www.cisa.gov
2a02:26f0:480:4a5::447a
Public Scan
URL:
https://www.cisa.gov/resources-tools/programs/Incident-Response-Training
Submission: On December 01 via manual from US — Scanned from DE
Form analysis
2 forms found in the DOM
Text Content
INCIDENT RESPONSE TRAINING

Related topics: Cybersecurity Best Practices, Identity Theft and Personal Cyber Threats, Multifactor Authentication

The best offense is a good defense. To help organizations across the nation protect their IT enterprises and build their cyber talent, CISA offers Incident Response (IR) training courses free to government employees and contractors across federal, state, local, tribal and territorial government, educational and critical infrastructure partners, and the general public. This training addresses both an offensive and defensive view, providing not only the knowledge and tools needed to prepare an effective response if a cyber incident occurs, but also strategies to prevent incidents from happening in the first place.

The IR curriculum offers a range of trainings for beginner and intermediate cyber professionals encompassing basic cybersecurity awareness and best practices for organizations.

Sign up for trainings via the Upcoming Events sections below. To learn more about how CISA may assist potentially impacted entities after a cyber incident, visit the Cyber Incident Response page.

INCIDENT RESPONSE TRAINING PRIVACY ACT STATEMENT

Authority: 5 U.S.C. § 301 and 44 U.S.C. § 3101 authorize the collection of this information.
Purpose: The purpose of this collection is to provide individuals access to Cybersecurity and Infrastructure Security Agency (CISA) Incident Response Training and information using CISA Webex.
Routine Uses: This information may be disclosed as generally permitted under 5 U.S.C. § 552a(b) of the Privacy Act of 1974, as amended. This includes using the information, as necessary and authorized by the routine uses published in DHS/ALL-002 - Department of Homeland Security (DHS) Mailing and Other Lists System November 25, 2008, 73 FR 71659.
Disclosure: Providing this information is voluntary; however, failure to provide this information may prevent DHS from contacting you in the event there are queries about your request or registration.

AWARENESS WEBINARS

Awareness webinars, also referred to as 100-level courses, are one-hour, entry-level virtual and instructor-led classes with cybersecurity topic overviews for a general audience, including managers and business leaders. These trainings provide core guidance and best practices to prevent incidents and prepare an effective response if an incident does occur. Previously recorded webinars are available on the CISA YouTube Channel Protect Your Network: Strengthen Your Cybersecurity with Our Incident Response Training and on the Federal Virtual Training Environment (FedVTE). These webinars are intended for a non-technical audience and beginning incident responders.

Training Topics:

Defending Internet Accessible Systems (IR104)

Internet-accessible systems have become the backbone of modern business and communication infrastructure, from smartphones to web applications and the explosive growth of the “Internet of Things” (IoT). Each of these systems and devices, however, can be targeted by threat actors and used to conduct malicious activity if they are unsecured. Worse, these systems can leave vulnerabilities and sensitive information freely available for exploitation if they are not properly configured and maintained.

This webinar includes the following information and more:

* Common attacks and vulnerabilities: Understand common vulnerabilities of internet-accessible systems, how they are exploited by threat actors, and how to mitigate them to prevent attacks from succeeding.
* CISA guidance: Learn key guidance, resources, and best practices to address vulnerabilities and prepare effective incident response and recovery.
* Case studies: Examine the methods and impacts of real-life cyberattacks and learn how the targets responded and recovered.
* Knowledge check: The course concludes with a brief knowledge check section to reinforce key concepts and takeaways.

Preventing Web and Email Server Attacks (IR105)

Web and email servers are the workhorses of the Internet — we couldn't run government, businesses, or our personal lives without them! However, the information exchanged through web and email servers can offer a tempting target for cyber attackers.

This webinar includes the following information and more:

* Common attack methods: Hackers can target and decode victims' web and email traffic, compromise email security to make phishing attempts more likely to succeed or can even use botnets to shut down access to websites and conduct large-scale campaigns of malicious activity.
* Key guidance for organizations: CISA provides resources and best practices to help individuals and organizations secure their web and email infrastructure.
* Case studies: Explore the methods and impacts of real-life cyberattacks, and how the victims responded and recovered.
* Knowledge check: The course concludes with a brief knowledge check section to reinforce key concepts and takeaways.

