LDR553: Cyber Incident Management

  • In Person (5 days)
  • Online
30 CPEs

If you are worried about leading or supporting a major cyber incident, then this is the course for you. You cannot predict or pick when your organization will face a major cyber incident, but you can choose how prepared you are when it happens. While there are broad technical aspects to cyber incidents there is also a myriad of other activities that generally fall to executives, managers, legal, press, and human relations staff. These include communicating both internally and externally, considering the battle rhythm, and a look at methodologies for tracking information gathered and released to the public. This cyber incident management training course focuses on the challenges facing leaders and incident commanders as they work to bring enterprise networks back online and get business moving again.

What You Will Learn

Open in Case of Emergency

LDR553 looks at all the common and major cyber incident types, explains what the key issues are, and how to plan a recovery. Whilst you may have a full team of technical staff standing by to find, understand, and remove the attackers, they need information, tasking, managing, supporting, and listening to maximize their utilization and effectiveness. We focus on building a team to remediate the incident, on managing that team, on distilling the critical data for briefing, and on how to run that briefing. We look at communication at all levels, from the hands-on team to the executives and Board, investigative journalists, and even the attackers.

This course empowers you to become an effective incident management team member or leader; ensuring you fully understand the different issues facing incident commanders in the immediate, short and medium term. As well as becoming comfortable with terminology, you will understand what preparatory work you can undertake at different stages to help you get ahead of the situation. LDR553 was developed to ensure efficient management of a diverse range of incidents with a focus on cyber; however, the methodology, concepts and guidance will apply to many regular major and critical incidents.

"Great insights, examples and relevant tools. I applied the 3rd party incident tool within minutes to an ongoing 3rd party incident. So I can't dream of a more relevant and useful course than this." - Jonas Roos Christense, Copenhagen Airports

WHAT IS CYBER INCIDENT MANAGEMENT?

Cyber Incident Management (IM) sits above Incident Response (IR) and is tasked to manage incidents that get too big for the Security Operations Center (SOC) and IR. These tend to be the more impactful or larger incidents that IR is not scaled to handle as it requires significant liaison with internal and external partners to coordinate the investigation, forensics, planning, recovery, remediation, and to brief the corporate comms, C-level staff and board as needed. Less technical and more business focused, the IM team will take the output from IR and relay it to the necessary teams as they coordinate wider investigations and hardening, hygiene and impact assessment as they plan towards recovery. A strong IR lead may fulfill the IM role, but during critical incidents IRs are often shoulder deep in malware, systems, logs and images to process to the point where all technically capable IR staff are kept focused on technical tasks. IMs are more business focused and IR is more technically focused.

BUSINESS TAKEAWAYS

This course will help your organization:

  • Develop staff that know how to lead or contribute to a cyber incident management team
  • Manage your incidents more effectively
  • Resolve incidents quicker
  • Understand the gaps in your security incident plans and response strategies
  • Create higher performing security incident teams
  • Plan ahead to handle some of the most devastating potential attacks

SKILLS LEARNED

  • Implement various incident response frameworks
  • Scoping incidents correctly
  • Define the incident management team’s objectives
  • Effectively managing a team under extreme pressure
  • Awareness of human responses to facing catastrophically impactful urgent changes
  • Structure, manage, and deliver briefings to upper management and the Board
  • Planning and controlling communications when managing a serious incident
  • Communicating with attackers and the pros and cons thereof
  • Where and how to track the incident
  • Planning, coordinating, and executing counter compromise activities
  • Mastery of incident reports both during and post closure
  • Steps to close the incident and return to business as usual
  • Understand the constraints of 3rd party or supply chain incidents
  • Plan for and deal with a compromised supply chain organization
  • Fostering better cyber incident management support in other departments through combined training and exercises
  • How to plan, setup and run cyber incident management training exercises
  • Integrating Cyber Threat Intelligence to the IM team and capabilities
  • How bug bounties can be supported and how they can cause major incidents
  • Develop the team to be able to investigate cloud attacks
  • Support the Legal team in Business Email Compromise attacks and the nuances of the different BEC types
  • Track and improve the IM team’s capability with playbooks and runbooks
  • Comprehend the value and risks that AI could bring to the overall IR and IM process
  • Improve readiness for ransomware attacks via simulated exercises

HANDS-ON CYBER INCIDENT MANAGEMENT TRAINING

LDR553 uses case scenarios, group discussions, team-based exercises, and in-class games to help students absorb both technical and management topics. We follow along as a fictitious company deals with a network breach from start to finish.

