*Friday CLOSED

Timings 10.00 am - 08.00 pm

Call : 021-3455-6664, 0312-216-9325 DHA 021-35344-600, 03333808376, ISB 03333808376

by fatima
Price:  260,000
2 Months/20 Hours

Cyber Incident Management

If you are worried about leading or supporting a major cyber incident, then this is the course for you. You cannot predict or pick when your organization will face a major cyber incident, but you can choose how prepared you are when it happens. While there are broad technical aspects to cyber incidents, there are also myriad other activities that generally fall to executives, managers, legal, press, and human resources staff. These include communicating both internally and externally, setting the battle rhythm, and choosing methodologies for tracking the information gathered and the information released to the public. This cyber incident management training course focuses on the challenges facing leaders and incident commanders as they work to bring enterprise networks back online and get the business moving again.


Course Key Learnings: 

  • Implement various incident response frameworks
  • Scope incidents correctly
  • Define the incident management team's objectives
  • Manage a team effectively under extreme pressure
  • Recognize how people respond when facing urgent, catastrophically impactful change
  • Structure, manage, and deliver briefings to upper management and the Board
  • Plan and control communications when managing a serious incident
  • Communicate with attackers, and weigh the pros and cons of doing so
  • Decide where and how to track the incident
  • Plan, coordinate, and execute counter-compromise activities
  • Produce incident reports both during the incident and after closure
  • Take the steps to close the incident and return to business as usual
  • Understand the constraints of 3rd party or supply chain incidents
  • Plan for and deal with a compromised supply chain organization
  • Foster better cyber incident management support in other departments through combined training and exercises
  • Plan, set up, and run cyber incident management training exercises
  • Integrate Cyber Threat Intelligence into the IM team and its capabilities
  • Understand how bug bounties can be supported, and how they can cause major incidents
  • Develop the team to be able to investigate cloud attacks
  • Support the Legal team in Business Email Compromise attacks and the nuances of its different types
  • Track and improve the IM team's capability with playbooks and runbooks
  • Comprehend the value and risks that AI could bring to the overall IR and IM process
  • Improve readiness for ransomware attacks via simulated exercises

Course Content

Module 1: Understanding and Communicating About the Incident

Overview

In Section 1 we focus on understanding the incident, gathering information from different groups, and standardizing the language. To assist in this, we will remind ourselves of some of the common terms so that communications are as clear as possible. From there we define what the Incident Management (IM) group will seek to achieve, so we can state and focus on our objectives. This is important, as retaining focus is hard when things get extremely busy.

With the objectives defined we then turn to the initial tasks and delegate them to the team; this gives us some breathing space to plan the next steps. Our initial tasking output is based on one of the core tools in the Cyber Incident Management Tool Kit (CIMTK), the "IM Starting Grid". This detailed list of Yes/No questions produces a list of core IM tasks that aid rapid response. By identifying these tasks early, concurrent activity can be initiated for both the support teams (Incident Response (IR), Information Technology (IT), Human Resources (HR), Legal, etc.) and the IM team. As IM is totally dependent on a good team, we will assess team composition and what the different groups need to contribute to the mission. Finally, we dig into communication and how to interact with different stakeholders. Tracking activity, tasks, and communications is a major theme throughout this course.

Exercises

  • Reviewing the initial incident briefing
  • The incident management starting grid
  • Setting the objectives for the IM team
  • Crisis communications: briefing the executives

Topics

Initial Information Gathering

  • Using common language
  • Understanding the attack
  • IR frameworks, OODA loops and non-zero-sum games
  • Scoping your initial tasks

Defining your Objectives

  • What are typical objectives in IR/IM?
  • Mapping attacks to business impacts

Who’s on our Team

  • Understanding the skills needed
  • Where should the team be located?
  • How big does the team need to be?
  • Managing people to create productive teams

Building our Communications Plan

  • Communications planning
  • Communicating with Execs, teams, and 3rd parties

Module 2: Scoping the Damage, Planning the Remediation, and Executing the Plan

Overview

After reviewing Section 1, we conclude the communications topic by looking at communications with the attackers. While you may have no plans to pay any ransom, entering into dialogue with the attackers can buy time to fix the issues they have uncovered, discovered, or could leak. While controversial, and possibly contrary to your own beliefs, it is important to understand which options are available to the organization. We will cover how attacker dialogue may occur and what factors influence the response options and process.

Exercises

  • Dealing with the attackers
  • Drafting a public statement
  • Crisis communications – briefing the team
  • Prioritizing the data and system remediation planning
  • What makes a good Root Cause Analysis (RCA)?

Topics

Talking to, or working with, the attackers

  • Understanding what results the attackers are trying to achieve
  • Choosing a communications medium
  • Attacker media and comms methods
  • Proxies, trusted 3rd parties and attacker reputation
  • Trying to control the narrative
  • Understanding what the attackers have
  • Options and impacts
  • The cost of doing nothing
  • Is paying the attackers really an option?