Preventing DNS Infrastructure Tampering (IR106)

The Domain Name System, commonly known as DNS, is often referred to as the “phone book” of the internet. Every time we access the internet to visit our favorite websites, we depend on DNS infrastructure to securely route us to our intended destinations. While this shared infrastructure is incredibly useful, it also presents a rich attack surface. Threat actors have the ability to shut down websites and online services, replace legitimate website content with threats or extortion attempts, and even route traffic to a carbon copy of a legitimate website to steal information entered by users.

This webinar includes the following information and more:

* Common attacks and vulnerabilities: Learn how to identify a potential attack on DNS infrastructure.
* CISA guidance: CISA provides information on best practices to reduce the likelihood and impact of a successful DNS attack.
* Case studies: Examine the methods and impacts of real-life cyberattacks and learn how the targets responded and recovered.
* Knowledge checks: The course provides knowledge checks throughout the presentation to reinforce key concepts and takeaways.

Introduction to Network Diagramming (IR107)

To protect the confidentiality, integrity, and availability of an agency’s network and the data contained therein, cybersecurity professionals must be able to identify their network enterprise accurately and completely. Network diagrams are essential and serve to help visualize what is on the network, how the overall network is structured, and how all the devices on the network are connected. Every organization should build and maintain current and accurate network diagrams to help manage their network architecture and ultimately determine how to best mitigate potential or realized risks and vulnerabilities.

This webinar includes the following information and more:

* Importance of Network Diagrams: Students will learn the importance of creating and maintaining network topology diagrams. Students will also understand the importance of identifying data flows and storage, identifying remote access points and external connections, and using network segmentation for security.
* Key Guidance for Organizations: CISA provides guidance on what to include in network diagrams.
* Knowledge check: The course concludes with a brief knowledge check section to reinforce key concepts and takeaways.

Understanding Indicators of Compromise (IR108)

Indicators of compromise (IOCs) are the digital and informational “clues” that incident responders use to detect, diagnose, halt, and remediate malicious activity in their networks. This webinar provides an overview of IOCs for incident responders and those who work with them, introduces example scenarios and how IOCs can be used to trace activity and piece together a timeline of the threat, and discusses tools and frameworks to help incident responders use IOCs to detect, analyze, respond to, and report cyber threat activity.

This webinar includes the following information and more:

* Importance of IOCs: Defines IOCs and demonstrates why tracking, investigating, and reporting IOCs are crucial to enterprise cybersecurity. Students will understand how IOCs are used for threat hunting and incident response, study different types of indicators, and learn how to collect different categories of IOCs.
* Frameworks: Students will learn about the Cyber Kill Chain® and MITRE ATT&CK® Framework and how they support the analysis of IOCs.
* Knowledge checks: The course provides knowledge checks throughout the presentation to reinforce key concepts and takeaways.

Defend Against Ransomware Attacks (IR109)

Ransomware attacks hit a new target every 14 seconds—shutting down digital operations, stealing information, and exploiting businesses, essential services, and individuals alike. This one-hour webinar provides essential knowledge and reviews real-life examples of these attacks to help you and your organization mitigate and respond to the ever-evolving threat of ransomware.

This webinar includes the following information and more:

* Common attack methods: Learn the definition of ransomware, a summary of its large-scale impacts, and how these attacks have developed over time. The webinar will discuss common signs of a ransomware attack and how to respond if an attack is suspected.
* Key Guidance for Organizations: CISA provides guidance for how to mitigate the impact of ransomware attacks and recover in the event of an attack.
* Case studies: Explore the methods and impacts of real-life cyberattacks and learn how the victims responded and recovered.
* Knowledge check: The course concludes with a brief knowledge check section to reinforce key concepts and takeaways.

Introduction to Log Management (IR110)

Log files provide the data that are the bread and butter of incident response, enabling network analysts and incident responders to investigate and diagnose issues and suspicious activity from network perimeter to epicenter. CISA is proud to present this one-hour webinar introducing the fundamentals of investigating logs for incidents.

