stages of incident response activities such as properly scoping an incident response, addressing escalations, crafting a containment plan, removing the threat actor from the network, and returning to normal. Throughout this process, they will also be shown how to incorporate technical actions such as digital forensics and network modifications in response to an incident. In addition to the technical aspects, students will also be instructed to address the operational concerns in incorporating various business units such as legal, senior management, marketing, and facilities during an incident.

To reinforce these concepts, students will work through a realistic incident scenario during which they will be required to apply the concepts taught using the IRIS-DFIR platform and document templates.

Key Takeaways

Students will be guided through managing a cybersecurity incident through a combination of instruction and practical exercises that leverage IR tools and techniques. The focus will be on the specific decisions and actions that take place during an incident, how to coordinate strategic, operational, and technical teams, how to address crisis communications, and how to get the organization back to normal.

To put these concepts into a practical framework, a realistic scenario will be used throughout the course in which students will have to put into action key concepts such as assisting an executive committee with crisis communications or integrating digital forensic concepts into the IR process.

  • The critical role that the Cybersecurity Incident Commander plays
  • Managing the entire incident response process
  • Key actions and decisions that the IC needs to consider
  • Managing the various teams that are part of an incident response
  • How to leverage applications and IR templates to capture key data points
  • Getting back to normal operations
  • Properly documenting and closing out an incident

Who Should Take This Course

This course is geared toward security operations, incident response, or security managers who may have to assume responsibility for handling cybersecurity incidents. Other cyber defenders who have roles or responsibilities associated with cybersecurity handling will gain value as well.

Note: This will not be a technically heavy course, and even junior-level security operations personnel or novices will gain value.

Audience Skill Level

Students should have a basic understanding of security operations and digital forensics. Further, they should be comfortable preparing short PowerPoint briefings and working in software applications.

System Hardware Requirements:

  • Supports VMware
  • VirtualBox

Host Configuration and Software Requirements:

Students will be provided an OVA file containing a Linux system with the incident management application IRIS-DFIR. Students will need a version of either VMware or VirtualBox.

Course Categories:

Incident Response