Information Security Incident Handling Exercise

Information Security Incident Handling Exercise

Duration: one day

Abstract

The incident handling exercise allows participants to detect and respond to real-life incidents, and provides them with hands-on incident handling experience.
The exercise uses Sparks on Wheels (SoW), a fictitious company that innovatively manages transporting people within cities using electric cars, electric motorcycles and bicycles. Participants will be provided with a brief introduction that sets the context including the technical environment, a generic incident handling process and an incident report template. In addition, they will be provided with access to SoW services and infrastructure that contain artefacts and indicators of compromise that they should analyse to identify and respond to a set of incidents. Incidents can be detected through a variety of technical and organisational events that vary in difficulty and technical depth. Some incidents do not require highly specialised technical skills to be detected.

Participants are expected to analyse SOW environment and any other information provided to filter “noise” from meaningful/useful information following the process provided. They will be expected to perform the following activities while communicating and escalating issues to management and relevant stakeholders (represented by the exercise facilitators):

  • Detect security incidents.
  • Triage events/incidents.
  • Analyse incidents.
  • Contain and eradicate incidents.
  • Recover from incidents.
  • Write an incident report.

The exercise has been developed to ensure that participants will go through all incident handling steps and will not get stuck in the incident detection phase. The timeline of the exercise is designed to provide participants with hints to ensure they detect incidents before the allocated time expires.

Course Outline
Participants will be provided with VPN access to SoW and all information (including documentation and process) that detail its business and technical contexts.

Objective
• Train participants on how to detect and triage incidents.
• Train participants on following incident handling processes.
• Measure participants’ incident handling capabilities.

Who Should Attend?
• Incident handlers.
• Information security professionals.
• Service desk team members/leads.
• Other IT staff that may be involved in incident handling.

Duration
The full-day exercise agenda is as follows:
• 9:00-9:45 am (45 minutes): Introduction, agenda, setting the context, etc.
• 9:45-10:00 am (15minutes): Setup of VPN access to SoW service.
• 10:00-12 pm (120 minutes): Incident detection, triage and analysis.
• 12:00-1:00 pm (60 minutes): Lunch break.
• 1:00-3:00 pm (120 minutes): Continue detection, triage and analysis. Complete containment, recovery and restoration.
• 3:00-3:45 pm (45 minutes): Incident report.
• 3:45-4:15 (30 minutes): Incident debriefing.
• 4:15-4:45 (30 minutes): Discussions and feedback.

Prerequisites:
Participants are required to be bring their own laptops and chargers. Participants must have administrative privileges on their laptops. We will be configuring access to SoW environment hosted in AWS via Algo VPN. Make sure you have read the setup instructions for your platform and have the necessary dependencies installed: https://github.com/trailofbits/algo

Participants will be provided with Internet access.