This webinar includes the following information and more:

* Common attack methods: Understand log analysis and its importance as a crucial component of incident response and network security.
* Key guidance for organizations: Introduce resources and tools that enable organizations and individuals to use log analysis to query for threat activity, including security information and event management (SIEM) and full packet capture (FPCAP) analysis, and using PowerShell and Active Directory to run scripts.
* Case studies: Explore the methods and impacts of real-life cyberattacks and learn how the victims responded and recovered.
* Knowledge check: The course concludes with a brief knowledge check section to reinforce key concepts and takeaways.

Using the CISA Incident Response Playbook at Your Organization (IR111)

Produced in accordance with Executive Order 14028, “Improving the Nation’s Cybersecurity,” CISA released the Federal Government Cybersecurity Incident and Vulnerability Response Playbooks that provide federal civilian agencies with a standard set of procedures to respond to vulnerabilities and incidents impacting Federal Civilian Executive Branch (FCEB) networks. This course introduces students to the Incident Response Playbook that describes the process FCEB agencies should follow for confirmed malicious cyber activity for which a major incident has been declared or not yet been reasonably ruled out. While the playbooks are intended for federal agencies, CISA encourages public and private sector partners to review them to help inform their own incident response practices.

This webinar includes the following information and more:

* Key guidance for organizations: Introduce the CISA Incident Response (IR) Playbook with an overview of the IR phases, key resources, standardizing shared practices, and the Incident Response Checklist. Learn about roles, responsibilities, and the importance of communication during an incident response.
* Lessons learned: This course also highlights lessons learned and common missteps when implementing an IR playbook.
* Knowledge check: The course concludes with a brief knowledge check section to reinforce key concepts and takeaways.

UPCOMING AWARENESS WEBINAR EVENTS

Jan 11, 2024
Training | Virtual/Online
INTRODUCTION TO LOG MANAGEMENT (IR110)

CYBER RANGE TRAINING

Cyber Range Trainings, also referred to as 200-level courses, are four-hour, interactive, virtual, and instructor-led classes with step-action labs in a realistic technical environment. These offerings are available for government employees and contractors across federal, state, local, tribal, and territorial government, educational partners, and critical infrastructure partners.

Cyber Range Training courses provide guided step-action labs for cybersecurity analysts to learn and practice investigation, remediation, and incident response skills. Students participate in short lectures followed by lab activities to identify incidents and harden systems in the cyber range environment. These are ideal for beginner and intermediate cybersecurity analysts who wish to learn technical incident response skills.

Training Topics:

Defending Internet Accessible Systems (IR204)

Participants will be introduced to tactics and strategies that enable them to protect their organizations from attacks against internet-accessible system(s) (i.e., internet-accessible system attacks or IAS) through awareness of individual and organizational points of vulnerability.

Experience these benefits and more:

* Practice in a realistic environment: Define IAS vulnerabilities and their indicators.
* Learn how to implement CISA guidance: Course exercises include implementation of the recommendations in BOD 19-02.
* Identify and mitigate vulnerabilities in real time: Students will identify common methods of scanning for vulnerabilities, analyzing event logs, and modifying firewall rules.
* Expert facilitation and peer discussion: Throughout the course, expert cybersecurity engineers will moderate discussion and conduct a recovery debrief for the exercises. Participants are also encouraged to help one another and offer relevant input to address peers’ questions.

Preventing Web and Email Server Attacks (IR205)

Participants will be introduced to common web and email vulnerabilities, as well as the technologies of encryption and authentication to enhance web and email security. This course uses an active participation approach to facilitate realistic technical training and interaction opportunities for learners.

Experience these benefits and more:

* Practice in a realistic environment: Analyze network and host-based artifacts and implement remediation changes for the identified vulnerabilities.
* Learn how to implement CISA guidance: Course exercises include implementation of the recommendations in BOD 18-01.
* Identify and mitigate vulnerabilities in real time: Students identify common web and email vulnerabilities and mitigate them by reconfiguring the web server and Domain Name System (DNS) settings.
* Expert facilitation and peer discussion: Throughout the course, expert cybersecurity engineers moderate discussion and conduct a recovery debrief for the exercises. Participants are encouraged to help one another and address peer questions.

