The “response” is and organized approach to addressing and managing the aftermath of a security breach or IT incident. The goal is to handle the situation in a way that limits damage and reduces recovery time and costs. The response should also correspond to the priority of the incident and the risk to the organization.

Comsec’s incident response training workshop will teach your team about the Incident Response Life Cycle that guides the Incident Response Team on what actions they should take during certain incidents. The life cycle is divided into mandatory phases in which the Incident Response Team must go through.

We are confident that our tailored training sessions, as described below and carried out by Comsec’s team of experts, will help to improve and maintain a high degree of security for your organization needs.

Syllabus

Intractive theoretical lectures and hands-on lab. Length: 2 days

Day 1:

1. Introduction to Incident Response – In this chapter, we will start with going over the concepts of incident response as a policy and process. In addition, we will discuss what cyber attacks are and why they occur. Finally, we will review a well-known incident briefly to see how it was handled.
2. Incident Response Lifecycle – The core part of being an incident responder is to understand the incident response workflow and the attack’s sequence (a.k.a. execution chain/kill chain). It’s important that your incident response team knows how to categorize each step in the attack and follow the correct stage in the incident response life cycle.In this section, the class will discuss the response flow for different attack scenarios given in the class as well as understanding the kill chain process.
3. Incident response lifecycle

Prepare

The participants will be presented with measures to ensure that effective preparations take place, prior to security incidents occurring.

• Incident handling team duties and responsibilities
• End users and analysts training basics
• Login banners and warning messages concepts
• Incident handling documentation
• Backups activities

Identify

• Incidents identification practices by various stakeholders, including end users or even clients
• Incident declaration, and team assembly
• Key system files, records preservation
• Detailed incident documentation

Contain

• System information basic analyze, including key files, backups of the compromised machine for later forensic analysis
• Powering off machines vs. LAN disconnection discussion

Eradicate

• The use of boot CDs to access data on compromised machines
• Rebuilding machines images
• Backups testing, prior to deployment
• Documentation procedures

Recover

• Systems post-incident retest
• Customer notification – concerns, policies, practice
• Monitoring for security incidents

Review

• Final reporting and event review, describing the incident and how it was handled using the Incident reporting form

Following the training session, students will conduct an investigation on a given use-case for malware and lateral movement attacks. As part of the exercise, students will implement the entire incident response methodology by using different tools to investigate and analyze the entire kill-chain as an overview.

Day 2:

Forensics in Support of Incident Response – As digital forensics in an integral part of incident response, this unit allows the students to understand the basic approach of forensic investigation during an incident, from golden rules to actual practice. During this session the students will exercise the basic static and dynamic analysis of suspicious files and more.