Incident Response Package

Provided by

Enquire about this course


You;ve been hacked, or even only suspect you;ve been hacked. Now what? The CYRIN exercise labs in this package guide you through approaches to addressing and managing the aftermath of an attack or security breach. You;ll get to experience actual attacks, within a controlled environment, so that the first time you see ransomware isn;t on your critical systems.

This package includes all labs in the Incident Response category, as well as all new labs in the category released during your subscription period. The MITRE ATT&CK Matrix is a taxonomy of adversary tactics and techniques, including detection and mitigation techniques for each. These techniques are aligned as appropriate to CYRIN exercise lab packages.


Specific prerequisites vary by lab, but generally include basic knowledge of TCP/IP networking and network setup principles, and familiarity with the Unix/Linux command line.


All CYRIN labs, exercises and attacks happen within a virtual environment. Each trainee or student gets their own virtual instance of a lab, exercise or attack, allowing training to be self-paced and available anywhere at any time. In order to meet specific training objectives, CYRIN subscriptions are sold on a packaged basis. That is, groups of CYRIN labs, exercises and/or attacks are recommended and bundled to meet the individual needs of the student.

CYRIN Incident Response Scenario:


8 hours, self-paced. Pause and continue at any time.
8 CPEs awarded on successful completion.
6 months of access.


1. DoS Attacks and Defences

This scenario-based lab teaches three different Denial of Service attacks and techniques to mitigate them:
  • A TCP SYN Flood attack that exploits a weakness in the design of the TCP transport protocol,
  • A slow HTTP attack called Slowloris that takes advantage of how HTTP servers work,
  • A DNS amplification attack that exploits misconfigured DNS servers, of which there are plenty on the Internet.
2. Protocol Analysis I: Wireshark Basics

Where do you begin in network traffic analysis? Learn the process for examining a live or pre-recorded packet capture file using graphical tools such as Wireshark. Is there malicious activity? Learn to think like an attacker, going through the same methods the attacker would, to assess whether what you're seeing is 'normal' or signs of an attack. At the same time, students will run basic network scans using nmap, while seeing how they appear in Wireshark. Finally, students will analyse packet traces indicative of HTTP-based attacks.

3. Protocol Analysis II: Extracting Data from Network Traffic

Build on what you learned in Protocol Analysis I, this time using command line tools and techniques. You will use the ubiquitous tcpdump program, starting with simple capture tasks and then building up to complex filtering and display options. In the process, you will dig deeply into TCP and IP header fields, learning how these can be used to find the traffic you're interested in. You will examine ICMP, SSH, and HTTP traffic, including that from web shells commonly used in attacks. With the techniques learned in this exercise, you will be able to gather and filter packet capture data from server systems, then later process it on graphical security operations workstations.

4. Handling Potential Malware

Students will learn to use the Cuckoo sandbox to determine if an executable or document is potential malware. If the executable is packed (compressed), they will learn to use a debugger to unpack it.


All of the CYRIN exercise labs are mapped to the NIST NICE Framework - Specialty Areas:

DoS Attacks and Defences
Protocol Analysis I: Wireshark Basics
Protocol Analysis II: Extracting Data from Network Traffic
Handling Potential Malware

CYRIN training is sold on a subscription basis. All CYRIN subscriptions come with two free labs: "Getting Started with CYRIN" and "Web application Security Analysis using OWASP-ZAP". All new CYRIN courses that are added to the training platform during a subscription period will be made available to subscribers at no additional cost.


Start date Location / delivery
No fixed date United Kingdom Book now
01132207150 01132207150

Related article

The Cyber Pulse is QA's new portal to free Cyber content, including on-demand webinars, articles written by leading experts,