Incident Response Training


CISA has developed no-cost cybersecurity incident response (IR) training for government employees and contractors across Federal, State, Local, Tribal, and Territorial government. The training is also open to educational and critical infrastructure partners.

The incident response curriculum provides a range of training offerings for beginner and intermediate cyber professionals encompassing basic cybersecurity awareness and best practices for organizations and hands-on cyber range training courses for incident response. Course types include: Awareness Webinars and Cyber Range Training. These courses provide valuable learning opportunities for everyone from cyber newbies to veteran cybersecurity engineers. Sign up for the 2022 IR training offerings via the Registration section below. If you cannot join a training, you can view recorded webinars from 2021 on the CISA YouTube Channel Protect Your Network: Strengthen Your Cybersecurity with Our Incident Response Training Playlist.

To learn more about how CISA may assist potentially impacted entities after a cyber incident, visit the Cyber Incident Response page. 

Registration

Visit the Cybersecurity Training Event Catalog to register for an event. 

Awareness Webinar Events

Awareness webinars are cybersecurity topic overviews for a general audience including managers and business leaders, providing core guidance and best practices to prevent incidents and prepare an effective response if an incident occurs. Additionally, these webinars will be made available to the public at the Federal Virtual Training Environment (FedVTE). Recorded webinars from 2021 are available on the CISA YouTube Channel Protect Your Network: Strengthen Your Cybersecurity with Our Incident Response Training Playlist.

Awareness Webinar topics for 2022 include:

One-Hour Awareness Webinars

| Topic | Course Title |
| --- | --- |
| Ransomware | Defend Against Ransomware Attacks |
| Indicators of Compromise | Understanding Indicators of Compromise |
| Log Management | To be announced |
| Internet-Accessible System Vulnerabilities | Defending Internet Accessible Systems |
| Web and Email Server Attacks | Preventing Web and Email Server Attacks |
| DNS Infrastructure Tampering | Preventing DNS Infrastructure Tampering |
| Creating a Network Map | Mapping Your Network for Better Protection, Detection, and Response |

Cyber Range Training Events

Cyber Range Trainings are interactive virtual classes with hands-on step-action labs. Students participate in mini-lectures followed by lab activities to identify incidents and harden systems in the cyber range environment. These are ideal for beginner and intermediate cyber professionals who wish to learn technical hands-on incident response skills. Cyber Range Training courses provide guided step-action labs for cyber practitioners to practice investigation, remediation, and incident response skills.

Cyber Range Training topics for 2022 include:   

Four-Hour Cyber Range Training Courses

| Topic | Course Title |
| --- | --- |
| Ransomware | Defend Against Ransomware Attacks |
| Internet-Accessible System Vulnerabilities | Defending Internet Accessible Systems |
| Web and Email Server Attacks | Preventing Web and Email Server Attacks |
| DNS Infrastructure Tampering | Preventing DNS Infrastructure Tampering |
| Log Management | To be announced |
| Creating a Network Map | Mapping Your Network for Better Protection, Detection, and Response |

Contact Information 

To ask a question or provide other feedback on IR training, contact CyberInsights@cisa.dhs.gov.

