Introduction to Incident Response
Overview
While preventative controls remain a critical component of an effective information security program, the ability to detect and respond to security incidents continues to increase in importance. The number of breaches reported each year, combined with evidence of increasingly sophisticated attacks, only serves to emphasize the need for organizations to have staff members skilled in managing information security incidents. This course is designed to provide the knowledge and experience you need to develop critical incident response policies and procedures, as well as identify technologies that can help you effectively manage security incidents. Through discussion and hands-on exercises, participants gain specialized knowledge of security incident response. The course covers cyber-attacks, computer forensics, incident response detection and assessment, controls and preparation, communications, post-incident activity, and reporting. It also covers third-party incident response considerations, training and recovery, and key considerations when preparing audit programs. Another feature of the class is the review of guidance from organizations like the Center for Internet Security (CIS), the National Institute of Standards and Technology (NIST), the US Computer Emergency Readiness Team (CERT), the Federal Financial Institutions Examination Council (FFIEC), the Financial Services Information Sharing and Analysis Center (FSISAC), the National Cybersecurity and Communications Integration Center (NCCIC), and the Cloud Security Alliance (CSA).
Here are the topics we'll cover.
- What is Incident Response?
- Fundamental concepts and incident types
- Incident continuum and response planning timeline
- The link to business continuity (BC) and disaster recovery (DR)
- Need for Incident Response
- Industry reports, key statistics, and costs
- Illustrative case studies
- Current and future cybersecurity challenges
- Cybersecurity maturity
- Cyberliability insurance and common reasons for claim denials
- Cyber Attacks
- Types, characteristics, and trends
- Vulnerabilities
- Computer Forensics
- Key concepts and legal considerations
- Types of evidence, gathering, and handling
- Digital forensic tools and analysis
- Top forensic mistakes
- Incident Response (IR) Controls
- Review of key controls
- Incident Response (IR) Preparation
- IT risks and security governance
- Key steps for incident response preparation
- Risk assessment strategy and steps, policies, standards and procedures
- Asset inventories, public statements, vulnerability management and penetration testing
- Formation and Training of a Computer Security Incident Response Team (CSIRT)
- Definitions and key considerations
- Function and skills differences between CSIRT, CERT, SOC
- Selection criteria, team composition, and outsourcing options
- Incident Response Communications
- Communication plans, essential components and characteristics
- Internal and external communications
- The link between timing, incident escalation and related procedures
- Review of legal requirements, liability issues, card industry requirements, and incident response organizations
- Incident Response Documentation and Reporting
- Documenting incidents and reporting to various stakeholders
- Best practices and common issues with incident reports
- Incident Detection and Analysis
- Detection challenges and what to do during the first hours
- Compromise indicators and thresholds for reportable incidents
- Tips and tools for incident detection and categorization
- Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS)
- Log management systems best practices
- Incident Assessment and Investigation
- Incident assessment methodology, analysis, and team activities
- Incident investigation checklist and key considerations
- Incident Containment, Eradication, and Recovery
- Key steps for damage limitation and to eliminate the cause
- Essential activities and requirements for recovery
- Recovery checklist and key questions to ask
- Setting, monitoring, and achieving key metrics and plan goals
- Post Incident Activity
- Post action review and gathering of lessons learned
- Avoiding common mistakes
- Incident Response Plans
- Techniques to create and manage response plans
- Key components, design, metrics, and what is often overlooked
- Testing the playbook, tools, and essential resources
- Key forensic actions
- Training
- Differences between training and awareness
- Training: Who, what, when, where, why, and how
- Training objectives, materials, metrics, and tailoring to various stakeholders
- Incident Response Testing
- Types of testing
- Test plan development and deployment
- Third-Party and Cloud Incident Response Considerations
- Third-Party risks
- Key Performance Indicators (KPIs) and Key Risk Indicators (KRIs) for third parties
- Incident response actions based on cloud service models
- Contracts and service level agreements (SLAs)
- Incident response framework and the shared responsibility matrix
- Final Incident Response Thoughts and Audit Considerations
- Key objectives, deliverables, and examination areas
- Essential KPIs and KRIs
Learning Style
Level
Who this course is for
NASBA Certified CPE
Field of Study
Length of course
Prerequisites
Advanced Preparation
Here are the learning objectives we'll cover
- Describe incident response preparation, detection, and response techniques.
- List key incident response documents and practices.
- Identify key risks, controls, and audit techniques.