SC190: Information Security Incident Management

Agenda:

• Fundamentals and first response
  • Presentation of a multi-stage attack on an information infrastructure
  • Interaction between attack and defense
  • Significance of the timeline for rapid incident detection
  • Principles and guidelines of IR management
  • Establishment of a reliable escalation chain and first response
  • Introduction of a fast response concept based on the roles first responder, SIRT and emergency response team
    
    
• Forensics and incident handling in practice
  • Live demo of attacks on Windows and Linux machines
  • Triage process by IT ops and downstream SOC and CSIRT
  • Sec ops forensics 1: Searching for traces in Windows machines
  • Sec ops forensics 2: Searching for traces in Linux machines
  • Sec ops forensics 3: Searching for traces in OT
  • Remediation of infected systems
  • Workshop: working with playbooks and runbooks in a self-hosted emergency system
  • Malware and ransomware analysis: typical traces, behavior, Indicators of Compromise (IoCs)
    
    
• Network attacks and escalation:
  • Attacks on the network from outside and inside
  • The significance of delivery and command&control servers
  • Sec ops forensics 4: Searching for traces in distributed LDAP and AD services
  • Sec ops forensics 5: Searching for traces in networks and firewalls
  • Sec ops forensics 3: Detection of ICMP/DNS tunnels and backdoors
  • Best practices and validation of attack sources
  • Roles and functions in incident management: Interaction of first responder, incident manager, SIRT, IT ops and emergency response team
    
    
• Advanced topics, exercises and collaboration with external partners:
  • Individual deep dive of topics from modules 1-3
  • Practical exercise: handling of security incidents
  • Experience exchange
  • Collaboration with external situational extensions such as cyber insurers, forensic service providers and criminal investigators
    
    
• For in-house training/closed courses that take place online, we are happy to accommodate your individual scheduling requirements. We can conduct the course over 4 days with 4 hours each instead of two days with 8 hours each. Contact us!
  
  

Objectives:

After completing the workshop, you will be able to identify security incidents and disruptions and initiate appropriate measures to restore operations as quickly as possible. You will gain in-depth understanding and learn primarily the implementation and operation of an Information Security Incident Management process.

Furthermore, you will learn current best practices from fast-response concepts, structured work with playbooks and runbooks, as well as malware and ransomware analysis. You will practice collaboration with internal and external roles to remain confidently capable of action even in complex incidents.

Target audience:

The training SC190 Information Security Incident Management is targeted at:

• Information Security Officers
• IT Operations Managers
• Incident Managers
• Process Owners

Prerequisites:

To be able to follow the course content and learning pace of the workshop SC190 Information Security Incident Management effectively, you should bring prior knowledge from the following areas:

• Basic knowledge of information security
• Knowledge of day-to-day IT operations business

Description:

Most incidents start out quite innocently. A user opens a ticket, and after a while, the help desk addresses the problem. Then the technician gets nervous, informs his boss—and the boss gets nervous too.

Is it an attack or a bug – what effects and damage can be expected, and what measures should be taken now? You will learn this and more in this workshop, which is divided into four sections:

• Incident detection and general principles of fault and incident acceptance
• Detecting attacks on the network
• Incidents with clients and servers
• Workshops and exercises in which you consolidate and practice what you have learned

The addition of modern topics such as malware and ransomware analysis, fast response concepts, and the use of playbooks/runbooks in a self-hosted emergency system makes the course even more practical and gives participants the confidence to respond methodically and purposefully even in stressful scenarios.