Section 1:

  • Reviewing the initial incident briefing, capturing initial information and generating initial tasks
  • Setting the objectives for the IM team
  • Crisis communications – briefing the executives

Section 2:

  • Dealing with the attackers
  • Drafting public statements
  • Crisis communications – briefing the wider team
  • Prioritizing data and system remediation planning
  • Conducting root cause analysis

Section 3:

  • Reviewing organizational exercise requirements
  • Running a tabletop exercise
  • Running a Hot Seat exercise
  • Incorporating Cyber Threat Intelligence into the team
  • Dealing with 3rd party incidents and a compromised supply chain
  • Bug Bounty program and remediation strategies

Section 4:

  • How to present timelines to an audience
  • Remediation plans and strategies
  • Cloud attacks
  • Business Email Compromise (BEC) and how to investigate it
  • Host and management plane compromise incidents
  • Bringing more bad news to the public

Section 5:

  • AI for IM
  • Leveraging LLMs (ChatGPT/Bard) for IR support
  • Ransomware history and how to manage the worst
  • DR planning
  • Review of the course before the capstone exercise

"The labs are creative and portray how a typical major incident unfolds in a modern organisation. I feel that the scenario is quite realistic." - Armando Tusha, Bridewell

"The labs and exercises were grounded in reality and mirrored what would be expected of a working practitioner." - Carl Urban, e2e-assure Ltd

"Labs are great, the flowing narrative really helps." - Lee Taylor, Leicestershire Police

SYLLABUS SUMMARY:

  • Section 1 – Scoping, defining, and communicating about the incident
  • Section 2 – Damage control, reporting, closing the incident
  • Section 3 – Developing & running exercises, supply chain incidents, CTI, bug bounties & remediation strategies
  • Section 4 – Managing cloud based incidents, Business Email Compromise and press statements
  • Section 5 – AI in IM, Ransomware, Summary and Capstone exercise

ADDITIONAL RESOURCES

WHAT YOU WILL RECEIVE:

  • Electronic courseware containing the entire course content
  • Printed course books
  • Access to the Cyber Incident Management Tool Kit
  • MP3 audio files of the complete course lecture
  • Access to a new Discord server to chat about the course
  • Immediate actions for dealing with Ransomware
  • Training plans, report templates, incident frameworks and other cheat sheets

WHAT COMES NEXT:

NOTE: Some course material for SEC504 and LDR553 may overlap. SANS recommends SEC504 for those interested in a more technical course of study, and LDR553 for those primarily interested in a leadership-oriented but less technical learning experience.

Syllabus (30 CPEs)

  • Section 1 Overview

    In Section 1 we will focus on understanding the incident, gathering information from different groups and standardizing the language. To assist in this, we will remind ourselves of some of the common terms to optimize communications. From there we will define what the Incident Management (IM) group will seek to achieve, so we can state and focus on our objectives. This is important as retaining focus can be hard when it gets super busy.

    With the objectives defined, we then turn to initial tasks and delegating those to the team; this gives us some breathing space to plan the next steps. Our initial tasking output will be based on one of the core tools in the Cyber Incident Management Tool Kit (CIMTK), the "IM Starting Grid". This detailed list of Yes/No questions outputs a list of core IM tasks that aid rapid response. By identifying these tasks early, concurrent activity can be initiated for both the support teams (Incident Response (IR), Information Technology (IT), Human Resources (HR), Legal etc.) and the IM team. As IM is totally dependent upon a good team, we will assess team composition and what different groups need to contribute to the mission. Finally, we dig into communication and how to interact with different stakeholders. Tracking activity, tasks, and communications is a big theme throughout this course.

    Exercises
    • Reviewing the initial incident briefing
    • The incident management starting grid
    • Setting the objectives for the IM team
    • Crisis communications: briefing the executives

    Topics

    Initial Information Gathering

    • Using common language
    • Understanding the attack
    • IR Frameworks, OODA loops and non-zero-sum games
    • Scoping your initial tasks

    Defining your Objectives

    • What are typical objectives in IR/IM?
    • Mapping attacks to business impacts

    Who's on our Team

    • Understanding the skills needed
    • Where should the team be located
    • How big does the team need to be?
    • Managing people to create productive teams

    Building our Communications Plan

    • Communications planning
    • Communicating with Execs, teams, and 3rd parties

  • Section 2 Overview

    After reviewing Section 1, we conclude the communications topic by looking at communications with the attackers. While you may have no plans to pay any ransom, by entering into dialogue with attackers you can gain time to fix issues the attackers have uncovered, discovered, or could leak. While controversial and possibly contrary to your own beliefs, it is important to understand what options are available to the organization. We will cover how attacker dialogue may occur and what factors will influence the response options and process.

