Koyer Training Services
Phone: (+44) 113 216 3188 | Email: info@koyertraining.com

Incident Response and Digital Forensics

Cybersecurity and Digital Risk | October 25, 2025

Introduction

A rapid, well-executed Incident Response (IR) capability is critical for minimising the financial and reputational damage of a cyber attack. This course provides a hands-on, procedural deep dive into the full incident response lifecycle, from preparation to post-incident review. Participants will master forensic collection techniques, malware analysis basics, and evidence handling to support legal requirements. The focus is on developing robust playbooks, leading effective cross-functional response teams, and conducting thorough post-mortems to ensure continuous security posture improvement.

Objectives

The goal of this program is to provide IR team members, security analysts, and managers with the practical, procedural, and technical skills necessary to manage and execute an effective incident response and digital forensics process.

Target Audience

  • Incident Response Team Members and Leads.
  • SOC Analysts (Tier 2/3).
  • Digital Forensic Investigators.
  • Legal and Compliance Staff involved in breach management.
  • CISO and Security Directors.
  • IT and Network Operations Teams.
  • Cyber Insurance and Crisis Management Professionals.

Methodology

  • Mandatory tabletop exercise simulating a major ransomware attack.
  • Hands-on labs collecting volatile memory and disk forensic images.
  • Group activities developing a breach notification communication plan.
  • Case studies on major public breaches and their IR failures/successes.
  • Technical discussions on EDR/NDR tools for faster analysis.

Personal Impact

  • Ability to lead and execute all phases of a cyber incident response.
  • Expertise in digital evidence collection, preservation, and chain of custody.
  • Skills to conduct basic malware and forensic artifact analysis.
  • Enhanced decision-making capability in high-stress crisis situations.
  • Credibility in engaging with legal counsel and law enforcement.
  • Mastery of developing and testing effective IR playbooks.

Organizational Impact

  • Minimized financial and reputational damage from security incidents.
  • Faster Mean Time to Respond (MTTR) and Mean Time to Contain (MTTC).
  • Improved compliance with regulatory breach notification requirements.
  • Greater organisational learning from security incidents (lessons learned).
  • Demonstrable due diligence and preparedness to customers and insurers.
  • Stronger capability to recover and resume business operations quickly.

Course Outline

Unit 1: Incident Response Preparation and Planning

Section 1.1: The IR Lifecycle and Standards
  • Review of the NIST, SANS, and ISO 27035 IR lifecycles (Preparation, Detection, Analysis, Containment, Eradication, Recovery, Post-Incident).
  • Establishing the IR Team Structure (Core team, Extended team, Stakeholders).
  • Developing and maintaining comprehensive Incident Response Playbooks.
  • Integrating IR with Business Continuity (BC) and Disaster Recovery (DR) plans.
Section 1.2: Preparation and Readiness
  • Ensuring forensic readiness: secure logging, system hardening, and baseline images.
  • Critical communication plans for internal, legal, and external parties.
  • Defining clear incident severity levels and escalation procedures.
  • Conducting periodic tabletop exercises and 'live fire' simulations.

Unit 2: Detection and Analysis (The Technical Deep Dive)

Section 2.1: Advanced Detection and Triage
  • Triage of security alerts from SIEM, EDR, and threat intelligence.
  • Techniques for confirming an incident and initial scoping.
  • Leveraging the MITRE ATT&CK Framework for analysis and hypothesis generation.
  • Collecting volatile data (memory, process lists) before it is lost.
Section 2.2: Malware Analysis and Threat Vetting
  • Introduction to static and dynamic malware analysis techniques.
  • Reverse engineering basics and sandbox environments.
  • Identifying Indicators of Compromise (IOCs) from malware and network traffic.
  • Analyzing phishing emails and social engineering tactics.

Unit 3: Containment, Eradication, and Recovery

Section 3.1: Containment Strategies
  • Short-term vs. long-term containment options (network segmentation, isolation).
  • Strategies for containing sophisticated threats (e.g., ransomware, nation-state actors).
  • Decision-making frameworks for taking systems offline.
  • Working with law enforcement and external experts during containment.
Section 3.2: Eradication and Recovery
  • Ensuring complete removal of the threat, including backdoors and persistence.
  • Hardening and patching systems before re-introduction to the network.
  • Data restoration strategies and ensuring data integrity.
  • Verifying the success of the eradication phase.

Unit 4: Digital Forensics and Legal Considerations

Section 4.1: Forensic Procedures
  • The four pillars of digital forensics: collection, examination, analysis, reporting.
  • Maintaining the chain of custody for digital evidence.
  • Acquiring forensic images of disks and memory (dead box vs. live acquisition).
  • File system and operating system artifact analysis.
Section 4.2: Legal and Reporting Requirements
  • Regulatory breach notification requirements (GDPR, HIPAA, state laws).
  • Working with Legal Counsel and protecting attorney-client privilege.
  • Testifying in legal proceedings and presenting forensic findings.
  • Crisis communication and public relations during a major incident.

Unit 5: Post-Incident Activities and Future Readiness

Section 5.1: Post-Incident Review
  • Conducting a structured, non-punitive lessons-learned meeting.
  • Identifying root causes and control failures that led to the incident.
  • Developing a formal Plan of Action and Milestones (POAM) for remediation.
  • Measuring the success and cost of the incident response.
Section 5.2: Advanced Topics
  • Incident response for cloud, containerized, and serverless environments.
  • Responding to advanced threats like Business Email Compromise (BEC).
  • Automation of IR tasks using SOAR playbooks.
  • Building a cyber resilience strategy.

Upcoming Sessions

  • Dusseldorf: December 08, 2025 - December 12, 2025
  • Geneva: January 05, 2026 - January 09, 2026
  • Istanbul: January 19, 2026 - January 30, 2026
