CyberBastion as a platform for strengthening Montenegro's national capabilities in detecting, responding to, and managing cyber incidents

On September 24–25, 2025, an Incident Response & Institutional Hardening Workshop was held in Podgorica, Montenegro, bringing together key stakeholders from government institutions, regulatory bodies, and technical teams.

The workshop on incident response and institutional hardening was organized jointly by CRDF Global and the US Department of State, as well as the Secure Cyberspace Foundation.

The workshop aimed to strengthen Montenegro’s national capabilities in detecting, responding to, and managing cyber incidents, in line with the country’s newly adopted Information Security Act and broader cybersecurity strategy. The event also supported Montenegro’s ongoing alignment with EU cybersecurity frameworks, such as the NIS2 Directive, and promoted the development of a resilient national cybersecurity ecosystem.

The two-day program combined theoretical sessions with practical exercises and simulations based on international best practices and real-life cyberattack scenarios. The training used the CyberBastion simulation platform to enable interactive scenario-based learning for participants.

The workshop was divided into six thematic modules:

• Module 1 – Defense in Depth Model and Core Security Functions (NIST CSF):

Participants learned about the multi-layered protection model and discussed how the security functions of Govern, Identify, Protect, Detect, Respond, and Recover defined in the NIST Cybersecurity Framework 2.0 standard can be applied in Montenegro.

Scenario: Attack on a water treatment plant, focusing on assessing the effectiveness of controls and resilience.

• Module 2 – Threat profiling and forecasting:

Focused on profiling advanced persistent threat (APT) groups, their motives, and techniques. Participants analyzed real APT campaigns (e.g., Sandworm, APT29) using the Cyber Kill Chain and MITRE ATT&CK frameworks.

Scenario: Simulation of a disinformation campaign.

• Module 3 – Incident response process (PICERL model):

This covered the six phases of incident response: preparation, identification, containment, eradication, recovery, and lessons learned. Participants developed incident response manuals in accordance with NIST SP 800-61r3 and the Montenegrin legal framework.

Scenario: Case study of the Cuba ransomware campaign.

• Module 4 – Methods of collecting and using information in cybersecurity:

This module discussed the difference between indicators of attack (IoA) and indicators of compromise (IoC), as well as ways to use cyber threat intelligence (CTI) effectively.

Scenario: Volt Typhoon – a simulation of an attack on the supply chain.

• Module 5 – Sources of security event data and detection rules:

Participants were familiarized with various data sources (system, network, and application logs) and with Sigma detection rules, which allow threats to be detected regardless of platform.

Scenario: Analysis of an espionage campaign.

• Module 6 – Building an optimal cybersecurity infrastructure:

Participants designed resilient architectures and learned how to adapt defenses to the tactics, techniques, and procedures used by attackers.

Scenario: Fusion SOC concept applied to an attack on a power plant (Ukraine 2015).

Each module included discussion sessions, practical simulations, and an assessment of the effectiveness of selected security measures. During the final session, conclusions were summarized and certificates of completion were awarded.

We invite you to cooperate with us!

If your organization would like to use the CyberBastion platform in a similar or completely different scenario, focused on testing and developing the ability to build cyber resilience, coordinate actions, and respond appropriately to incidents, please contact us.

Exercises carried out in CyberBastion can be based on recognized standards and regulations, such as NIS2, DORA, or GDPR, and can also be adapted to national or sectoral needs.

Together, we can prepare a simulation that will allow you to test both technical response procedures and organizational mechanisms for cooperation in crisis situations.
