Information Security Incident Handling Exercise

Presented at Kiwicon 2038AD: The Dystopic Future is Now (2018), Nov. 14, 2018, 9 a.m. (480 minutes)

The incident handling exercise allows participants to detect and respond to real-life incidents, and provides them with hands-on incident handling experience. The exercise uses Sparks on Wheels (SoW), a fictitious company that innovatively manages transporting people within cities using electric cars, electric motorcycles and bicycles. Participants will be provided with a brief introduction that sets the context including the technical environment, a generic incident handling process and an incident report template. In addition, they will be provided with access to SoW services and infrastructure that contain artefacts and indicators of compromise that they should analyse to identify and respond to a set of incidents. Incidents can be detected through a variety of technical and organisational events that vary in difficulty and technical depth. Some incidents do not require highly specialised technical skills to be detected. Participants are expected to analyse SOW environment and any other information provided to filter “noise” from meaningful/useful information following the process provided. They will be expected to perform the following activities while communicating and escalating issues to management and relevant stakeholders (represented by the exercise facilitators): Detect security incidents. Triage events/incidents. Analyse incidents. Contain and eradicate incidents. Recover from incidents. Write an incident report. The exercise has been developed to ensure that participants will go through all incident handling steps and will not get stuck in the incident detection phase. The timeline of the exercise is designed to provide participants with hints to ensure they detect incidents before the allocated time expires. Course Outline Participants will be provided with VPN access to SoW and all information (including documentation and process) that detail its business and technical contexts. Objective • Train participants on how to detect and triage incidents. • Train participants on following incident handling processes. • Measure participants’ incident handling capabilities. Who Should Attend? • Incident handlers. • Information security professionals. • Service desk team members/leads. • Other IT staff that may be involved in incident handling. Duration The full-day exercise agenda is as follows: • 9:00-9:45 am (45 minutes): Introduction, agenda, setting the context, etc. • 9:45-10:00 am (15minutes): Setup of VPN access to SoW service. • 10:00-12 pm (120 minutes): Incident detection, triage and analysis. • 12:00-1:00 pm (60 minutes): Lunch break. • 1:00-3:00 pm (120 minutes): Continue detection, triage and analysis. Complete containment, recovery and restoration. • 3:00-3:45 pm (45 minutes): Incident report. • 3:45-4:15 (30 minutes): Incident debriefing. • 4:15-4:45 (30 minutes): Discussions and feedback. Prerequisites: Participants are required to be bring their own laptops and chargers. Participants must have administrative privileges on their laptops. We will be configuring access to SoW environment hosted in AWS via Algo VPN. Make sure you have read the setup instructions for your platform and have the necessary dependencies installed: Participants will be provided with Internet access.


  • Ahmed ElAshmawy
    Ahmed is a Principal Consultant at Axenic Ltd. He has significant experience as a trainer, as well as being a hands-on practitioner. He is a CERT-Certified Computer Security Incident Handler (CSIH) and a SEI-Authorised Instructor. He has been previously a member of the technical team of Q-CERT, Qatar’s national Computer Emergency Response Team. He developed and conducted a number of incident response tabletop exercises, using real-world scenarios, in addition to incident management frameworks and processes for several organisations.

Similar Presentations: