
LDR553: Cyber Incident Management™

GIAC Cyber Incident Leader (GCIL)
  • In Person (5 days)
  • Online
30 CPEs

If you are worried about leading or supporting a major cyber incident, then this is the course for you. LDR553: Cyber Incident Management focuses on the non-technical challenges facing leaders in times of extreme pressure. Whilst you may have a full team of technical staff standing-by to find, understand and remove the attackers, they need information, tasking, managing, supporting, and listening to so you can maximize their utilization and effectiveness. We focus on building a team to remediate the incident, on managing that team, on distilling the critical data for briefing, and how to run that briefing. We look at communication at all levels from the hands-on team to the executives and Board, investigative journalists, and even the attackers. This course contains nine (9) case studies for hands-on learning.

What You Will Learn

Open in Case of Emergency

While you can't predict when a major cyber incident will hit your organization, you can control how ready you are to face it. In the aftermath, when incident response teams are engrossed in unraveling the attacker's moves within your networks, they often find themselves overwhelmed. This is where your incident management team steps in, taking charge of managing findings, communications, regulatory notifications, and remediation. With a multitude of tasks and challenges on their plate, many are unseasoned and unprepared for the magnitude of responsibilities.

This course equips you to not just be a member of the incident management team but a leader or incident commander. It ensures a comprehensive understanding of the immediate, short, and medium-term issues an organization might encounter. Beyond familiarizing yourself with the terminology, you'll grasp preparatory actions at different stages to stay ahead of the situation. LDR553 is designed for efficient management of diverse incidents, with a primary focus on cyber, yet its methodology, concepts, and guidance are applicable to various regular major and critical incidents.

"Great insights, examples and relevant tools. I applied the 3rd party incident tool within minutes to an ongoing 3rd party incident. So I can't dream of a more relevant and useful course than this." - Jonas Roos Christense, Copenhagen Airports

What Is Cyber Incident Management

Cyber Incident Management (IM) sits above Incident Response (IR) and is tasked with managing incidents that grow too big for the Security Operations Center (SOC) and IR. These tend to be the larger or more impactful incidents that IR is not scaled to handle, because they require significant liaison with internal and external partners to coordinate the investigation, forensics, planning, recovery and remediation, and to brief corporate comms, C-level staff and the board as needed. Less technical and more business focused, the IM team takes the output from IR and relays it to the necessary teams while coordinating the wider investigation, hardening, hygiene and impact assessment as it plans towards recovery. A strong IR lead may fulfill the IM role, but during critical incidents IR staff are often shoulder deep in malware, systems, logs and images, to the point where every technically capable IR person is kept focused on technical tasks. In short, IM is business focused and IR is technically focused.

Business Takeaways

This course will help your organization:

  • Cultivate a workforce adept at leading or contributing to cyber incident management teams.
  • Streamline incident management processes for quicker resolutions.
  • Identify and bridge gaps in security incident plans and response strategies.
  • Elevate the performance of security incident teams to meet evolving challenges.
  • Strategically plan and navigate through high-stakes attacks, including email compromise and ransomware, fostering a resilient response framework.
  • Promote seamless collaboration between technical and non-technical teams during incident response for a more integrated approach.
  • Instill a culture of continuous improvement, leveraging lessons learned from incidents to refine future response strategies.
  • Proactively integrate threat intelligence to anticipate and mitigate potential threats before escalation.
  • Provide guidance on regulatory compliance and have an awareness of legal considerations, ensuring incident responses align with relevant laws and standards.

Skills Learned

  • Categorize and scope incidents correctly and set the resulting incident management team's objectives
  • Design, draft, proof, release and control all communications when managing a serious incident
  • Manage a team under extreme pressure and to recognize the natural human responses that will emerge and what they mean
  • Lead the team, win the confidence of the execs and exceed the expectations of everyone involved
  • Calculate, coordinate, and execute both system and data counter compromise activities
  • Strategize and respond to ransomware incidents including how to develop exercises and training around these devastating attacks
  • Structure, manage, and deliver briefings to the team, execs and senior leadership or the board
  • Organize the transition from active incident to business as usual and how to execute that plan
  • Prepare, setup and run cyber incident management exercises

Hands-On Cyber Incident Management Training

LDR553 uses case scenarios, group discussions, team-based exercises, and in-class games to help students absorb both technical and management topics. We follow along as a fictitious company deals with a network breach from start to finish.

Section 1: Reviewing the initial incident briefing, capturing initial information and generating initial tasks; setting the objectives for the IM team; crisis communications: briefing the executives.

Section 2: Dealing with the attackers; drafting public statements; crisis communications: briefing the wider team; prioritizing data and system remediation planning; conducting root cause analysis.

Section 3: Reviewing organizational exercise requirements, planning a Hot Seat exercise and running a tabletop one; incorporating Cyber Threat Intelligence into the team; dealing with 3rd party incidents or a compromised supply chain; the benefits, needs and risks associated with a Bug Bounty program.

Section 4: How to present timelines to an audience, remediation plans and strategies; cloud attacks, Business Email Compromise (BEC) and how to investigate it; host and management plane cloud compromise incidents.

Section 5: Bringing more bad news to the public; AI for IM, leveraging LLMs (ChatGPT) for IR support; understanding the ransomware lifecycle and how to manage the impacts; Disaster Recovery (DR) planning; review of the course ahead of the capstone exercise.

"It was awesome to have the opportunity to apply existing and newly-learned skills to the labs. It was obvious that a significant amount of time had been invested in these." - Andrew Kempster, DXC Technologies

"The hands-on experiences and assignments have been exceptional and have significantly contributed to my learning experience." - Ben Radford, Law and Order

"The labs were perfect. Today's capstone exercise brilliantly brought together the elements we had learned, adopting tools to help deliver the products required. And whilst its goal was to deliver the final exercise of the course it really has sparked the imagination of everything we can do with what we have learned. Excellent work." - Lee T., Law Enforcement

Syllabus Summary

  • Section 1 - Scoping, defining, and communicating about the incident.
  • Section 2 - Damage control, reporting the incident, analysis of and closure of the incident.
  • Section 3 - Developing & running exercises, supply chain incidents, Cyber Threat Intel and bug bounties.
  • Section 4 - Credential Theft, Managing cloud-based incidents, Business Email Compromise.
  • Section 5 - AI in IM, Ransomware, Summary and Capstone exercise.

Additional Resources

What You Will Receive:

  • Printed course books
  • Online Electronic workbook for all the lab exercises
  • The Cyber Incident Management Tool Kit
  • MP3 audio files of the complete course lecture
  • Detailed video walkthroughs of the lab exercises
  • Access to a new Discord server to chat about the course
  • Immediate actions for dealing with Ransomware
  • Training plans, report templates, incident frameworks and other cheat sheets

WHAT COMES NEXT:

NOTE: While this course may sound like 'SEC504: Hacker Tools, Techniques, and Incident Handling', the two are very different. SANS recommends SEC504 for those interested in a technical course of study, and LDR553 for those focused on a leadership-oriented course. SEC504 covers Incident Response (IR): how to detect, find and understand what attackers have done on the systems. LDR553 covers what to do with that information, how to remediate the problem and how to manage the situation. LDR553 uses no virtual machines.

Syllabus (30 CPEs)

  • Section 1: Overview

    In Section 1 we will focus on understanding the incident, gathering information from different groups and standardizing the language. To assist in this, we will remind ourselves of some of the common terms to optimize communications. From there we will define what the Incident Management (IM) group will seek to achieve, so we can state and focus on our objectives. This is important, as retaining focus can be hard when things get busy.

    After defining our objectives, we shift our focus to the crucial task of assigning initial responsibilities to the team. This step provides a breathing space for planning the subsequent actions. The cornerstone of this phase is the Cyber Incident Management Tool Kit (CIMTK), specifically a key component called "The Grid." This comprehensive set of questions and core Incident Management (IM) tasks expedites our response. Identifying these tasks early allows for concurrent activities within support teams (Incident Response, Information Technology, Human Resources, Legal, etc.) and the IM team.

    Recognizing that effective Incident Management hinges on a strong team, we delve into assessing team composition and the unique contributions required from different groups to fulfill the mission. Lastly, we delve into the intricacies of communication and how to engage with various stakeholders. Throughout the course, a recurring theme is the meticulous tracking of activities, tasks, and communications, a critical aspect of successful incident management.

    Exercises
    • Setting up for the labs
    • Reviewing the initial incident briefing
    • The Cyber Incident Management Tool Kit: "The Grid"
    • Setting the IM Objectives and Priorities
    • Crisis Communications: Briefing the Executives
    Topics
    • Initial Information Gathering
      • Using common language
      • Understanding the attack
      • IR Frameworks, OODA loops and non-Zero-sum games
      • Scoping your initial tasks
    • Defining your Objectives
      • What are typical objectives in IR/IM?
      • Mapping attacks to business impacts
    • Who's on our Team?
      • Understanding the skills needed
      • Where should the team be located
      • How big does the team need to be?
      • Managing people to create productive teams
    • Building our Communications Plan
      • Communications planning
      • Communicating with Execs, teams, and 3rd parties
  • Section 2: Overview

    After reviewing Section 1, we conclude the communications topic by exploring interactions with attackers. While ransom payment may not be in your plans, engaging in dialogue with attackers can buy time to address issues they've uncovered or prevent potential leaks. Acknowledging the controversy and the diverse beliefs surrounding this approach, it's essential to understand the available options for the organization. The course will delve into how attacker dialogue may occur and the factors influencing response options and processes.

    Moving on to the remediation of network and data damage, there's an extensive section on categorizing the damage inflicted by attackers. This involves mapping the necessary remediation work, prioritizing tasks, and ensuring the removal of all possible vulnerabilities. Often overlooked, the course discusses the inclusion of secrets in stolen data and systems and considers their impact on future operations.

    In the reporting and documentation phase, the course reviews outputs from the Incident Management (IM) process. While a robust Incident Response (IR) report is valuable, the course covers aspects that could be added to expand it to cover IM. This integration is crucial as Incident Management often dictates the direction of Incident Response, creating a more structured report while outsourcing some aspects to others.

    When planning the closure of the incident, the course explores which remediation and vulnerability closure tasks should transition to non-incident mainstream projects. It outlines reflection meetings to capture Root Cause Analysis (RCA) outputs and lessons learned. The course introduces the 5-why method for undertaking an RCA, providing examples, both good and bad.

    Exercises
    • Dealing with the Attackers
    • Drafting a Public Statement
    • Crisis Communications - briefing the team
    • Prioritizing the data and system remediation planning
    • What's a good Root Cause Analysis (RCA)?
    Topics
    • Talking to or working with the attackers
      • Understanding what results the attackers are trying to achieve
      • Choosing a communications medium
      • Attacker media and comms methods
      • Proxies, trusted 3rd parties and attacker reputation
      • Trying to control the narrative
      • Understanding what the attackers have
      • Options and impacts - The cost of doing nothing
      • Is paying the attackers really an option?
    • Tracking the Incident, tasks, people and progress
      • Review of the functions we might want to include in our IM solution
      • Incident Trackers and what they can look like
      • Evidence management
      • Task and work tracking
      • Building the right solution for the organisation
      • Using Google Docs as an emergency IM Platform
    • Remediation of network and data damage
      • Types of Remediation system & data
      • Tracking the remediation
      • CIMTK: Counter Compromise of systems and users impacted
      • Categorizing exposed assets
      • Identifying who owns the data
      • Documenting and notifying impacted parties - Counter Compromise Activities
    • Root Cause Analysis methods and outcomes
      • Understanding the need for a Root Cause Analysis meeting
      • Planning a good RCA (PALPATE)
    • Reporting and documenting the case
      • When do you start the report?
      • Types of reports
      • What goes in the report?
      • Graphics are great!
      • Getting input, support and consensus
      • Control and access to the reports
    • Planning the closure of the Incident
      • Reviewing the task and key objectives
      • Understanding Business As Usual (BAU) for the impacted teams
      • Running a FRCA
      • Handing the ongoing initiatives to project managers
      • Breaking up the IM team
  • Section 3: Overview

    In this session, our focus is a deep dive into the training of Incident Response (IR) and Incident Management (IM), not only within our own teams but extending to the wider organization. We'll explore the imperative need for training, considering the type of training required based on organizational maturity. Engaging in hands-on labs, including an exercise exemplifying the onboarding of non-IR personnel to cyber incidents, we aim to provide practical insights.

    Turning our attention to team training, we assess historical practices and their limitations in fostering individual growth and development. Emphasizing both long-term training strategies and tactical, engaging exercises, our approach aims to address specific gaps and areas where practical experience is needed, moving beyond mere frequency compliance.

    Delving into the realm of Cyber Threat Intelligence (CTI), often featured prominently in the press, we address the challenge many organizations face in integrating it effectively into IR/IM efforts. Beyond its acquisition, we tackle the issue of maintaining CTI availability during an incident. Equipping participants with the knowledge and a prep-list, we empower them to leverage high-quality CTI in the midst of a Ransomware incident, supporting IR/IM efforts and executive decision-making. Furthermore, we explore how to provide input to the CTI team to optimize their skills and tools for local and strategic needs.

    With the increasing prevalence of supply chain or 3rd party compromises, we dedicate an extended section to dissecting the limitations in handling these incidents and strategies to improve our position. Through an in-depth case study of our fictitious company, Submarine Studios, we guide students in understanding the scope, impact, and immediate remediation options, as well as investigative actions falling within our purview. We unravel the intricacies of planning a call with the 3rd party, ensuring clarity of objectives, and navigating scenarios where required information may not be readily available. Lastly, we tackle the crucial aspect of when and how to effectively close down a 3rd party incident.

    Exercises
    • Choosing Cyber Training Exercises
    • Example table-top exercise for non-IM Specialists
    • Planning a HotSeat exercise
    • Submitting a Request For Intelligence (RFI)
    • 3rd Party Supply Chain: Reviewing the incident notification
    • 3rd Party Supply Chain: Assessing the impact and developing an RFI
    • 3rd Party Supply Chain: Planning the call with the 3rd party
    • 3rd Party Supply Chain: Updating the Execs
    Topics
    • Developing the wider team
      • Why train others?
      • Training the wider organization
      • Planning enterprise-wide training
      • Developing and running Cyber Incident Exercises
      • Types of training
      • Learning needs analysis
      • Maturity of exercises
    • Developing the SOC/IR/IM team
      • Working and developing people on the exercises
      • Who to include in the exercises
      • External groups to include in exercises
      • Planning and running hotseat exercises
    • Leveraging Cyber Threat Intelligence
      • What is CTI
      • Strategic/Operational/Tactical products
      • What can CTI produce for IM?
      • Developing CTI requirements
      • Generating a PIR
      • Avoiding common mistakes
      • Intelligence feedback loops
    • 3rd Party Supply Chain Compromise
      • What is a supply chain and why is it attacked?
      • Notification routes
      • CIMTK: 3rd Party compromise IM Planning
      • Analysis of the exposure
      • Planning around the data void
      • Developing a Request for Information (RFI) to send to the 3rd party
      • Planning the 3rd party meeting
      • Closing 3rd party incidents
  • Section 4: Overview

    In response to the escalating complexity of incidents, our focus turns to visualizing key facts, with timelines emerging as a powerful tool. However, we stress the importance of careful scoping, as a poorly conceived timeline, not tailored to the target audience, risks confusion and fails to convey the intended message. Our exploration delves into the art of scoping timelines, exploring various styles, and drawing insights from case studies that exemplify different perspectives on the same incident.

    Before delving into Business Email Compromise (BEC) and other Cloud-focused attacks, we clarify aspects of responsibility and attack focuses, referring to prevalent cloud and MITRE models. Credential attacks take center stage, probing what attackers seek to obtain and how they leverage credentials, intricately linking back to the MITRE framework. We analyze attacker options, from breaking in and harvesting credentials to purchasing access. Concepts like Initial Access Brokers, Underground Marketplaces, and various user targeting strategies, including MFA fatigue and Illicit Consent Attacks, come under scrutiny.

    With stolen credentials as our foundation, we embark on an in-depth exploration of BEC, elucidating its stages and examining the crucial Incident Management (IM) support it necessitates. This extends to supporting legal arguments, determining liability, and directing Incident Response (IR) efforts for forensics. Addressing the aftermath of a third-party compromise, we unravel the complexities of discussions where a supplier's compromise impacts the client's financial loss.

    The session further dissects the nuances of six-plus types of BEC attacks, delineating the attacker's position and the affected parties. Our detailed breakdown serves as a template for easier BEC investigations, complemented by a hands-on lab challenging participants with an underrated investigative influence: doubt in everything you see and are told.

    Navigating the cloud model, our focus shifts to Infrastructure as a Service (IaaS) host compromise, examining vectors, impacts, investigation requirements, and the nuanced management of cleanup for completeness.

    Concluding our journey, we explore cloud management console compromises, assessing their impact, investigative approaches, and the requisite cleanup strategies. The session also touches on preventive controls and the origins of the attacker's credentials, emphasizing that, for certain attackers, the management console is a means to an end, shaped by attacker motivation rather than the defensive measures of the blue team.
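The credential-theft techniques named above (MFA fatigue and illicit consent grants) leave recognizable traces in identity-provider logs, and an IM lead who knows what those traces look like can task IR precisely. The following Python script is an added example, not course material or part of the CIMTK; it runs two checks over constructed, Microsoft 365/Entra-style events. The field names (`mfa`, `scopes`, `verified_publisher`) and the high-risk Microsoft Graph scope list are assumptions chosen for illustration, not a documented export format.

```python
"""Two credential-theft detections over constructed identity events.

Added example (not part of LDR553 or the CIMTK). Event shapes are assumed;
map them onto your own sign-in and audit log export before use.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events: a burst of denied MFA prompts for alice
# followed by an approval is the classic MFA-fatigue (push bombing) pattern.
SIGNIN_EVENTS = [
    {"time": "2024-03-01T08:00:05", "user": "alice@example.com", "ip": "203.0.113.10", "mfa": "denied"},
    {"time": "2024-03-01T08:01:10", "user": "alice@example.com", "ip": "203.0.113.10", "mfa": "denied"},
    {"time": "2024-03-01T08:02:30", "user": "alice@example.com", "ip": "203.0.113.10", "mfa": "denied"},
    {"time": "2024-03-01T08:03:50", "user": "alice@example.com", "ip": "203.0.113.10", "mfa": "denied"},
    {"time": "2024-03-01T08:05:00", "user": "alice@example.com", "ip": "203.0.113.10", "mfa": "approved"},
    # bob mistyped once and then approved: one denial is normal user behaviour
    {"time": "2024-03-01T08:20:00", "user": "bob@example.com", "ip": "198.51.100.7", "mfa": "denied"},
    {"time": "2024-03-01T08:20:40", "user": "bob@example.com", "ip": "198.51.100.7", "mfa": "approved"},
]

# Constructed sample OAuth consent events (illicit consent grant check).
CONSENT_EVENTS = [
    {"time": "2024-03-01T09:10:00", "user": "alice@example.com", "app": "Mail-Backup-Helper",
     "scopes": ["Mail.ReadWrite", "offline_access"], "verified_publisher": False},
    {"time": "2024-03-01T09:15:00", "user": "carol@example.com", "app": "Contoso Expenses",
     "scopes": ["User.Read"], "verified_publisher": True},
]

# Assumed set of Microsoft Graph permissions that give an app persistent mailbox or
# file access; attackers behind BEC want exactly these.
HIGH_RISK_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite",
                    "Files.ReadWrite.All", "offline_access"}


def _ts(value: str) -> datetime:
    return datetime.fromisoformat(value)


def detect_mfa_fatigue(events, window_minutes: int = 10, min_denials: int = 3):
    """Return one finding per MFA approval preceded by >= min_denials denials
    for the same user inside the window. Unknown 'mfa' values are ignored."""
    window = timedelta(minutes=window_minutes)
    by_user = defaultdict(list)
    for event in sorted(events, key=lambda e: e["time"]):
        by_user[event["user"]].append(event)

    findings = []
    for user, user_events in by_user.items():
        for index, event in enumerate(user_events):
            if event["mfa"] != "approved":
                continue
            approved_at = _ts(event["time"])
            denials = [e for e in user_events[:index]
                       if e["mfa"] == "denied" and approved_at - _ts(e["time"]) <= window]
            if len(denials) >= min_denials:
                findings.append({
                    "user": user,
                    "approved_at": event["time"],
                    "denials_in_window": len(denials),
                    "source_ips": sorted({e["ip"] for e in denials}),
                })
    return findings


def detect_illicit_consent(events):
    """Flag consent grants of high-risk scopes to apps without a verified publisher."""
    findings = []
    for event in events:
        risky = HIGH_RISK_SCOPES & set(event["scopes"])
        if risky and not event["verified_publisher"]:
            findings.append({
                "user": event["user"],
                "app": event["app"],
                "risky_scopes": sorted(risky),
                "granted_at": event["time"],
            })
    return findings


if __name__ == "__main__":
    for finding in detect_mfa_fatigue(SIGNIN_EVENTS) + detect_illicit_consent(CONSENT_EVENTS):
        print(finding)
```

Both findings point the IM team at the same immediate actions the course's Credential Loss Immediate Actions cover: revoke the user's sessions and tokens, remove the app consent, and only then reset credentials, so the attacker's existing refresh tokens do not outlive the password change.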

    Exercises
    • Reviewing Incident Timelines
    • Credential Loss Impact Assessment
    • We paid the wrong account! (BEC)
    • The cloud bill is vast (Cloud Management attack)
    Topics
    • Timelines for visualization
      • Scoping the timeline
      • Considering the audience
      • Levels of detail
    • Defining Cloud Attacks
      • Shared responsibility models
      • MITRE for Cloud reference
    • Credential Theft Attacks
      • What attackers are after and why
      • BYOD vectors
      • How do attackers get the access they want
      • Credential Harvesting
      • Underground Marketplaces
      • Initial Access Brokers
      • Malicious Browser Extension
      • Password Manager Attacks
      • MFA Fatigue
      • Illicit Consent Grant Attacks
      • CIMTK: Credential Loss Immediate Actions (CLIA)
    • Business Email Compromise (BEC)
      • Stages of BEC
      • MITRE reference for O365
      • Where does liability fall?
      • Supporting Legal staff
      • Detailed step through the 6+ types of BEC
      • Points to understand to support BEC
      • Inbox investigations
      • Multi-site and Multi-vendor compromises
      • CIMTK: BEC Initial Actions (BECIA)
    • Cloud Asset Attack
      • MITRE TTPs for Cloud Assets
      • Differences between Cloud and On-Prem
      • Finding the Pivot
      • How to forensicate cloud virtual machines
      • Closing Policy Holes and Network Gaps
    • Cloud Management Console Attacks
      • Defining the attack and the goals
      • Goals for the Attacker
      • Focusing the team
      • Policy Checks and leveraging Auditors
      • Considering the other vectors to 'touch' the console
      • Cloud Focused RCA
      • Reporting the Incident
  • Section 5: Overview

    In this last session we will look at some of the bigger issues facing organizations. We start by looking at how to improve the team by working with others, linking to other teams and groups. We will consider KPIs and internal metrics, what they can show you and what they can hide. As IM is largely focused on big-impact incidents, we will look at the wider Disaster Recovery (DR) function for the organization and how you can tap into those teams, processes and exercises for a smoother operation.

    ChatGPT is now a common word in the press and is used by tech and non-tech people alike. With organizations seeming to rush to invest and claim they are using AI, we will take some time to understand what we are talking about. We will look at the collective term AI and break it down into its types (NLP, Neural Networks, Generative AI, Machine Learning and Robotics) before focusing on Large Language Models (LLMs) and Generative AI, especially ChatGPT. With this understanding we can better judge what we can use, where and how. We will examine the risks associated with AI and see how we can minimize them. Finally, as part of our LLM exercise, we will leverage LLMs to review some of the work we did on the various Submarine Studios cases.

    Ransomware is headline news almost every day. It's the one thing that keeps more CISOs and Boards awake each night, so we will go deep to look at its history and where it is now in terms of development. We will look at the stages of a ransomware compromise and what detection points were missed as the attackers moved from initial access to the final closing blow of encryption. We will talk about tasking the IR team to support learning the details of the attack, and we will examine the IM function as it coordinates and provides context to the executives while pressing them for decisions.

    We will refer back extensively to previous sessions on team exercising, planning, cloud attacks, initial access and credential attacks as we pull together the plan to minimize the impact so we might salvage the network and the organization.

    We will consider the alerts that often trigger what most consider the start of the ransomware incident, but we will establish what those alerts mean in terms of the overall ransomware stages and what has really happened. We will cross-map that with what instant checks can be done and how automating these could give you early warning of an adversary in the preliminary stages of an attack.

    We will talk about what the options are to organizations and what we need to get to execs to be able to get decisions from them. We will focus on no-regret options and consider the impacts of "going dark".

    Building on our work on talking with attackers in Section 2, we will consider how negotiation could and should be conducted; again, we will look at how this can be exercised and planned for.

    Finally, we will look at the need to investigate the network compromise in parallel to the remediation so the organization can repel a further attack that may come depending upon their decisions to pay/no-pay. We will consider the rebuild options and what records might help such activities.

    We will cover the need for decisions to be recorded and for careful tracking of impacts, systems and availability data. In the aftermath of an incident everyone suddenly has 20/20 hindsight, so we discuss the need to log and document who knew what, where and when.
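The point about cross-mapping alerts to ransomware stages is easier to see with data in front of you: the "first" alert most teams react to (mass file renames) is usually the last stage of a chain that was visible days earlier. The Python script below is an added example, not course material or part of the CIMTK. It maps constructed alert names to an assumed stage model (loosely following MITRE ATT&CK tactics, noted in comments) and reports how much warning the earlier stages would have given. The alert names and stage order are assumptions chosen for illustration; substitute your own detection rule names.

```python
"""Map ransomware-related alerts onto attack stages and measure lead time.

Added example (not part of LDR553 or the CIMTK). Alert names and the stage
model are assumptions; adapt both to your own SIEM rule names.
"""
from datetime import datetime

# Assumed mapping from detection rule name -> ransomware stage. The stage names
# follow the usual intrusion order; ATT&CK tactics are noted for reference.
ALERT_STAGES = {
    "phish_attachment_opened": "initial_access",     # TA0001 Initial Access
    "adfind_execution": "discovery",                 # TA0007 Discovery
    "lsass_access": "credential_access",             # TA0006 Credential Access
    "psexec_service_install": "lateral_movement",    # TA0008 Lateral Movement
    "vssadmin_delete_shadows": "inhibit_recovery",   # TA0040 Impact, T1490
    "mass_file_rename": "encryption",                # TA0040 Impact, T1486
}

# Stages before encryption are precursors: seeing them is the early warning.
STAGE_ORDER = ["initial_access", "discovery", "credential_access",
               "lateral_movement", "inhibit_recovery", "encryption"]

# Constructed sample alerts spanning two days on two hosts, plus one unrelated
# alert that the stage model should ignore.
ALERTS = [
    {"time": "2024-03-03T03:05:00", "host": "FS-01", "rule": "mass_file_rename"},
    {"time": "2024-03-01T03:05:00", "host": "WS-017", "rule": "phish_attachment_opened"},
    {"time": "2024-03-02T01:05:00", "host": "WS-017", "rule": "lsass_access"},
    {"time": "2024-03-01T11:40:00", "host": "WS-017", "rule": "adfind_execution"},
    {"time": "2024-03-03T02:50:00", "host": "FS-01", "rule": "vssadmin_delete_shadows"},
    {"time": "2024-03-02T03:20:00", "host": "FS-01", "rule": "psexec_service_install"},
    {"time": "2024-03-02T12:00:00", "host": "WS-017", "rule": "av_signature_update"},
]


def build_timeline(alerts):
    """Return stage-mapped alerts in time order, dropping alerts with no stage."""
    staged = []
    for alert in alerts:
        stage = ALERT_STAGES.get(alert["rule"])
        if stage is None:
            continue
        staged.append({"time": datetime.fromisoformat(alert["time"]),
                       "host": alert["host"], "rule": alert["rule"], "stage": stage})
    return sorted(staged, key=lambda a: a["time"])


def summarize(alerts):
    """Summarize what the chain looked like before the encryption alert fired.

    lead_time_hours is how long before encryption the first precursor alert
    existed: that is the window automated checks would have bought you."""
    timeline = build_timeline(alerts)
    encryption = [a for a in timeline if a["stage"] == "encryption"]
    precursors = [a for a in timeline if a["stage"] != "encryption"]
    summary = {
        "stages_seen": sorted({a["stage"] for a in timeline}, key=STAGE_ORDER.index),
        "hosts": sorted({a["host"] for a in timeline}),
        "first_precursor": precursors[0]["rule"] if precursors else None,
        "encryption_seen": bool(encryption),
        "lead_time_hours": None,
    }
    if encryption and precursors:
        delta = encryption[0]["time"] - precursors[0]["time"]
        summary["lead_time_hours"] = delta.total_seconds() / 3600
    return summary


def precursor_only_hosts(alerts):
    """Hosts with precursor activity but no encryption yet: where to act now."""
    timeline = build_timeline(alerts)
    encrypted = {a["host"] for a in timeline if a["stage"] == "encryption"}
    return sorted({a["host"] for a in timeline} - encrypted)


if __name__ == "__main__":
    for entry in build_timeline(ALERTS):
        print(entry["time"].isoformat(), entry["host"], entry["stage"], entry["rule"])
    print(summarize(ALERTS))
    print("precursor-only hosts:", precursor_only_hosts(ALERTS))
```

In the constructed data the encryption alert on FS-01 arrives 48 hours after the phishing alert on WS-017, and the shadow-copy deletion lands only 15 minutes before it. An IM lead can use the same structure in reverse during an incident: the stages already seen tell the team which hosts to isolate and which checks (backups, domain admin credentials) to run before the next alert fires.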

    Exercises
    • Updating the public statement
    • Leveraging AI and LLM in IM
    • Reviewing Ransomware cases
    • Capstone exercise
    Topics
    • Improving IR/IM
      • Policies, playbooks and run books
      • People vs Tools
      • Metrics vs KPIs -- what's the difference
      • The message behind the metrics
      • Leveraging outside groups
      • Getting in on the DR party
      • Relationship management and approaches with different groups
    • Leveraging AI for IM
      • What do we mean by AI
      • What AI can we use where?
      • What is a Large Language Model (LLM) and are they all the same
      • Risks associated with leveraging LLMs
      • Is there such a thing as a bad LLM? Are they evil?
      • ChatGPT syntax and prompt considerations
    • Ransomware
      • The history of ransomware
      • The stages of a ransomware compromise from start to end
      • How the dirty get dirtier
      • Does size matter
      • Planning to meet the threat
      • Exercising to meet the threat
      • What are the DR options
      • What are the key questions to answer
      • What do execs really want
      • Remember to breathe
      • Documenting the impacts/reports and decisions
      • CIMTK: Ransomware Initial Actions (RIA)
    • Summary and review of the sessions
      • How to use the understanding from the course
      • What to do on Monday/Day 1 when back in the office
      • How to move the super tanker
      • What does success look like
      • How to continue to grow and improve
    • Capstone Exercise
      • This is a multi-stage, time-sensitive incident
      • Analysis of reports will need to be undertaken
      • Policies and procedures will need to be read and plans made
      • Plans will need to be briefed to Leadership and Executives
      • An initial end of day summary will need to be developed

GIAC Cyber Incident Leader

The GIAC Cyber Incident Leader (GCIL) certification validates a practitioner's ability to manage a cyber incident and lead an incident management (IM) team of diverse skillsets, with the goal of restoring an organization's normal operations. GCIL certification holders have demonstrated knowledge of preparing for, assessing, handling, tracking and documenting an incident, developing the IM team, managing vulnerabilities, threats, and attacks, facilitating communications, and improving the IM process and team.

  • Preparing for, assessing, remediating and closing an incident
  • Developing, managing and improving the IM team and process
  • Identifying threats, vulnerabilities and common malicious attacks, and handling each incident type
  • Managing incident tasks and facilitating communications

Prerequisites

This course covers the core areas of cyber incident management and assumes a basic understanding of technology, networks, and security. For those who are new to the field and have no background knowledge, the recommended starting point is the SEC301: Introduction to Cyber Security course. While SEC301 is not a prerequisite, it will provide the introductory knowledge to maximize the experience with LDR553.

Laptop Requirements

A laptop or mobile device with a current web browser is required to access the Google Docs that form the Cyber Incident Management Tool Kit (CIMTK) used on the course.

The CIMTK used in this course was built on, and is hosted in, Google Drive and Google Workspace (formerly G Suite). Students must have a computer that does not restrict access to Google Workspace services. Corporate machines may have a VPN, intercepting proxy, or egress firewall filter that causes connection issues with these services. Students must be able to configure or disable these controls in order to reach Google Workspace.

Because of the interoperability between MS Office and Google Docs and Google Sheets, students should be able to complete all course labs using MS Office. Some of the takeaway files and components of the CIMTK were built in Google Sheets and we are 99% confident that they will work in MS Office. However, due to the frequent updates and changes to both platforms, we cannot guarantee this, so students will be asked to use Google Docs if they find their Office-based program not functioning as expected.

Students will also need an account (a free one is fine) on the ChatGPT website and must be able to interact with the browser-based functionality on that site for some of the Section 5 labs. We highlight this because some organizations block access to Generative AI tools in the corporate browser.

If you have additional questions about the laptop specifications, please contact laptop_prep@sans.org

Author Statement

"Of my 28 years in cyber security, I've spent over 12 of them in incident response and later incident management. During that time, I've seen a wide range of approaches to handling cyber incidents, some good and others less so. One common issue was that most people on the Incident team had never been part of a major incident and thus they lacked confidence, forward planning, and were easily stunned when the incident took a turn they had not predicted.

This course is designed to demystify incident management, to provide attendees with a framework to not only deal with the matters at hand, but also to plan for the subsequent phases, so they are technically ready and mentally prepared. Cyber incidents, such as ransomware, can be devastating, not only to the networks, but also to the team charged with investigating, mitigating, reporting and remediating the damage. In addition to the core incident management aspects, we cover the mental health of the team, the operational tempo and how to spot people suffering under pressure. I believe that this course, enriched with the anecdotes of the SANS incident response instructors' own toe-curling incidents, will prepare your team for anything attackers and bots throw at them. When you are prepared and ready, you can respond better, faster and get control of the situation quicker, facilitating a rapid return to business as usual."

- Steve Armstrong-Godwin

"Excellent. Very skilled, and fun to listen to." - Jan Olav Walldal, TV 2 Norway

"Steve has been great, very clear and enthusiastic about the topic which kept the days interesting and the content moving. Shared good insight, relatable tips and examples that made it easier to grasp the content and real-world application." - Rachael Ward, RSA Insurance

Reviews

"Highly relevant content and immediately useful tools delivered by a knowledgeable subject matter expert actively working in the field they are teaching." - Carl Urban, e2e-assure Ltd

"It's a perfect course for those leading cyber incidents. I've found nothing else that comes close." - Lee Taylor, Leicestershire Police

"Brilliant insight. Excellent content. An absolute must course for anyone dealing with incident management." - Gary Smith
