Training Courses

FIRST is providing several different trainings with the goal to educate new CSIRTs and enhance the capabilities of current teams. All material is available under the Creative Commons BY-NC-SA 4.0 license.

If you are interested in hosting a training please contact us through FIRST Training Support. Please note that we need a request at least 60 days before the training to allow enough time to find a suitable trainer. The earlier we know the topic for the training, expected number of attendees and their assumed skill level, the better we can accommodate the request.

Available Trainings

• FIRST CSIRT Basic Course
• FIRST Threat intelligence fundamentals Course
• FIRST Fusion Course
• DNS: Preventation, Detection, Disruption and Defense
• Mastering CVSSv3.1
• PSIRT Training
• Incident Handling for Policy makers
• Breach Workshops
• Conducting Exercises to improve Incident Response
• Third party training material

FIRST CSIRT Basic Course

The goal of the basic course is to give an introduction into the operation of a CSIRT. It consists of the following six modules:

1. CSIRT Fundamentals
2. Starting with a CSIRT
3. CSIRT Operation
4. Working with Information Sources
5. Incident Coordination
6. CSIRT Performance Measurement

FIRST Threat intelligence fundamentals Course

FIRST has a large threat intelligence community forming the Cyber Threat Intelligence special interest group. Practitioners from this community have developed a Threat intelligence fundamentals training, covering:

• What is cyber threat intelligence?
• Collection methods
• Analysis techniques
• Reporting

The training can be delivered in 1,5-2 days. Most students can benefit from the training, but some prior knowledge of some part of the cyber domain is beneficial.

FIRST Threat intel Pipelines Course

FIRST Fusion Training

Services that conduct analysis and inclusion of multiple data sources. Take feeds of information, regardless of the source, and integrate it into an overall view of the situation (Situational Awareness).

The need for this training is identified by existing and upcoming CSIRTs. In both instances they are looking how to serve their constituency by providing appropriate information. We recommend participants in this training to be familiar with the basic concepts of threat intelligence and to have working knowledge of basic Linux commands.

The training will cover the following topics:

• Determine the methods and techniques (algorithms) or technologies used to analyze (fuse) the information.
• Analysis (fusing) of the data resources using the data in the knowledge management system to identify commonalities and relationships amongst the data.
• Security Advisement: Services providing advice to a constituent or line-of- business on the execution and implementation of pertinent security operations or functions.
• Patch Management: Services that assist constituency with the capabilities necessary to manage the identification of inventory, systems to patch, deployment and verification of patch installation.

This training can be delivered in 1-1,5 days.

It consist of seven modules:

1. Actionable Information
2. Collection
3. Preparation
4. Storage
5. Analysis
6. Distribution
7. Lab: Extracting Indicators
8. Lab: Handout

Please note that this is an older version of the training. It was updated in 2022, but the outline is similar to this one.

Malware Analysis

A one day course focused around rapid triage of malicious content and next steps. These steps can be taken by a small team when targeted by specific malware. After completion of this process you can hand off to your AV vendor with a summary of your findings and links to any reports that you have generated. The aim is to complete this process in about 30 minutes, have a definite answer whether something is malware or not, and give the AV vendor enough to go on as a starting point.

1. The malware ecosystem
2. Analysing Malware Artefacts
3. Sharing Artefact information

Download all materials

DDoS Mitigation Fundamentals

This training course offers a comprehensive introduction to DDoS attacks. The material covers the following topics:

• What role do DDoS services play in the underground?
• Most prevalent types of attacks
• How do popular webservers handle DoS situations
• What are strategies to mitigations.

The training consists of ten modules and some supporting material

1. Table of Contents
2. Introduction
3. The Adversary
4. Network Fundamentals
5. Attack Surface
6. Network Technology
7. Attacks
8. Reflection and amplification attacks
9. Mitigation Strategies
10. Working Together
11. Supporting Materials

Download all materials

DNS: Prevention, Detection, Disruption and Defense

Materials available to course participants following training delivery upon request.

The duration of this training as a in person event is 1 day.

Mastering CVSSv3.1

The Common Vulnerability Scoring System (CVSS) is an open framework for communicating the characteristics and severity of software vulnerabilities. This self-paced e-learning course will specifically help you master CVSS version 3.1.

