Security Training for Incident Handling: What Else Is Out There?

Earlier this year, I published a post on the importance of security training for incident handlers. And while there were no major overhauls or a change of security training providers for incident handling, it’s still worthwhile to point out some alternatives that were left out in the original post.

Some listed trainings go beyond foundational incident handling and give you basic — and in some cases pretty advanced — knowledge of concepts such as Web application security, network security and penetration testing.

Community-Driven Trainings

FIRST

To start, excellent material from the newly held FIRST Technical Colloquia (TC) was made available on the topics of:

  • Multivariate passive DNS for investigators;
  • Security analytics with ElasticSearch; and
  • Threat intelligence.

This year, the annual FIRST conference takes place in Seoul and includes introductory courses for organizations that wish to start a computer security incident response team (CSIRT). If you’re a newly hired incident handler or you have just started a new CSIRT yourself, then you should not miss out on this opportunity!

Conferences

Security conference are a great way to learn from your peers. They’re a good opportunity to combine your conference attendance with a training participation. For example, Black Hat USA trainings offer a unique chance to learn about:

  • Metasploit;
  • Malware analysis;
  • OSINT techniques;
  • Penetration testing techniques;
  • Digital forensics and incident response; and
  • Incident response fundamentals.

Some courses have a profound focus on incident handling, while others provide excellent training on penetration testing and network security. These courses are highly technical, and you definitely need a basic to intermediary knowledge of computer and/or network security. The material is often only presented during conferences like Black Hat, and the teachers have a proven track record; sometimes they are the very same people who wrote the tool(s) that you use in your daily work. That type of insight is invaluable.

Next to Black Hat, you should also have a look at the trainings of HITBSecConf and BruCON. There aren’t as many options as the Black Hat conferences, but they are a viable alternative.

One special type of gathering is BSides, a community-driven framework for building events for and by information security community members. It’s an opportunity to practice your presentation skills and, most importantly, discuss, participate and learn from other participants.

BSides are organized across the world. If you can’t find one near you, then you can always attempt to organize an iteration yourself.

Online Providers

There are three online providers that are certainly worth checking out: OpenSecurityTraining.info, Cybrary and Coursera.

OpenSecurityTraining.info

The material from OpenSecurityTraining.info is licensed with an open license, allowing anyone to use the material as long as they share modified works back to the community.

This training material allows you to increase your personal knowledge, but you can also use it to train others. It can act as a structured guideline to walk your students through the information. The classes, from beginner to advanced levels, cover topics such as:

  • Android forensics and security testing;
  • Flow analysis and network hunting;
  • Pcap analysis and network hunting; and
  • Keylogging on Windows.

The presentation of the information is not as slick compared to other providers, but there’s a wealth of useful information hidden behind the different links.

Cybrary

Cybrary has free cybersecurity trainings from beginner to advanced levels. These cover topics including:

  • Computer and hacking forensics;
  • Cryptography;
  • Penetration testing; and
  • Ethical hacking.

One of the things that makes Cybrary stand out from other providers is that it provides potential students with advice on the best path of study. The course paths help you choose tracks to increase your knowledge and bolster your career path.

Coursera

If you’re eager to learn, Coursera should be no stranger to you. But did you know they also have courses on cybersecurity?

One of the major advantages of Coursera is that you can do the learning whenever it is most convenient for you. Lessons are free of charge except if you want to receive a grade, in which case you’ll have to pay a small fee. Some courses require you to submit assignments, but if you’re only interested in acquiring new knowledge, you can leave these aside.

The courses cover a very broad spectrum of topics. For example, you can learn about:

Coursera trainings probably aren’t going to immediately increase the technical side of your incident handling capabilities. However, they do provide security professionals extra expertise, knowledge and context.

General Training

Secure Coding Academy

Another provider of security training is Scademy. Its course portfolio is primarily aimed at secure coding. The philosophy is simple: By improving the quality of your code and implementing secure coding practices, you reduce the time needed for testing your software and potentially dealing with issues.

Although focused on software development, incident handlers will also benefit from the trainings that focus on broader topics like:

  • Web application security;
  • Advanced software security;
  • Network security; and
  • Secure communication.

The trainings are primarily given on-premises, generally over the course of two to five days. There’s lots of hands-on examples and real-life cases for students to exercise their skills.

NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE)

The CCDCOE is a NATO-accredited research and training facility in Tallinn, Estonia, dealing with education, consultation, lessons learned and research and development in cybersecurity.

They offer a number of technical courses that are reasonably cheap or free for participants from certain nations. These lessons are tailored toward people with a solid background in information technology.

For example, the CDMCS Module 3: Large-Scale Packet Capture Analysis Course focuses on packet capture and analysis. It’s a four-day course that uses Moloch to demonstrate network security monitoring for different scales. Being able to get the maximum out of these tools is indispensable for incident handlers, both during the pre- and post-incident phase.

The training catalog also contains courses and workshops covering digital forensics, as well as systems attacks and defense, which has a goal of understanding the tools used by attackers. These workshops in particular are ideal for improving your hands-on skills in virtual lab environments.

Fox-IT

Fox-IT is a Dutch security company that also provides security training. Although the website listing the courses is only available in Dutch, all trainings are offered in English. Topics include forensic research and monitoring security analyst (for SOC operations) training.

The firm has specific courses for incident response handlers covering the triage and initial analysis stages. Additionally, there are incident response challenges you can use to find out where the weaknesses are in your response procedure.

Conclusion

Hopefully the training options listed in this post give you some good alternatives to those that were already listed. Don’t forget: Good security training is never out of reach. Community-driven efforts and online trainings provide a strong alternative to costly formal lessons.

Happy studying!

Share this Article:
Koen Van Impe

Security Analyst

Koen Van Impe is a security analyst who worked at the Belgian national CSIRT and is now an independent security researcher.He has a twitter feed (@cudeso) and a personal blog (www.vanimpe.eu).Koen is passionate about computer security, incident handling, network analysis, honeypots, Linux, log management and web technologies. He is responsible for the follow-up and coordination of computer security incidents and gives security advice to customers.