Phase2 Advantage Cybersecurity and Certifications

Certified Cyber Incident Response Manager (C-CIRM)

Instructor-Led Online Training

CCIRM Exam Prep Guide

As organizations continue to rely on expanding infrastructure in an increasingly hostile threat landscape, the escalation of incidents involving malicious actors poses critical risks to information systems and networks. The ability to identify threats, respond to incidents, restore systems, and enhance security postures is vital to the survival of the operation.

This training course brings Incident Response core competencies to advanced levels by presenting students with 16 detailed learning objectives. Students will be provided with the knowledge and the practical skills needed to investigate and respond to network and system incidents. With a specific focus on the identification and remediation of incidents involving host and network devices, students will cover topics such as Threat Intelligence Collection, Investigative Techniques, Creating Playbooks, and Malware Triage. Lab exercises utilize the Project Ares® Cyber Range and Wireshark network protocol analyzer software.

Course Instructor

Michael I. Kaplan - Phase2 Advantage

Michael I. Kaplan is the Director of Operations for Phase2 Advantage, a cybersecurity training and publishing company based in Savannah, Georgia. He is also the Chairman of the Savannah Technical College Cybersecurity Advisory Committee and heavily involved in curriculum design initiatives.

Michael has written numerous courses and cybersecurity training programs for corporate, academic, and government personnel. He has also developed training programs for Law Enforcement and Fugitive Task Force Investigators on the topics of Criminal Topology, Forensic Document Analysis, and Investigations.  Michael’s technical areas of specialization are Incident Handling and Response, Network Forensics, Digital Forensics, and Information Technology Risk Management. He also provides curriculum and program development services for government, corporate, and academic organizations both domestically and internationally.

NICE Cybersecurity Workforce Framework

The Certified Cyber Incident Response Manager course is a component of the career progression track that supports the required Categories, Specialty Areas and Work Roles as defined by the National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework.  It provides a common language to speak about cyber roles and jobs and can be referenced to define professional requirements in cybersecurity.

INFORMATION SYSTEMS SECURITY MANAGER
(OV-MGT-002)

CYBER CRIME INVESTIGATOR
(IN-INC-001)

VULNERABILITY ASSESSMENT ANALYST
(PR-VAM-001)

EXPLOITATION ANALYST
(AN-EXP-001)

CYBER DEFENSE INCIDENT RESPONDER
(PR-CIR-001)

THREAT/WARNING ANALYST
(AN-TWA-001)

Course Outline and Knowledge Points

Click the blue arrow to the left of the domain title to view an expanded list of key knowledge points.

  • What Constitutes an Incident?
  • Technology as a Landscape for Crime
  • The Incident Response Life Cycle
  • What is Incident Response?
  • 7 Stages of the Attack Life Cycle
  • 10 Steps to Help Reduce Incidents
  • Cyber Adversaries vs. Cyber Defenders
  • Nation State vs. Non-Nation State Actors
  • Components of the Threat Landscape
  • Legal Challenges in Digital Investigations
  • Challenges to Cyber Crime Investigations
  • International Enforcement Challenges
  • Defining the Incident Response Mission
  • Internal Communication Procedures
  • External Communication Procedures
  • Incident Response Team Deliverables
  • Building a Field Forensic System
  • Preparing the Infrastructure
  • Time Zones and Investigative Timelines
  • Collecting Initial Facts
  • Incident Response Checklists
  • Maintaining Case Notes
  • Building an Attack Timeline
  • Vulnerability Program Essentials
  • Prioritizing Vulnerability and Risk
  • Rating Vulnerability Levels
  • Analyzing a Vulnerability Notification
  • Establishing an Efficient Workflow
  • Vulnerability Scanning Software
  • Baseline Measuring Objectives
  • Identifying Usage Patterns
  • Network Sensor Deployment
  • Statistical Monitoring
  • Header and Full Packet Logging
  • Network Monitoring Evaluation
  • Potential Signs of Compromise
  • The Case for Network Monitoring
  • Turning Leads into Indicators
  • The Life Cycle of Indicator Generation
  • Indicator of Compromise Verification
  • Event-Based Alert Monitoring
  • Understanding Elements of Proof
  • Incident Scene Management
  • Chain of Custody
  • The Purpose of Investigations
  • Investigative Interview Strategies
  • Documenting Interviews
  • Understanding the Maneuver Warfare Mindset
  • The Threat Intelligence Cycle
  • Intelligence Collection
  • Analysis and Production
  • Dissemination of Intelligence
  • Threat Intelligence Sources
  • Network Forensics vs. Digital Forensics
  • General Process for Performing Analysis
  • Available Data Sources
  • Outlining the Approach
  • Selection of Analysis Methods
  • Evaluating Analysis Results
  • Responsibilities of The First Responder
  • The Host Device Power State
  • Standard Windows Directory Structure
  • Locating Endpoint Data
  • The Windows Registry
  • The Importance of IoT Devices
  • When to Perform a Live Response
  • Live Response Challenges
  • Selecting a Live Response Tool
  • Data Collection Considerations
  • Common Live Response Data
  • Collection Best Practices
  • Malware Triage Concepts
  • Malware Handling Procedures
  • Malware Distribution and Documentation
  • Assessing Malicious Sites
  • Introduction to Static and Dynamic Analysis
  • Automated Analysis: Sandboxes
  • Effective Incident Remediation
  • Assigning a Remediation Owner
  • Remediation Posturing Actions
  • Eradication Plan Development
  • Plan Timing and Execution
  • Developing Strategic Recommendations
  • Introduction to Report Writing
  • Report Style and Formatting
  • General Analysis Report Formatting
  • Quality Assurance for Investigative Reports
  • Report Content and Organization
  • Documenting Lessons Learned
  • Response Playbook Components
  • Building a Response Playbook
  • Common Playbook Response Scenarios
  • Planning Table-Top Exercises
  • Planning Simulated Attacks
  • Sample Playbook: Unauthorized Access

