CREST Certified Incident Manager (CCIM)
What is the CREST Certified Incident Manager course?
This 3-day CREST-aligned Incident Management Specialist course provides expert level knowledge and skills required for highly experienced cyber security professionals who have spent significant practitioner time working on incident response engagements.
This course is aligned to support individuals seeking to undertake the CCIM exam.
By the end of this training, you will have expanded and consolidated your technical understanding and practical experience of working on cyber security incidents to manage incidents and relevant stakeholders successfully in your organisation.
Who is this Qualification for?
This course is ideally for senior practitioner-level cyber security professionals who wish to understand how to manage cyber security incidents effectively. Some examples of your job role may be, Senior incident response practitioners, Senior digital forensics practitioners or IT/Cyber security practitioners with responsibilities in incident management.
Accreditation / Qualification(s) offered
Successful completion of this course will mean you will be awarded the CCIM certificate.
What This Course Includes
The price includes course registration and the CCIM Certificate.
Delivery Partner
This course will be delivered by our partners, Protection Group International, as part of our Cyber Alliance who will be the training provider of this course.
Delivery method:
Virtual ClassroomInstructor-led course- Enquire about this course
- This is a virtual course with a live instructor. It includes interaction and group-work to embed learning. We encourage use of cameras, and have regular breaks to maintain freshness and engagement.
- Small Classes
- CCIM Certificate
- Does not Expire
0% interest for 4 months with PayPal Credit. Find out more
All prices are per person and exclude VAT.
This course can be tailored to an industry or for a defined audience, with various durations. Example topics typically include:
Threat Landscape and Incident Readiness
- Engagement Lifecycle Management
- Incident Chronology
- Incident Response Plan (and it’s relation to business continuity and disaster recovery)
- Incident Response Team and Relevant Roles
- Law & Compliance
- Record Keeping, Interim Reporting & Final Results
- Threat Assessment
- Risk Analysis
- Business Impact Assessments
- Risk Assessments and Business Impact Assessments
- Attack and compromise lifecycle
- Attack / compromise lifecycles (kill chain)
- Compromise, Disruption, Extraction of data, etc
- Legal and Jurisdictional Issues
- Ethics
- Technical vulnerability root cause identification
- Physical threats
Insider Attacks
- Threat Identification
Collecting the Initial Facts
- Building the Attack Timeline
- Understanding Investigative Priorities
Initial Development of Leads
- Define Value of Leads
- Acting on Leads
Discover the Scope of the Incident
- Examining Initial Data
- Gathering and Reviewing Preliminary Evidence
Data Collection
- Live data collection
- When to perform a live response
- Selecting a live response tool
- What to collect
- Collection best practices
- Live data collection on Microsoft Windows Systems
- Live data collection on Unix-based systems
Forensic Duplication
- Forensic image formats
- Traditional duplication
- Live system duplication
- Duplication of Enterprise assets
- Duplication of Virtual machines
Network Evidence
- Network monitoring
- Types of network monitoring
- Setting up network monitoring
- Network data analysis
- Incident Response Team Exercise
- Applied Technical Knowledge for Incident Response
- Host Analysis Techniques
- Listing processes and their associated network sockets (if any)
- Assessing patch levels on a Windows host using the command prompt
- Finding interesting files on a Windows host
Understanding Common Data Formats
- Interpret email headers, commenting on the reliability of the information contained within
- Information contained within a PKI certificate
- Encoding employed for transmission of data (e.g. web and email)
Registration Records
- Open-Source Investigation and Web Enumeration
- Effective use of search engines and other open-source intelligence sources to gain information about a target
- Information that can be retrieved from common social networking sites
Extraction of Document Metadata
Community Knowledge
- Ability to interpret common anti-virus threat reports
- Ability to interpret open-source research when investigating incidents, eliminating false positives
- Knowledge of popular open-source security resources (web sites, forums, etc.)
- Static Network Traffic
Data Analysis
Malware Handling
- Methods of data collection and types of data to be collected
- Designing a collection system to ensure sufficient data is collected without overwhelming capture devices
- Impact assessment of any changes to network
- Knowledge of SPAN ports, traditional network TAPs and aggregating TAPs
- Ability to estimate capture requirements during scoping.
- Consideration of appropriate capture device deployment location.
- Constraints and limitations of capture and analysis toolsets. Knowledge of different capture options (e.g. NetFlow, limited capture, full packet capture etc.)
- The ability to assure integrity and security of network after introduction of a capture device
- Provide arguments and evidence that supports the integrity of any data captured
Data Sources and Network Log Sources
- Types of data to be collected and existing data sources
- Proxy logs
- Syslogs
- Email logs
- Firewall logs
- DHCP logs
- VPN logs
- Web server logs
- Antivirus logs
- DNS logs
- Domain logs
- Windows event logs
- Internet history
- Database logs
Correlating information contained within any number of different log formats
Triage Environment
Status Analysis
Dynamic Analysis
- Dynamic Network Traffic Analysis
Incident Response Manager Actions During an Incident
- Incident Response team lead and distribute efforts
- Convey technical findings in incident response cases with upper management and stakeholders
- Report Writing
- Client management
- Containment techniques
- Evidence handling
- Communications
- Recovery and remediation (linked to an organisation’s long- and short-term strategic goals)
- On-going technical prevention
- Threat intelligence, Contextualisation Attribution and Motivation
- Industry Best Practice
Exam Preparation
Ideally, you should have five or more years of practical experience in digital forensics and/or incident response role and CREST Registered Intrusion Analyst (CRIA) qualification or training. At a minimum, at least 12 months’ hands on experienced once CRIA has been achieved.
Ideally you will have knowledge of:
- Best practices for incident response and incident management.
- National cyber security regulations and requirements relevant to an organisation.
- Different types of cyber attackers, their capabilities, and objectives.
- What constitutes a threat to network security.
- Best practice measures or indicators of system performance and availability.
- Best practice resource management principles and techniques.
- Best practice server administration and systems engineering theories, concepts, and methods.
- Best practice auditing and logging procedures.
- Using network servers and networking tools used by an organisation or systems being tested.
- Penetration testing principles, techniques, and best practice application
And skill in:
- Developing policies which reflect an organisation’s business and cyber security strategic objectives
- To identify, capture, contain and report malware.
- Identify malware analysis tools.
- Perform root cause analysis for information security issues.
- Understand types of persistent data and how to collect them.
- Effectively use protocol analyzers.
- Critically evaluate and establish processes for collecting, packaging, transporting, and storing electronic evidence while maintaining chain of custody.
- Assess system files that contain relevant information and where to find them.
- Understand electronic evidence law.
- Consider malware reverse engineering concepts.
- Recognise how and why adversaries abuse file type.
- Develop, test, and implement network infrastructure contingency and recovery plans.
- Effectively prepare and present briefings in a clear and concise manner.
- Prepare clear and concise reports, presentations, and briefings.
Enquire about this course
Please fill in the form below and a member of the team will be in contact with you as soon as possible. Replies are typically within 24 hours of your submission. Please allow additional time for bank holidays and weekends.
* Indicates required information
