3 days

Incident Responder

Learn how to stop cyberattacks, prioritize incidents, and mitigate the damage.

About the course

It’s not a question of whether you’ll experience a cyberattack — it’s a question of when. The warning may sound extreme, but it becomes more and more relevant with every passing day. This is because the cyber threat landscape is rapidly evolving. Criminals are constantly coming up with new tactics, techniques, and procedures (TTPs), which makes it difficult for information security experts and businesses to keep up. In fact, most companies around the world don’t have an adequate incident response strategy or team. And even if they do, few of the team members are aware of the latest attack trends and security techniques.

This three-day intensive course serves to fill these gaps and provide incident responders with the knowledge and tools they need to rapidly and effectively respond to all sorts of security incidents, from ransomware and DoS/DDoS attacks to fraudulent resources, botnets, and suspected breaches.

Course description:

The course is broken up into three days. The first day focuses on theory and serves as an introduction to incident response. The second day is centered on the practice of incident response, and you will have the chance to test your skills and apply the theory you’ve learned. The third day is devoted mostly to practical demonstrations and individual tasks. The course is designed for individuals who are interested in incident response and want to conduct quality incident analysis.

Day 1

On the first day, you will be familiarized with the current state of cybersecurity and its most recent trends.

You will then be walked through the incident response process. You will learn how to identify the main factors associated with an incident (scope, depth, etc.) and determine the incident’s severity by analyzing all the factors involved. This knowledge will help you prioritize incidents correctly. We will then discuss the process of working with IoCs and how to obtain them from public reports.

Day 2

The main practice sessions will take place on Day 2. First, you’ll learn about best practices when it comes to data collection, including live collection and triage image creation. You will also learn how to use the IoCs to create Yara rules for incident response needs and how to collect, assemble, analyze, and prioritize digital evidence in order to be able to perform investigations faster.

We’ll then discuss host-based artifacts, and specifically how to extract and process them. Artifacts include registry keys, file system artifacts, and event logs, all of which help respond to security incidents quicker and more effectively.

By the end of the day, you’ll have received hands-on training on how to collect and process artifacts and map the findings to the kill chain.
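To make the Day 2 workflow concrete, the following added example (not course material or Group-IB code) processes a handful of host artifacts of the kinds named above and tags each finding with a Cyber Kill Chain phase. The event records are constructed in the Windows Event XML shape that `wevtutil qe /f:xml` emits, the Run key entries are invented, and the three detection rules (encoded PowerShell in a 4688 process-creation event, a 7045 service installed from a user-writable path, a type-10 RDP logon in 4624) are illustrative choices, not an exhaustive set.

```python
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Lockheed Martin Cyber Kill Chain phases, in order; findings are reported against them.
KILL_CHAIN = ["Reconnaissance", "Weaponization", "Delivery", "Exploitation",
              "Installation", "Command and Control", "Actions on Objectives"]

# Constructed sample records (Security 4688/4624, System 7045). Hosts, users,
# timestamps and the encoded payload are invented for this example.
SAMPLE_EVENTS = [
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>4688</EventID><TimeCreated SystemTime="2023-05-01T09:10:00Z"/></System>
<EventData><Data Name="NewProcessName">C:\Windows\System32\notepad.exe</Data>
<Data Name="CommandLine">notepad.exe report.txt</Data></EventData></Event>""",
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>4688</EventID><TimeCreated SystemTime="2023-05-01T09:15:40Z"/></System>
<EventData><Data Name="NewProcessName">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name="CommandLine">powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA</Data></EventData></Event>""",
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>7045</EventID><TimeCreated SystemTime="2023-05-01T09:20:11Z"/></System>
<EventData><Data Name="ServiceName">WinSyncSvc</Data>
<Data Name="ImagePath">C:\Windows\Temp\svchost.exe -k netsvcs</Data></EventData></Event>""",
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>4624</EventID><TimeCreated SystemTime="2023-05-01T10:02:30Z"/></System>
<EventData><Data Name="LogonType">10</Data><Data Name="TargetUserName">svc_backup</Data>
<Data Name="IpAddress">10.0.0.55</Data></EventData></Event>""",
]

# Constructed Run key values as a registry parser would hand them over.
RUN_KEY = r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run"
SAMPLE_RUN_KEYS = [
    {"key": RUN_KEY, "value": "OneDrive", "last_write": "2023-04-20T08:00:00Z",
     "data": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background"},
    {"key": RUN_KEY, "value": "Updater", "last_write": "2023-05-01T09:21:05Z",
     "data": r"C:\Users\Public\upd.exe"},
]

ENCODED_PS = re.compile(r"powershell(\.exe)?.*\s-(e|ec|enc|encodedcommand)\s", re.I)
USER_WRITABLE = re.compile(r"\\(Temp|Public|AppData|ProgramData)\\", re.I)


@dataclass
class Finding:
    time: str
    source: str
    detail: str
    phase: str


def parse_event(xml_text):
    """Return (event_id, timestamp, {Data Name: value}) from one Event XML record."""
    root = ET.fromstring(xml_text)
    eid = int(root.findtext("e:System/e:EventID", namespaces=NS))
    when = root.find("e:System/e:TimeCreated", NS).get("SystemTime")
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return eid, when, data


def triage_event(xml_text):
    """Apply the three illustrative rules; return a Finding or None for benign records."""
    eid, when, d = parse_event(xml_text)
    if eid == 4688 and ENCODED_PS.search(d.get("CommandLine", "")):
        return Finding(when, "Security 4688", f"encoded PowerShell: {d['CommandLine']}", "Exploitation")
    if eid == 7045 and USER_WRITABLE.search(d.get("ImagePath", "")):
        return Finding(when, "System 7045",
                       f"service {d.get('ServiceName')} from user-writable path: {d['ImagePath']}",
                       "Installation")
    if eid == 4624 and d.get("LogonType") == "10":
        return Finding(when, "Security 4624",
                       f"RDP logon as {d.get('TargetUserName')} from {d.get('IpAddress')}",
                       "Actions on Objectives")
    return None


def triage_run_key(entry):
    """Persistence via an autostart value pointing into a user-writable directory."""
    if USER_WRITABLE.search(entry["data"]):
        return Finding(entry["last_write"], "Registry Run",
                       f"{entry['value']} -> {entry['data']}", "Installation")
    return None


def build_timeline(events=SAMPLE_EVENTS, run_keys=SAMPLE_RUN_KEYS):
    """Merge event-log and registry findings into one chronologically sorted list."""
    findings = [f for f in map(triage_event, events) if f]
    findings += [f for f in map(triage_run_key, run_keys) if f]
    return sorted(findings, key=lambda f: f.time)


def phases_hit(findings):
    """Kill-chain phases with at least one finding, in chain order."""
    return [p for p in KILL_CHAIN if any(f.phase == p for f in findings)]


if __name__ == "__main__":
    timeline = build_timeline()
    for f in timeline:
        print(f"{f.time}  {f.source:<14} {f.phase:<22} {f.detail}")
    print("phases:", phases_hit(timeline))
```

On real data the records would come from an EVTX parser and a hive parser rather than inline strings; the point of the example is the shape of the work: normalise each artifact source into the same `Finding` record, apply narrow rules, then sort by time so the chain of events reads as a narrative. Note the timestamps: the service install (09:20) and the Run key write (09:21) both land in Installation, which is exactly the kind of corroboration between two artifact sources that makes a finding reliable.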

Day 3

Most of the day will be dedicated to practical demonstrations and individual tasks. You’ll start with independent exercises on triage image creation. You will work in virtual environments to analyze the images. The latter activity is divided into two parts:

  • Creating your own KAPE targets to extract additional files, which will give you a full picture of the incident, and then mapping the incident to the MITRE ATT&CK® matrix.
  • Understanding remediation and recovery actions: proposing a plan of action for remediation and creating Yara rules for incident response needs.

The day’s goal is to apply the knowledge learned and make you a confident incident responder.
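Both Day 2 and Day 3 ask you to turn IoCs into Yara rules. The following is an added example, not course material or Group-IB code, of that step: it takes an IoC list in the style of a public report, refangs and validates the indicators, and emits a rule that YARA can run over a triage image. The report excerpt is constructed (the IP is from the RFC 5737 TEST-NET range, the hashes are invented and one is deliberately truncated), and the rule name and tags are assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed report excerpt: mixed indicator types, defanged network IoCs,
# one duplicate hash in different case and one truncated (63-char) hash.
REPORT_IOCS = r"""
# Indicators of compromise (constructed for this example)
SHA256  3f786850e387550fdab836ed7e6dc881de23001b3f786850e387550fdab836ed
SHA256  3F786850E387550FDAB836ED7E6DC881DE23001B3F786850E387550FDAB836ED
SHA256  3f786850e387550fdab836ed7e6dc881de23001b3f786850e387550fdab836e
Domain  update-checker[.]example[.]com
URL     hxxp://203.0.113[.]27/gate.php
Mutex   Global\MsUpdaterMutex_x86
Path    C:\Users\Public\upd.exe
"""

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")


def refang(value):
    """Undo the defanging conventions public reports use so the strings match real data."""
    return (value.replace("[.]", ".").replace("(.)", ".")
                 .replace("hxxp", "http").replace("hXXp", "http"))


def parse_iocs(text):
    """Parse 'Type  value' lines into {type: [values]}, dropping duplicates and malformed hashes."""
    iocs = {"sha256": [], "domain": [], "ip": [], "url": [], "mutex": [], "path": []}

    def add(kind, value):
        if value and value not in iocs[kind]:
            iocs[kind].append(value)

    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kind, _, value = line.partition(" ")
        kind, value = kind.lower(), refang(value.strip())
        if kind == "sha256":
            value = value.lower()          # YARA's hash module returns lowercase hex
            if SHA256_RE.match(value):     # truncated or garbled hashes are silently dropped
                add("sha256", value)
        elif kind == "url":
            host = urlsplit(value).hostname or ""
            add("ip" if IPV4_RE.match(host) else "domain", host)
            add("url", value)
        elif kind in ("domain", "ip", "mutex", "path"):
            add(kind, value)
    return iocs


def yara_escape(s):
    """Escape backslashes and quotes for a YARA text string literal."""
    return s.replace("\\", "\\\\").replace('"', '\\"')


def render_rule(name, iocs, source="public report"):
    """Render a YARA rule: string IoCs under 'strings', file hashes via the hash module."""
    string_lines, groups_used = [], []
    # Mutex names are case-sensitive on Windows, so no 'nocase' there; 'wide' catches
    # UTF-16 copies in memory, registry hives and PE resources.
    groups = [("net", iocs["domain"] + iocs["ip"] + iocs["url"], "ascii wide nocase"),
              ("mutex", iocs["mutex"], "ascii wide"),
              ("path", iocs["path"], "ascii wide nocase")]
    for prefix, values, mods in groups:
        for i, v in enumerate(values):
            string_lines.append(f'        ${prefix}{i} = "{yara_escape(v)}" {mods}')
        if values:
            groups_used.append(f"${prefix}*")

    conditions = []
    if groups_used:
        conditions.append("any of (" + ", ".join(groups_used) + ")")
    conditions += [f'hash.sha256(0, filesize) == "{h}"' for h in iocs["sha256"]]
    if not conditions:
        raise ValueError("no usable indicators; YARA rejects a rule with an empty condition")

    lines = ['import "hash"', "", f"rule {name} : ir ioc", "{",
             "    meta:", f'        source = "{source}"']
    if string_lines:
        lines += ["    strings:"] + string_lines
    lines += ["    condition:", "        " + " or\n        ".join(conditions), "}"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_rule("IR_case_iocs", parse_iocs(REPORT_IOCS)))
```

Save the output to a `.yar` file and run `yara -r -s rule.yar /mnt/triage` over the mounted image. Two caveats a responder should keep in mind: domain and IP strings will also hit browser caches, DNS logs and any copy of the report itself, so review hits rather than treating them as confirmation; and `hash.sha256(0, filesize)` reads each file in full, so keep hash conditions for the few files you actually need to confirm and let the string indicators do the fast triage.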

To successfully pass the course you will need:
  • A basic understanding of the incident response process
  • Some experience in the field

After this course, you’ll be able to:

  • Choose relevant data sources for express analysis
  • Collect and process digital artifacts
  • Map findings to the kill chain
  • Understand host recovery activities

Who can benefit from this course?

  • Incident response enthusiasts
  • Technical specialists with experience in IS
  • Information security specialists
  • SOC/CERT employees

What you’ll receive

Lecture videos and practical materials used during training

A poster describing the basic artifacts and their processing tools

Personal certificate of completion

Valuable information that you can put into practice

Why Group-IB?

Experience in international investigations

Our training courses are based on 1300+ successful investigations worldwide.

Technical expertise

All courses are led by GCFA-, EnCE- and MCFE-certified experts.

Practicing experts

The course instructors are current Group-IB specialists, which translates to the most up-to-date and first-hand information for course participants.

Stimulating practical training

Practical exercises based on real-life cases make up 70% of the course.

Continuously updated program

Course materials are regularly updated with new cases from Group-IB’s experience, which ensures that the course program always reflects the latest trends.

Comprehensive development

Group-IB’s training courses provide a wide range of competencies for creating an effective information security department in any company.

Individual learning approach

Send us a request for an individual consultation on Group-IB technical training courses
