Unit 3: Incident Response

UNIT TITLE Lead cyber security incident response

This unit develops the skills and knowledge required to lead a team in the response to a cyber security incident and take responsibility for planning, detecting and investigating security incidents and managing response.

It applies to individuals, employed or contractors who are working in positions of authority and are approved to implement change within a department or across the organisation. They have responsibility for directly supervising others.

No occupational licensing, certification or specific legislative requirements apply to this unit at the time of publication.

Elements describe the essential outcomes of the unit. Performance criteria describe the performance needed to demonstrate achievement of the element.
1. Plan for security incident

1.1 Establish, define and maintain an organisational definition of information security incidents to allow accurate identification of and response to incidents

1.2 Establish incident detection and response objectives and requirements with senior management or client

1.3 Establish human, technological and equipment resource requirements to detect and respond to security incidents

1.4 Develop incident response policies, procedures, manuals and supporting documents

1.5 Define roles and responsibilities of team members and external providers

1.6 Identify and prioritise critical infrastructure and data assets

1.7 Determine and document incident thresholds

1.8 Obtain required resources to prepare for an incident

2. Detect and investigate security incidents

2.1 Build, deploy and test security detection tools to alert team members of critical security events

2.2 Triage security events to identify potential incidents

2.3 Conduct computer forensic investigation to confirm the extent of security incidents

2.4 Review investigation findings and propose potential consequences of security incidents

2.5 Document methods of compromise employed by the attacker

2.6 Lead team and monitor completion of allocated tasks and adherence to procedures

3. Plan response to incidents

3.1 Prepare a report detailing incidents and recommended solutions

3.2 Conduct an impact assessment against the report findings, analyse the assessment results and make adjustments to minimise risks

3.3 Consult senior management or client and obtain approval to implement preferred solutions

3.4 Develop an action plan to execute agreed solutions and seek approval for implementation

4. Respond to a computer intrusion

4.1 Communicate roles and responsibilities with team members

4.2 Isolate or monitor intrusion points, as documented in the action plan to prevent future attacks

4.3 Recover systems, data and connectivity to resume business operations

4.4 Oversee implementation of action plan and achievement of tasks within defined timeframes

4.5 Monitor effectiveness of action plan and adjust to ensure achievement of planned objectives

4.6 Review effectiveness of actions implemented and document findings, detailing recommendations to reduce likelihood of future incidents

Foundation skills essential to performance are explicit in the performance criteria of this unit of competency.

TITLE Assessment Requirements for CYBLCS003 Lead cyber security incident response

Evidence of the ability to complete tasks outlined in elements and performance criteria of this unit in the context of the job role, and:

  • Keep detailed technical logs containing indicators of compromise or attack discovered, the steps taken to mitigate the threat and the business impact of security intrusions
  • On a minimum of one (1) occasion build a:
    • Real-time endpoint detection and response tool
    • Breach assessment scanner
    • Malware analysis framework
  • Produce reports applying reverse engineering for a minimum of the following:
    • One web malware
    • One kernel malware
    • One firmware malware
    • Two user-land malware
    • Two shellcodes

The learner must be able to demonstrate the essential knowledge required to effectively complete the tasks outlined in the elements and performance criteria of this unit, manage the tasks and manage contingencies in the context of the work role.

This includes knowledge of:

  • Legal and ethical boundaries
  • Effective use of verbal and non-verbal communication to extract information from a range of people and clearly communicate with senior management, clients, stakeholders and team members
  • Language skills to translate technical findings so they are understood by business and lay persons
  • Indicators of compromise in the following locations:
    • DNS, NetFlow, PCAPs and web logs
    • Event logs
    • Binaries, executables, processes, DLLs and scripts
    • Users and groups
    • Software installed
    • Windows registry
    • File system
    • Browsing history
    • Document metadata
  • Deception techniques:
    • Honeypots
    • Honeynets
  • Reverse engineering techniques:
    • Static reverse engineering:
      • Manual decompilation
      • Manual unpacking
      • Binary reconstruction
    • Dynamic reverse engineering:
      • Process analysis
      • System integrity and activity monitoring
      • Network analysis
      • Sandboxes

Assessment may be in the form of:

  • work samples
  • written assignments
  • theoretical examination
  • observation

Both practical skills and knowledge must be assessed.

Assessor requirements

No specialist vocational competency requirements for Assessors apply to this unit.