Incident Response Training

CISA offers no-cost cybersecurity Incident Response (IR) Training series with a range of offerings for beginner and intermediate cybersecurity analysts encompassing basic cybersecurity awareness, best practices for organizations, and facilitated lab activities. Course types include Awareness Webinars (100-level) and Cyber Range (200-level) Training. These courses provide valuable learning opportunities for everyone from cyber newbies to veteran cybersecurity engineers. Sign up for the training offerings via the Registration section or Upcoming Events sections below.

To learn more about how CISA may assist potentially impacted entities after a cyber incident, visit the Cyber Incident Response page. 

Awareness Webinars

Awareness webinars, also referred to as 100-level courses, are one-hour, entry-level, virtual and instructor-led classes with cybersecurity topic overviews for a general audience including managers and business leaders, providing core guidance and best practices to prevent incidents and prepare an effective response if an incident occurs. Previously recorded webinars are available on the CISA YouTube Channel Protect Your Network: Strengthen Your Cybersecurity with Our Incident Response Training Playlist and on the Federal Virtual Training Environment (FedVTE).

Training Topics:

Defending Internet Accessible Systems (IR104)

Internet-accessible systems have become the backbone of modern business and communication infrastructure, from smartphones to web applications such as Outlook to the explosive growth of the Internet of Things (IoT). Each of these systems, applications, and devices, however, can be targeted by threat actors and used to conduct malicious activity if left unsecured—worse, improperly configured and ill-maintained systems can leave vulnerabilities and sensitive information open to exploit.

Join us for the following information and more:

• Common attacks and vulnerabilities: Understand common vulnerabilities of internet-accessible how they are exploited by threat actors, and how to mitigate them to prevent attacks from succeeding.
• CISA guidance: Learn key guidance, resources, and best practices to address vulnerabilities and prepare effective incident response and recovery.
• Case studies: Examine the methods and impacts of real-life cyber-attacks, and how the targets responded and recovered.
• Knowledge check: Knowledge check questions will be asked throughout the course to reinforce key concepts and important takeaways.

This awareness webinar is designed for both technical and non-technical audiences.

Preventing Web and Email Server Attacks (IR105)

Web and email servers are the workhorses of the Internet — we couldn't run government, businesses, or our personal lives without them! However, the information exchanged through web and email servers can offer a tempting target for cyber attackers.

This webinar includes the following information and more:

• Common attack methods: Hackers can target and decode victims' web and email traffic, compromise email security to make phishing attempts more likely to succeed or can even use botnets to shut down access to websites and conduct large-scale campaigns of malicious activity.
• Key guidance for organizations: CISA provides resources and best practices to help individuals and organizations secure their web and email infrastructure.
• Case studies: Explore the methods and impacts of real-life cyberattacks, and how the victims responded and recovered.
• Knowledge check: The course concludes with a brief knowledge check section to reinforce key concepts and takeaways.

Preventing DNS Infrastructure Tampering (IR106)

The Domain Name System, commonly known as DNS, is often referred to as the “phone book” of the Internet. Every time we access the Internet to visit our favorite websites, shop and pay bills online, or access online portals for healthcare or banking, we depend on DNS infrastructure to securely route us to our intended destinations. While this shared infrastructure is incredibly powerful and useful, it also presents a rich attack surface for threat actors: allowing them to shut down websites and online services, replace legitimate website content with threats and extortion attempts, or even route traffic to a carbon copy of a legitimate website to steal any information entered by users trying to conduct business as usual.

This webinar provides key information you need to know to protect yourself and your organization from DNS infrastructure tampering including common vulnerabilities, how to identify a potential attack, and guidance and best practices to reduce the likelihood and impact of a successful DNS attack. This event is intended for a general audience including managers and business leaders but also includes topics and perspectives that may be useful to technical specialists.

Introduction to Network Diagramming (IR107)

To protect the confidentiality, integrity, and availability of an agency’s network and the data contained therein, cybersecurity professionals must be able to identify their network enterprise accurately and completely. Network diagrams are essential and serve to help visualize what is on the network, how the overall network is structured, and how all the devices on the network are connected. Every organization should build and maintain current and accurate network diagrams to help manage their network architecture and ultimately determine how to best mitigate potential or realized risks and vulnerabilities.

This webinar includes the following information and more:

• Importance of Network Diagrams: Students will learn the importance of creating and maintaining network topology diagrams. Students will also understand the importance of identifying data flows and storage, identifying remote access points and external connections, and network segmentation for security.
• Key Guidance for Organizations: CISA provides guidance on what to include in network diagrams.
• Knowledge check: The course concludes with a brief knowledge check section to reinforce key concepts and takeaways.

