Module: CYS5001-20 Intrusion Analysis and Response
Level: 5
Credit Value: 20
Module Tutor: John Curry
Module Tutor Contact Details: j.curry@bathspa.ac.uk
1. Brief description and aims of module:
Knowing when the confidentiality, integrity or availability of an enterprise computer system has been compromised is critical for business continuity. Understanding how to confirm a breach and respond accordingly to minimise impact and expedite a return to normal working practices is essential for the cyber security practitioner.
Intrusion Analysis and Response aims to help you develop the specialised technical knowledge needed to identify and act on potential network intrusions. We begin with a review of several types of network breach, how they are conducted, and their potential effects on business continuity. Next, we critically examine systems for detecting and preventing intrusions, including what network traffic they observe, what rules they use to flag unexpected activity, and what actions they take to eliminate threats. We then turn to incident analysis and response. Here you compare published guidance from the public and private sector, and apply methods for intrusion containment, restoring operations and improving security posture via post-incident analysis.
2. Outline syllabus
The top 10 current network attacks
Physical security: reducing the risk of on-site attacks
The types, operation, and trade-offs of intrusion detection systems (IDS) and intrusion prevention systems (IPS)
Signature, anomaly and behaviour-based detection methods
Filtering and investigating activity alerts
Incident response plans and protocol
The NIST (National Institute of Standards and Technology) incident response lifecycle and alternative incident response guidance
NCSC (National Cyber Security Centre) Incident Management guidance
Containment strategies (segmentation, isolation, removal)
Restoring operations: eradication and recovery activities
Remediating vulnerabilities and enhancing security controls
Media sanitisation techniques
Post-incident review and incident reporting
3. Teaching and learning activities
Class Hours
Classes are predominantly workshop based, allowing time to engage with technologies and strategies for detecting and resolving network intrusions. Workshops are contextualised with seminar segments in which concepts, published frameworks and best practice are critically examined.
Independent Learning
You are expected to undertake readings set by tutors, as well as deepen your understanding of intrusion detection/prevention and response by analysing relevant case studies.
Assessment Type: Course Work
Description: Network intrusion analysis (3,000 words).
% Weighting: 60%
Assessment Type: Course Work
Description: Post-incident report (2,000 words)
% Weighting: 40%