March 10, 2016 By Koen Van Impe 5 min read

The Need for Training

Information technology, and especially information security, is a quickly evolving playing field. Those working in incident handling and incident response always need to stay on top of what’s new and what is trending in their area of expertise.

By attending quality security training, you can stay knowledgeable on what is going on and react quickly to new threats and dangers. Additionally, by potentially getting certified, you prove to your constituency and customers that you have acquired more applicable knowledge.

The type of training that you want to attend depends strongly on the environment that you are working in or the goal that you want to achieve. There are several kinds of training that you may want to consider.

Vendor-Specific Security Training

Vendor-specific training can be very useful if you want to focus on one specific product or environment. They are sometimes more beneficial for security operations center (SOC) activities but are also useful for CERT activities.

Microsoft

For example, if you are working primarily in a Windows environment, then you should definitely have a look at the Microsoft Virtual Academy. Microsoft provides guidance for using Sysinternals (a set of tools for analyzing Windows systems) and Powershell. Powershell is a popular tool to automate incident handling tasks on Windows systems. There are also courses for basic and advanced Windows security, system forensics and for setting up a secure Azure environment.

Cisco

Similarly, people working at ISPs, network environments or in data centers can benefit from the material that is provided by Cisco in its training and certifications program.

IBM

IBM offers a broad set of authorized training programs that cover cloud, security services and development tracks. Among the material is a training path for:

  • Security intelligence via QRadar;
  • QRadar Incident Forensics configuration and usage; and
  • Log management and security information and event management (SIEM) foundations.

General Training

There are also the more generic trainings offered by commercial partners. These sessions provide a broader view on a topic and will often include some sort of methodology to be used when applying the newly acquired knowledge.

Some courses are also offered through an online- or remote-learning portal, giving access to anyone interested.

SANS

Some of the most well-known trainings are the SANS courses. Most of these classes consist of an intensive five- or six-day course. SANS training can be expensive, and consequently, the target audience mostly consists of employer-paid students.

SANS has specific training for general incident handling via “Hacker Tools, Techniques, Exploits and Incident Handling” but also provides in-depth content if you want to explore more regarding:

SANS courses can be completed with a certification track called Global Information Assurance Certification (GIAC). The exams are strongly focused on understanding the methodologies and gaining insight into security events. You can bring along all your printed material; there’s no need to learn all the configuration switches for a specific tool by heart, but you do have to understand how and when to use the tool.

SANS Events

The SANS courses are often organized at locations where other sessions take place at the same time. This allows you to connect with fellow students also working in the security field. These events or summits sometimes include bonus sessions covering new trending topics or the implementation of tools.

Offensive Security

If you do incident handling or incident response, it is important that you understand how attackers work and get more insight into what type of methodologies are being applied and the tools they use. If you want to become more knowledgeable on the offensive side, then the trainings from Offensive Security are very well-fitted.

The intense live courses focus on Windows and Web exploitation. The online courses get you up to speed using Kali for penetration testing. Offensive Security also offers in-house sessions for organizations, consisting of an intensive five-day training with two trainers.

EC-Council

The EC-Council offers a broad set of training both for the offensive side (e.g., penetration testing) and defensive side (e.g., forensics ad incident handling). Some courses last a couple days and are online, on-site or via self-learning. Note that “EC” does not stand for European Commission.

Community-Driven Trainings

Building trust and getting to know your peers is important in the security community. This is especially true in incident handling because you will have to rely on other people and organizations to cooperate when dealing with an incident. There’s no better way to do this than by meeting people in real life. You have this opportunity not only during conferences, but also during community-driven trainings.

FIRST.org

The Forum of Incident Response and Security Team (FIRST) is well-known for its yearly conference. It is often preceded by a couple short, one-day or half-day trainings.

If you want to dive into information that is immediately useful for your team, you should attend a FIRST Technical Colloquia (TC). These TCs are very cheap — or sometimes even free if you are a member — and are organized by people working in the field. They provide a discussion forum to share information about vulnerabilities, incidents, tools and all other issues that affect security operations.

The colloquia are sometimes also held jointly with other organizations such as TF-CSIRT or a sectoral ISAC. Topics covered include things like building a national CERT, incident handling case studies, using volatility and the use of STIX and CybOX.

TRANSITS

The TRANSITS trainings are the result of a European Commission-funded project to help CERTs train their staff members. They take place at least twice a year in Europe and are ideal for bringing new staff up to speed on how to work within a CERT (TRANSITS I) or to extend the knowledge of more experienced team members (TRANSITS II).

The basic TRANSITS I course focuses on organizational, technical, operational and legal aspects of working within a CERT. Because most people attending the basic training are newly hired staff members, it’s a great opportunity for getting to know future peers.

The advanced TRANSITS II course is for more experienced incident handlers and covers netflow analysis, forensics, communication and real-life exercises. A testimonial from one of the participants is a good way to check if this workshop is right for you.

ENISA

The European Union Agency for Network and Information Security (ENISA) organizes a number of workshops and trainings that cover topics such as inner CERT workings and how to collaborate with law enforcement agencies.

ENISA has online training material available, as well, encompassing:

  • Artifact analysis for mobile threats and incident handling;
  • Identification and handling of electronic evidence;
  • Triage and basic incident handling; and
  • Incident handling procedure testing.

You can request the live training of ENISA via your national or governmental CERT.

Conclusion

Training for incident handling and incident response can sometimes be expensive, but most of the time the sessions give you good value for the money. Do not forget that a lot of the training material is sometimes available online. This allows you to get a preview of the content and judge if it fits your needs.

The community-driven events have an additional benefit: You get to know your peers in real life. It is a good occasion for talking to people working in the field and learning from their experiences. Because of the community focus, it might also help you to introduce your peers to a topic on which you are very knowledgeable.

More from Incident Response

How Paris Olympic authorities battled cyberattacks, and won gold

3 min read - The Olympic Games Paris 2024 was by most accounts a highly successful Olympics. Some 10,000 athletes from 204 nations competed in 329 events over 16 days. But before and during the event, authorities battled Olympic-size cybersecurity threats coming from multiple directions.In preparation for expected attacks, authorities took several proactive measures to ensure the security of the event.Cyber vigilance programThe Paris 2024 Olympics implemented advanced threat intelligence, real-time threat monitoring and incident response expertise. This program aimed to prepare Olympic-facing organizations…

How CIRCIA is changing crisis communication

3 min read - Read the previous article in this series, PR vs cybersecurity teams: Handling disagreements in a crisis. When the Colonial Pipeline attack happened a few years ago, widespread panic and long lines at the gas pump were the result — partly due to a lack of reliable information. The attack raised the alarm about serious threats to critical infrastructure and what could happen in the aftermath. In response to this and other high-profile cyberattacks, Congress passed the Cyber Incident Reporting for Critical…

PR vs cybersecurity teams: Handling disagreements in a crisis

4 min read - Check out our first two articles in this series, Cybersecurity crisis communication: What to do and Crisis communication: What NOT to do. When a cyber incident happens inside an organization, everyone in the company has a stake in how to approach remediation. The problem is that not everyone agrees on how to handle the public response to cyber crisis communication. Typically, in any organization, the public relations team handles the relationship between the company and the media, who then decide…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today