Understanding Indicators of Compromise (IR108)

Major cyber-attacks have made headlines for years and the pace of threat activity faced by government and private sector organizations is accelerating. Often, the most damaging attacks reported are traced to Advanced Persistent Threats (APTs): groups of sophisticated hackers who gain entry into an unauthorized system and remain undetected for extended periods of time, allowing them to surveil and gather information, test security, or execute malicious activity without tripping network defenses.

Indicators of Compromise (IOCs) are the digital and informational "clues" that incident responders use to detect, diagnose, halt, and remediate malicious activity in their networks. This webinar provides an overview of IOCs for incident responders and those who work with them, introduces example scenarios and how IOCs can be used to trace activity and piece together a timeline of the threat, and discusses tools and frameworks to help incident responders use IOCs to detect, analyze, respond to, and report cyber threat activity.

Join us to learn the following information and more:

• Define IOCs and why tracking, investigating, and reporting IOCs are crucial to enterprise cybersecurity.
• Understand how IOCs are used for threat hunting and incident response, different types of indicators, and how to collect different categories of IOCs.
• Learn about the MITRE ATT&CK® framework and how it supports the analysis of IOCs, potential threat actors related to the activity and their associated strategies and tactics.
• Introduce free CISA cybersecurity tools, services, and resources to help organizations further advance their cybersecurity capabilities.

Defend Against Ransomware Attacks (IR109)

Ransomware attacks hit a new target every 14 seconds—shutting down digital operations, stealing information and exploiting businesses, essential services, and individuals alike. This one-hour webinar provides essential knowledge and reviews real-life examples of these attacks to help you and your organization to mitigate and respond to the ever-evolving threat of ransomware.

This webinar includes the following information and more:

• Common attack methods: Learn the definition of ransomware, summary of its large-scale impacts, and how these attacks have developed over time. The webinar will discuss common signs of a ransomware attack and how to respond if an attack is suspected.
• Key Guidance for Organizations: CISA provides guidance for how to mitigate the impact of ransomware attacks and recover in the event of an attack.
• Case studies: Explore the methods and impacts of real-life cyber-attacks, and how the victims responded and recovered.
• Knowledge check: The course concludes with a brief knowledge check section to reinforce key concepts and takeaways.

Introduction to Log Management (IR110)

Log files provide the data that are the bread and butter of incident response, enabling network analysts and incident responders to investigate and diagnose issues and suspicious activity from network perimeter to epicenter. This webinar introduces the fundamentals of investigating logs for incidents.

This webinar includes the following information and more:

• Common attack methods: Understand log analysis, and its importance as a crucial component of incident response and network security.  
• Key guidance for organizations: Introduce resources and tools that enable organizations and individuals to use log analysis to query for threat activity including SIEM, FPCAP analysis, and using PowerShell and Active Directory to run scripts. 
• Case studies: Explore the methods and impacts of real-life cyberattacks, and how the victims responded and recovered. 
• Knowledge check: The course concludes with a brief knowledge check section to reinforce key concepts and takeaways.

The target audience for this webinar is non-technical and beginning incident responders.

Cyber Range Training

Cyber Range Trainings, also referred to as 200-level courses, are four-hour, interactive, virtual, and instructor-led classes with step-action labs in a realistic technical environment. These offerings are available for government employees and contractors across Federal, State, Local, Tribal, and Territorial government, educational partners, and critical infrastructure partners.

Cyber Range Training courses provide guided step-action labs for cybersecurity analysts to learn and practice investigation, remediation, and incident response skills. Students participate in short lectures followed by lab activities to identify incidents and harden systems in the cyber range environment. These are ideal for beginner and intermediate cybersecurity analysts who wish to learn technical incident response skills.

Training Topics:   

Defending Internet Accessible Systems (IR204)

Internet-accessible systems have become the backbone of modern business and communication infrastructure, from smartphones to web applications, to the explosive growth of the “Internet of Things” (IoT). Each of these systems and devices, however, can be targeted by threat actors and used to conduct malicious activity if they are unsecured. Worse, these systems can leave vulnerabilities and sensitive information freely available to exploit if not properly configured and maintained.

Preventing Web and Email Server Attacks (IR205)

Participants will be introduced to common web and email vulnerabilities, as well as the technologies of encryption and authentication to enhance web and email security. This exercise uses an interactive approach to facilitate realistic technical training and interaction opportunities for learners.

