Open in Case of Emergency
You can't predict or pick when your organization will face a major cyber incident, but you can choose how prepared you are when you face it. While there are broad technical aspects to cyber incidents, there is also a myriad of other activities that generally fall to executives, managers, legal, press, and human relations staff. These include communicating both internally and externally, considering the battle rhythm, and looking at methodologies for tracking information gathered and released to the public.
This course empowers you to become an effective incident management team member or leader, ensuring you fully understand the different issues facing incident commanders in the immediate, short and medium term. As well as becoming comfortable with terminology, you will understand what preparatory work you can undertake at different stages to help you get ahead of the situation. MGT553 was developed to ensure efficient management of a diverse range of incidents with a focus on cyber; however, the methodology, concepts and guidance will apply to many regular major and critical incidents.
"Probably the most important part to an organization - how to get their operation functioning again and sorted out with the structure and governance to cover the areas." - Peter Leonhardt
This course will help your organization:
- Develop staff that know how to lead or contribute to a cyber incident management team
- Manage your incidents more effectively and thus resolve them quicker
- Understand the gaps in your security incident plans and response strategies
- Create higher performing security teams
- How to make sense of different incident response frameworks
- Understanding the importance of scoping incidents correctly
- The ability to define the incident management team's objectives
- Recognition of the importance of managing a team under extreme pressure
- Awareness of human responses to facing catastrophically impactful urgent changes
- How to structure, manage, and deliver briefings to upper management and the board
- Planning and controlling communications when managing a serious incident
- Communicating with attackers and the pros and cons thereof
- Where and how to track the incident
- Planning, coordinating, and executing counter compromise activities
- Understanding types and contents of incident reports both during and post closure
- Steps on how to close the incident and return to business as usual
MGT553 uses case scenarios, group discussions, team-based exercises, and in-class games to help students absorb both technical and management topics. We follow along as a fictitious company deals with a network breach from start to finish.
Section 1: Reviewing the initial incident briefing, Capture initial information and generate initial tasks, Setting the objectives for the IM team, Crisis communications briefing the executives
Section 2: Dealing with the attackers, Drafting public statements, Crisis communications briefing the wider team, Prioritizing the data and system remediation planning, Running an example tabletop exercise
"All the labs are fantastic and really grounded in reality. Really useful thought experiments and training." - Luigi Ritacca
Section 1: Scoping, defining, and communicating about the incident.
Section 2: Damage control, reporting, closing the incident and training the wider team.
WHAT YOU WILL RECEIVE:
- Electronic courseware containing the entire course content
- Printed course books
- Access to the Cyber Incident Management Tool Kit
- MP3 audio files of the complete course lecture
- Access to a new Discord server to chat about the course
- Immediate actions for dealing with ransomware
- Training plans, report templates, incident frameworks and other cheat sheets
WHAT COMES NEXT:
NOTE: Some course material for SEC504 and MGT553 may overlap. SANS recommends SEC504 for those interested in a more technical course of study, and MGT553 for those primarily interested in a leadership-oriented but less technical learning experience.
"Of my 28 years in cyber security, I've spent over 11 of them in incident response and later incident management. During that time, I've seen a wide range of approaches to handling cyber incidents, some good and others less so. One common issue was that most people on the Incident team had never been part of a major incident and thus they lacked confidence, forward planning, and were easily stunned when the incident took a turn they had not predicted.
This course is designed to demystify incident management, to provide attendees with a framework to not only deal with the matters at hand, but also to plan for the subsequent phases, so they are technically ready and mentally prepared. Cyber incidents, such as ransomware, can be devastating, not only to the networks, but also the team charged with investigating, mitigating, reporting and remediating the damage. In addition to the core incident management aspects, we cover the mental health of the team, the operational tempo and how to spot people suffering under pressure. I believe that this course, enriched with the anecdotes of the SANS incident response instructors' own toe-curling incidents will prepare your team for anything attackers and bots throw at them. When you are prepared and ready, you can respond better, faster and get control of the situation quicker facilitating a rapid return to business as usual."
- Steve Armstrong
"Excellent. Very skilled, and fun to listen to." - Jan Olav Walldal, TV 2 Norway
"Excellent content with relevant real world examples. A wealth of knowledge from the instructor who is clearly passionate about the subject. Covered areas that I had not even considered (but were very important)." - Gary Smith