Secu2: Incident response

Everyone is talking about "cyberwar", industrial espionage and data theft. Once an attack has been detected, it is important to act in a considered and organized manner. We therefore offer a workshop that provides a basis for action when responding to IT security incidents.

Basic incident response procedure

  • 5-phase model
  • What is only possible internally? What can be outsourced?
  • Dos and don'ts (unknown tools, "blaming", etc.)

Preparation: Incident readiness

  • Basic tools
  • Personal preparation ("know your tools, know your procedures")
  • Organizational preparation (reporting chains and awareness)
  • Technical preparation - analysis of the existing network ("baselining", structure, etc.)

Attack detection

  • Working methods of hackers
  • Anti-forensic measures and what can still be seen
  • Warnings from third parties
  • IPS, SIEM, etc.

Attack analysis

  • Log files and protocols
  • Security tests and malware analysis
  • Forensic investigation vs. triage: weighing the individual analysis methods
  • Identification of the attack vector

Defensive measures and clearing up

  • Importance of people when protecting systems
  • Concentration on tools
  • Limits of IPS, SIEM, AV and firewall

"Lessons learned" and organizational structures

Attack patterns and analysis of exemplary attacks

  • "Know your enemy"
  • Phishing and classic Internet crime
  • Investigation and targeted attacks
  • OpSec and the interaction between IT security and other security
  • Analysis of exemplary attacks

Technical requirements

Basic knowledge of networks, forensics and Linux

Three days