Tracking the Incident, tasks, people and progress

  • Review of the functions we might want to include in our IM solution
  • Incident Trackers and what they can look like
  • Evidence management
  • Task and work tracking
  • Building the right solution for the organization
  • Using Google Docs as an emergency IM platform

Remediation of network and data damage

  • Types of remediation: system and data
  • Tracking the remediation
  • CIMTK: CC Systems and users impacted
  • Categorizing exposed assets
  • Identifying who owns the data
  • Documenting and notifying impacted parties – Counter Compromise Activities
  • Root Cause Analysis methods and outcomes

Reporting and documenting the case

  • When do you start the report?
  • Types of reports
  • What goes in the report?
  • Graphics are great!
  • Getting input, support and consensus
  • Control and access to the reports

Planning the closure of the Incident

  • Reviewing the task and key objectives
  • Understanding Business As Usual (BAU) for the impacted teams
  • Running a FRCA
  • Handing the ongoing initiatives to project managers
  • Breaking up the IM team

Module 3: Training, Leveraging Cyber Threat Intelligence, Bug Bounties and Remediation Strategies

Overview

In this session we dive deep into training for IR/IM and for the wider organization. We will examine the need for training and, depending on maturity, the type of training. We will have several labs to support this, including an example of an exercise to onboard non-IR staff to cyber incidents.

Exercises

  • Choosing Cyber Training Exercises
  • Example table-top exercise for non-IM Specialists
  • Planning a HotSeat exercise
  • Submitting a Request For Intelligence (RFI)
  • 3rd Party Supply Chain: Reviewing the incident notification
  • 3rd Party Supply Chain: Assessing the impact and developing an RFI
  • 3rd Party Supply Chain: Planning the call with the 3rd party
  • 3rd Party Supply Chain: Updating the Execs

Topics

Developing the wider team

  • Why train others?
  • Training the wider organization
  • Planning enterprise-wide training
  • Developing and running Cyber Incident Exercises

Training approaches

  • Types of training
  • Learning needs analysis
  • Maturity of exercises

Developing the SOC/IR/IM team

  • Working and developing people on the exercises
  • Who to include in the exercises
  • External groups to include in exercises
  • Planning and running HotSeat exercises

Leveraging Cyber Threat Intelligence

  • What is CTI?
  • Strategic/Operational/Tactical products
  • What can CTI produce for IM?
  • Developing CTI requirements
  • Generating a PIR
  • Avoiding common mistakes
  • Intelligence feedback loops

3rd Party Supply Chain Compromise

  • What is a supply chain and why is it attacked?
  • Notification routes
  • CIMTK: 3rd Party compromise IM Planning
  • Analysis of the exposure
  • Planning around the data void
  • Developing a Request for Information (RFI) to the 3rd party
  • Planning the 3rd party meeting
  • Closing 3rd party incidents

Module 4: Cloud Incidents, Business Email Compromise, Credential Theft Attacks and Incident Metrics

Overview

With the increase in incident complexity, we need to look at how to visualize the key facts. Timelines are a great way to do this, but we have to be careful. A badly thought out, poorly scoped timeline that was not developed for its target audience can be confusing and fail to convey the desired message. We will look at how to scope a timeline and the different styles that can be used. We will refer to some case study materials as examples of different lenses on the same incident.

Exercises

  • Reviewing Incident Timelines
  • Credential Loss Impact Assessment
  • We paid the wrong account! (BEC)
  • The cloud bill is vast (Cloud Management attack)
  • Updating the public statement

Topics

Timelines for visualization

  • Scoping the timeline
  • Considering the audience
  • Levels of detail

Defining Cloud Attacks

  • Shared responsibility models
  • MITRE for Cloud reference

Credential Theft Attacks

  • What attackers are after and why
  • BYOD vectors
  • How do attackers get the access they want?
  • Credential Harvesting
  • Underground Marketplaces
  • Initial Access Brokers
  • Malicious Browser Extension
  • Password Manager Attacks
  • MFA Fatigue
  • Illicit Consent Grant Attacks
  • CIMTK: Credential Loss Immediate Actions (CLIA)

Business Email Compromise (BEC)

  • Stages of BEC
  • MITRE reference for O365
  • Where does liability fall?
  • Supporting Legal staff
  • Detailed walk-through of the 6+ types of BEC
  • Points to understand to support BEC
  • Inbox investigations
  • Multi-site and Multi-vendor compromises
  • CIMTK: BEC Initial Actions (BECIA)

Cloud Asset Attack

  • MITRE TTPs for Cloud Assets
  • Differences between Cloud and On-Prem
  • Finding the Pivot
  • Forensics on cloud virtual machines
  • Closing Policy Holes and Network Gaps

Cloud Management Console Attacks

  • Defining the attack and the goals
  • Goals for the Attacker
  • Focusing the team
  • Policy Checks and leveraging Auditors
  • Considering the other vectors to ‘touch’ the console
  • Cloud Focused RCA
  • Reporting the Incident

Module 6: AI for Incidents, Attacker Extortion, Ransomware, and Capstone

Overview

In this last session we will look at some of the bigger issues facing organizations. We start by looking at how to improve the team by working with others and linking to other teams and groups. We will consider KPIs and internal metrics, and what they can show you and what they can hide. As IM is largely focused on high-impact incidents, we will look at the wider Disaster Recovery (DR) picture for the organization and how you can tap into those teams, processes and exercises for a smoother operation.

