LDR553: SANS London July 2024

What You Will Learn
Open in Case of Emergency

While you can't predict when a major cyber incident will hit your organization, you can control how ready you are to face it. In the aftermath, when incident response teams are engrossed in unraveling the attacker's moves within your networks, they often find themselves overwhelmed. This is where your incident management team steps in, taking charge of managing findings, communications, regulatory notifications, and remediation. With a multitude of tasks and challenges on their plate, many are unseasoned and unprepared for the magnitude of responsibilities.

This course equips you to not just be a member of the incident management team but a leader or incident commander. It ensures a comprehensive understanding of the immediate, short, and medium-term issues an organization might encounter. Beyond familiarizing yourself with the terminology, you'll grasp preparatory actions at different stages to stay ahead of the situation. LDR553 is designed for efficient management of diverse incidents, with a primary focus on cyber, yet its methodology, concepts, and guidance are applicable to various regular major and critical incidents.

"Great insights, examples and relevant tools. I applied the 3rd party incident tool within minutes to an ongoing 3rd party incident. So I can't dream of a more relevant and useful course than this." - Jonas Roos Christense, Copenhagen Airports
What Is Cyber Incident Management

Cyber Incident Management (IM) sits above Incident Response (IR) and is tasked with managing incidents that grow too big for the Security Operations Center (SOC) and IR. These tend to be the larger or more impactful incidents that IR is not scaled to handle, since they require significant liaison with internal and external partners to coordinate the investigation, forensics, planning, recovery and remediation, and to brief corporate comms, C-level staff and the board as needed. Less technical and more business focused, the IM team takes the output from IR and relays it to the necessary teams while coordinating the wider investigation, hardening, hygiene and impact assessment as it plans towards recovery. A strong IR lead may fulfill the IM role, but during critical incidents IR staff are often shoulder deep in malware, systems, logs and images, to the point where every technically capable IR member needs to stay focused on technical tasks. IMs are more business focused and IR is more technically focused.
Business Takeaways

This course will help your organization:
  • Cultivate a workforce adept at leading or contributing to cyber incident management teams.
  • Streamline incident management processes for quicker resolutions.
  • Identify and bridge gaps in security incident plans and response strategies.
  • Elevate the performance of security incident teams to meet evolving challenges.
  • Strategically plan and navigate through high-stakes attacks, including email compromise and ransomware, fostering a resilient response framework.
  • Promote seamless collaboration between technical and non-technical teams during incident response for a more integrated approach.
  • Instill a culture of continuous improvement, leveraging lessons learned from incidents to refine future response strategies.
  • Proactively integrate threat intelligence to anticipate and mitigate potential threats before escalation.
  • Provide guidance on regulatory compliance and have an awareness of legal considerations, ensuring incident responses align with relevant laws and standards.
Skills Learned
  • Categorize and scope incidents correctly and set the resulting incident management team's objectives
  • Design, draft, proof, release and control all communications when managing a serious incident
  • Manage a team under extreme pressure, recognize the natural human responses that will emerge, and understand what they mean
  • Lead the team, win the confidence of the execs and exceed the expectations of everyone involved
  • Calculate, coordinate, and execute both system and data counter-compromise activities
  • Strategize and respond to ransomware incidents including how to develop exercises and training around these devastating attacks
  • Structure, manage, and deliver briefings to the team, execs and senior leadership or the board
  • Organize the transition from active incident to business as usual and execute that plan
  • Prepare, set up and run cyber incident management exercises
Hands-On Cyber Incident Management Training

LDR553 uses case scenarios, group discussions, team-based exercises, and in-class games to help students absorb both technical and management topics. We follow along as a fictitious company deals with a network breach from start to finish.

Section 1: Reviewing the initial incident briefing, capturing initial information and generating initial tasks, setting the objectives for the IM team, and crisis communications -- briefing the executives.

Section 2: Dealing with the attackers, drafting public statements, crisis communications -- briefing the wider team, prioritizing data and system remediation planning, and conducting root cause analysis.

Section 3: Reviewing organizational exercise requirements, planning a Hot Seat exercise and running a tabletop one. Incorporating Cyber Threat Intelligence into the team, and dealing with 3rd party incidents or a compromised supply chain. The benefits, needs and risks associated with a Bug Bounty program.

Section 4: How to present timelines, remediation plans and strategies to an audience. Cloud attacks, Business Email Compromise (BEC) and how to investigate it. Host and management plane cloud compromise incidents.

Section 5: Bringing more bad news to the public. AI for IM, leveraging LLMs (ChatGPT) for IR support, understanding the ransomware lifecycle and how to manage its impacts, DR planning, and a review of the course ahead of the capstone exercise.

"It was awesome to have the opportunity to apply existing and newly-learned skills to the labs. It was obvious that a significant amount of time had been invested in these." - Andrew Kempster, DXC Technologies

"The hands-on experiences and assignments have been exceptional and have significantly contributed to my learning experience." - Ben Radford, Law and Order

"The labs were perfect. Today's capstone exercise brilliantly brought together the elements we had learned, adopting tools to help deliver the products required. And whilst its goal was to deliver the final exercise of the course it really has sparked the imagination of everything we can do with what we have learned. Excellent work." - Lee T., Law Enforcement
Syllabus Summary
  • Section 1 - Scoping, defining, and communicating about the incident.
  • Section 2 - Damage control, reporting the incident, analysis of and closure of the incident.
  • Section 3 - Developing & running exercises, supply chain incidents, Cyber Threat Intel and bug bounties.
  • Section 4 - Credential Theft, Managing cloud-based incidents, Business Email Compromise.
  • Section 5 - AI in IM, Ransomware, Summary and Capstone exercise.
Additional Resources
  • CIMTK: Third-Party/Supply Chain Incident Management Plan, poster
  • You came with that plan? You’re braver than I thought!, webcast
  • SANS Cyber Compliance Countdown, webcast
What You Will Receive:
  • Printed course books
  • Online Electronic workbook for all the lab exercises
  • The Cyber Incident Management Tool Kit
  • MP3 audio files of the complete course lecture
  • Detailed video walkthroughs of the lab exercises
  • Access to a new Discord server to chat about the course
  • Immediate actions for dealing with Ransomware
  • Training plans, report templates, incident frameworks and other cheat sheets
WHAT COMES NEXT:
  • LDR512: Security Leadership Essentials for Managers
  • LDR514: Security Strategic Planning, Policy, and Leadership
NOTE: While this course may sound like the 'SEC504, Hacker Tools, Techniques, and Incident Handling' course, they are very different. SANS recommends SEC504 for those interested in a technical course of study, and LDR553 for those focused on a leadership-oriented course. SEC504 covers Incident Response (IR) and how to detect, find and understand what attackers have done on the systems. LDR553 covers what to do with that information and how to remediate the problem and manage the situation. LDR553 uses no virtual machines.