Certificate Programs: Incident Response

The SANS Technology Institute offers a post-baccalaureate certificate in Incident Response, based entirely upon four courses already available as an elective path through its graduate program leading to a Master of Science Degree in Information Security Engineering.

As an independent offering, the graduate certificate in Incident Response is a highly technical, 13-credit-hour program with a cohesive and progressive set of learning outcomes. These learning outcomes are focused on developing the student's capability to manage both computer- and network-based forensic investigations as well as the appropriate incident responses.

Because the certificate program is based on the courses that may be chosen by a master's candidate during the normal course of studies, all credits earned while completing the Incident Response certificate program may be applied directly in fulfillment of the master's degree requirements should the student matriculate in the master's program within five years of earning the certificate.

Curriculum - 13 Credit Hours

Required Courses:
ISE 5201: Hacker Tools, Techniques, Exploits, & Incident Handling | SEC 504, GCIH

Content: SANS SEC 504 Hacker Techniques, Exploits & Incident Handling
Assessment: GIAC GCIH Exam
3 Credit Hours

By adopting the viewpoint of a hacker, ISE 5201 provides an in-depth focus into the critical activity of incident handling. Students are taught how to manage intrusions by first looking at the techniques used by attackers to exploit a system. Students learn responses to those techniques, which can be adopted within the framework of the incident handling process to handle attacks in an organized way. The faculty instruction, lab exercises, and exam are coordinated to develop and test a student's ability to utilize the core capabilities required for incident handling.

ISE 6425: Advanced Digital Forensics, Incident Response, & Threat Hunting | FOR 508, GCFA

Content: SANS FOR 508 Advanced Digital Forensics, Incident Response, and Threat Hunting
Assessment: GIAC GCFA Exam
3 Credit Hours

ISE 6425 teaches the capabilities forensic analysts and incident responders need to identify and counter a wide range of threats within enterprise networks, including economic espionage, hacktivism, and financial crime syndicates. The course shows students how to work as digital forensic analysts and incident response team members to identify, contain, and remediate sophisticated threats, including nation-state sponsored Advanced Persistent Threats and financial crime syndicates. Students work in a hands-on lab developed from a real-world targeted attack on an enterprise network in order to learn how to identify what data might have been stolen and by whom, how to contain a threat, and how to manage and counter an attack.

ISE 6440: Advanced Network Forensics and Analysis | FOR 572, GNFA

Content: SANS FOR 572 Advanced Network Forensics and Analysis
Assessment: GIAC GNFA Exam
3 Credit Hours

ISE 6440: Advanced Network Forensics and Analysis focuses on the most critical skills needed to mount efficient and effective post-incident response investigations. Moving beyond the host-focused experiences in ISE 6420 and ISE 6425, ISE 6440 covers the tools, technology, and processes required to integrate network evidence sources into investigations, covering high-level NetFlow analysis, low-level pcap exploration, and ancillary network log examination. Hands-on exercises in FOR 572 cover a wide range of open source and commercial tools, and real-world scenarios help the student learn the underlying techniques and practices to best evaluate the most common types of network-based attacks.

ISE 6460: Reverse-Engineering Malware | FOR 610, GREM

Content: SANS FOR 610 Reverse-Engineering Malware: Malware Analysis Tools and Techniques
Assessment: GIAC GREM Exam
3 Credit Hours

ISE 6460 teaches students how to examine and reverse engineer malicious programs (spyware, bots, Trojans, etc.) that target or run on Microsoft Windows, within browser environments such as JavaScript or Flash files, or within malicious document files (including Word and PDF). The course builds a strong foundation for reverse-engineering malicious software using a variety of system and network monitoring utilities, a disassembler, a debugger, and other tools. The malware analysis process taught in this class helps students understand how incident responders assess the severity and repercussions of a situation that involves malicious software and plan recovery steps. Students also learn how forensic investigators identify the key characteristics of malware discovered during an examination, including how to establish indicators of compromise (IOCs) for scoping and containing the incident.

ISE 6400: Certificate Program Capstone | DFIR NetWars Continuous

Content: DFIR NetWars Continuous
1 Credit Hour

DFIR NetWars Continuous is an incident simulator packed with a vast number of forensic, malware analysis, threat hunting, and incident response challenges designed to help students gain proficiency without the risk associated with working real-life incidents.

Over the past few years, digital crime and intrusions have increased, and Fortune 500 companies are beginning to detail data breaches and hacks: the 2013 Verizon Data Breach report spanned 47,000 security incidents, 621 confirmed data disclosures, and at least 44 million compromised records, affecting nearly every industry and company size evaluated. In the same report, Verizon notes that "70% of breaches were discovered by external parties who then identified the victim...admittedly better than the 92% observed in [last year's report]." The need for professionals inside organizations who can identify and respond to incidents before clients or customers discover them is therefore both self-evident and large.

Learn How To

  1. Explain the role of digital forensics and incident response in the field of information security, and recognize the benefits of applying these practices to both hosts and networks when investigating a cyber incident.
  2. Analyze the structure of common attack techniques in order to evaluate an attacker's footprint, target the ensuing investigation and incident response, and anticipate and mitigate future activity.
  3. Evaluate the effectiveness of available digital forensic tools and use them in a way that optimizes the efficiency and quality of digital forensic investigations.
  4. Utilize multiple malware analysis approaches and tools to understand how malware programs interact with digital environments and how they were coded, in order to reverse the effects of the program on networks and systems.
