Maxtrain.com - [email protected] - 513-322-8888 - 866-595-6863


Certified Incident Handling Engineer

Alert Me


The Certified Incident Handling Engineer course is designed to help incident handlers, system administrators, and general security engineers understand how to plan, create, and utilize their systems in order to prevent, detect, and respond to security breaches. Every business connected to the internet is getting probed by hackers trying to gain access. The ideal situation I to prevent this from happening, but realistically every business needs to know how to detect and resolve security breaches. Certified Incident Handlers are prepared to do handle these situations effectively.

In this 5 day instructor-led course students will learn common attack techniques, vectors, and tools used by hackers, so that they can effectively prevent, detect, and respond against them. This course is ideal for those who lead incident handling teams or are part of an incident handling team.

Furthermore, students will enjoy numerous hands-on laboratory exercises that focus on topics, such as reconnaissance, vulnerability assessments using Nessus, network sniffing, web application manipulation, malware and using Netcat plus several additional scenarios for both Windows and Linux systems. The 20 hours of experience in our labs is what will put you ahead of the competition and set you apart as a leader in incident handling.

Upon Completion

Students will:

  • Have knowledge to detect security threats, risk, and weaknesses.
  • Have knowledge to plan for prevention, detection, and responses to security breaches.
  • Have knowledge to accurately report on their findings from examinations.
  • Be ready to sit for the C)IHE Certification Exam

With 13 modules and 14 Labs, the C)IHE will prepare you to handle the toughest incidents of security breaches because you will have knowledge and experience under your belt.

Exam Information

The Certified Incident Handling Engineer exam is taken online through Mile2`s Assessment and Certification System (MACS), which is accessible on your mile2.com account. The exam will take 2 hours and consist of 100 multiple choice questions. The cost is $300 USD and must be purchased from the store on Mile2.com.

The GIAC Certified Incident Handler exam is another certification for incident handling professionals that this course has more than prepared you to pass. We strongly recommend the more advanced C)IHE exam by Mile2. Please consult your instructor if you have any further questions. The exam is available for purchase through giac.org


1: Introduction
  • Introduction
  • Courseware Materials
  • Who is this class for?
  • What is the purpose of this course?
  • What information will be covered?
  • The Exam
  • What is Incident Handling?
  • What is a security event?
  • Common Security Events of Interest
  • What is a security incident?
  • Why Incident Response?
  • Common Goals of Incident Response Management
  • What is an incident response plan?
  • When does the plan get initiated?
  • Six Step Approach to Incident Handling
  • Course Details
2: Threats, Vulnerabilities and Exploits
  • Overview
  • Malware
  • Botnets:
  • Attacks: IP Spoofing
  • CM: Ingress Filtering
  • ARP Cache Poisoning
  • ARP Normal Operation
  • ARP Cache Poisoning
  • ARP Cache Poisoning (Linux)
  • Countermeasures
  • What is DNS spoofing?
  • Tools: DNS Spoofing
  • Session Hijacking
  • Session Hijacking
  • 4 Methods continued
  • Methods to Prevent Session Hijacking
  • Buffer Overflows
  • Buffer Overflow Definition
  • Evading The Firewall and IDS
  • Evasive Techniques
  • Firewall – Normal Operation
  • Evasive Technique -Example
  • Attack: Phishing
  • Social Engineering
  • SET
  • SET
  • Attack: Denial of Service
  • Attack: Insider Threat
  • Wireless Attacks
  • Software Attacks
  • Vulnerability Assessment
  • Penetration Testing
  • Exploitation
  • Review
3: Preparation
  • Overview
  • Senior Management Support
  • Policies and Procedures
  • The Team
  • Identify Incident Response Team
  • Roles of the Incident Response Team
  • IRT Team Makeup
  • Team Organization
  • Incident Communication
  • Incident Reporting
  • Incident Response Training and Awareness
  • Underlining Technologies
  • Anti-virus
  • Virus Total
  • Demo
  • SEIM
  • User Identity
  • Ticketing System
  • Instructor Demo
  • RTIR Features and Demo
  • Digital Forensics
  • eDiscovery
  • Data Backup and Recovery
  • Underlining Technologies
  • Technical Baselines
  • Overview
  • What is Request Tracker?
  • RT Cake
  • Why Use Request Tracker?
  • Who Uses Request Tracker?
  • RT Components
  • Tickets
  • Queues
  • What is RTIR?
  • RTIR Components
  • RTIR Workflow
  • File an Incident Report
  • Create an Incident
  • Launch an Investigation
  • Initiating a Block
  • RTFM
5: Preliminary Response
  • Overview
  • Responder Toolkit
  • Responder`s System
  • What to look for
  • Attention
  • Volatility
  • First things first
  • Windows Log Events
  • Windows Log Events
  • Windows Services
  • Windows Network Usage
  • Windows Network Usage
  • Windows Scheduled Tasks
  • Windows Accounts
  • Windows Tools
  • Linux Log Events
  • Linux Log Events
  • Linux Processes
  • Linux Network Usage
  • Linux Scheduled Tasks
  • Linux Accounts
  • Linux Files
  • Linux Files
  • Linux Tools
  • Review
6: Identification and Initial Response
  • Goal
  • Challenges
  • Categorize Incidents
  • Incident Signs
  • Three Basic Steps
  • Receive
  • Examples of Electronic Signs
  • Examples of Human Signs
  • Analyze
  • Analysis
  • Incident Documentation
  • Incident Prioritization
  • Incident Notification
7: Sysinternals
  • Overview
  • Introduction
  • Where to get them
  • Process Explorer
  • Procexp Features
  • Process Monitor
  • Promon Filtering engine
  • Autoruns
  • PsTools
  • Psexec
  • Disk Utilities
  • Disk Monitor
  • Diskview
  • Security Utilities
  • Sigcheck
  • TCPView
8: Containment
  • Overview
  • Containment
  • Goals
  • Delaying Containment
  • Choosing a Containment Strategy
  • On-site Response
  • Secure the Area
  • Conduct Research
  • Procedures for Containment
  • Make Recommendations
  • Establish Intervals
  • Capture Digital Evidence
  • Change Passwords
9: Eradication
  • Overview
  • Eradication
  • Goals
  • Procedures for Eradication
10: Follow-up
  • Overview
  • Follow-up
  • Goals
  • Procedures of Follow-up
11: Incident-handling recovery
  • Overview
  • Recovery
  • Goals
  • Procedure for Recovery

