• familiarize participants with the incident management process in detail, including how to improve incident handling techniques, best practices for publishing communications about incidents, working with the media, and testing and verifying incident management processes.
• equip participants with skills to work with information sources to gather critical information, including open-source intelligence and proprietary intelligence, as well as examining processes for information exchange.
• expose participants to methods for incident coordination, with a focus on how to handle major security events and coordinate incident responses with external entities such as vendors, law enforcement, and various types of organizations.
• help participants establish methods to measure and improve the effectiveness of a CSIRT by using performance analysis and maturity models.
Target Audience: The training is intended for new security teams and NRENs that wish to start a CSIRT.
All participants will have to secure funds for their travel, including visa fees where applicable.
International participants will be provided with free accommodation from 26 March to 1 April 2017 in order to enable them to take part in the final conference of the TANDEM project on the afternoon of 29 March 2017 and in the WACREN 2017 conference held on 30-31 March 2017.
Lunches and coffee breaks will be provided for all participants for the duration of the workshop.
Applications from the ASREN and UbuntuNet Alliance regions are welcome and encouraged.
• Describe the incident management process
• Step through relevant tools, references, and technologies
• Identify causes of incidents
• Clarify how to respond to attacks
• Define best practices for publishing security bulletins and other communications
• Describe how to handle media issues
• Demonstrate how to test, verify, and improve incident management processes
• Practice responding to an incident
CSIRT Operation II
CSIRT Operation Labs
Working with Information Sources
• Categorize levels of information sources
• Identify methods for gathering and handling critical information
• Establish how to work with open-source and proprietary intelligence
• Define processes that allow information sharing and exchange
• Practice gathering information from various sources
• Identify methods for handling major security events
• Describe how to coordinate responses with other CSIRTs
• Define an incident coordination process
• Explain processes for working with vendors
• Clarify how to work with law enforcement
• Identify methods for working with organizations at various levels of influence
• Practice incident coordination steps
CSIRT Performance Measurement
• Define ways to measure and improve a CSIRT's effectiveness
• Clarify how to use performance analysis
• Use incident management issues and indicators to measure performance
• Describe a maturity model
• Identify evaluation models
• Practice measuring the performance of a CSIRT