    We will look at what incident information should be tracked and options or ways to achieve that. We review both commonly available products as well as bespoke options (including those for on prem and cloud hosted solutions).

    Getting into the remediation of the network and data damage, we have a large section on categorizing the damage the attackers have inflicted and then mapping it to the remediation work that will need to be prioritized and tracked to ensure that all possible vulnerabilities have been removed. A much-overlooked aspect, we discuss secrets that are included in stolen data and systems and consider how this might affect our future operations.

    In the reporting and documenting of the case, we review some of the outputs from the IM process. While a solid IR report is always useful, we will cover what aspects could be added to expand it to cover IM. This is important as the direction of the Incident Response is often mandated by Incident Management, so linking the two into one report makes for a more structured reading while outsourcing some aspects to others.

    In planning the closure of the incident, we discover what remediation and vulnerability closure tasks should be moved to non-incident mainstream projects and what reflection meetings should be held to ensure Root Cause Analysis (RCA) outputs are captured and lessons are identified and tracked. We will look at the 5-why method for undertaking an RCA and some different (good and bad) examples.

    Exercises
    • Dealing with the attackers
    • Drafting a public statement
    • Crisis communications - briefing the team
    • Prioritizing the data and system remediation planning
    • What's a good Root Cause Analysis (RCA)?

    Topics

    Talking to or working with, the attackers

    • Understanding what results the attackers are trying to achieve
    • Choosing a communications medium
    • Attacker media and comms methods
    • Proxies, trusted 3rd parties and attacker reputation
    • Trying to control the narrative
    • Understanding what the attackers have
    • Options and impacts
    • The cost of doing nothing
    • Is paying the attackers really an option?

    Tracking the Incident, tasks, people and progress

    • Review of the functions we might want to include in our IM solution
    • Incident Trackers and what they can look like
    • Evidence management
    • Task and work tracking
    • Building the right solution for the organisation
    • Using Google Docs as an emergency IM Platform

    Remediation of network and data damage

    • Types of Remediation system & data
    • Tracking the remediation
    • CIMTK: CC Systems and users impacted
    • Categorizing exposed assets
    • Identifying who owns the data
    • Documenting and notifying impacted parties - Counter Compromise Activities
    • Root Cause Analysis methods and outcomes

    Reporting and documenting the case

    • When do you start the report?
    • Types of reports
    • What goes in the report?
    • Graphics are great!
    • Getting input, support and consensus
    • Control and access to the reports

    Planning the closure of the Incident

    • Reviewing the task and key objectives
    • Understanding Business As Usual (BAU) for the impacted teams
    • Running a FRCA
    • Handing the ongoing initiatives to project managers
    • Breaking up the IM team

  • Section 3 Overview

    In this session we are deep diving on training of IR/IM and the wider organization. We will examine the need for training and, depending upon maturity, the type of training. We will have several labs to support this, including an example of an exercise to onboard non-IR types to cyber incidents.

    As we look to our own team training, we look at the types of exercises that historically are used and how they fail to help people grow and develop. We look at both long term training strategies and tactical fun exercises to get people talking and working together. We will focus on the gaps and the places people need practice rather than exercises for simple frequency compliance.

    Cyber Threat Intelligence (CTI) features heavily in the press and many organizations have it but don't know how to connect it into IR/IM for the best effect. Additionally, many do not work to improve the availability of CTI when in an incident; we will give you this knowledge and prep-list so you too can benefit from high quality polished CTI in the middle of your ransomware incident to support IR/IM and even Execs. Finally, as we dig into CTI's various outputs, we will explain how we can provide input to the CTI team to best leverage their skills and focus them and their tools to support our local and strategic needs.

    Supply chain or 3rd party compromises are increasingly common and are likely to increase further as more activities are outsourced to outside the organization. In this longer section we will dig into the limitations we have with these incidents and how we can improve that position.

