icon-carat-right menu search cmu-wordmark

Advanced Topics in Incident Handling

This four-day course, designed for cybersecurity incident management and security operations center (SOC) technical personnel with several months of incident handling experience, addresses techniques for detecting and responding to current and emerging cybersecurity threats and attacks.

Building on the methods and tools discussed in the Foundations of Incident Management course, this course provides guidance that incident handlers can use in responding to more complex threats and attacks, including persistent threats. Through interactive instruction, facilitated discussions, and group exercises, instructors help participants identify and analyze a set of events and then propose appropriate response strategies. This course was updated over the 2022-2023 timeframe.

Participants work as a team throughout the week to handle a series of escalating incidents that are presented as part of an ongoing scenario. Work includes team analysis of information and presentation of findings and response strategies. Participants also review more advanced types of activities related to incident handling such as threat hunting, artifact and malware analysis, vulnerability handling, major or crisis events, and publishing and communicating information.

This CERT incident management course adds additional expertise for understanding incident handling and related practices and functions. Before registering for this course, participants are encouraged to attend the companion course, Foundations of Incident Management.

Audience

  • current cybersecurity incident management capability and security operations center (SOC) technical staff with six or more months of incident handling experience

Objectives

This course will help participants to

  • detect and characterize various attack types
  • develop a strategy for analyzing and responding to complex or major events and incidents within your organization
  • comprehend various methods for analyzing artifacts left on a compromised system and issues involved with such analysis
  • develop and execute cyber threat hunting goals, searching, and analysis
  • obtain practical experience in the coordination of vulnerability handling tasks
  • formulate and deliver effective publications and communications such as advisories, alerts, after-action reports, and management briefings

Topics

  • incident handling lifecycle and critical information review
  • new technologies and impacts on incident handling and mitigation (new module)
  • discussion of blockchain for incident handlers (new module)
  • discussion of advanced persistent threats
  • artifact and malware analysis categories and techniques overview
  • threat hunting processes and critical thinking (updated module)
  • fundamental causes of vulnerabilities
  • vulnerability handling overview, including vulnerability disclosure
  • analyzing and coordinating response to major cybersecurity events and incidents
  • developing and delivering effective communications

Materials

The course may be delivered virtually or in-person. In either case, materials will be provided to participants digitally through the SEI Learning Management System (LMS). Participants will be expected to download the materials and either print them or bring their laptop or mobile device with the materials on them. If laptops or other devices are brought, they may only be used during course lectures and exercises for course work.

Prerequisites

Before registering for this course, it is recommended that participants attend the Foundations of Incident Management course or have equivalent experience. It is also recommended that participants have the following:

  • at least six months or more of incident handling experience
  • an understanding of Internet services and protocols
  • familiarity with netflow and other network traffic analysis
  • experience with various types of cybersecurity attacks, response and mitigation strategies, and familiarity with incident handling tools

It is recommended but not required that participants also have experience programming in C, Perl, Java, or similar languages.

 

IMPORTANT NOTICE:

Carnegie Mellon University/Software Engineering Institute offices will be closed for winter break, December 21, 2024-January 1, 2025. SEI course registrations received during this period will be confirmed and enrollment completed upon our return on January 2, 2025.

Course Questions?

Email: course-info@sei.cmu.edu
Phone: 412-268-7388

Related Courses

Creating a Computer Security Incident Response Team

Cybersecurity Center Development, Cyber Workforce Development

This one-day course is designed for managers and project leaders who have been tasked with implementing a computer security incident response team (CSIRT). This course provides a high level overview of the key issues and decisions that must be addressed when establishing a CSIRT.

Learn More

Foundations of Incident Management

Cybersecurity Center Development, Situational Awareness

This four-day course, recommended for those new to incident handling or security operations work, provides foundational knowledge for those who need to understand the functions of an incident management capability and how best to perform those functions.

Learn More

Managing Computer Security Incident Response Teams

Cybersecurity Center Development, Cyber Workforce Development

This 3-day course provides current and future managers of computer security incident response teams (CSIRTs) with a pragmatic view of the issues that they will face when operating an effective incident response team.

Learn More

Training courses provided by the SEI are not academic courses for academic credit toward a degree. Any certificates provided are evidence of the completion of the courses and are not official academic credentials. For more information about SEI training courses, see Registration Terms and Conditions and Confidentiality of Course Records.