
C)IHE: Certified Incident Handling Engineer


Course Overview

5 days | $3,500 | 40 CPE credits

The Certified Incident Handling Engineer course is designed to help incident handlers, system administrators, and general security engineers understand how to plan, build, and use their systems to prevent, detect, and respond to security breaches. Every business connected to the internet is being probed by hackers trying to gain access. The ideal is to prevent this from happening, but realistically every business needs to know how to detect and resolve security breaches. Certified Incident Handlers are prepared to handle these situations effectively.

Students will learn the common attack techniques, vectors, and tools used by hackers so that they can effectively prevent, detect, and respond to them. This course is ideal for those who lead, or are part of, an incident handling team.

Furthermore, students will work through numerous hands-on laboratory exercises on topics such as reconnaissance, vulnerability assessment with Nessus, network sniffing, web application manipulation, malware, and Netcat, plus several additional scenarios on both Windows and Linux systems. The 20 hours of lab experience is what will put you ahead of the competition and set you apart as a leader in incident handling.


Upon Completion

Students will:

    • Have the knowledge to detect security threats, risks, and weaknesses.
    • Have the knowledge to plan for the prevention of, detection of, and response to security breaches.
    • Have the knowledge to report accurately on the findings of their examinations.
    • Be ready to sit for the C)IHE certification exam.


Course Content

With 13 modules and 14 labs, the C)IHE will prepare you to handle the toughest security breaches, because you will have both the knowledge and the hands-on experience under your belt.

Each module's agenda is listed below. Lab details are currently kept confidential.

Modules

1: Introduction

Courseware Materials
Who is this class for?
What is the purpose of this course?
What information will be covered?
The Exam
What is Incident Handling?
What is a security event?
Common Security Events of Interest
What is a security incident?
Why Incident Response?
Common Goals of Incident Response Management
What is an incident response plan?
When does the plan get initiated?
Six Step Approach to Incident Handling
Course Details

2: Threats, Vulnerabilities and Exploits

Attacks: IP Spoofing
Countermeasure: Ingress Filtering
ARP Cache Poisoning
ARP Normal Operation
ARP Cache Poisoning
ARP Cache Poisoning (Linux)
What is DNS spoofing?
Tools: DNS Spoofing
Session Hijacking
Four Methods of Session Hijacking (continued)
Methods to Prevent Session Hijacking
Buffer Overflows
Buffer Overflow Definition
Evading The Firewall and IDS
Evasive Techniques
Firewall – Normal Operation
Evasive Technique - Example
Attack: Phishing
Social Engineering
Attack: Denial of Service
Attack: Insider Threat
Wireless Attacks
Software Attacks
Vulnerability Assessment
Penetration Testing
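
The detector below is an added example written for this outline, not part of the Mile2 courseware or its labs. It replays a constructed stream of ARP replies (the IPs, MACs and timestamps are invented for illustration) and flags the two things a poisoned cache shows: an IP whose MAC changes after it was first learned, and a single MAC that claims more than one IP, which is what an attacker answering for both gateway and victim looks like. The `ArpWatcher` class and the `analyse` helper are names chosen here, not from any library; in practice the same logic would be fed from `tcpdump -n arp` output or a passive capture.

```python
"""ARP cache poisoning detection over a stream of ARP replies.

Normal ARP: a host broadcasts "who has 10.0.0.1?" and the owner answers
with its MAC; every host that hears it caches the IP->MAC pair. Poisoning
abuses the fact that caches also accept replies they never asked for: the
attacker keeps telling the victim that the gateway's IP lives at the
attacker's MAC (and tells the gateway the same about the victim), so traffic
between the two flows through the attacker.

Two host-side signals that are cheap to compute from observed replies:
  1. an IP whose MAC changes after it was first learned, and
  2. one MAC that claims more than one IP (the attacker answering for
     gateway and victim at once).
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class ArpReply:
    ts: float        # seconds since capture start
    sender_ip: str   # the IP the reply claims to own ...
    sender_mac: str  # ... and the MAC it says that IP lives at


class ArpWatcher:
    """Replays replies and records the anomalies a poisoned cache would show."""

    def __init__(self, max_ips_per_mac: int = 1):
        self.ip_to_mac: Dict[str, str] = {}
        self.mac_to_ips: Dict[str, Set[str]] = defaultdict(set)
        self.max_ips_per_mac = max_ips_per_mac
        self.alerts: List[str] = []

    def observe(self, r: ArpReply) -> None:
        mac = r.sender_mac.lower()          # normalise case before comparing
        known = self.ip_to_mac.get(r.sender_ip)
        if known is None:
            self.ip_to_mac[r.sender_ip] = mac
        elif known != mac:
            self.alerts.append(
                f"t={r.ts:.1f} {r.sender_ip} moved {known} -> {mac} (MAC changed)")
            self.ip_to_mac[r.sender_ip] = mac   # mirror what the real cache now holds
        # Alert only when a MAC gains a *new* IP beyond the allowed count, so a
        # repeated forged reply does not spam the same alert.
        before = len(self.mac_to_ips[mac])
        self.mac_to_ips[mac].add(r.sender_ip)
        after = len(self.mac_to_ips[mac])
        if after > before and after > self.max_ips_per_mac:
            self.alerts.append(
                f"t={r.ts:.1f} {mac} now claims {sorted(self.mac_to_ips[mac])} (one MAC, many IPs)")

    def suspect_macs(self) -> Set[str]:
        return {m for m, ips in self.mac_to_ips.items() if len(ips) > self.max_ips_per_mac}


def analyse(replies: List[ArpReply]) -> ArpWatcher:
    w = ArpWatcher()
    for r in sorted(replies, key=lambda x: x.ts):
        w.observe(r)
    return w


# Constructed sample capture (not real traffic): 10.0.0.1 is the gateway,
# 10.0.0.10 a workstation, 10.0.0.66 the attacker. From t=5.0 the attacker
# sends forged replies for both the gateway and the workstation.
SAMPLE_REPLIES = [
    ArpReply(0.0, "10.0.0.1", "AA:BB:CC:00:00:01"),
    ArpReply(0.5, "10.0.0.10", "aa:bb:cc:00:00:10"),
    ArpReply(1.0, "10.0.0.66", "de:ad:be:ef:00:66"),
    ArpReply(5.0, "10.0.0.1", "de:ad:be:ef:00:66"),    # forged: "gateway is at attacker MAC"
    ArpReply(5.1, "10.0.0.10", "de:ad:be:ef:00:66"),   # forged: "victim is at attacker MAC"
    ArpReply(7.0, "10.0.0.1", "de:ad:be:ef:00:66"),    # repeated to keep the cache poisoned
]

if __name__ == "__main__":
    w = analyse(SAMPLE_REPLIES)
    for a in w.alerts:
        print(a)
    print("suspect MACs:", w.suspect_macs())
```

Legitimate MAC changes do happen (a replaced NIC, a DHCP lease handed to another host, first-hop redundancy protocols that use a virtual MAC), so treat an alert as a lead to confirm against a known-good baseline with `ip neigh` or `arp -a`, not as proof. Static ARP entries for the gateway on critical hosts and dynamic ARP inspection on managed switches are the standard preventive controls.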

3: Preparation

Senior Management Support
Policies and Procedures
The Team
Identify Incident Response Team
Roles of the Incident Response Team
IRT Team Makeup
Team Organization
Incident Communication
Incident Reporting
Incident Response Training and Awareness
Underlying Technologies
Virus Total
User Identity
Ticketing System
Instructor Demo
RTIR Features and Demo
Digital Forensics
Data Backup and Recovery
Underlying Technologies
Technical Baselines


4: Request Tracker (RT) and RTIR

What is Request Tracker?
RT Cake
Why Use Request Tracker?
Who Uses Request Tracker?
RT Components
What is RTIR?
RTIR Components
RTIR Workflow
File an Incident Report
Create an Incident
Launch an Investigation
Initiating a Block

5: Preliminary Response

Responder Toolkit
Responder’s System
What to look for
First things first
Windows Log Events
Windows Services
Windows Network Usage
Windows Scheduled Tasks
Windows Accounts
Windows Tools
Linux Log Events
Linux Processes
Linux Network Usage
Linux Scheduled Tasks
Linux Accounts
Linux Files
Linux Tools

6: Identification and Initial Response

Categorize Incidents
Incident Signs
Three Basic Steps
Examples of Electronic Signs
Examples of Human Signs
Incident Documentation
Incident Prioritization
Incident Notification

7: Sysinternals

Where to get them
Process Explorer
Procexp Features
Process Monitor
Procmon Filtering Engine
Disk Utilities
Disk Monitor
Security Utilities

8: Containment

Delaying Containment
Choosing a Containment Strategy
On-site Response
Secure the Area
Conduct Research
Procedures for Containment
Make Recommendations
Establish Intervals
Capture Digital Evidence
Change Passwords

9: Eradication

Procedures for Eradication

10: Follow-up

Procedures of Follow-up

11: Incident-handling recovery

Procedure for Recovery

12: Virtual Machine Security

Virtualization Components
Virtualization Attacks
Identifying VMs

13: Malware Incident Response

History of Malware
Computer Viruses
Compiled Viruses
Interpreted Viruses
Computer Worms
Instructor Demo
Executable Wrappers
Instructor Demo
Instructor Demo
Mobile Code
Blended Attacks
Browser Plug-ins
E-mail Generators
Key Loggers
Instructor Demo
The Policy
Policy Considerations
User Awareness
Instructor Demo
Vulnerability Vs. Threat Mitigation
Patch Management
Account Security
Host Hardening
Host Hardening - Examples
Anti-virus Software
Instructor Demo
Spyware Detection and Removal
Intrusion Prevention Systems
Firewall and Routers
Application Security Settings
Instructor Demo
The Decision Flow
Confirm the Infection
Determine Course of Action Decision Flow
Clean the System Decision Flow
Attempt to Clean the System
Clean the System
Attempt to Restore System State
Rebuild the System Decision Flow
Rebuild the System
Conduct a Post-Attack Review

Labs

Lab contents are currently not disclosed.

1: Netcat (Basics of Backdoor Tools)
2: Exploiting and Pivoting our Attack
3: Creating a Trojan
4: Capture FTP Traffic
5: ARP Cache Poisoning Basics
6: ARP Cache Poisoning - RDP
7: Input Manipulation
8: Shoveling a Shell
9: Virus Total
10: Create Malware using SET
11: The Trojans
12: Examine System Active Processes and Running Services
13: Examine Startup Folders
14: The Local Registry
15: The IOC Finder – Collect
16: IOC Finder – Generate Report
17: Malware Removal


Class Format Options

Mile2 offers courses year-round and around the globe. You can attend this course in two ways:

    1. Instructor-led Classroom: Attend in person.
    2. Live-virtual Training: Attend the Instructor-led class remotely.


Who Should Attend

The C)IHE course is an incident handling course that teaches students how to plan for, detect, and respond to security breaches. In order to do this effectively we require students to understand the material in our C)ISSO: Information Systems Security Officer course. If you have taken the course or have equivalent experience/knowledge, you'll be able to learn the art of incident handling in the C)IHE course.

After you complete the C)IHE we encourage you to learn about disaster recovery and business continuity through our C)DRE: Disaster Recovery Engineer Course.


Exam Information

The Certified Incident Handling Engineer exam is taken online through Mile2’s Assessment and Certification System (MACS), which is accessible on your account. The exam will take 2 hours and consist of 100 multiple choice questions. The cost is $400 USD and must be purchased from the store on

The GIAC Certified Incident Handler exam is another certification for incident handling professionals that this course has more than prepared you to pass. We strongly recommend the more advanced C)IHE exam by Mile2. Please consult your instructor if you have any further questions. The exam is available for purchase through

GTR classes: C)PTE 11/30–12/4; C)IHE 12/07–12/11