  • Course: GCHQ Certified Cyber Incident Planning and Response Training
  • Length: 3 day training workshop

Course Summary

Review the current threat landscape and cover the common attack vectors that attackers are exploiting.

  1. Analyse recent known and some unknown attacks and dive into the technical details of how they avoided detection.
  2. Review the basic application of incident triage, OODA and the Diamond Methodology and deep dive into the Cyber Kill Chain.
  3. Explore basic and intermediate packet analysis skills - review some of the most common attack TCP/IP packets including, where possible, PCAP dump files of recent attacks like WannaCry.
  4. Help attendees understand the role log management plays in network-based attacks, followed by a review of the most common log types and log sources in your organisation.
  5. Review the most common SIEM features and related technologies, including security analytic approaches to SIEM. We will also review NBAD - the network behaviour anomaly detection approach to identifying attacks.
  6. Deep dive into some of the most relevant attack scenarios - analysing each attack with a technical and business focus.
  7. Help attendees understand the critical role that vulnerability management and threat intelligence based penetration testing play in understanding cyber-attacks.
  8. Identify and review the current state of existing controls. This will include controls such as SIEM, identity and access management, logging and monitoring, and other relevant controls.

Learn the basics and intermediate skills of incident response orchestration. Explore the building blocks of incident response playbooks. Create and optimize organisation specific playbooks.
&Response Examination (CIPR) exam.

Target Audience

- CIO, CTO and IT Directors
- Project Managers and BCP Managers
- IT Managers and Service Managers
- Mid to Senior IT Administrators and Network Managers
- Change and Incident Managers
- Head of Audit & Senior Auditors
- Information Security Managers and Head of Security
- Legal and compliance

TRAINING STYLE -
Instructor-led - Lecture, demo, and hands-on lab exercises 


Course Detail

Introduction & Overview

Understanding Threat Actors
- Interactive exercise
- Threat Actor Library and its purpose
- Building the Threat Actor Profile
- Crown Jewels - group exercise and strategies to identify critical assets

The Cyber Attack
- The Cyber Kill Chain - in detail
- The tools and methods used by attackers
- The 5D approach to mitigating the Cyber Kill Chain
- Interactive exercise - 5D + Cyber Kill Chain
- Detailed review of the most recent attacks

Define Normal
- The concepts and theory
- The application of Define Normal in an organisational context
- Interactive exercise
- Interactive session - Go Destroy

The Technologies
- Review of various technologies to support an effective cyber incident management framework
- Customer review of current tools, configurations and use-cases

Triage and the Golden Hour
- The OODA Loop and its application in cyber incident response
- The Golden Hour
- Visibility - log management
- Interactive sessions

Threat Intelligence Based Incident Response
- Understanding threat intelligence and its role in cyber incident response
- Understanding the Bank of England Framework
- Creating a threat intel based attack scenario - the basics

Building an Effective Team

Legal Considerations

Technical Analysis
- Understanding the TCP/IP stack - basics
- Basics of packet analysis - demo of Wireshark
- Application session - attendees explore Wireshark with supplied PCAP files
- Review of basic TCP/IP traffic flows

Attack Manifestation & Scenarios
- Active Directory based attacks & the privileged user
- LAN based attacks
- DDoS & DoS
- DNS
- Advanced Persistent Threats

Public Relations
- Understanding the basic principles of public relations
- Communications - an interactive exercise
- Case study - review of a recent cyber attack

Orchestration in Incident Response
- What is incident orchestration
- Using incident orchestration to significantly reduce time to respond to data breaches
- How to semi-automate and fully automate incident management
- Using orchestration to increase compliance with regulations like GDPR
- Interactive session - create your own playbooks, checklists and incident management process flows

Group Exercise
- Live attack and response exercise


Course Summary -

Cyber-attacks have become a staple mention in risk landscapes, with respected bodies like the World Economic Forum consistently featuring threats from cyberattacks in their annual reports. Consequently, instead of asking "Is my business protected?", the question business executives must ask is, "Can my business detect a cyber attack in a timely manner and swiftly resume business operations during and after it?"

Building a cyber resilient business that swiftly returns to normality requires more than just a large budget. A resilient business requires its management to be aware of the risks and equipped with effective strategies to respond and recover.

Course Detail -

- Gain deeper insights on key risk-reducing controls to increase your company's ability to protect, detect and respond to cyber-attacks - on a strategic and operational level
- Learn to design an early warning system to lower discovery time from months to days
- Develop the skills to understand and improve your company's cyber-resiliency by making more cost-effective, risk-based decisions
- Learn about the key principles of building a solid foundation resiliency framework
- Gain an understanding of media management and communicating with journalists
- Learn how to integrate with and benefit from an information risk management approach to incident management
- Discover the "golden hour" and why it's critical to managing an incident
- Threat intelligence and how to use this knowledge to create a robust and effective incident plan
- Create detailed attack, defence and disrupt strategies
- Working together, create usable collateral you can put to use immediately to improve your detection and response capabilities
- Discover why risk-based profiles of cyberattackers matter in cyber-resiliency and how to create these
- Understand the application of incident triage, OODA and the Diamond Methodology. Drill down into the Cyber Kill Chain process
- Take part in drill-downs of recent attacks, how and why the attackers succeeded
