
LDR553: Cyber Incident Management

LDR553 - Cybersecurity Leadership
  • 5 Days (Instructor-Led)
  • 30 Hours (Self-Paced)
Course authored by:
Steve Armstrong-Godwin
  • GIAC Cyber Incident Leader (GCIL)
  • 30 CPEs

    Apply your credits to renew your certifications

  • In-Person, Virtual or Self-Paced

    Attend a live, instructor-led class at a location near you or remotely, or train on your time over 4 months

  • 28 Hands-On Lab(s)

    Apply what you learn with hands-on exercises and labs

Develop essential leadership skills to effectively manage major cyber incidents from discovery to resolution, providing clear direction when your organization needs it most.

Course Overview

While technical teams work to identify and remove attackers, they require strategic direction, management, and support to maximize their effectiveness. Cyber Incident Management focuses on the critical non-technical challenges facing leaders during high-pressure security incidents. This course equips you to lead incident management teams by providing a comprehensive understanding of immediate, short, and medium-term challenges organizations face during security breaches.

You will learn to build and manage teams, distill critical data for briefings, and communicate effectively with executives, board members, and other stakeholders. Through nine detailed case studies, you will gain hands-on experience in incident management methodology and practices applicable to various cybersecurity scenarios.

What You'll Learn

  • Run briefings under pressure with minimal prep and deliver real impact
  • Lead meetings when the team is stressed, the facts are incomplete, and execs are impatient
  • Build and test your own GenAI tools to draft briefs, simulate reactions, and organize chaos
  • Survive a supply chain breach with minimal third-party support
  • Distinguish between technical facts, assumptions, and noise during incident response
  • Use the CIMTK framework to prioritize tasks and drive progress
  • Track attacker behavior, infrastructure risk, and team readiness in real time

Business Takeaways

  • Develop expert cyber incident management capabilities
  • Accelerate incident resolution with streamlined processes
  • Foster better vendor and legal coordination during third-party breach escalation
  • Improve team performance during critical incidents
  • Reduce workload without increasing risk by integrating GenAI
  • Build a stronger bridge between technical and non-technical functions during cyber events
  • Integrate threat intelligence to anticipate threats

Course Syllabus

Explore the course syllabus below to view the full range of topics covered in LDR553: Cyber Incident Management.

Section 1: Understanding the Incident, Building the Team With GenAI, Scoping & Tracking the Impact

Section 1 focuses on understanding incidents, standardizing language, and defining objectives. You will gather information, set goals for the Incident Management team, and assign responsibilities. The section introduces the Cyber Incident Management Tool Kit (CIMTK), team composition, task tracking, and GenAI support.

Topics covered

  • Initial Information Gathering
  • Using Common Language
  • Defining Your Objectives
  • Who's On Our Team?
  • Building Our Communications Plan

Labs

  • Initial Setup at the Start of the Course
  • Initial Incident Briefing
  • CIMTK: The Grid and AIM-RADAR
  • Setting Objectives and Developing the Commander’s Intent
  • Making GPTs in OpenAI

Section 2: Communications, Planning and Executing Remediations

Section 2 explores communications in great depth as we look at interactions with executives, attackers, our staff and the public/customers. You will learn approaches that can buy time to address issues and prevent data leaks. You will categorize network and data damage, prioritize remediation tasks, and eliminate vulnerabilities.

Topics covered

  • Engaging with attackers
  • Tracking incidents and progress
  • Remediating damage and evaluating attacker removal options
  • Utilizing Root Cause Analysis (RCA) methods
  • Reporting and documenting cases

Labs

  • Crisis Comms: Briefing Executives and the Wider Organization
  • Crisis Comms: Dealing with Attackers
  • Crisis Comms: Drafting a Public Statement
  • Planning Data and System Remediation
  • Conducting Root Cause Analysis (RCA)

Section 3: Training, Leveraging Cyber Threat Intelligence, Bug Bounties

Section 3 explores training IR teams and the broader organization. You will learn to develop effective training programs based on organizational maturity and specific needs. We examine integrating Cyber Threat Intelligence (CTI) into IR efforts and deep dive into developing strategies for managing supply chain and third-party compromises.

Topics covered

  • Developing the wider team
  • Analyzing training needs
  • Developing the SOC/IR/IM team
  • Leveraging Cyber Threat Intelligence
  • Third-Party Supply Chain Compromise

Labs

  • Choosing Cyber Training Exercises
  • Planning a Hotseat exercise
  • Submitting a Request For Intelligence (RFI)
  • Complete Third-Party Supply Chain Exercises

Section 4: Cloud Incidents, Business Email Compromise, Credential Theft Attacks and Incident Metrics

In Section 4 you will build a comprehensive view of an incident, visualize incident timelines, and address complex attack scenarios. You will learn to create timelines tailored to different audiences, understand credential theft attacks and the MITRE framework, and explore Business Email Compromise (BEC), as well as cloud-based attacks and management console breaches.

Topics covered

  • Timelines for Visualization
  • Defining Cloud Attacks
  • Credential Theft Attacks
  • Business Email Compromise (BEC)
  • Cloud Assets and Management Console Attacks

Labs

  • Reviewing Incident Timelines
  • Credential Loss Impact Assessment
  • BEC attack response
  • Cloud Management attack response

Section 5: AI for Incidents, Attacker Extortion, Ransomware, and Capstone Exercise

Section 5 examines AI applications, including Large Language Models and Generative AI. You will gain in-depth knowledge of ransomware incidents by examining historic cases and considering how to prepare and train for encryption events.

Topics covered

  • Leveraging AI for IM
  • Ransomware
  • Summary and review
  • Capstone Exercise

Labs

  • Updating the public statement
  • Leveraging AI and LLM in IM
  • Reviewing Ransomware cases
  • Capstone exercise

Things You Need To Know

Relevant Job Roles

Cyber Incident Responder

European Cybersecurity Skills Framework

Monitor the organisation’s cybersecurity state, handle incidents during cyber-attacks and assure the continued operations of ICT systems.


Systems Security Management (OPM 722)

NICE: Oversight and Governance

Responsible for managing the cybersecurity of a program, organization, system, or enclave.


Senior Security Leader

Cybersecurity Leadership

Daily focus is on the leadership of technical teams. Includes titles such as Technical Director, Manager, and Team Lead.


Cybersecurity Instruction (OPM 712)

NICE: Oversight and Governance

Responsible for developing and conducting cybersecurity awareness, training, or education.


Incident Response

SCyWF: Protection And Defense

This role investigates, analyzes and responds to cyber incidents.


Executive Cybersecurity Leadership (OPM 901)

NICE: Oversight and Governance

Responsible for establishing vision and direction for an organization's cybersecurity operations and resources and their impact on digital and physical spaces. Possesses authority to make and execute decisions that impact an organization broadly, including policy approval and stakeholder engagement.


Cybersecurity Policy and Planning (OPM 752)

NICE: Oversight and Governance

Responsible for developing and maintaining cybersecurity plans, strategy, and policy to support and align with organizational cybersecurity initiatives and regulatory compliance.

