Lesson 1: Introduction to Incident Handling
1.1 Definition of incident handling
1.2 GCIH exam objectives overview
1.3 Incident handling lifecycle
1.4 Importance of response readiness
1.5 Roles of incident responders
1.6 Categories of security incidents
1.7 Key challenges in handling incidents
1.8 Best practices in industry
1.9 Frameworks: NIST, SANS, ISO
1.10 Case study introduction
Lesson 2: Security Foundations
2.1 Basic networking concepts
2.2 TCP/IP stack review
2.3 Common protocols and vulnerabilities
2.4 Firewalls and IDS/IPS basics
2.5 Operating system architecture
2.6 Privilege escalation basics
2.7 Cryptography fundamentals
2.8 Authentication and access control
2.9 Common attack surfaces
2.10 Importance of logs
Lesson 3: Incident Response Cycle
3.1 Preparation phase overview
3.2 Detection and identification
3.3 Containment strategies
3.4 Eradication and recovery
3.5 Post-incident activities
3.6 Lessons learned meetings
3.7 Key documentation needs
3.8 Role of policies and playbooks
3.9 Escalation procedures
3.10 Continuous improvement
Lesson 4: Incident Response Teams
4.1 Incident Response Team (IRT) roles
4.2 CERT vs CSIRT differences
4.3 Communication channels
4.4 Chain of command
4.5 Coordination with external agencies
4.6 Legal and compliance aspects
4.7 Building incident response policies
4.8 Training and simulations
4.9 Knowledge base and IR tools
4.10 Evaluating team readiness
Lesson 5: Attacker Techniques Overview
5.1 Reconnaissance tactics
5.2 Social engineering methods
5.3 Exploiting vulnerabilities
5.4 Gaining persistence
5.5 Privilege escalation methods
5.6 Pivoting across systems
5.7 Data exfiltration techniques
5.8 Covering tracks
5.9 Common attacker tools
5.10 Case study examples
Lesson 6: Reconnaissance Techniques
6.1 Passive vs active reconnaissance
6.2 Open-source intelligence (OSINT)
6.3 DNS interrogation
6.4 Whois and registrar lookups
6.5 Social engineering reconnaissance
6.6 Network mapping tools
6.7 Web application reconnaissance
6.8 Email harvesting
6.9 Search engine exploitation
6.10 Footprinting case study
Lesson 7: Scanning & Enumeration
7.1 Port scanning basics
7.2 Banner grabbing
7.3 Service identification
7.4 Vulnerability scanners (Nmap, Nessus)
7.5 SMB and NetBIOS enumeration
7.6 SNMP enumeration
7.7 LDAP enumeration
7.8 Web directory brute-forcing
7.9 Automation of scanning
7.10 Logging and detection
Lesson 8: Exploitation Techniques
8.1 Buffer overflows basics
8.2 Exploiting weak passwords
8.3 SQL injection
8.4 Cross-site scripting (XSS)
8.5 Command injection
8.6 File inclusion attacks
8.7 Remote code execution
8.8 Metasploit exploitation modules
8.9 Client-side exploitation
8.10 Wireless exploitation
Lesson 9: Privilege Escalation
9.1 Local privilege escalation concepts
9.2 Windows escalation techniques
9.3 Linux privilege escalation
9.4 Exploiting misconfigurations
9.5 Password dumping tools
9.6 Kernel exploits
9.7 SUID/SGID exploitation
9.8 Registry and service misconfigurations
9.9 Escalation persistence methods
9.10 Real-world scenarios
Lesson 10: Maintaining Access
10.1 Rootkits overview
10.2 Backdoors and trojans
10.3 Web shells
10.4 Persistence techniques in Windows
10.5 Persistence in Linux/Unix
10.6 Remote administration tools
10.7 Credential storage attacks
10.8 Living-off-the-land binaries (LOLBins)
10.9 Using scheduled tasks for persistence
10.10 Detecting persistence
Lesson 11: Malware Handling
11.1 Types of malware
11.2 Worms vs viruses
11.3 Trojans and backdoors
11.4 Ransomware attacks
11.5 Malware propagation techniques
11.6 Fileless malware
11.7 Indicators of compromise (IoC)
11.8 Malware analysis stages
11.9 Malware containment
11.10 Prevention strategies
Lesson 12: Rootkits & Spyware
12.1 Kernel-mode rootkits
12.2 User-mode rootkits
12.3 Firmware and bootkits
12.4 Spyware techniques
12.5 Rootkit detection tools
12.6 Anti-rootkit strategies
12.7 Registry persistence by spyware
12.8 Hidden process detection
12.9 File integrity monitoring
12.10 Real case analysis
Lesson 13: Web Application Attacks
13.1 OWASP Top 10 overview
13.2 SQL injection handling
13.3 Cross-site scripting defense
13.4 CSRF exploitation and prevention
13.5 File upload vulnerabilities
13.6 Directory traversal attacks
13.7 Web server misconfigurations
13.8 Session hijacking
13.9 Web application firewalls (WAFs)
13.10 Log monitoring for web attacks
Lesson 14: Password Attacks
14.1 Password cracking concepts
14.2 Dictionary attacks
14.3 Brute-force attacks
14.4 Rainbow tables
14.5 Hashcat usage
14.6 John the Ripper basics
14.7 Credential stuffing
14.8 Multi-factor authentication bypass
14.9 Password attack detection
14.10 Mitigation strategies
Lesson 15: Denial of Service Attacks
15.1 DoS fundamentals
15.2 DDoS botnets
15.3 Application layer DoS
15.4 Volumetric attacks
15.5 Protocol exploitation attacks
15.6 Reflection and amplification
15.7 DoS detection tools
15.8 DoS mitigation techniques
15.9 Role of ISPs in DDoS defense
15.10 Historical DDoS incidents
Lesson 16: Insider Threats
16.1 Types of insiders
16.2 Motivations of insiders
16.3 Indicators of insider threat
16.4 Social engineering by insiders
16.5 Data exfiltration methods
16.6 Policy enforcement
16.7 Insider threat monitoring
16.8 Behavioral analytics
16.9 Case study: malicious insider
16.10 Insider threat response
Lesson 17: Wireless Attacks
17.1 Wi-Fi fundamentals
17.2 WPA2/WPA3 vulnerabilities
17.3 Rogue access points
17.4 Evil twin attacks
17.5 Man-in-the-middle over Wi-Fi
17.6 Packet sniffing wireless networks
17.7 Bluetooth exploitation
17.8 Wireless IDS/IPS
17.9 Detecting rogue devices
17.10 Best practices in wireless security
Lesson 18: Phishing & Social Engineering
18.1 Phishing attack lifecycle
18.2 Spear phishing attacks
18.3 Whaling campaigns
18.4 Voice phishing (vishing)
18.5 SMS phishing (smishing)
18.6 Social engineering psychology
18.7 BEC (Business Email Compromise)
18.8 Detecting phishing attempts
18.9 Anti-phishing training
18.10 Real-world phishing cases
Lesson 19: Incident Detection Tools
19.1 SIEM solutions overview
19.2 IDS/IPS detection
19.3 Endpoint detection and response (EDR)
19.4 Threat intelligence integration
19.5 Log correlation analysis
19.6 Packet capture and analysis
19.7 Honeypots and honeynets
19.8 Alert triage
19.9 Automation in detection
19.10 Continuous monitoring
Lesson 20: Incident Containment
20.1 Containment principles
20.2 Isolating compromised hosts
20.3 Blocking malicious IPs
20.4 DNS sinkholing
20.5 Account lockdowns
20.6 Quarantine strategies
20.7 Data preservation during containment
20.8 Minimizing collateral damage
20.9 Containment communication protocols
20.10 Containment testing
Lesson 21: Eradication Techniques
21.1 Removing malware
21.2 Patching vulnerabilities
21.3 Removing backdoors
21.4 Registry and configuration fixes
21.5 Rootkit eradication challenges
21.6 Credential reset protocols
21.7 Host re-imaging
21.8 Validation of eradication
21.9 Forensic collection before eradication
21.10 Case studies
Lesson 22: Recovery Process
22.1 Restoring operations
22.2 Validating system integrity
22.3 Network reintroduction protocols
22.4 Continuous monitoring post-recovery
22.5 Verifying data integrity
22.6 Recovery documentation
22.7 Business continuity plans
22.8 Disaster recovery role in incidents
22.9 Testing restored systems
22.10 Lessons learned
Lesson 23: Forensic Readiness
23.1 Importance of digital forensics
23.2 Volatile vs non-volatile data
23.3 Chain of custody
23.4 Evidence preservation
23.5 Imaging storage media
23.6 Live response forensics
23.7 Memory capture tools
23.8 Common forensic frameworks
23.9 Legal admissibility of evidence
23.10 Forensic case study
Lesson 24: Windows Forensics
24.1 Windows registry analysis
24.2 Event log analysis
24.3 Prefetch files
24.4 Browser artifacts
24.5 Recycle bin forensics
24.6 NTFS artifacts
24.7 LNK files and jump lists
24.8 Timeline analysis
24.9 Windows Sysinternals tools
24.10 Practical case example
Lesson 25: Linux Forensics
25.1 File system structures
25.2 Log file examination
25.3 Bash history analysis
25.4 Cron jobs and scheduled tasks
25.5 Linux memory acquisition
25.6 Processes and services forensics
25.7 User and authentication logs
25.8 Rootkit detection in Linux
25.9 File integrity monitoring tools
25.10 Real-world case
Lesson 26: Network Forensics
26.1 Basics of packet capture
26.2 Wireshark analysis
26.3 NetFlow analysis
26.4 Protocol anomalies