    We will look at the action plan of activities that need to be undertaken to successfully handle a 3rd party issue, and we will break this down in detail as a deep dive on a case study for our Submarine Studios. We will show students how to understand the scope, impact, and immediate remediation options as well as the investigation actions that fall to 'us', despite this appearing to be a 'them' problem. We will look at how to plan a call with the 3rd party so our objectives are clear, and what to do when we don't get the info we need. Finally, we will look at how and when to close down the 3rd party incident.

    Exercises
    • Choosing Cyber Training Exercises
    • Example table-top exercise for non-IM Specialists
    • Planning a HotSeat exercise
    • Submitting a Request For Intelligence (RFI)
    • 3rd Party Supply Chain: Reviewing the incident notification
    • 3rd Party Supply Chain: Assessing the impact and developing an RFI
    • 3rd Party Supply Chain: Planning the call with the 3rd party
    • 3rd Party Supply Chain: Updating the Execs

    Topics

    Developing the wider team

    • Why train others?
    • Training the wider organization
    • Planning enterprise-wide training
    • Developing and running Cyber Incident Exercises

    Developing the wider team

    • Types of training
    • Learning needs analysis
    • Maturity of exercises

    Developing the SOC/IR/IM team

    • Working and developing people on the exercises
    • Who to include in the exercises
    • External groups to include in exercises
    • Planning and running hotseat exercises

    Leveraging Cyber Threat Intelligence

    • What is CTI
    • Strategic/Operational/Tactical products
    • What can CTI produce for IM?
    • Developing CTI requirements
    • Generating a PIR
    • Avoiding common mistakes
    • Intelligence feedback loops

    3rd Party Supply Chain Compromise

    • What is a supply chain and why is it attacked?
    • Notification routes
    • CIMTK: 3rd Party compromise IM Planning
    • Analysis of the exposure
    • Planning around the data void
    • Developing a Request for Information (RFI) for the 3rd Party
    • Planning the 3rd party meeting
    • Closing 3rd party incidents

  • Section 4 Overview

    With the increase in incident complexity, we need to look at how to visualize the key facts. Timelines are a great way to do this, but we have to be careful. A badly thought out and poorly scoped timeline not developed for the target audience can be confusing and fail to convey the desired message. We will look at how to scope a timeline and the different styles that can be used. We will refer to some case study materials as examples of different lenses on the same incident.

    Before we deep dive into BEC and other Cloud focused attacks, we will clarify some aspects of responsibility and attack focuses referring to the common cloud and MITRE models.

    We hit Credential Attacks hard, looking at what the attackers want to obtain and what they can use those credentials for (again linking to MITRE). We will consider the options of the attacker as they decide whether to break in themselves and then harvest credentials, or to buy access. We will look at Initial Access Brokers, what they provide and how they get it, as well as underground marketplaces and log sources. Finally, we will cover user targeting aspects including MFA fatigue, Illicit Consent Attacks, password manager attacks and even malicious browser extensions.

    With the stolen credentials, we will take a deep look at Business Email Compromise (BEC), starting off with the stages of BEC. As an increasingly common attack, we will look at the IM support to others, including how we support the legal arguments, how liability will be decided and where we need to direct IR to forensicate. This is a great follow-on to the 3rd party compromise from Session 3, as we often find ourselves discussing how a supplier got compromised but it was our client who lost $100K, and they don't want to share compromise logs or data.

    With the background set we will look at the 6+ types of BEC as we break down each attack, where the attacker is sitting and who will get impacted. We do this in detail as it makes investigating BEC so much easier when you have a template to compare it against. Naturally, we will have a real head scratcher of a lab where we bring one of the most underrated influences on an investigation -- doubt.

    As we move around the cloud model, we focus on IaaS host compromise next, again looking at the vector, the impact, the investigation requirements and how clean-up needs to be managed for completeness.

    Finally, we look at cloud management console compromises and consider the impact of these, how they can be investigated and what clean-up work needs to be planned. For this we will look a little at the controls that could have prevented this attack and where the attacker got the credential from in the first place. This will help attendees understand that for some attackers (and luckily for the victim) the management console is not the end goal, but that this is totally dependent on the attacker's motivation rather than on anything the defending blue team did.

