Digital Threat Digest Insights Careers Let's talk

CREST Certified Incident Manager (CCIM)

Our CREST-aligned Incident Management Specialist training provides the expert level knowledge and skills required for highly experienced cyber security professionals who have spent significant practitioner time working on incident response engagements.


Training is aligned to support individuals seeking to undertake the CREST Certified Incident Manager (CCIM) exam.

This training can be delivered virtually, at our London or Bristol facilities, or at our clients’ premises; training is typically for group bookings only.


CREST Certified Incident Manager (CCIM)


By the end of this training, you will have expanded and consolidated your technical understanding and practical experience of working on cyber security incidents to manage incidents and relevant stakeholders successfully in your organisation.


Senior practitioner-level cyber security professionals who wish to understand how to manage cyber security incidents effectively. Example roles might include:

  • Senior incident response practitioners
  • Senior digital forensics practitioners
  • IT/Cyber security practitioners with responsibilities in incident management
Learning outcomes
  • Identify, capture, contain and report malware.
  • Effectively use protocol analyzers.
  • Perform root cause analysis for information security issues.
  • Critically evaluate and establish processes for collecting, packaging, transporting, and storing electronic evidence while maintaining chain of custody.
  • Understand types of persistent data and how to collect them.
  • Assess system files that contain relevant information and where to find them.
  • Understand electronic evidence law.
  • Consider malware reverse engineering concepts.
  • Recognise how and why adversaries abuse file type.
  • Identify malware analysis tools.
  • Develop, test, and implement network infrastructure contingency and recovery plans.
  • Effectively prepare and present briefings in a clear and concise manner.
  • Prepare clear and concise reports, presentations, and briefings.

Ideally, five or more years practical experience in a digital forensics and/or incident response role and CREST Registered Intrusion Analyst (CRIA) qualification or training. As a minimum, at least 12 months’ hands on experienced once CRIA has been achieved.

Knowledge of:

  • Best practices for incident response and incident management.
  • National cyber security regulations and requirements relevant to an organisation.
  • Different types of cyber attackers, their capabilities, and objectives.
  • What constitutes a threat to network security.
  • Best practice measures or indicators of system performance and availability.
  • Best practice resource management principles and techniques.
  • Best practice server administration and systems engineering theories, concepts, and methods.
  • Best practice auditing and logging procedures.
  • Using network servers and networking tools used by an organisation or systems being tested.
  • Penetration testing principles, techniques, and best practice application

Skill in:

  • Developing policies which reflect an organisation’s business and cyber security strategic objectives

This training can be tailored to an industry or for a defined audience, with various durations. Example topics typically include:

Threat Landscape and Incident Readiness

  • Engagement Lifecycle Management
  • Incident Chronology
  • Incident Response Plan (and it’s relation to business continuity and disaster recovery)
  • Incident Response Team and Relevant Roles
  • Law & Compliance
  • Record Keeping, Interim Reporting & Final Results
  • Threat Assessment
  • Risk Analysis
  • Business Impact Assessments
  • Risk Assessments and Business Impact Assessments
  • Attack and compromise lifecycle
  • Attack / compromise lifecycles (kill chain).
  • Compromise, Disruption, Extraction of data, etc
  • Legal and Jurisdictional Issues
  • Ethics
  • Technical vulnerability root cause identification
  • Physical threats

Insider Attacks

  • Threat Identification

Collecting the Initial Facts

  • Building the Attack Timeline
  • Understanding Investigative Priorities

Initial Development of Leads

  • Define Value of Leads
  • Acting on Leads

Discover the Scope of the Incident

  • Examining Initial Data
  • Gathering and Reviewing Preliminary Evidence

Data Collection

  • Live data collection
  • When to perform a live response
  • Selecting a live response tool
  • What to collect
  • Collection best practices
  • Live data collection on Microsoft Windows Systems
  • Live data collection on Unix-based systems

Forensic Duplication

  • Forensic image formats
  • Traditional duplication
  • Live system duplication
  • Duplication of Enterprise assets
  • Duplication of Virtual machines

Network Evidence

  • Network monitoring
  • Types of network monitoring
  • Setting up network monitoring
  • Network data analysis
  • Incident Response Team Exercise
  • Applied Technical Knowledge for Incident Response
  • Host Analysis Techniques
  • Listing processes and their associated network sockets (if any)
  • Assessing patch levels on a Windows host using the command prompt
  • Finding interesting files on a Windows host

Understanding Common Data Formats

  • Interpret email headers, commenting on the reliability of the information contained within
  • Information contained within a PKI certificate
  • Encoding employed for transmission of data (e.g. web and email)

Registration Records

  • Open Source Investigation and Web Enumeration
  • Effective use of search engines and other open source intelligence sources to gain information about a target
  • Information that can be retrieved from common social networking sites

Extraction of Document Metadata

Community Knowledge

  • Ability to interpret common anti-virus threat reports
  • Ability to interpret open-source research when investigating incidents, eliminating false positives
  • Knowledge of popular open-source security resources (web sites, forums, etc.)
  • Static Network Traffic

Data Analysis

Malware Handling

  • Methods of data collection and types of data to be collected
  • Designing a collection system to ensure sufficient data is collected without overwhelming capture devices
  • Impact assessment of any changes to network
  • Knowledge of SPAN ports, traditional network TAPs and aggregating TAPs
  • Ability to estimate capture requirements during scoping.
  • Consideration of appropriate capture device deployment location.
  • Constraints and limitations of capture and analysis toolsets. Knowledge of different capture options (e.g. NetFlow, limited capture, full packet capture etc.)
  • The ability to assure integrity and security of network after introduction of a capture device
  • Provide arguments and evidence that supports the integrity of any data captured

Data Sources and Network Log Sources

  • Types of data to be collected and existing data sources
  • Proxy logs
  • Syslogs
  • Email logs
  • Firewall logs
  • DHCP logs
  • VPN logs
  • Web server logs
  • Antivirus logs
  • DNS logs
  • Domain logs
  • Windows event logs
  • Internet history
  • Database logs

Correlating information contained within any number of different log formats

Triage Environment

Status Analysis

Dynamic Analysis

  • Dynamic Network Traffic Analysis

Incident Response Manager Actions During an Incident

  • Incident Response team lead and distribute efforts
  • Convey technical findings in incident response cases with upper management and stakeholders
  • Report Writing
  • Client management
  • Containment techniques
  • Evidence handling
  • Communications
  • Recovery and remediation (linked to an organisation’s long- and short-term strategic goals)
  • On-going technical prevention
  • Threat intelligence, Contextualisation Attribution and Motivation
  • Industry Best Practice

Exam Preparation