Technical
- Building artifact handling and analysis environment
- Processing and storing artifacts
- Artefact analysis fundamentals
- Advanced artefact handling
- Introduction to advanced artefact analysis
- Dynamic analysis of artefacts
- Static analysis of artefacts
- Forensic analysis: Local incident response
- Forensic analysis: Network incident response
- Forensic analysis: Webserver analysis
- Developing Countermeasures
- Common framework for artefact analysis
- Using indicators to enhance defence capabilities
- Identification and handling of electronic evidence
- Digital forensics
- Mobile threats incident handling
- Mobile threats incident handling (Part II)
- Proactive incident detection
- Automation in incident handling
- Orchestration of CSIRT Tools (2019-2021)
- Introduction to network forensics
- Honeypots
- Vulnerability handling
- Presenting, correlating and filtering various feeds
Building artefact handling and analysis environment
 |
Target Audience |
Duration |
Download |
|---|---|---|---|
|
Technical CERT staff. |
7 hours |
||
|
The main objective is to create safe and useful artifact analysis environment, based on current best practices. |
|||
Processing and storing artefacts
 |
Target Audience |
Duration |
Download |
|---|---|---|---|
|
Technical CERT staff. |
5 hours |
||
|
Present the trainees various methods of malicious artifacts acquisition with emphasis on artifacts collected through spam e-mails monitoring. Teach how to correctly set up spam collecting environment and simple artifacts repository. Exercise also provides knowledge how to modify and patch created system to better suit lab environment needs. |
|||
Artefact analysis fundamentals
 |
Target Audience |
Duration |
Download |
|---|---|---|---|
|
Technical CERT staff. |
8 hours |
||
|
Present the trainees malicious artifact analysis fundamentals and various types of analyses. Present how to safely execute suspicious code in the controlled environment along with most important security precautions. |
|||
Advanced artefact handling
 |
Target Audience |
Duration |
Download |
|---|---|---|---|
|
Technical CERT staff. |
8 hours |
||
|
Teach students how to obtain memory images from different sources and to analyse them. Both Windows and Linux systems will be covered. |
|||
Forensic analysis: Local Incident Response
 |
Target Audience |
Duration |
Download |
|---|---|---|---|
|
Incident handler and investigator |
3 days |
|
|
|
This three-day training module will follow the tracks of an incident handler and investigator, teaching best practices and covering both sides of the breach. It is technical in nature and has the aim to provide a guided training for both incident handlers and investigators while providing lifelike conditions. Training material mainly uses open source and free tools. |
|||
Forensic analysis: Network Incident Response
|
Target Audience |
Duration |
Download |
|---|---|---|---|
|
Incident handler and investigator |
|
||
|
The main goal of this training is to teach trainees network forensic techniques and extend trainees operating system forensic capabilities beyond Microsoft Windows systems to include Linux. Trainees will follow traces in the workstation and discover that analysed network captures together with logs, lead to another machine on the network. |
|||
Forensic analysis: Webserver Analysis
|
Target Audience |
Duration |
Download |
|---|---|---|---|
|
Incident handler and investigator |
|
||
|
This training requires the students to perform a forensic analysis of three (web) servers, identified during the first two exercises as taking part in a malicious campaign. |
|||
Developing countermeasures
 |
Target Audience |
Duration |
Download |
|---|---|---|---|
|
Technical CERT staff. |
8 hours |
||
|
Learn how to leverage information gathered during analysis into actionable signatures. Both network and system oriented signatures will be discussed. |
|||
Common framework for artefact analysis activities
 |
Target Audience |
Duration |
Download |
|---|---|---|---|
|
Technical CERT staff. |
8 hours |
||
|
Learn how to collect, store and correlate different types of information about samples and how to make use of this information with the assumption that having a structured and organised database is a good way to reaching synergy in the area of artifact analysis and incident investigation. |
|||
Introduction to advanced artefact analysis
 |
Target Audience |
Duration |
Download |
|---|---|---|---|
|
CSIRT staff and incident handlers involved in the technical analysis of incidents. |
4 hours |
||
|
This training presents the introduction to the advanced artefact analysis. It is the first part of a three-day course introducing assembly language and tools commonly used for the advanced artefact analysis. |
|||
Dynamic analysis of artefacts
 |
Target Audience |
Duration |
Download |
|---|---|---|---|
|
CSIRT staff and incident handlers involved in the technical analysis of incidents. |
9 hours |
||
|
This training presents methods and techniques of dynamic artefact analysis with the use of OllyDbg debugger package. |
|||
Static analysis of artefacts
 |
Target Audience |
Duration |
Download |
|---|---|---|---|
|
CSIRT staff and incident handlers involved in the technical analysis of incidents. |
10 hours |
||
|
The goal of this training is to introduce the participants to all aspects of static artefact analysis. |
|||
Processing and storing artefacts
|
Target Audience |
Duration |
Download |
|---|---|---|---|
|
Technical CERT staff. |
5 hours |
||
|