    Exercises
    • Reviewing Incident Timelines
    • Credential Loss Impact Assessment
    • We paid the wrong account! (BEC)
    • The cloud bill is vast (Cloud Management attack)
    • Updating the public statement

    Topics

    Timelines for visualization

    • Scoping the timeline
    • Considering the audience
    • Levels of detail

    Defining Cloud Attacks

    • Shared responsibility models
    • MITRE for Cloud reference

    Credential Theft Attacks

    • What attackers are after and why
    • BYOD vectors
    • How do attackers get the access they want
    • Credential Harvesting
    • Underground Marketplaces
    • Initial Access Brokers
    • Malicious Browser Extension
    • Password Manager Attacks
    • MFA Fatigue
    • Illicit Consent Grant Attacks
    • CIMTK: Credential Loss Immediate Actions (CLIA)

    Business Email Compromise (BEC)

    • Stages of BEC
    • MITRE Reference to O365
    • Where does liability fall?
    • Supporting Legal staff
    • Detailed step through the 6+ types of BEC
    • Points to understand to support BEC
    • Inbox investigations
    • Multi-site and Multi-vendor compromises
    • CIMTK: BEC Initial Actions (BECIA)

    Cloud Asset Attack

    • MITRE TTPs for Cloud Assets
    • Differences between Cloud and On-Prem
    • Finding the Pivot
    • Forensicating the Cloud Virtual Machines
    • Closing Policy Holes and Network Gaps

    Cloud Management Console Attacks

    • Defining the attack and the goals
    • Goals for the Attacker
    • Focusing the team
    • Policy Checks and leveraging Auditors
    • Considering the other vectors to 'touch' the console
    • Cloud Focused RCA
    • Reporting the Incident

  • Section 5 Overview

    In this last session we will look at some of the bigger issues facing organizations. We start by looking at how to improve the team by working with others, linking to other teams and groups. We will consider KPIs and internal metrics, what they can show you and what they can hide. As IM is largely focused on big impact incidents, we will look at the wider DR piece for the organization and how you can tap into those teams, processes and exercises for a smoother operation.

    ChatGPT is now a common word in the press and is used by tech and non-tech people alike. With organizations seeming to rush to invest and claim they are using AI, we will take some time to understand what we are talking about. We will look at the collective AI term and break it down into types (including NLP, Neural Networks, Generative AI, Machine Learning and Robotics) before we focus on Large Language Models (LLMs) and ChatGPT/Bard/Autopilot etc. With this understanding we can better judge what we can use where and how. We will examine the risks associated with AI and see how we can minimize those. Finally, as part of our LLM exercise we will leverage LLMs to review some of the work we did on Submarine Studios' various cases.

    Ransomware is headline news almost every day. It's the one thing that keeps more CISOs and Boards awake each night, so we will go deep to look at its history and where it is now in terms of development. We will look at the stages of a ransomware compromise and what detection points were missed as the attackers moved from initial access to the final closing blow of encryption. We will talk about the tasking of the IR team to support learning the details of the attack, and we will examine the IM function to coordinate and provide context to the executives as we press them for decisions.

    We will extensively refer back to previous sessions on team exercising, planning, cloud attacks, initial access and credential attacks as we pull together the plan to minimize the impact so we might salvage the network and organization.

    We will consider the alerts that often trigger what most consider the start of the ransomware incident, and we will establish what those alerts mean in terms of the overall ransomware stages and what has really happened. We will cross-map that with what instant checks can be done and how automating these could give you early warning of an adversary in the preliminary stages of an attack.

    We will talk about what options are available to organizations and what we need to get to execs to be able to get decisions from them. We will focus on no-regret options and consider the impacts of "going dark".

    Building on our talking with attackers in Session 2, we will consider how negotiation could and should be conducted; again, we will look at how this can be exercised and planned for.

    Finally, we will look at the need to investigate the network compromise in parallel to the remediation so the organization can repel a further attack that may come depending upon their decisions to pay/no-pay. We will consider the rebuild options and what records might help such activities.

    We will cover the need for decisions to be recorded and for careful tracking of impacts, systems and availability data. In the aftermath of an incident the 20-20 vision glasses will suddenly be worn by everyone, so we discuss the need to log and document who knew what, where and when.