Preventing DNS Infrastructure Tampering (IR206)

DNS is one of the core foundations of the internet. However, it continues to be one of the mechanisms attackers use to perform malicious activities across the globe. In this course participants will learn about various concepts associated with DNS, become familiar with DNS tools and mapping information, be introduced to common DNS tampering techniques, and gain an understanding of DNS mitigation strategies to enhance security.

Experience these benefits and more:

* Practice in a realistic environment: Analyze network and host-based artifacts and implement remediation changes for the identified vulnerabilities.
* Learn how to implement remediations: Course exercises include remediating vulnerabilities.
* Identify and mitigate vulnerabilities in real time: Students identify DNS infrastructure tampering techniques and mitigate them.
* Expert facilitation and peer discussion: Throughout the course, expert cybersecurity engineers moderate discussion and conduct a recovery debrief for the exercises. Participants are encouraged to help one another and offer relevant input to address peers' questions.

Understanding Indicators of Compromise (IR208)

Cyberattacks have made headlines for years, and the pace of threat activity faced by government and private sector organizations is accelerating. Indicators of compromise (IOCs) are the digital and informational “clues” that incident responders use to detect, diagnose, halt, and remediate malicious activity in their networks. In this training, participants will be introduced to common IOCs and common protocols used to find them in their own systems.

Experience these benefits and more:

* Importance of IOCs: Define IOCs and why tracking, investigating, and reporting IOCs are crucial to enterprise cybersecurity. Students will understand how IOCs are used for threat hunting and incident response, different types of indicators, and how to collect different categories of IOCs.
* Practice in a realistic environment: Learn about the MITRE ATT&CK® Framework and how it supports the analysis of IOCs, potential threat actors related to the activity, and their associated tactics, techniques, and procedures (TTPs). Perform lab activities to detect IOCs using the MITRE ATT&CK Framework.
* Expert facilitation and peer discussion: Throughout the course, expert cybersecurity engineers moderate discussion and conduct a recovery debrief for the exercises. Participants are encouraged to help one another and offer relevant input to address peers' questions.

Defend Against Ransomware Attacks (IR209)

Ransomware is the fastest growing malware threat targeting home, business, and government networks. Anyone with a computer connected to the internet is a target. Ransomware infection is one computer, one person, one click away from penetrating a network’s defense. If just one computer becomes infected with ransomware, infection could quickly spread all over the network, which is why ransomware protection is critical. Ransomware incidents have become increasingly prevalent and pose an enormous risk to you and your organization’s critical infrastructure. In this training, participants will be introduced to common applications and processes that harden network defenses, as well as key concepts used in the prevention of ransomware attacks.

Experience these benefits and more:

* Common attack methods: Define ransomware and identify best practices and preventive measures to mitigate the impact of ransomware attacks.
* Practice in a realistic environment: Learn how to apply specific tools to configure and back up Active Directory policies, reset Kerberos Ticket Granting Ticket (KRBTGT) account passwords, and create application allow-listing policies.
* Identify and mitigate vulnerabilities in real time: Students identify malicious domains and mitigate them by establishing a sinkhole and by blocking the malicious domain.
* Expert facilitation and peer discussion: Throughout the course, expert cybersecurity engineers moderate discussions and conduct a recovery debrief for the exercises. Participants are encouraged to help one another and offer relevant input to address peers' questions.

Introduction to Log Management (IR210)

Log files provide the data that are the bread and butter of incident response, enabling network analysts and incident responders to investigate and diagnose issues and suspicious activity from network perimeter to epicenter. Participants will be introduced to basic principles of log management and configuration. Federal compliance regulations of log configuration and management, including OMB Memorandum 21-31, will also be introduced.

