March 10, 2016 By Koen Van Impe 5 min read

The Need for Training

Information technology, and especially information security, is a quickly evolving playing field. Those working in incident handling and incident response always need to stay on top of what’s new and what is trending in their area of expertise.

By attending quality security training, you stay current on what is going on and can react quickly to new threats and dangers. Additionally, by getting certified, you demonstrate to your constituency and customers that you have acquired knowledge that is relevant to the work you do for them.

The type of training that you want to attend depends strongly on the environment that you are working in or the goal that you want to achieve. There are several kinds of training that you may want to consider.

Vendor-Specific Security Training

Vendor-specific training can be very useful if you want to focus on one specific product or environment. It is often most beneficial for security operations center (SOC) activities, but it is also useful for CERT work.

Microsoft

For example, if you are working primarily in a Windows environment, then you should definitely have a look at the Microsoft Virtual Academy. Microsoft provides guidance for using Sysinternals (a set of tools for analyzing Windows systems) and PowerShell. PowerShell is a popular tool for automating incident handling tasks on Windows systems. There are also courses on basic and advanced Windows security, system forensics and setting up a secure Azure environment.

Cisco

Similarly, people working at ISPs, network environments or in data centers can benefit from the material that is provided by Cisco in its training and certifications program.

IBM

IBM offers a broad set of authorized training programs that cover cloud, security services and development tracks. Among the material is a training path for:

  • Security intelligence via QRadar;
  • QRadar Incident Forensics configuration and usage; and
  • Log management and security information and event management (SIEM) foundations.

General Training

There are also the more generic trainings offered by commercial partners. These sessions provide a broader view of a topic and will often include some sort of methodology to be used when applying the newly acquired knowledge.

Some courses are also offered through an online- or remote-learning portal, giving access to anyone interested.

SANS

Some of the most well-known trainings are the SANS courses. Most of these classes consist of an intensive five- or six-day course. SANS training can be expensive, and consequently, the target audience mostly consists of employer-paid students.

SANS has specific training for general incident handling via “Hacker Tools, Techniques, Exploits and Incident Handling” but also provides in-depth content if you want to explore more regarding:

SANS courses can be completed with a certification track called Global Information Assurance Certification (GIAC). The exams are strongly focused on understanding the methodologies and gaining insight into security events. You can bring along all your printed material; there’s no need to learn all the configuration switches for a specific tool by heart, but you do have to understand how and when to use the tool.

SANS Events

The SANS courses are often organized at locations where other sessions take place at the same time. This allows you to connect with fellow students also working in the security field. These events or summits sometimes include bonus sessions covering new trending topics or the implementation of tools.

Offensive Security

If you do incident handling or incident response, it is important that you understand how attackers work and gain insight into the methodologies they apply and the tools they use. If you want to become more knowledgeable on the offensive side, then the trainings from Offensive Security are a very good fit.

The intensive live courses focus on Windows and Web exploitation. The online courses get you up to speed using Kali for penetration testing. Offensive Security also offers in-house sessions for organizations, consisting of an intensive five-day training with two trainers.

EC-Council

The EC-Council offers a broad set of training for both the offensive side (e.g., penetration testing) and the defensive side (e.g., forensics and incident handling). Some courses last a couple of days and are delivered online, on-site or via self-study. Note that “EC” does not stand for European Commission.

Community-Driven Trainings

Building trust and getting to know your peers is important in the security community. This is especially true in incident handling because you will have to rely on other people and organizations to cooperate when dealing with an incident. There’s no better way to do this than by meeting people in real life. You have this opportunity not only during conferences, but also during community-driven trainings.

FIRST.org

The Forum of Incident Response and Security Teams (FIRST) is well-known for its yearly conference. It is often preceded by a couple of short, one-day or half-day trainings.

If you want to dive into information that is immediately useful for your team, you should attend a FIRST Technical Colloquium (TC). These TCs are inexpensive — or sometimes even free if you are a member — and are organized by people working in the field. They provide a discussion forum to share information about vulnerabilities, incidents, tools and all other issues that affect security operations.

The colloquia are sometimes also held jointly with other organizations such as TF-CSIRT or a sectoral ISAC. Topics covered include things like building a national CERT, incident handling case studies, memory forensics with Volatility and the use of STIX and CybOX.

TRANSITS

The TRANSITS trainings are the result of a European Commission-funded project to help CERTs train their staff members. They take place at least twice a year in Europe and are ideal for bringing new staff up to speed on how to work within a CERT (TRANSITS I) or to extend the knowledge of more experienced team members (TRANSITS II).

The basic TRANSITS I course focuses on organizational, technical, operational and legal aspects of working within a CERT. Because most people attending the basic training are newly hired staff members, it’s a great opportunity for getting to know future peers.

The advanced TRANSITS II course is for more experienced incident handlers and covers NetFlow analysis, forensics, communication and real-life exercises. A testimonial from one of the participants is a good way to check if this workshop is right for you.

ENISA

The European Union Agency for Network and Information Security (ENISA) organizes a number of workshops and trainings that cover topics such as the internal workings of a CERT and how to collaborate with law enforcement agencies.

ENISA has online training material available, as well, encompassing:

  • Artifact analysis for mobile threats and incident handling;
  • Identification and handling of electronic evidence;
  • Triage and basic incident handling; and
  • Incident handling procedure testing.

ENISA’s live training can be requested via your national or governmental CERT.

Conclusion

Training for incident handling and incident response can be expensive, but most of the time the sessions give you good value for the money. Do not forget that a lot of the training material is also available online. This allows you to get a preview of the content and judge whether it fits your needs.

The community-driven events have an additional benefit: You get to know your peers in real life. It is a good occasion for talking to people working in the field and learning from their experiences. Because of the community focus, it might also help you to introduce your peers to a topic on which you are very knowledgeable.