    Exercises
    • Leveraging AI and LLM in IM
    • Reviewing Ransomware cases
    • Analysis and leadership in the middle of a Ransomware event
    • Capstone exercise phase 1
    • Capstone exercise phase 2
    • Capstone exercise phase 3

    Topics

    Improving IR/IM

    • Policies, playbooks and run books
    • People vs Tools
    • Metrics vs KPIs -- what's the difference
    • The message behind the metrics
    • Leveraging outside groups
    • Getting in on the DR party
    • Relationship management and approaches with different groups

    Leveraging AI for IM

    • What do we mean by AI
    • What AI can we use where?
    • What is a Large Language Model (LLM) and are they all the same?
    • Risks associated with leveraging LLMs
    • Is there such a thing as a bad LLM? Are they evil?
    • ChatGPT syntax and prompt considerations

    Ransomware

    • The history of Ransomware
    • The stages of a ransomware compromise from start to end
    • How the dirty get dirtier
    • Does size matter
    • Planning to meet the threat
    • Exercising to meet the threat
    • What are the DR options
    • What are the key questions to answer
    • What do execs really want?
    • Remember to breathe
    • Documenting the impacts/reports and decisions

    Summary and review of the sessions

    • How to use the understanding from the course
    • What to do on Monday/Day 1
    • How to move the super tanker
    • What does success look like
    • How to continue to grow and improve

    Capstone Exercise

    • This is a multi stage time sensitive incident
    • Analysis of reports will need to be undertaken
    • Policies and procedures will need to be read and plans made
    • Plans will need to be briefed to Leadership and Executives
    • An initial end of day summary will need to be developed

Prerequisites

This course covers the core areas of cyber incident management and assumes a basic understanding of technology, networks, and security. For those who are new to the field and have no background knowledge, the recommended starting point is the SEC301: Introduction to Cyber Security course. While SEC301 is not a prerequisite, it will provide the introductory knowledge to maximize the experience with LDR553.

Laptop Requirements

Important! Bring your own system configured according to these instructions.

A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will not be able to fully participate in hands-on exercises in your course. Therefore, please arrive with a system meeting all of the specified requirements.

Back up your system before class. Better yet, use a system without any sensitive/critical data. SANS is not responsible for your system or data.

MANDATORY LDR553 SYSTEM HARDWARE REQUIREMENTS
  • Wireless networking (802.11 standard) is required. There is no wired Internet access in the classroom.
MANDATORY LDR553 HOST CONFIGURATION AND SOFTWARE REQUIREMENTS
  • Your host operating system must be the latest version of Windows 10, Windows 11, or macOS 10.15.x or newer.
  • Fully update your host operating system prior to the class to ensure you have the right drivers and patches installed.
  • Linux hosts are not supported in the classroom due to their numerous variations. If you choose to use Linux as your host, you are solely responsible for configuring it to work with the course materials and/or VMs.

Your course materials include a "Setup Instructions" document that details important steps you must take before you travel to a live class event or start an online class. It may take 30 minutes or more to complete these instructions.

Your class uses an electronic workbook for its lab instructions. In this new environment, a second monitor and/or a tablet device can be useful for keeping class materials visible while you are working on your course's labs.

If you have additional questions about the laptop specifications, please contact laptop_prep@sans.org

Author Statement

"Of my 28 years in cyber security, I've spent over 11 of them in incident response and later incident management. During that time, I've seen a wide range of approaches to handling cyber incidents, some good and others less so. One common issue was that most people on the Incident team had never been part of a major incident and thus they lacked confidence, forward planning, and were easily stunned when the incident took a turn they had not predicted.

This course is designed to demystify incident management, to provide attendees with a framework to not only deal with the matters at hand, but also to plan for the subsequent phases, so they are technically ready and mentally prepared. Cyber incidents, such as ransomware, can be devastating, not only to the networks, but also the team charged with investigating, mitigating, reporting and remediating the damage. In addition to the core incident management aspects, we cover the mental health of the team, the operational tempo and how to spot people suffering under pressure. I believe that this course, enriched with the anecdotes of the SANS incident response instructors' own toe-curling incidents will prepare your team for anything attackers and bots throw at them. When you are prepared and ready, you can respond better, faster and get control of the situation quicker facilitating a rapid return to business as usual."

- Steve Armstrong

"Steve is absolutely fantastic, enthusiastic and shares real knowledge and experience. I could listen to him talk all day!!" - Georgie Rice, MOD

"Steve has done an excellent job at creating the course content. Steve's vast amount of real world experience and creativity has made the course content interesting and engaging." - Armando Tusha, Bridewell

Reviews

"Brilliant insight. Excellent content. An absolute must course for anyone dealing with incident management." - Gary Smith

"Highly relevant content and immediately useful tools delivered by a knowledgeable subject matter expert actively working in the field they are teaching." - Carl Urban, e2e-assure Ltd

"It's a perfect course for those leading cyber incidents. I've found nothing else that comes close." - Lee Taylor, Leicestershire Police