This course prepares cybersecurity and IT personnel to detect, contain, and eradicate ransomware attacks while utilizing SIEM‑centric log analysis and coordinated incident‑response workflows—including crisis‑communication tactics for executives and stakeholders. Through labs and realistic scenarios, participants learn to transform raw security data into actionable intelligence and execute confident, well‑communicated response plans.
Course Overview Table
| Chapter | Details |
| --- | --- |
| Partner | Military Academy General Mihailo Apostolski – Skopje |
| Title | Advance Defence and Network Monitoring |
| Service | Cybersecurity |
| Target Group | IT/security staff in organizations that are looking to implement or optimize SIEM solutions |
| Format | In-Person Training (with practical exercises/labs) |
| Focused on Key Technologies | Ransomware detection stacks, EDR, SIEM, Threat‑Intel feeds, Incident‑Response platforms |
| Status | Ready to offer |
| Stakeholders from SME/PA Side | Small-to-medium enterprises, public agencies, IT security teams |
| Requirements for Participation | Basic/intermediate networking knowledge, familiarity with Linux/Windows environments, and some cybersecurity fundamentals |
| Estimated Duration | Two days (approximately 16 hours) |
Description of the Course
Introduction
Effective defence demands proactive monitoring, fast incident triage, and clear communication under pressure. This course arms security practitioners with the technical and procedural skills to detect malware early via SIEM analytics, coordinate rapid containment, and steer crisis communication to maintain stakeholder trust.
Technical Context and Examples
Participants configure SIEM rules to flag ransomware indicators (e.g., mass file modifications, anomalous network traffic), integrate threat‑intelligence feeds, and practice full‑lifecycle response in a simulated breach. Real‑world case studies (e.g., WannaCry, Ryuk, Conti) demonstrate the cost of delayed detection and the power of rehearsed communication plans.
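As an added illustration of the "mass file modifications" indicator mentioned above (this is example code written for this page, not lab material from the course or any vendor's SIEM), the block below implements a sliding-window correlation rule of the kind a SIEM runs over endpoint file-audit events: it groups modify/rename events by host and user and raises an alert when one principal touches at least `threshold` files within `window_seconds`, reporting how many distinct directories the burst spanned. The log format, field names, sample lines and thresholds are all assumptions constructed for the example.

```python
"""Sliding-window detection of mass file modifications, a typical SIEM
correlation rule for early ransomware warning (example code, assumptions
about log format and thresholds are stated in the comments)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample log lines (not real telemetry). Assumed format:
# ISO-8601 UTC timestamp followed by key=value pairs for host, user, action and path.
# alice: a few edits over several minutes (benign); bob: eight edits in ~20 s
# across several share directories (suspicious); carol: six edits 20 s apart,
# which stays under the 60 s window but trips a 120 s one.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z host=ws01 user=alice action=modify path=/home/alice/docs/report.docx
2024-05-01T09:03:10Z host=ws01 user=alice action=modify path=/home/alice/docs/budget.xlsx
2024-05-01T09:07:45Z host=ws01 user=alice action=read path=/home/alice/docs/notes.txt
2024-05-01T09:10:00Z host=ws02 user=bob action=modify path=/srv/share/finance/q1.xlsx
2024-05-01T09:10:03Z host=ws02 user=bob action=modify path=/srv/share/finance/q2.xlsx
2024-05-01T09:10:06Z host=ws02 user=bob action=modify path=/srv/share/hr/payroll.docx
2024-05-01T09:10:09Z host=ws02 user=bob action=rename path=/srv/share/hr/contracts.pdf
2024-05-01T09:10:12Z host=ws02 user=bob action=modify path=/srv/share/legal/nda.docx
2024-05-01T09:10:15Z host=ws02 user=bob action=modify path=/srv/share/legal/msa.docx
2024-05-01T09:10:18Z host=ws02 user=bob action=modify path=/srv/share/eng/design.vsdx
2024-05-01T09:10:21Z host=ws02 user=bob action=modify path=/srv/share/eng/spec.docx
2024-05-01T09:20:00Z host=ws03 user=carol action=modify path=/home/carol/a.txt
2024-05-01T09:20:20Z host=ws03 user=carol action=modify path=/home/carol/b.txt
2024-05-01T09:20:40Z host=ws03 user=carol action=modify path=/home/carol/c.txt
2024-05-01T09:21:00Z host=ws03 user=carol action=modify path=/home/carol/d.txt
2024-05-01T09:21:20Z host=ws03 user=carol action=modify path=/home/carol/e.txt
2024-05-01T09:21:40Z host=ws03 user=carol action=modify path=/home/carol/f.txt
"""

# Actions that count as a write to the file; reads are ignored by this rule.
WRITE_ACTIONS = {"modify", "rename"}


def parse_event(line):
    """Parse one log line into a dict with a timezone-aware 'ts' field."""
    ts_str, *pairs = line.split()
    event = dict(p.split("=", 1) for p in pairs)
    event["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return event


def detect_mass_modification(lines, threshold=5, window_seconds=60):
    """Return one alert per burst of >= threshold writes by a (host, user)
    pair inside a sliding window of window_seconds. Events must be in time order."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # (host, user) -> deque of (ts, path) inside the window
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = parse_event(line)
        if ev.get("action") not in WRITE_ACTIONS:
            continue
        dq = recent[(ev["host"], ev["user"])]
        dq.append((ev["ts"], ev["path"]))
        # Evict events that fell out of the window relative to the newest event.
        while dq and dq[0][0] <= ev["ts"] - window:
            dq.popleft()
        if len(dq) >= threshold:
            dirs = {p.rsplit("/", 1)[0] for _, p in dq}
            alerts.append({
                "host": ev["host"],
                "user": ev["user"],
                "count": len(dq),
                "distinct_dirs": len(dirs),  # spread across directories suggests crawling
                "first_seen": dq[0][0].isoformat(),
                "last_seen": ev["ts"].isoformat(),
            })
            dq.clear()  # one alert per burst; later events start a fresh window
    return alerts


if __name__ == "__main__":
    for alert in detect_mass_modification(SAMPLE_LOG.splitlines()):
        print(alert)
```

With the defaults (5 writes in 60 s) only bob's burst fires; widening the window to 120 s also catches carol, which is the tuning trade-off the course's lab on rule tuning is about: a short window suppresses slow but legitimate batch jobs, a long one catches throttled encryption at the cost of more false positives. In a production SIEM the same logic would be expressed in the platform's correlation language and enriched with EDR process context before reaching an analyst.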
Detailed Explanation of Core Concepts
- Kill‑chain stages, early‑warning telemetry, EDR rule tuning, backup integrity checks, immutable storage
- Log collection pipelines, parsing & enrichment, correlation rules, UEBA, dashboarding for execs
- IR phases (prepare, detect, contain, eradicate, recover), playbook automation, executive & public messaging, regulatory notification timelines
Tentative agenda of the course
- Course Introduction
- Module 1: Ransomware Kill‑Chain & Defence Tactics
- Module 2: SIEM Fundamentals & Log Engineering
- Module 3: Advanced Analytics & Threat‑Intel Fusion
- Module 4: Incident Response Orchestration
- Module 5: Crisis Communication & Stakeholder Management
- Final Exam: Practical Assessment
Conclusion and Unique Value:
By the end of this course, participants will be able to deploy and maintain an open-source SIEM solution and will have the fundamentals needed to operate it effectively. They will develop the skills to monitor security events in real time, integrate threat intelligence into their detection processes, and orchestrate swift incident response.
Additional Course Information
| Category | Details |
| --- | --- |
| Developed skills | Participants will acquire knowledge and skills, including: crafting & tuning SIEM detection logic for ransomware indicators; executing rapid containment and forensic triage procedures; drafting crisis‑communication templates and managing executive briefings; coordinating technical and non‑technical teams during high‑stress incidents |
| Learning Methods Used | Instructor‑led lectures & white‑board sessions; guided labs with SIEM/EDR and SOAR platforms; group tabletop exercises for crisis‑communication practice |
| References/Resources | NIST SP 800‑61r2 – Computer Security Incident Handling Guide; MITRE ATT&CK & D3FEND for ransomware techniques & mitigations; FIRST Traffic Light Protocol (TLP) for information‑sharing discipline; vendor docs for leading SIEM/SOAR and EDR solutions |
| Overview Slides | / |