Present the trainees various methods of malicious artifacts acquisition with emphasis on artifacts collected through spam e-mails monitoring. Teach how to correctly set up spam collecting environment and simple artifacts repository. Exercise also provides knowledge how to modify and patch created system to better suit lab environment needs. |
|||
Using indicators to enhance defence capabilities
 |
Target Audience |
Duration |
Download |
|---|---|---|---|
|
Technical CERT staff. |
7 hours |
||
|
Learn how to create and deploy indicators of compromise using Collaborative Research into Threats (CRITs) platform. Additionally, demonstrate how to leverage CRITs to visualize relationships among different elements of a campaign, how to extract indicators from incident data, develop mitigation actions, and track those actions. |
|||
Identification and handling of electronic evidence
|
Target Audience |
Duration |
Download |
|---|---|---|---|
|
Technical CERT staff. |
4 hours |
||
|
Present the trainees with the principles of evidence gathering. Establish a common knowledge of the requirements regarding evidence admissibility in a court of law. This task also gives an overview of popular malware characteristics, methods of identification and tools that may be used at the scene. |
|||
Orchestration of CSIRT Tools
|
|
Target Audience |
Duration |
Download |
|---|---|---|---|
|
CSIRT technical staff involved in setting up tools and analysts for incident handling. |
Modular approach with 16 hours of total duration. Each module has an indication of its duration. |
||
|
The purpose of this training material is to help CSIRTs and Incident Response teams to manage the constant stream of cyber security events in an efficient way and share back their data to their peers. The course materials consist of independent modules, each covering a particular combination of popular CSIRT tools. The modules not only cover the configuration aspects of interconnecting the tools but also show how security analysts in their daily duties can use these orchestrated tools. |
|||
Digital forensics
|
Target Audience |
Duration |
Download |
|---|---|---|---|
|
Technical CERT staff. |
6 hours |
||
|
Present the trainees with the principles of digital forensics and evidence gathering. |
|||
Proactive incident detection
 |
Target Audience |
Duration |
Download |
|---|---|---|---|
|
Technical and management CERT staff. |
4 hours |
||
|
Setting up and working with AbuseHelper. |
|||
Mobile threats incident handling
 |
Target Audience |
Duration |
Download |
|---|---|---|---|
|
Technical CERT staff. |
4 hours |
||
|
Make the students familiar with special requirements and tools to do incident handling and forensics with mobile/smartphone computing platforms. |
|||
Mobile threats Incident handling (Part II)
 |
Target Audience |
Duration |
Download |
|---|---|---|---|
|
CSIRT staff and incident handlers involved in the technical analysis of incident. |
24 hours |
||
|
The goal of this training is to introduce the threats found in mobile environment, and to familiarise the participants with various tools and techniques used in Mobile Forensics and Incident Handling. |
|||
Automation in incident handling
 |
Target Audience |
Duration |
Download |
|---|---|---|---|
|
Incident handlers and technical staff. |
2 hours |
||
|
The purpose of this task is to develop students’ abilities to create custom scripts and filters dealing with large amounts of data such as IP addresses. After completing the exercise students should be able to extract useful information from bulk data, even in non-standard formats. |
|||
Introduction to network forensics
|
Target Audience |
Duration |
Download |
|---|---|---|---|
|
CSIRT staff and incident handlers involved in the technical analysis of incident. |
24 hours |
Toolset Ex1 |
|
|
The training materials are based on good practices, and include all needed methodologies, tools and procedures. The training includes the performance indicators and means, supporting those who use it to increase their operational competence. It is made available in a ready-to use version. The training consists of an extensive introduction (sections 1–4) and three exercises (section 5). The updated scenarios also include content that is in line with the current technologies and methodologies. |
|||
Honeypots
 |
Target Audience |
Duration |
Download |
|---|---|---|---|
|
Incident handlers and technical staff. |
3 hours |
||
|
Familiarise students with two kinds of honeypots: server-side honeypots and client-side honeypots. |
|||
Vulnerability handling
 |
Target Audience |
Duration |
Download |
|---|---|---|---|
|
Managers and incident handlers. |
3 hours |
||
|
To provide a practical overview of the vulnerability handling process and how vulnerabilities reported to a CERT team should be handled. Also, to provide some hands-on experience with difficult situations that may arise through the role of coordinator. |
|||
Presenting, correlating and filtering various feeds
 |
Target Audience |
Duration |
Download |
|---|---|---|---|
|
CERT technical staff. |
6 hours |
||
|
Technical aspects of using visualisation to present, correlate and filter various feeds. The scenario will also cover the organisational aspects. In this scenario the students will be part of the CERT for a fictitious organisation which is analysing cybercrime activities. |
|||
-
2020 Report on CSIRT-LE Cooperation: study of roles and synergies among selected countriesThe purpose of this report is to further explore and support the cooperation between computer security incident response teams (CSIRTs), in...
-
Roadmap on the cooperation between CSIRTS and LEThe purpose of this roadmap is to further explore the cooperation across computer security incident response teams (CSIRTs) in particular with...