Experience these benefits and more:

* Common attack methods: Understand the importance of the configuration, management, and analysis of logs for incident response and identify key processes of log management.
* Practice in a realistic environment: Investigate and analyze log data for suspicious activity. Detect and correlate possible IOCs or malicious activity with threat intel. Exercises include configuring a DNS server, network device firewall, an operating system and more for proper logging.
* Expert facilitation and peer discussion: Throughout the course, expert cybersecurity engineers moderate discussions and conduct a recovery debrief for the exercises. Participants are encouraged to help one another and offer relevant input to address peers’ questions.

UPCOMING CYBER RANGE TRAINING EVENTS

Dec 07, 2023
Training | Virtual/Online
DEFEND AGAINST RANSOMWARE ATTACKS CYBER RANGE TRAINING (IR209)

ON-DEMAND TRAINING

On-demand trainings are self-paced and available 24/7. They are presented as two types of offerings: Step-by-Step Action Courses and Online Training Recordings.

Step-by-Step Action Courses: These courses are a mix of the 100- and 200-level trainings without the use of the Cyber Training Range. They consist of lectures, short videos, and the use of an alternate artificial environment where participants practice exercises to test their incident response (IR) skills.

Training Topics:

Ransomware Overview

These courses provide an overview on ransomware and six preventative controls to avoid becoming its victim. Each training provides a closed environment where participants can safely practice their new skills. The courses cover the following topics:

* How to Block Malicious IPs. This module presents an overview of the importance of blocking malicious IPs and demonstrates how to block them.
* How to Sinkhole a Malicious Domain. This module presents an overview of the sinkholing process and demonstrates how to properly implement a DNS sinkhole.
* How to Disable Server Message Block (SMB). This module presents an overview of Server Message Block, including the importance of disabling SMBv1, and presents how to properly disable SMBv1 on your network.
* How to Create Application Allow-listing Policies. This module presents an overview of the importance of creating Windows Defender Application Control (WDAC) allow-listing policies with PowerShell and a demonstration on how to set up these policies.
* How to Back Up and Restore Active Directories. This module presents a review of the importance of backing up and restoring your network’s Active Directory after a network compromise, as well as a review of how to properly back up and restore a network’s Active Directory.
* How to Reset a Kerberos Ticket Granting Ticket (KRBTGT) Account Password. This module presents the importance of resetting your network’s KRBTGT account password and how to properly execute this type of reset.

Federal Virtual Training Environment (FedVTE) Online Training Recordings

These self-paced training recordings are available on the CISA YouTube channel and include topics such as ransomware. These videos are free and available to the general public. Recordings can also be found on the Federal Virtual Training Environment (FedVTE), which is available to federal, state, local, tribal, and territorial government employees, federal contractors, and U.S. military veterans.

* Don’t Let Cyber Criminals Steal Your Connections: Securing Internet-Accessible Systems
* STRENGTHEN YOUR RESOLVE – UNDERSTANDING DNS ATTACKS
* DON'T GET CAUGHT IN THE WEB - UNDERSTANDING WEB AND EMAIL SERVER SECURITY
* DON’T LET CYBER CRIMINALS CASH IN – PREVENTING BUSINESS EMAIL COMPROMISE
* DON'T GET CAUGHT IN THE STORM – SECURING CLOUD INFRASTRUCTURE

CONTACT INFORMATION

To ask a question or provide other feedback on IR training, contact us at CyberInsights@cisa.dhs.gov.

FREQUENTLY ASKED QUESTIONS

What is “incident response” training? Where can I learn more about it?