Experience these benefits and more:

• Practice in a realistic environment: Analyze network and host-based artifacts and implement remediation changes for the identified vulnerabilities.
• Learn how to implement CISA guidance: Course exercises include implementation of the recommendations in BOD 18-01.
• Identify and mitigate vulnerabilities in real time: Students will identify common web and email vulnerabilities and mitigate them by reconfiguring the web server and DNS settings. 
• Expert facilitation and peer discussion: Throughout the course, expert cybersecurity engineers will moderate discussion and conduct a recovery debrief for the exercises. Participants are also encouraged to help one another and offer relevant input to address peers' questions.

Preventing DNS Infrastructure Tampering (IR206)

DNS is one of the core foundations of the internet however, it continues to be one of the mechanisms attackers use to perform malicious activities across the globe. In this course participants will learn about various concepts associated with DNS, become familiar with DNS tools and mapping information, get an introduction to common DNS tampering techniques, and gain an understanding of DNS mitigation strategies to enhance security. Experience these benefits and more:

• Practice in a realistic environment: Analyze network and host-based artifacts and implement remediation changes for the identified vulnerabilities. 
• Learn how to implement remediations: Course exercises include remediation technologies.
• Identify and mitigate vulnerabilities in real time: Students will identify DNS infrastructure tampering techniques and mitigate them.
• Expert facilitation and peer discussion: Throughout the course, expert cybersecurity engineers will moderate discussion and conduct a recovery debrief for the exercises. Participants are also encouraged to help one another and offer relevant input to address peers' questions.

Understanding Indicators of Compromise (IR208)

Major cyber-attacks have made headlines for years and the pace of threat activity faced by government and private sector organizations is accelerating. Indicators of Compromise (IOCs) are the digital and informational "clues" that incident responders use to detect, diagnose, halt, and remediate malicious activity in their networks. In this training, participants will be introduced to common IOCs and common protocols used to find them in their own systems.

This laboratory-style training is structured as six modules that explore the following aspects: 

• Describe Initial Access and example IOCs, and find the specific user-agent or known source IP of a password spray.
• Describe Execution and example IOCs, and find the execution IOC from PowerShell module logs.
• Describe Persistence and example IOCs, and identify back-doored accounts given Active Directory persistence IOCs.
• Describe Privilege Escalation and example IOCs, and identify the file hash and folder location for IOCs associated with DLL search order hijacking attack.
• Describe Defensive Evasion and example IOCs, and find improperly signed binaries associated with invalid code signing certificates.
• Describe Lateral Movement and example IOCs, and derive the IOCs from a threat actor report and search aggregated event logs to find them.

Defend Against Ransomware Attacks (IR209)

Ransomware is the fastest growing malware threat targeting home, business, and government networks. Anyone with a computer connected to the internet is a target. Ransomware infection is one computer, one person, one click away from penetrating a networks defense. If just one computer becomes infected with ransomware it could quickly spread all over the network, which is why ransomware protection is critical. Ransomware incidents have become increasingly prevalent and pose an enormous risk to you and your organization’s critical infrastructure. In this training, participants will be introduced to common applications and process that harden network defenses, as well as key terms to be aware of in the prevention of ransomware attacks.

This laboratory-style training is structured as six modules that explore the following aspects:

• Define ransomware and identify best practices and preventive measures to mitigate the impact of ransomware attacks.
• Practice in a realistic environment: Analyze network and host-based artifacts and implement remediation changes for the identified vulnerabilities.
• Learn how to apply specific tools to configure and backup active directory policies, reset KRBTGT account passwords and create application allowlisting policies.
• Identify and mitigate vulnerabilities in real time: Students will identify malicious domains and mitigate them by establishing a sinkhole and by blocking the malicious domain. 
• Expert facilitation and peer discussion: Throughout the course, expert cybersecurity engineers will moderate discussions and conduct a recovery debrief for the exercises. Participants are also encouraged to help one another and offer relevant input to address peers' questions.

Frequently Asked Questions

What is “incident response” training? Where can I learn more about it?

• Based on the definition provided in NIST Special Publication 800-61, Computer Security Incident Handling Guide, cybersecurity incident response is a complex capability encompassing detecting incidents, minimizing loss and destruction, mitigating the weaknesses that were exploited, and restoring IT services.
• The NICE Cybersecurity Workforce Framework outlines work roles for incident response analysts and tasks, skills, knowledge, and abilities required to be competent in an incident response role. Specifically, incident response is classified as a specialty area under the “Protect and Defend” category; however, the core skills taught apply beyond the scope of incident response activity.
• When cyber incidents occur, the Department of Homeland Security (DHS) provides assistance to potentially impacted entities, analyzes the potential impact across critical infrastructure, investigates those responsible in conjunction with law enforcement partners, and coordinates the national response to significant cyber incidents. The Department works in close coordination with other agencies with complementary cyber missions, as well as private sector and other non-federal owners and operators of critical infrastructure, to ensure greater unity of effort and a whole-of-nation response to cyber incidents. To learn more, visit the Cyber Incident Response page.