Exercises

  • Leveraging AI and LLM in IM
  • Reviewing Ransomware cases
  • Analysis and leadership in the middle of a Ransomware event
  • Capstone exercise phase 1
  • Capstone exercise phase 2
  • Capstone exercise phase 3

Topics

Improving IR/IM

  • Policies, playbooks and run books
  • People vs Tools
  • Metrics vs KPIs — what’s the difference
  • The message behind the metrics
  • Leveraging outside groups
  • Getting in on the DR party
  • Relationship management and approaches with different groups

Leveraging AI for IM

  • What do we mean by AI?
  • What AI can we use, and where?
  • What is a Large Language Model (LLM), and are they all the same?
  • Risks associated with leveraging LLMs
  • Is there such a thing as a bad LLM? Are they evil?
  • ChatGPT syntax and prompt considerations

Ransomware

  • The history of Ransomware
  • The stages of a ransomware compromise from start to end
  • How the dirty get dirtier
  • Does size matter?
  • Planning to meet the threat
  • Exercising to meet the threat
  • What are the DR options?
  • What are the key questions to answer?
  • What do execs really want?
  • Remember to breathe
  • Documenting the impacts/reports and decisions

Summary and review of the sessions

  • How to use the understanding from the course
  • What to do on Monday/Day 1
  • How to move the super tanker
  • What does success look like?
  • How to continue to grow and improve

Capstone Exercise

  • This is a multi-stage, time-sensitive incident
  • Reports will need to be analysed
  • Policies and procedures will need to be read and plans made
  • Plans will need to be briefed to leadership and executives
  • An initial end-of-day summary will need to be developed

Course Prerequisite

This course covers the core areas of cyber incident management and assumes a basic understanding of technology, networks, and security. For those who are new to the field and have no background knowledge, the recommended starting point is the Introduction to Cyber Security course.


Who Should Attend

Security Managers

  • Newly appointed information security officers who will be leading incidents
  • Recently promoted security leaders who want to understand incident management better

Security Professionals

  • Technically skilled security staff who have recently been given incident commander responsibilities
  • Team leads with responsibility to support cyber incidents and who may need to remediate systems

Managers

  • Managers who want to understand how to manage technical people during an incident
  • Leaders who need an understanding of cyber incidents from a management perspective

Legal/HR/PR staff

  • Staff who are new to cyber incident management but may be called upon to provide critical support in tense situations and who want to understand better what may be expected from them

International Student Fee: 850 US$
KEY FEATURES

Flexible Classes Schedule

Online Classes for out of city / country students

Unlimited Learning - FREE Workshops

FREE Practice Exam

Internships Available

Free Course Recordings Videos

ABOUT US

OMNI ACADEMY & CONSULTING is one of the most prestigious training and consulting firms. Founded in 2010 under MHSG Consulting Group, it aims to help customers transform their people and business and engage more closely with their own customers through digital transformation. Helping people to gain valuable skills and get jobs.

Contact Us

Get yourself enrolled for unlimited learning: 1000+ courses, corporate group training, instructor-led classroom and online learning options. Join now!
  • Head Office: A-2/3 Westland Trade Centre, Shahra-e-Faisal PECHS Karachi 75350 Pakistan Call 0213-455-6664 WhatsApp 0334-318-2845, 0336-7222-191, +92 312 2169325
  • Gulshan Branch: A-242, Sardar Ali Sabri Rd. Block-2, Gulshan-e-Iqbal, Karachi-75300, Call/WhatsApp 0213-498-6664, 0331-3929-217, 0334-1757-521, 0312-2169325
  • ONLINE INQUIRY: Call/WhatsApp +92 312 2169325, 0334-318-2845, Lahore 0333-3808376, Islamabad 0331-3929217, Saudi Arabia 050 2283468
  • DHA Branch: 14-C, Saher Commercial Area, Phase VII, Defence Housing Authority, Karachi-75500 Pakistan. 0213-5344600, 0337-7222-191, 0333-3808-376
  • info@omni-academy.com
  • FREE Support | WhatsApp/Chat/Call : +92 312 2169325
WORKING HOURS

  • Monday 10.00am - 7.00pm
  • Tuesday 10.00am - 7.00pm
  • Wednesday 10.00am - 7.00pm
  • Thursday 10.00am - 7.00pm
  • Friday Closed
  • Saturday 10.00am - 7.00pm
  • Sunday 10.00am - 7.00pm