Advanced Topics in Incident Handling
This four-day course, designed for cybersecurity incident management and security operations center (SOC) technical personnel with several months of incident handling experience, addresses techniques for detecting and responding to current and emerging cybersecurity threats and attacks.
Building on the methods and tools discussed in the Foundations of Incident Management course, this course provides guidance that incident handlers can use in responding to more complex threats and attacks, including persistent threats. Through interactive instruction, facilitated discussions, and group exercises, instructors help participants identify and analyze a set of events and then propose appropriate response strategies. This course was updated over the 2022-2023 timeframe.
Participants work as a team throughout the week to handle a series of escalating incidents that are presented as part of an ongoing scenario. Work includes team analysis of information and presentation of findings and response strategies. Participants also review more advanced types of activities related to incident handling such as threat hunting, artifact and malware analysis, vulnerability handling, major or crisis events, and publishing and communicating information.
This CERT incident management course adds additional expertise for understanding incident handling and related practices and functions. Before registering for this course, participants are encouraged to attend the companion course, Foundations of Incident Management.
- current cybersecurity incident management capability and security operations center (SOC) technical staff with six or more months of incident handling experience
This course will help participants to
- detect and characterize various attack types
- develop a strategy for analyzing and responding to complex or major events and incidents within your organization
- comprehend various methods for analyzing artifacts left on a compromised system and issues involved with such analysis
- develop and execute cyber threat hunting goals, searching, and analysis
- obtain practical experience in the coordination of vulnerability handling tasks
- formulate and deliver effective publications and communications such as advisories, alerts, after-action reports, and management briefings
- incident handling lifecycle and critical information review
- new technologies and impacts on incident handling and mitigation (new module)
- discussion of blockchain for incident handlers (new module)
- discussion of advanced persistent threats
- artifact and malware analysis categories and techniques overview
- threat hunting processes and critical thinking (updated module)
- fundamental causes of vulnerabilities
- vulnerability handling overview, including vulnerability disclosure
- analyzing and coordinating response to major cybersecurity events and incidents
- developing and delivering effective communications
The course may be delivered virtually or in-person. In either case, materials will be provided to participants digitally through the SEI Learning Management System (LMS). Participants will be expected to download the materials and either print them or bring their laptop or mobile device with the materials on them. If laptops or other devices are brought, they may only be used during course lectures and exercises for course work.
Before registering for this course, it is recommended that participants attend the Foundations of Incident Management course or have equivalent experience. It is also recommended that participants have the following:
- at least six months or more of incident handling experience
- an understanding of Internet services and protocols
- familiarity with netflow and other network traffic analysis
- experience with various types of cybersecurity attacks, response and mitigation strategies, and familiarity with incident handling tools
It is recommended but not required that participants also have experience programming in C, Perl, Java, or similar languages.
1 - Day Course
This one-day course is designed for managers and project leaders who have been tasked with implementing a computer security incident response team (CSIRT) or similar capability. This course provides a high-level overview of the key issues and decisions that must be addressed in establishing an incident management capability. The course can also be...Learn More
4 - Day Course
This four-day course provides foundational knowledge for those in security-related roles who need to understand the functions of an incident management capability and how best to perform those functions. It is recommended for those new to incident handling or security operations work. This course was recently updated in September 2022, including a...Learn More
3 - Day Course
This three-day course provides current and future managers of computer security incident response teams (CSIRTs) with a pragmatic view of the issues that they will face in operating an effective team. The course provides insight into the work that incident management staff and managers may be expected to handle. The course also provides...Learn More
Training courses provided by the SEI are not academic courses for academic credit toward a degree. Any certificates provided are evidence of the completion of the courses and are not official academic credentials. For more information about SEI training courses, see Registration Terms and Conditions and Confidentiality of Course Records.