* Based on the definition provided in NIST Special Publication 800-61, Computer Security Incident Handling Guide, cybersecurity incident response is a complex capability encompassing detecting incidents, minimizing loss and destruction, mitigating the weaknesses that were exploited, and restoring IT services.
* The NICE Cybersecurity Workforce Framework outlines work roles for incident response analysts and tasks, skills, knowledge, and abilities required to be competent in an incident response role. Specifically, incident response is classified as a specialty area under the “Protect and Defend” category; however, the core skills taught apply beyond the scope of incident response activity. * When cyber incidents occur, the Department of Homeland Security (DHS) provides assistance to potentially impacted entities, analyzes the potential impact across critical infrastructure, investigates those responsible in conjunction with law enforcement partners, and coordinates the national response to significant cyber incidents. The Department works in close coordination with other agencies with complementary cyber missions, as well as private sector and other non-federal owners and operators of critical infrastructure, to ensure greater unity of effort and a whole-of-nation response to cyber incidents. To learn more, visit the Cyber Incident Response page. Which types of courses are relevant to me? * The Incident Response Training series is designed to provide incident response training and organizational guidance. * Webinar courses provide an entry-level topic overview for those who know little about incident response in general, or a specific cybersecurity subject. They are recommended for anyone who works in or adjacent to network security and incident response, or anyone interested in learning more about personal or professional cybersecurity, organizational best practices for incident response, or specific attack types such as ransomware or business email compromise. * Cyber Range Training courses have lab exercises designed to teach the basics of network investigation and defense. 
They are accessible to new cybersecurity workers who may lack real-world skill practice, but some theoretical understanding of cybersecurity and incident response enhances the value of the instruction.

Who can register for the courses?
* The Awareness Webinars are open to a general audience.
* The Cyber Range Training courses are available for government employees and contractors across Federal, State, Local, Tribal, and Territorial government, educational partners, and critical infrastructure partners. Please use your corporate, government, military, or education email addresses when registering as personal email addresses will not be approved for class attendance.

How do I participate in a training event?
* To participate, visit the upcoming event sections on the webpage above to sign up for open courses. Please note that courses may not open for registration until approximately four weeks before the training date.

How can I be notified of upcoming courses?
* When a course does open, an invitation to register is distributed to interested stakeholders. If you would like to be included on future IR training announcements, please email CyberInsights@cisa.dhs.gov and indicate which course type you would like to be notified about.

Can I stream courses online?
* Previous Awareness Webinars are made available for public viewing on-demand through FedVTE. Stream webinars at your convenience and share them with your friends and colleagues!
* Previously recorded webinars are also available on the CISA YouTube Channel in the "Protect Your Network: Strengthen Your Cybersecurity with Our Incident Response Training" playlist.
* Cyber Range Trainings are not available on-demand, as they require participation in a cyber range environment.

What course topics are available?
* Below is a list of confirmed IR course topics to be offered in Fiscal Year 2022.
This list may be updated as we expand the IR curriculum:
  * Ransomware
  * Indicators of compromise
  * Internet-accessible system vulnerabilities
  * Web and email server attacks
  * Domain Name System (DNS) infrastructure tampering
  * Log management
  * Network diagramming

Can I earn continuing education credits for these trainings?
* While acceptance may vary depending on your certification vendor, all IR courses can be used to earn CPE credits.
  * Webinar: 1 credit hour
  * Cyber Range Training: 4 credit hours

What about the previous types of courses CISA offered in the IR Training series?
* In Fiscal Year 2021 CISA offered the following IR courses in addition to the ones described previously.
  * Course Types
    * Observe the Attack: 2 credit hours. The “Observe the Attack” series red/blue team demonstration events are ideal for those who supervise, manage, support, or facilitate incident or crisis response. If you are looking for a front-row seat to a real-time incident response scenario, these events are for you!
    * Cyber Range Challenge: 6 credit hours. Cyber Range Challenges are incident response scenarios designed for experienced practitioners. Students are asked to complete class profiles to summarize their skill and experience, and teams are balanced so that newer incident responders can learn from and work with more experienced professionals. These are critical thinking and problem-solving challenges as much as they are a test of investigation and network defense skills.
  * Course topics that were discontinued after 2021:
    * Cloud-based server attacks
    * Cloud leak
    * Business email compromise

CISA RESOURCES

* Cybersecurity Training & Exercises
* Cyber Hygiene Services
* Cyber Incident Response
* CISA Cybersecurity Awareness Program
* Federal Government Cybersecurity Incident and Vulnerability Response Playbooks
* Alerts
* Bulletins

TAGS

Audience: Federal Government; Individuals and Families; Industry; Small and Medium Businesses; State, Local, Tribal, and Territorial Government

Topics: Cybersecurity Best Practices; Identity Theft and Personal Cyber Threats; Multifactor Authentication; Organizations and Cyber Safety; Incident Detection, Response, and Prevention; Malware, Phishing, and Ransomware