Incident Analysis

This introductory-level course is aimed at a broad audience - anyone who is interested in learning about the Incident Response Life Cycle and how to analyze, contain, and recover from a security incident. This is the second course in the Incident Response series, taking students through the critical processes that occur once a security event has been elevated to the status of a confirmed security incident.

The goals of this 3-day course are to have students analyze log and sensor data, network traffic, host-based artifacts, emails, and contextual data for evidence related to the attack vectors and scope of a breach, using FIRST CVSS 4.0 and other tools. Once this analysis is complete, students will use playbooks and industry-recognized resources, such as the MITRE ATT&CK matrix, to determine the appropriate follow-on actions for containment and recovery.

Course Overview

Overall Proficiency Level

1 - Basic

Course Prerequisites

Basic understanding of operating system internals
Familiarity with the general use of Windows systems
Basic understanding of how network traffic traverses intranets, extranets, cloud, and the internet.

Related Courses:

OS-100 Understanding Operating Systems
IR-110 Event Monitoring and Incident Detection
IR-210 Incident Response Planning and Management (coming soon)
IR-220 Analysis, Containment, and Recovery (coming soon)

Training Purpose

Management Development

Skill Development

Specific Audience

All

Delivery Method

Classroom

Online, Instructor-Led

Course Locations

8890 McGaw Road
Suite 200
Columbia, MD 21045

625 W Adams Street
Chicago, IL 60661

5908 Headquarters Drive
Suite 400
Plano, TX 75024

201 N Franklin St
Floor 37
Tampa, FL 33602

40 E. Rio Salado Parkway
Suite 200
Tempe, AZ 85281

Course Location Map

Your Location
Providers
Courses
Course and Provider Quantity

Classroom
Online, Instructor-Led

Learning Objectives

Identify the types of data relevant to information security events
Analyze host-based artifacts for the presence of anomalous activity
Assess log and sensor data for detection of anomalous activity
Assess contextual data sources for detection of anomalous activity
Analyze email traffic for the presence of anomalous activity
Analyze network traffic for the presence of anomalous activity
Apply playbooks to contain and mitigate threats
Recommend actions for containment and recovery using the Mitre ATT&CK matrix and detection use cases
Simulate best practices for containment, analysis, and recovery in an incident response scenario

Framework Connections

The materials within this course focus on the NICE Framework Task, Knowledge, and Skill statements identified within the indicated NICE Framework component(s):

Competency Areas

Work Roles

Feedback

If you would like to provide feedback on this course, please e-mail the NICCS team at NICCS@mail.cisa.dhs.gov. Please keep in mind that NICCS does not own this course or accept payment for course entry. If you have questions related to the details of this course, such as cost, prerequisites, how to register, etc., please contact the course training provider directly. You can find course training provider contact information by following the link that says “Visit course page for more information...” on this page.

Last Published Date: September 3, 2024