Course Learning Objectives

Upon successful completion of the C)CIRM training program, participants will be able to:

  • CLO #01: Define the characteristics of a computer security incident, list the stages of the incident response life cycle, recognize the stages of the attack life cycle, and identify methods to reduce the likelihood of security incidents.
  • CLO #02: Explain the components of the current threat landscape, the capabilities of nation-state and non-nation-state threat actors, threats posed by digital computer crimes, legal challenges common to digital investigations, and the legal principles of investigating and prosecuting cybercrime.
  • CLO #03: Prepare a security strategy using labs and industry tools to create an effective incident response capability, define the response mission, prepare for incident response investigations, list potential signs of compromise, and verify indicators of compromise (IOC’s).
  • CLO #04: Compare the processes of performing forensic analysis, selection of analysis methods, host and network data collection practices, selection of live response tools and strategies, the location of potential data sources, and the challenges of live data acquisition from a network.
  • CLO #05: Propose a malware policy based on industry best practices which addresses the identification of malicious files, initial triage, handling procedures, documentation and distribution guidelines, static and dynamic analysis methods, and the use of sandboxes for automated analysis.
  • CLO #06: Recommend an incident response implementation that includes creating a remediation team, posturing actions, incident containment strategies, eradication plan development, plan timing and execution, developing strategic recommendations, and documenting lessons learned.

Project Ares® Cyber Range Labs

Project Ares® Cyber Range Labs

Students enrolled in classroom or instructor-led online formats of this course will be using the Project Ares® Cyber Range for practical labs.  Project Ares® Cyber Range labs are available to self-study students for an additional fee.

Instructor-Led & Self-Guided Wireshark Lab Exercises

Creating the Virtual Machine for Labs

Color Rules and
Packet Export

The Wireshark
User Interface

Creating Tables
and Graphs

Customizing
Wireshark Settings

File and Object
Reassembly

Applying
Capture Filters

Adding Comments
to Trace Files

Applying
Display Filters

Command-Line
Capture Tools

Course Training Materials

Exam Prep Guide

Course Workbook & Labs

Lab Images (if Applicable)

Practice Assessment Quizzes

40-Hour CPE Credit Certificate

Knowledge Assessment Examination

Knowledge Assessment Exam

Exam Description Digital Badge CCIRM

Upon completion of online courses, students will be prepared to sit for the knowledge assessment exam. The online examination will consist of True/False, Multiple Choice, and Fill in the Blank questions. The exam may be taken at any time within 6 months of completing the certification course.

Students will have two hours to complete a computer-based examination consisting of 100 questions. A score of 70% or higher is required to earn the certification. Upon successful completion of the exam, students will be sent a hardcopy of their certification and their CPE credit documentation via email (PDF format) within 72-hours of the exam date.

The examination is “closed book.” However, students will be allowed to use their notes on material presented during the course as well as their Course Workbooks.

Register Today for the Next Training Session

COURSE DATES

June 07 – July 14

TRAINING DAYS

Monday & Wednesday

CLASS TIMES

6:00 pm – 9:00 pm

COURSE FEE

$3,000

COURSE ENROLLMENT

Register for Training

Contact Us to Learn More

To find out more about course fees, group rates, and discounted fees for government personnel please contact us via the email and phone number below.

OFFICE:
(912) 335-2217

EMAIL:
michael.kaplan@phase2advantage.com