In this course, you will learn how to:

• Articulate tactical and business benefits of CVSS
• Describe relevant changes from CVSS v2.0 to CVSS v3.0
• Distinguish among Base, Temporal, and Environmental Metrics
• Identify CVSS scoring rubrics and how to use them
• Make calculations for the various types of CVSS metrics
• Apply CVSS metrics to case studies about real-world vulnerabilities
• Show your knowledge about CVSS v3.1 in a course project
• Leverage resource guides for continued learning on CVSS

The course is available on our Learning Platform

There is also a shorter, slides based, version of the training available: Introduction to CVSS v3.0

PSIRT Training

This video-based course introduces practitioners to the core Service Areas of the PSIRT Services Framework.

The course covers the key concepts of developing and maintaining a mature PSIRT. Topics include:

• What a PSIRT is and the various organizational structures to them;
• The foundations of a solid PSIRT;
• How to define and manage stakeholders;
• Vulnerability discovery, reporting, and intake;
• Vulnerability qualification and reproduction;
• Patch management, remediation, and incident handling;
• Stakeholder notification, coordination, and disclosure;
• Training within your organization to ensure efficient product security processes.

The course is available on our Learning Platform

Incident Handling for Policy makers

This course is aimed at policymakers and decision makers. Participants will learn how incident response on a global scale functions and what the preconditions for establishing a successful CSIRT community are. Rather than presenting simple recipes the training focuses on concepts which are worked out by analysing real world incidents.

Incident Response for Policy makers

Breach Workshops

This series of three workshops will walk participants through a major security incident. In an interactive setting participants will have to take decisions, affecting the outcome. There are three workshops available:

• A major datacenter breach
• The infection of waterplant
• An APT in a financial institution

FIRST Breach Workshops

Conducting Exercises to improve Incident Response

Conducting exercices is extremely valuable to practice and improve your incident handling skills. This training course will teach students how to create and conduct an exercise, from a table top exercise to a full-fledged event with multiple participants.

Conducting Exercises to Improve Incident Response

IPv6 Security

The Training will give an overview of the security aspects of the 'new' Internet Protocol IPv6. Participants will learn the differences to IPv4-related to security. The training also covers a deep dive into selected protocol details and their accompanied attacks including demonstrations. The participants will get recommendations on the mitigation of IPv6-related attacks and how to strategically approach IPv6 Security in an organisation. Last but not least, an overview of useful IPv6 Security Resources and Tools is provided.

IPv6 Security

The Lab/Demo setup is available as five VirtualBox images. To use it download the zip archive IPv6-Security-VMs.zip. Attention: This file is 6.6 GB in size.

FIRST Security Bootcamp

This Training will give non expert an introduction into the basic functioning of the internet with a particular focus on security. The content is a pre requisit for the FIRST CSIRT Basic Course.

FIRST Security Bootcamp

This training is also available as five part online course.

Third party training material

A number of other organisations make training materials available under an open source license, which may be of interest to the FIRST community. Below some resources are listed in the hope that they may be useful. Being listed does not imply an endorsement of the material by FIRST.

TRANSITS Materials

TRANSITS aims to provide affordable, high-quality training to both new and experienced CSIRT personnel, as well as individuals with a bona-fide interest in establishing a CSIRT. The training course materials have been collaboratively developed by members of GÉANT’s task force TF-CSIRT and are frequently updated in order to ensure they remain relevant to existing practices.

TRANSITS material

ENISA CSIRT training material

The European Network and Information Security Agency has developed a full curriculum of courses for CSIRTs. This material is typically a bit more advanced than the FIRST basic training. It is useful for teams that want to acuire more specific skills.

All material is available from ENISA's training website

RIPE

The RIPE Network Coordination Centre offers a number of training course mostly focusing around networking issues. Many of these trainings have strong security aspects and may be of interest to teams dealing with such issues. Some of the material is available under 2-Clause BSD License from RIPE's Training website

ICS-CERT

The ISC-CERT operates a virtual leraning portal. These online trainings target ICS operation and security. They are available, free of charge, from the ICS-CERT VLP portal.

MISP

All official MISP Training Materials are available under an open license. This includes:

• Core MISP (software and standard) trainings
• Threat intelligence and OSINT training
• Building information sharing communities workshop

OASIS STIX/TAXII Version 2 Training

OASIS Cyber Threat Intelligence (CTI) developed a full day of training that covers STIX/TAXII Version 2 Concepts & Overview; STIX Data Model Foundations; TAXII Foundations; STIXPreferred Interoperability Certification and STIX/TAXII In Practice.

All material is available here.