Certificate Programs: Incident Response

Certificate Programs: Incident Response

The SANS Technology Institute offers a post-baccalaureate certificate in Incident Response, based entirely upon four courses already available as an elective path through its graduate program leading to a Master of Science Degree in Information Security Engineering.

As an independent offering, the graduate certificate in Incident Response is a highly technical, 13 credit hour program with a cohesive and progressive set of learning outcomes. These learning outcomes are focused on developing the student's capability to manage both a computer and network-based forensics investigation as well as the appropriate incident responses.

Because the certificate program is based on the courses that may be chosen by a master's candidate during the normal course of studies, all credits earned while completing the Incident Response certificate program may be applied directly in fulfillment of the master's degree requirements should the student matriculate in the master's program within five years of earning the certificate.

Incident Response Certificate - 13 credit hours

Required courses (expand for more info):
ISE 5200 Hacking Techniques & Incident Response   |   SEC 504, GCIH, NetWars

SANS class: SEC504 Hacker Techniques, Exploits & Incident Handling
Assessment: GIAC GCIH, NetWars Continuous
4 Credit Hours

By adopting the viewpoint of a hacker, ISE 5200 provides an in-depth focus into the critical activity of incident handling. Students are taught how to manage intrusions by first looking at the techniques used by attackers to exploit a system. Students learn responses to those techniques, which can be adopted within the framework of the incident handling process to handle attacks in an organized way. The faculty instruction, lab exercises, exam, and NetWars simulation are coordinated to develop and test a student's ability to utilize the core capabilities required for incident handling.

ISE 6425: Advanced Computer Forensic Analysis and Incident Response   |   FOR 508, GCFA

SANS class: FOR 508 Advanced Digital Forensics, Incident Response, and Threat Hunting
Assessment: GIAC GCFA
3 Credit Hours

ISE 6425 teaches the necessary capabilities for forensic analysts and incident responders to identify and counter a wide range of threats within enterprise networks, including economic espionage, hacktivism, and financial crime syndicates. The course shows students how to work as digital forensic analysts and incident response team members to identify, contain, and remediate sophisticated threats-including nation-state sponsored Advanced Persistent Threats and financial crime syndicates. Students work in a hands-on lab developed from a real-world targeted attack on an enterprise network in order to learn how to identify what data might be stolen and by whom, how to contain a threat, and how to manage and counter an attack.


ISE 6440: Advanced Network Forensics and Analysis   |   FOR 572, GNFA

SANS class: FOR 572 Advanced Network Forensics and Analysis
Assessment: GNFA
3 Credit Hours

ISE 6440: Advanced Network Forensics and Analysis focuses on the most critical skills needed to mount efficient and effective post-incident response investigations. Moving beyond the host-focused experiences in ISE 6420 and ISE 6425, ISE 6440 covers the tools, technology, and processes required to integrate network evidence sources into investigations, covering high-level NetFlow analysis, low-level pcap exploration, and ancillary network log examination. Hands-on exercises in FOR 572 cover a wide range of open source and commercial tools, and real-world scenarios help the student learn the underlying techniques and practices to best evaluate the most common types of network-based attacks.


ISE 6460: Malware Analysis and Reverse Engineering   |   FOR 610, GREM

SANS class: FOR 610 Reverse-Engineering Malware: Malware Analysis Tools and Techniques
Assessment: GIAC GREM
3 Credit Hours

ISE 6460 teaches students how to examine and reverse engineer malicious programs - spyware, bots, Trojans, etc. - that target or run on Microsoft Windows, within browser environments such as JavaScript or Flash files, or within malicious document files (including Word and PDF). The course builds a strong foundation for reverse-engineering malicious software using a variety of system and network monitoring utilities, a disassembler, a debugger and other tools. The malware analysis process taught in this class helps students understand how incident responders assess the severity and repercussions of a situation that involves malicious software and plan recovery steps. Students also experience how forensics investigators learn to understand key characteristics of malware discovered during the examination, including how to establish indicators of compromise (IOCs) for scoping and containing the incident.


Download the Incident Response Certificate Program Briefing Document in .pdf format.

Over the past few years, digital crime and intrusions have increased, and Fortune 500 companies are beginning to detail data breaches and hacks: the 2013 Verizon Data Breach report spanned 47,000 security incidents, 621 confirmed data disclosures, and at least 44 million compromised records, affecting nearly every industry and company size evaluated. In this same report, Verizon notes that "70% of breaches were discovered by external parties who then identified the victim...admittedly better than the 92% observed in [last year's report]." The need for professionals inside organizations that can identify and respond to incidents before they are discovered by clients or customers is self-evident and large.

Graduates of the Incident Response post-baccalaureate certificate program will be able to:

  1. Explain the role of digital forensics and incident response in the field of information security, and recognize the benefits of applying these practices to both hosts and networks when investigating a cyber incident.
  2. Analyze the structure of common attack techniques in order to evaluate an attacker's footprint, target the ensuing investigation and incident response, and anticipate and mitigate future activity.
  3. Evaluate the effectiveness of available digital forensic tools and use them in a way that optimizes the efficiency and quality of digital forensic investigations.
  4. Utilize multiple malware analysis approaches and tools to understand how malware programs interact with digital environments and how they were coded, in order to reverse the effects of the program on networks and systems.

For additional, detailed technical goals for each course, please review the educational goals listed for each SANS class.

Tuition for each course in a certificate program is $5,000, and all courses may be taken either live at a SANS event or online from home or work. Credit is earned only when a student enrolls first in a given certificate program and then registers for the appropriate graduate courses.

Admissions to the Incident Response Certificate Program

To apply, please view the Admissions Page dedicated to the SANS Graduate Certificate Programs.