Just over a year ago I was launched the BETA of the MGT553 2-day Cyber Incident Management Course with the SANS Institute. The MGT553 course was originally developed in response to a Law Enforcement request to help them train their staff to better support major incidents that are regularly hitting large and small organisations.

I think what we built was unique in the market, and content wise, full of real-world cases and examples -- well I have been doing this for a while (my LinkedIn profile). The course sold well especially OnDemand and as it was written during COVID with that modality in mind.

The problem we had was the two-day limit - so sorry if you were in one of my classes that ran past 5pm. However, just over six months after MGT553 went into full production I was asked to expand it to five days! So if you wondered why I've been quiet on here, I've been writing 3 days of courseware and 18 new labs(!)

The new course, now branded under the Leadership abbreviation LDR (LDR553) being five days allows us to expand out some important topics (staff development and training) and to deep dive into lots of different incident types.

Below, I'll outline some of the new elements and to explain some of the design choices made.

Changes over MGT553

As you can imagine the main change is having the extra three days which has allowed me to bring some great new elements to the course. I'll touch on a few of the big additions in this post and over the coming months I'll pick out some others to highlight.

Team Development and IM Training - this was at the end of an already busy session two, but we have moved it to session three and have expanded it to talk about how to build good exercises and how to have fun with them. We cover how plan your exercises and how to run some great Table Top eXercises (TTXs) with almost no props and only about 30 mins planning.

So what new stuff did we add? Well..... here's some of the bigger chunks:

Cyber Threat Intelligence (CTI), is common place in many SOC/IR teams, but outside of these security teams awareness is generally low. As a result, CTTI is often that untaped resource in terms of incident support. So we look at what CTI can provide before and during incidents. So when you call for help they have templates of what they can do and how.

I've found that by considering what you might need before an incident you can get the CTI staff draft some glossy one-pager guides on Tactics, Techniques and Procedures (TTPs) used by the threat actors CTI are tracking as most likely to hit your organisation. This means you are super prepared with a quality product you can share with Execs and IM teams to inform them about their current adversary.

Timing wise we positioned this module before Supply Chain Attacks as many's-a-time my team has been tasked to undertake some Open Source Intelligence (OSINT) analysis of our partners to see if we can learn more about their just-notified attack and/or the attacker.

But some of you are probably thinking:

"Steve, in an supply chain attack there is no IR/IM work to do, what you covering?"

Well, I'm glad you asked!

Communication is an underlying theme on this course and a Supply Chain Attack is probably the pinnacle: Here, our goal is to assess the supplier notifications, comprehend the associated impact, and solicit further details as required. To support this we look at planning communications with suppliers (assuming that an opportunity for direct dialogue arises) and possibly leveraging our relationship (contractual and personal) to get the most information possible and the assurances we need for our execs (whom will then need briefing).

The accompanying Supply Chain Attack labs are fun, real-world-level frustrating and built upon actual cases. As we battle some of the tactics deployed by vendors to avoid direct answers we hope to equip students with the ability to identify such techniques but also allows us to try to defeat them, or at least learn these dark ways incase they need to stall in the future.

Having dealt with numerous instances of Business Email Compromise (BEC), I included a comprehensive module on these financially devastating attacks. By delving into the origins of such attacks and analysing the six distinct types of BEC, attendees have a deeper understanding of the attack's origins and can potentially support Legal as they work to allocate responsibility for ensuing financial losses. Our lab exercises have a captivating head-scratcher scenario inspired by real-life cases that make them my personal favourite.

Ransomware is a big subject and something that is probably one of the top risks for most businesses and because it leverages many of the issues we cover throughout the course we put this at the end. In this longer module we consider the stages of a ransomware attack, the relationship between Ransomware as a Service (RaaS) operators, Initial Access Brokers and Credential Theft attackers as well as the parts they play.

As we are not a technical course (try Ryan Chapman's Ransomware for Incident Responders course (FOR528) for that), we will look at the decisions/options that Execs will want to have, the types and volume of information they will need to make those decisions and how you get better at responding.

We'll dig into the sorts of things you want to be fast at for the the Golden Hour from initial impact and the challenges and goals for the first 24 hours. We will then review several public ransomware cases to see where things when wrong for the victims and if their response was the best course of action.

The Capstone lab is a time-sensitive high stress one that we believe will work both live in person, LiveOnline and OnDemand the main thing that will change is the number of people on you team and thus the level of work you will need to complete to be the best.

Sharing Experience

One of the different approaches we will be trying on this course is the use of open Polls to let people see how others think. As we go through the course and labs we will pose questions as we would in class about different aspects of incidents, labs and hot topics. To link Live, LiveOnline and OnDemand students we will use open polls where we pose a question, students go to a site and answer the question (the Poll) and after voting they get to see how others have voted. This will hopefully allow people to see if their thinking aligns with that of others.

Availability and Formats

We are launching the LDR553 in a BETA at the October London conference and in early 2024 it should be available on general release and OnDemand.

We haven't worked out the dates of the 2024 teaches, but given SANS finds the Hybrid (Live in person and LiveOnline) formats popular, I believe all teaches will be in this format. Location wise, I'm hoping to teach in the US and EU/APAC on alternative months to enable people to get to a Live in person event within a reasonable traveling distance.

Tune In To My Webcast

1. On Wednesday, 13 September at 10 am ET | 1400 UTC | 1500 BST I am hosting a new webcast and would love to have you join me. You came with that plan? You’re braver than I thought! will look at how to start running some fun IR incidents that you can scale super easily. We'll look at how you optimise inter-team relations and start to significantly reduce your response and decisive reaction times.

Learning Objectives:

• Learn how to develop Fun Tabletop Exercises
• Learn how to easily set low cost up quick technical artifacts for exercises
• Understand who else can get involved for key incident experience
• See how to develop a 6-month exercise plan to mature selected team aspects

Registration is free. If you cannot make it at the scheduled time, you can still register and download the slides and view the recording afterwards.

Wrap up

So there you go, that's a high level summary of some of the key changes we introduced when we developed LDR553. I think it's a solid base, I've been able to include the common attacks that impact all organisations, so students will be prepared to develop and improve their organisations to better detect, respond and recover for major attacks and incidents.

A reminder that the October course is a BETA (it's a reduced price as this is the first classroom run of the course), some things might not run to plan like class timings, but they should be close. Offered in Live in Person and LiveOnline at the October Event in London it will be a hoot. The post BETA class will not start until about February 2024 and the OnDemand version will probably not be until about February/March 2024.

I'd love to see you at the BETA, but hurry, it's only been announced two days and already it's selling well. There is about £1500 discount (1800 Euros) over the regular price.

Learn more about LDR553: Cyber Incident Management.