12: Virtual Machine Security

  • Virtualization Components
  • Virtualization Attacks
  • Identifying VMs
13: Malware Incident Response
  • Agenda
  • History of Malware
  • Computer Viruses
  • Compiled Viruses
  • Interpreted Viruses
  • Computer Worms
  • Trojans
  • Backdoors
  • Instructor Demo
  • Executable Wrappers
  • Instructor Demo
  • Rootkits
  • Instructor Demo
  • Mobile Code
  • Blended Attacks
  • Cookies
  • Browser Plug-ins
  • E-mail Generators
  • Key Loggers
  • Instructor Demo
  • Review
  • Agenda
  • The Policy
  • Policy Considerations
  • User Awareness
  • Instructor Demo
  • Vulnerability Vs. Threat Mitigation
  • Patch Management
  • Account Security
  • Host Hardening
  • Host Hardening - Examples
  • Anti-virus Software
  • Instructor Demo
  • Spyware Detection and Removal
  • Intrusion Prevention Systems
  • Firewall and Routers
  • Application Security Settings
  • Instructor Demo
  • Review
  • Agenda
  • The Decision Flow
  • Confirm the Infection
  • Determine Course of Action Decision Flow
  • Clean the System Decision Flow
  • Attempt to Clean the System
  • Clean the System
  • Attempt to Restore System State
  • Rebuild the System Decision Flow
  • Rebuild the System
  • Conduct a Post-Attack Review
  • Review


1: Netcat (Basics of Backdoor Tools)

Currently not disclosed

2: Exploiting and Pivoting our Attack

Currently not disclosed

3: Creating a Trojan

Currently not disclosed

4: Capture FTP Traffic

Currently not disclosed

5: ARP Cache Poisoning Basics

Currently not disclosed

6: ARP Cache Poisoning - RDP

Currently not disclosed

7: Input Manipulation

Currently not disclosed

8: Shoveling a Shell

Currently not disclosed

9: Virus Total

Currently not disclosed

10: Create Malware using SET

Currently not disclosed

11: The Trojans

Currently not disclosed

12: Examine System Active Processes and Running Services

Currently not disclosed

13: Examine Startup Folders

Currently not disclosed

14: The Local Registry

Currently not disclosed

15: The IOC Finder – Collect

Currently not disclosed

16: IOC Finder – Generate Report

Currently not disclosed

17: Malware Removal

Currently not disclosed


  • Security Sentinel
  • Information Systems Security Officer
  • OR Equivalent Experience


The C)IHE course is an incident handling course that teaches students how to plan for, detect, and respond to security breaches. In order to do this effectively we require students to understand the material in our C)ISSO: Information Systems Security Officer course. If you have taken the course or have equivalent experience/knowledge, you'll be able to learn the art of incident handling in the C)IHE course.

After you complete the C)IHE we encourage you to learn about disaster recovery and business continuity through our C)DRE: Disaster Recovery Engineer Course.

$3500.00 List Price

5 Days Course

Class Dates

Request a Date or a Private Class below.

Loading ...