Frequently Asked Questions 

  • What is “incident response” training? Where can I learn more about it?
    • Based on the definition provided in NIST Special Publication 800-61, Computer Security Incident Handling Guide, cybersecurity incident response is a complex capability encompassing detecting incidents, minimizing loss and destruction, mitigating the weaknesses that were exploited, and restoring IT services. 
    • The NICE Cybersecurity Workforce Framework outlines work roles for incident response professionals and tasks, skills, knowledge, and abilities required to be competent in an incident response role. Specifically, incident response is classified as a specialty area under the “Protect and Defend” category; however, the core skills taught apply beyond the scope of incident response activity. 
    • When cyber incidents occur, the Department of Homeland Security (DHS) provides assistance to potentially impacted entities, analyzes the potential impact across critical infrastructure, investigates those responsible in conjunction with law enforcement partners, and coordinates the national response to significant cyber incidents. The Department works in close coordination with other agencies with complementary cyber missions, as well as private sector and other non-federal owners and operators of critical infrastructure, to ensure greater unity of effort and a whole-of-nation response to cyber incidents. To learn more, visit the Cyber Incident Response page.
  • Which types of courses are relevant to me?
    • The Incident Response (IR) series is designed to provide incident response training and organizational guidance for Federal, State, Local, Tribal, and Territorial government staff, contractors, and stakeholders at all levels of incident response, from general organizational staff to experienced incident response specialists. 
    • Webinar courses provide an entry-level topic overview for those who know little about incident response in general, or a specific cybersecurity subject. They are recommended for anyone who works in or adjacent to network security and incident response, or anyone interested in learning more about personal or professional cybersecurity, organizational best practices for incident response, or specific attack types such as ransomware or business email compromise. 
    • Cyber Range Training courses are hands-on labs designed to teach the basics of network investigation and defense. They are accessible to new cybersecurity workers who may lack hands-on skill practice, but some theoretical understanding of cybersecurity and incident response enhances the value of the instruction.
  • How do I participate in a training event?
    • To participate, you can sign up for open courses in the course catalog. Please note that courses may not open for registration until approximately four weeks before the training date. When a course does open, an invitation to register is distributed to interested stakeholders. If you would like to be included on future IR training announcements, please email CyberInsights@cisa.dhs.gov.
  • Can I stream courses online?  
  • What course topics are available?
    • Below is a list of confirmed IR course topics to be offered in Fiscal Year 2022. This list may be updated as we expand the IR curriculum:
      • Ransomware 
      • Indicators of Compromise
      • Internet-Accessible System Vulnerabilities 
      • Web and Email Server Attacks 
      • DNS Infrastructure Tampering 
      • Log Management
      • Creating a Network Map
  • Can I earn continuing education credits for these trainings? 
    • While acceptance may vary depending on your certification vendor, all IR courses can be used to earn CPE credits.
      • Webinar: 1 credit hour
      • Cyber Range Training: 4 credit hours
  • What about the previous types of courses CISA offered in the IR Training series?
    • In Fiscal Year 2021, CISA offered the following IR courses in addition to the ones described previously. These courses are not offered in Fiscal Year 2022, but check back to see our Fiscal Year 2023 offerings. Recorded webinars from 2021 are available on the CISA YouTube Channel Protect Your Network: Strengthen Your Cybersecurity with Our Incident Response Training Playlist.
      • Course Types
        • Observe the Attack: 2 credit hours. The “Observe the Attack” series red/blue team demonstration events are ideal for those who supervise, manage, support, or facilitate incident or crisis response. If you are looking for a front-row seat to a real-time incident response scenario, these events are for you!
        • Cyber Range Challenge: 6 credit hours. Cyber Range Challenges are hands-on incident response scenarios designed for experienced practitioners. Students are asked to complete class profiles to summarize their skill and experience, and teams are balanced so that newer incident responders can learn from and work with more experienced professionals. These are critical thinking and problem-solving challenges as much as they are a test of investigation and network defense skills. 
      • Course topics that were covered in 2021 but not in 2022:
        • Cloud-based Server Attacks 
        • Cloud Leak
        • Business Email Compromise 

Privacy Act Statement

Authority: 5 U.S.C. § 301 and 44 U.S.C. § 3101 authorize the collection of this information.

Purpose: The information on this website is intended for government cybersecurity professionals who are participating in the Department of Homeland Security (DHS) Continuous Diagnostics and Mitigation (CDM) Program and for cybersecurity professionals who would like more information on implementing a continuous monitoring program. The primary purpose for the collection of this information is to allow the DHS to contact you about your registration using an approved version of Adobe Connect for the DHS CDM training program.

Routine Uses: The information collected may be disclosed as generally permitted under 5 U.S.C. § 552a(b) of the Privacy Act of 1974, as amended. This includes using the information as necessary and authorized by the routine uses published in DHS/ALL-002 - Department of Homeland Security (DHS) Mailing and Other Lists System November 25, 2008, 73 FR 71659.

Disclosure: Providing this information is voluntary. However, failure to provide this information will prevent DHS from contacting you in the event there are queries about your request or registration.
