New Training: on orchestration of CSIRT Tools

Back to News

The EU agency for Cybersecurity introduces new training materials to support Member States’ CSIRTs.

ENISA puts great effort into supporting the development of EU Member States’ national incident response preparedness. To that purpose, ENISA updated its CSIRT training material aimed at improving the skills of CSIRT teams. The scope of this new training is to adapt to new technologies and best practices in a fast changing domain.

The updated material will help to reinforce Member States CSIRTs’ operational skills and capacities. It will specifically allow them to manage the constant stream of cyber security events in an efficient way by showing them how to introduce smartly interconnected popular tools in their incident handling processes: the first step of so-called “orchestration” of tools.


 Access the ENISA Orchestration of CSIRT Tools Training Course


The purpose of the training is to educate  Member States by:

  • teaching how some popular tools can be interconnected, leading to a more efficient and better incident response,
  • automatically enriching the information on incidents and events they receive and increasing the amount of data they can share back much faster to their peers.

The new training materials consist of independent modules, each covering a particular combination of tools. The modules not only cover the configuration aspects of interconnecting the tools but also show how security analysts can use these orchestrated tools in their daily duties.

The underlying technical framework developed for this training allows modifying and extending the training courses to adapt to the fast evolving landscape of CSIRT tools and techniques. The training materials are therefore custom made  reusable and future-proof. This is a major novel change in approach to the technical trainings offered by ENISA.

Scope of the training

The training is divided in two parts, each with a different target audience.

The first -part is dedicated to the technical aspects of setting up the orchestration. It allows participants to practice with a selection of commonly used and very powerful open-source tools, such as:

  • MISP; a Threat Intelligence Platform for receiving and sharing information with other security actors;
  • TheHive and Cortex: a case management and team collaboration tool;
  • Elasticsearch and Kibana: for convenient and scalable storage of security data, query and visualisation purposes.

The second part deals with analytical workflows, focusing on leading simple investigations designed as training scenarios. Each of the scenarios demonstrates how the selection of tools can facilitate a typical CSIRT workflow. The emphasis is laid on the benefits that result from smartly interconnecting multiple CSIRT tools

  • Supporting the CSIRT analysts;
  • Improving the team’s situational awareness;
  • Reducing response times.
  • Easy sharing of own findings with the other security communities of choice.

Another interesting feature is that the approach is modular: the trainer can instantly deploy different sections of the training independently.  The trainer can start with a module that teaches how to connect some tools, followed by an analysis scenario that demonstrates the added value of interconnecting. Every module can be instantly deployed with all tools correctly configured and all the data needed for the scenario in place.

Architecture of the Platform

The infrastructure of the training is based on state of the art open-source containerization and orchestration technologies such as Kubernetes and Helm. This approach allows simplifying future continuous developments by adding new tools, rearranging existing ones and adding more analyst scenarios.

Moreover, the solution can be adapted to work natively in a cloud hosted infrastructure; removing the need for local setup of the environment and streamlining the complete training process.

It was also conceived to be modular by design, allowing thorough customisation of training delivery.

Further information

ENISA Orchestration of CSIRT Tools Training Course

For more information please contact csirt-relations@enisa.europa.eu