Which types of courses are relevant to me?

• The Incident Response Training series is designed to provide incident response training and organizational guidance.
• Webinar courses provide an entry-level topic overview for those who know little about incident response in general, or a specific cybersecurity subject. They are recommended for anyone who works in or adjacent to network security and incident response, or anyone interested in learning more about personal or professional cybersecurity, organizational best practices for incident response, or specific attack types such as ransomware or business email compromise. 
• Cyber Range Training courses have lab exercises designed to teach the basics of network investigation and defense. They are accessible to new cybersecurity workers who may lack real-world skill practice, but some theoretical understanding of cybersecurity and incident response enhances the value of the instruction.

Who can register for the courses?

• The Awareness Webinars are open to a general audience.
• The Cyber Range Training courses are available for government employees and contractors across Federal, State, Local, Tribal, and Territorial government, educational partners, and critical infrastructure partners. Please use your corporate, government, military, or education email addresses when registering as personal email addresses will not be approved for class attendance.

How do I participate in a training event?

• To participate, you can sign up for open courses in the course catalog. Please note that courses may not open for registration until approximately four weeks before the training date.

How can I be notified of upcoming courses?

• When a course does open, an invitation to register is distributed to interested stakeholders. If you would like to be included on future IR training announcements, please email CyberInsights@cisa.dhs.gov and indicate which course type you would like to be notified about. 

Can I stream courses online?

• Previous Awareness Webinars are made available for public viewing on-demand through FedVTE. Stream webinars at your convenience and share them with your friends and colleagues!
• Previously recorded webinars are also available on the CISA YouTube Channel Protect Your Network: Strengthen Your Cybersecurity with Our Incident Response Training Playlist.
• Cyber Range Trainings are not available on-demand, as they require participation in a cyber range environment.

What course topics are available?

• Below is a list of confirmed IR course topics to be offered in Fiscal Year 2022. This list may be updated as we expand the IR curriculum:
  • Ransomware 
  • Indicators of compromise
  • Internet-accessible system vulnerabilities 
  • Web and email server attacks 
  • Domain Name System (DNS) infrastructure tampering 
  • Log management
  • Network diagramming

Can I earn continuing education credits for these trainings? 

• While acceptance may vary depending on your certification vendor, all IR courses can be used to earn CPE credits.
  • Webinar: 1 credit hour
  • Cyber Range Training: 4 credit hours

What about the previous types of courses CISA offered in the IR Training series?

• In Fiscal Year 2021 CISA offered the following IR courses in addition to the ones described previously.
  • Course Types
    • Observe the Attack: 2 credit hours. The “Observe the Attack” series red/blue team demonstration events are ideal for those who supervise, manage, support, or facilitate incident or crisis response. If you are looking for a front-row seat to a real-time incident response scenario, these events are for you!
    • Cyber Range Challenge: 6 credit hours. Cyber Range Challenges are incident response scenarios designed for experienced practitioners. Students are asked to complete class profiles to summarize their skill and experience, and teams are balanced so that newer incident responders can learn from and work with more experienced professionals. These are critical thinking and problem-solving challenges as much as they are a test of investigation and network defense skills. 
  • Course topics that were discontinued after 2021:
    • Cloud-based server attacks 
    • Cloud leak
    • Business email compromise

Privacy Act Statement

Authority: 5 U.S.C. § 301 and 44 U.S.C. § 3101 authorize the collection of this information.

Purpose: The information on this website is intended for government cybersecurity professionals who are participating in the Department of Homeland Security (DHS) Continuous Diagnostics and Mitigation (CDM) Program and for cybersecurity professionals who would like more information on implementing a continuous monitoring program. The primary purpose for the collection of this information is to allow the DHS to contact you about your registration using an approved version of Adobe Connect for the DHS CDM training program.

Routine Uses: The information collected may be disclosed as generally permitted under 5 U.S.C. § 552a(b) of the Privacy Act of 1974, as amended. This includes using the information as necessary and authorized by the routine uses published in DHS/ALL-002 - Department of Homeland Security (DHS) Mailing and Other Lists System November 25, 2008, 73 FR 71659.

Disclosure: Providing this information is voluntary. However, failure to provide this information will prevent DHS from contacting you in the event there are queries about your request or registration.