Armoris training for CSIRT staff

This project aims to develop cybersecurity human resources in Mongolia through a series of practical technical training programs conducted by Armoris Co., Ltd. (Japan). The training has been implemented in a phased manner for four institutions: the Public CSIRT, the National CSIRT, the Cybercrime Division of the Police, and the Information Technology Department of Ulaanbaatar City. The programs are designed to provide systematic learning, ranging from fundamental IT infrastructure development to advanced exercises simulating real-world incident response, with the objective of strengthening participants’ capabilities to serve as CSIRT personnel and cybersecurity professionals in the future.

As the first stage of the training, the “ARMORIS DOJO BASIC COURSE” was conducted to reinforce and solidify participants’ knowledge of basic Linux and Windows environment setup, building on the skills acquired during the “IT Infrastructure Fundamentals for Cybersecurity Engineers” course held from September 29 to October 3, 2025. In this course, participants undertook both the Linux Basic Course and the Windows Basic Course, engaging in hands-on exercises focused on server construction in virtual environments, configuration of various services (such as Web, DNS, Mail, Proxy, and Active Directory), log analysis, and user management. By comparing vulnerable configurations with updated and secured settings and observing system log behavior, participants developed a deeper understanding of IT infrastructure from a security perspective.

Upon completion of all assigned tasks, participants were required to submit a report summarizing the training content, commands used, configuration details, challenges encountered, and key lessons learned. While the use of online resources, teamwork, and AI tools was permitted, emphasis was placed on each participant’s ability to independently understand and explain their operations and configurations. In addition, focused work sessions were held at the IT Park in Ulaanbaatar to support self-study and report preparation, providing participants with dedicated time and space to concentrate on problem-solving.

Subsequently, from December 15 to 19, 2025, a more advanced training program titled “Digital Forensics and Incident Response (DFIR) Exercise” was conducted. This training aimed to enhance participants’ understanding of the role and importance of digital forensics in incident response, while providing practical experience in building investigation environments, preserving evidence, analyzing logs, and reconstructing timelines. Unlike investigations conducted for law enforcement purposes, the training placed particular emphasis on strengthening incident response capabilities for CSIRTs and internal organizational response.

The DFIR training combined lectures by experts from Armoris Co., Ltd. with hands-on exercises, covering the use of various forensic tools in both Windows and Linux environments, network traffic analysis, and investigation exercises simulating malware infections and server intrusions. On the final day, group exercises and evaluations based on realistic incident scenarios were conducted, requiring participants to demonstrate investigation and analytical skills in a manner closely aligned with real operational practice.

Through this series of training programs, participants were able to progressively acquire skills ranging from a fundamental understanding of IT infrastructure to practical incident response and forensic investigation. Training by Armoris Co., Ltd. is scheduled to resume from June next year, and it is expected that further advanced human resource development will be achieved by the conclusion of the project.

First Training

Group Photo

Third Training

Presentations by the four teams