26.5 Session reconstruction
26.6 Detecting exfiltration
26.7 Identifying lateral movement
26.8 Email header analysis
26.9 Network forensic case studies
26.10 Preserving network evidence
Lesson 27: Threat Intelligence
27.1 Role of threat intelligence
27.2 Tactical vs strategic intelligence
27.3 Indicators of compromise (IoCs)
27.4 Threat intelligence feeds
27.5 Threat hunting methodologies
27.6 ATT&CK framework usage
27.7 Threat sharing platforms (STIX, TAXII)
27.8 Threat actor profiling
27.9 Predictive threat intelligence
27.10 Practical examples
Lesson 28: Cloud Security Incidents
28.1 Cloud service models
28.2 Shared responsibility model
28.3 Cloud threats overview
28.4 Misconfigured cloud storage
28.5 Cloud credential theft
28.6 Cloud forensics challenges
28.7 Cloud-native security tools
28.8 Incident response in AWS
28.9 Incident response in Azure
28.10 Case study
Lesson 29: Mobile Security Incidents
29.1 Mobile OS architecture
29.2 Common mobile threats
29.3 Mobile malware
29.4 Jailbreaking and rooting
29.5 Mobile app vulnerabilities
29.6 Mobile device management (MDM)
29.7 Mobile forensic acquisition
29.8 Incident response for mobile devices
29.9 BYOD security risks
29.10 Case examples
Lesson 30: Ransomware Response
30.1 Ransomware evolution
30.2 Initial infection vectors
30.3 Encryption techniques used
30.4 Detecting ransomware early
30.5 Containment of ransomware spread
30.6 Negotiation considerations
30.7 Backup and recovery strategy
30.8 Post-ransomware forensic analysis
30.9 Legal and compliance issues
30.10 Case studies
Lesson 31: Advanced Persistent Threats (APT)
31.1 APT definition and lifecycle
31.2 Nation-state attackers
31.3 APT kill chain
31.4 Persistence techniques in APTs
31.5 APT exfiltration methods
31.6 Detecting APT indicators
31.7 Threat intelligence for APTs
31.8 APT response playbooks
31.9 Famous APT case studies
31.10 Lessons learned
Lesson 32: Incident Communication
32.1 Internal communication protocols
32.2 External communication guidelines
32.3 Press release handling
32.4 Stakeholder updates
32.5 Law enforcement communication
32.6 Regulatory communication
32.7 Avoiding panic in communication
32.8 Communication templates
32.9 Role of PR in incidents
32.10 Case examples
Lesson 33: Legal & Compliance
33.1 Data protection laws overview
33.2 GDPR and incident reporting
33.3 HIPAA breach handling
33.4 PCI-DSS incident requirements
33.5 SOX compliance
33.6 Cybercrime legal frameworks
33.7 Role of law enforcement
33.8 Evidence admissibility rules
33.9 Incident disclosure obligations
33.10 Compliance audits
Lesson 34: Metrics & Reporting
34.1 Incident severity classification
34.2 Metrics for response efficiency
34.3 Mean time to detect (MTTD)
34.4 Mean time to respond (MTTR)
34.5 Incident cost evaluation
34.6 Reporting templates
34.7 Visual dashboards for incidents
34.8 Stakeholder reporting
34.9 Lessons learned documentation
34.10 Post-mortem reviews
Lesson 35: Incident Handling Tools
35.1 SIEM solutions comparison
35.2 EDR/EPP platforms
35.3 Threat hunting tools
35.4 Malware sandboxing tools
35.5 Forensic acquisition tools
35.6 Log analysis platforms
35.7 Automation and orchestration (SOAR)
35.8 Incident ticketing systems
35.9 Open-source tools for IR
35.10 Case toolkits
Lesson 36: Incident Response Planning
36.1 Building incident response plans
36.2 Defining scope of IR plans
36.3 Aligning with frameworks (NIST, ISO)
36.4 Business continuity integration
36.5 Risk-based response planning
36.6 Testing IR plans
36.7 Plan update cycles
36.8 Playbooks creation
36.9 Stakeholder approvals
36.10 Example IR plan
Lesson 37: Simulation & Drills
37.1 Tabletop exercises
37.2 Red team-blue team simulations
37.3 Purple teaming
37.4 Live-fire incident drills
37.5 Simulation tools
37.6 Evaluating team performance
37.7 Gap analysis
37.8 Updating IR plans post-drill
37.9 Training staff continuously
37.10 Lessons learned from drills
Lesson 38: Incident Postmortem
38.1 Purpose of postmortem
38.2 Incident documentation review
38.3 Root cause analysis
38.4 Timeline reconstruction
38.5 Lessons learned extraction
38.6 Stakeholder postmortem reporting
38.7 Future preventive measures
38.8 Updating playbooks
