FIRST Training: CSIRT Operation in NRENs

Centre de Ressources Numériques et Pédagogiques

Centre de Ressources Numériques et Pédagogiques

Université Félix Houphouët Boigny, Cocody, Abidjan
Melanie Rieback (Radically Open Security) , Omo Oaiya (WACREN)

This cybersecurity training is organised with the support of the global Forum for Incident Response and Security Teams (FIRST), the AfricaConnect2 project and Radically Open Security.






  • familiarize participants with the incident management process in detail; how to improve incident handling techniques, best practices for publishing communications about incidents, working with the media, and testing and verifying incident management processes.
  • equip participants with skills to work with information sources to gather critical information, including open-source intelligence and proprietary intelligence as well as examining processes for information exchange.
  • expose participants to methods for incident coordination with a focus on how to handle major security events and coordinate incident responses with external entities such as vendors, law enforcement, and various types of organizations.
  • help participants establish methods to measure and improve the effectiveness of a CSIRT by using performance analysis and maturity models. 

Prerequisites: None

Target Audience:  The training is intended for new security teams and NRENs that wish to start a CSIRT. 


  • All participants will have to secure funds for their travel, including visa fees where applicable.
  • International participants will be provided with free accommodation from 26 March to 1 April 2017 in order to enable them to take part in the final conference of the TANDEM project on the afternoon of 29 March 2017 and at the WACREN 2017 conference held on 30-31 March 2017.
  • Lunches and coffee breaks will be provided for all participants for the duration of the workshop.

Applications from the ASREN and UbuntuNet Alliance regions are welcome and encouraged.

  • Deadline for registration: 10 March
  • Notification of selection: 14 March
  • Deadline for acceptance: 17 March

Register here

    • 8:30 AM 10:30 AM
      CSIRT Operation

      Learning objectives:
      • Describe the incident management process
      • Step through relevant tools, references, and technologies
      • Identify causes of incidents
      • Clarify how to respond to attacks
      • Define best practices for publishing security bulletins and other communications
      • Describe how to handle media issues
      • Demonstrate how to test, verify, and improve incident management processes
      • Practice responding to an incident

    • 10:30 AM 11:00 AM
      Coffee Break 30m
    • 11:00 AM 12:30 PM
      CSIRT Operation II
    • 12:30 PM 1:30 PM
      Lunch 1h
    • 1:30 PM 3:00 PM
      CSIRT Operation Labs
    • 3:00 PM 3:30 PM
      Coffee Break 30m
    • 3:30 PM 5:30 PM
      Working with Information Sources

      Learning objectives:
      • Categorize levels of information sources
      • Identify methods for gathering and handling critical information
      • Establish how to work with open-source and proprietary intelligence
      • Define processes that allow information sharing and exchange
      • Practice gathering information from various sources

    • 8:30 AM 10:30 AM
      Labs: Working with Information Sources
    • 10:30 AM 11:00 AM
      Coffee Break 30m
    • 11:00 AM 12:30 PM
      Incident Coordination

      Learning objectives:
      • Identify methods for handling major security events
      • Describe how to coordinate responses with other CSIRTs
      • Define an incident coordination process
      • Explain processes for working with vendors
      • Clarify how to work with law enforcement
      • Identify methods for working with organizations at various levels of influence
      • Practice incident coordination steps

    • 12:30 PM 1:30 PM
      Lunch 1h
    • 1:30 PM 3:00 PM
      CSIRT Performance Measurement

      Learning objectives:
      • Define ways to measure and improve a CSIRT's effectiveness
      • Clarify how to use performance analysis
      • Use incident management issues and indicators to measure performance
      • Describe a maturity model
      • Identify evaluation models
      • Practice measuring the performance of a CSIRT

    • 3:00 PM 3:30 PM
      Coffee Break 30m
    • 3:30 PM 5:00 PM
      Labs: CSIRT Performance Measurement