38.9 Communication of findings
38.10 Example postmortem template
Lesson 39: Business Continuity in IR
39.1 Role of BCP in incident response
39.2 Disaster recovery planning
39.3 Identifying critical systems
39.4 High availability systems
39.5 Data backup and redundancy
39.6 Alternate work sites
39.7 Business continuity drills
39.8 Integrating IR and BCP
39.9 Crisis management team
39.10 Best practices
Lesson 40: Emerging Threats
40.1 IoT security threats
40.2 AI-driven attacks
40.3 Supply chain compromises
40.4 Deepfake threats
40.5 Quantum cryptography risks
40.6 Zero-day vulnerabilities
40.7 Cloud-native attack trends
40.8 Nation-state advanced attacks
40.9 Critical infrastructure targeting
40.10 Emerging threat mitigation
Lesson 41: Risk Management & IR
41.1 Role of risk management in IR
41.2 Risk assessment methods
41.3 Identifying high-risk assets
41.4 Risk prioritization in IR
41.5 Risk mitigation techniques
41.6 Cost vs benefit analysis
41.7 Residual risk considerations
41.8 Integrating IR with ERM
41.9 Risk communication
41.10 Case study
Lesson 42: Threat Hunting
42.1 Threat hunting principles
42.2 Hypothesis-driven hunting
42.3 Data sources for hunting
42.4 Threat hunting frameworks
42.5 Tools for proactive hunting
42.6 Hunting with ATT&CK framework
42.7 Automating threat hunts
42.8 Reporting hunting results
42.9 Continuous hunting culture
42.10 Case examples
Lesson 43: Cyber Kill Chain & MITRE ATT&CK
43.1 Cyber kill chain phases
43.2 Reconnaissance stage
43.3 Weaponization and delivery
43.4 Exploitation and installation
43.5 Command and control
43.6 Actions on objectives
43.7 MITRE ATT&CK matrix overview
43.8 Mapping attacks to ATT&CK
43.9 Defenses aligned to ATT&CK
43.10 Practical application
Lesson 44: Security Awareness
44.1 Importance of awareness programs
44.2 Phishing training campaigns
44.3 Role-based security training
44.4 Security awareness tools
44.5 Gamification in training
44.6 Measuring awareness effectiveness
44.7 Insider threat awareness
44.8 Regulatory training requirements
44.9 Continuous learning culture
44.10 Awareness program lifecycle
Lesson 45: Cyber Insurance
45.1 Role of cyber insurance
45.2 Coverage scope
45.3 Insurance claim process
45.4 Incident notification requirements
45.5 Exclusions and limitations
45.6 Premium calculations
45.7 Role in risk management
45.8 Case examples of insurance claims
45.9 Regulatory impacts
45.10 Future of cyber insurance
Lesson 46: Red Teaming & IR
46.1 Role of red teams
46.2 Simulating real-world attacks
46.3 Blue team responses
46.4 Purple teaming collaboration
46.5 Red team tools and tactics
46.6 Red vs blue exercises
46.7 Measuring defense readiness
46.8 Incident handler lessons from red teams
46.9 Continuous improvement from red team findings
46.10 Case studies
Lesson 47: Incident Automation & SOAR
47.1 SOAR definition
47.2 Automating triage
47.3 Automated containment actions
47.4 Playbook automation
47.5 AI in incident response
47.6 Integrating SOAR with SIEM
47.7 Benefits of automation
47.8 Challenges in SOAR deployment
47.9 Metrics for automation success
47.10 Future of automated incident handling
Lesson 48: Incident Documentation
48.1 Importance of accurate documentation
48.2 IR templates and forms
48.3 Log retention policies
48.4 Documentation in chain of custody
48.5 Documentation during drills
48.6 Automation in documentation
48.7 Common mistakes in documentation
48.8 Audit trails
48.9 Documentation review process
48.10 Practical templates
Lesson 49: Career in Incident Handling
49.1 GCIH exam overview
49.2 Exam domains breakdown
49.3 Recommended training resources
49.4 Hands-on lab preparation
49.5 Career paths for incident handlers
49.6 Certifications roadmap (GCIH, GCIA, GCFA)
49.7 Skills in demand
49.8 Salary trends
49.9 Professional communities and networking
49.10 Continuous learning
Lesson 50: Final Review & Case Studies
50.1 Comprehensive exam revision
50.2 Key incident handling models
50.3 Real-world breach investigations
50.4 Famous cyber incidents analysis
50.5 Tools recap and labs
50.6 Reporting best practices
50.7 Mock incident response exercise
50.8 Common mistakes to avoid
50.9 Ethical responsibilities
50.10 Final readiness checklist