Module: CYS5001-20 Intrusion Analysis and Response

Level: 5

Credit Value: 20

Module Tutor: John Curry

Module Tutor Contact Details: j.curry@bathspa.ac.uk

1. Brief description and aims of module:

Knowing when the confidentiality, integrity or availability of an enterprise computer system has been compromised is critical for business continuity. Understanding how to confirm a breach and respond accordingly to minimise impact and expedite a return to normal working practices is essential for the cyber security practitioner.

Intrusion Analysis and Response aims to help you develop the specialised technical knowledge needed to identify and act on potential network intrusions. We begin with a review of several types of network breach, how they are conducted, and their potential effects on business continuity. Next, we critically examine systems for detecting and preventing intrusions, including what network traffic they observe, what rules they use to flag unexpected activity, and what actions they take to eliminate threats. We then turn to incident analysis and response. Here you compare published guidance from the public and private sector, and apply methods for intrusion containment, restoring operations and improving security posture via post-incident analysis.

2.Outline syllabus

• The top 10 current network attacks

• Physical security: reducing the risk of on-site attacks

• The types, operation, and trade-offs of intrusion detection systems (IDS) and intrusion prevention systems (IPS)

• Signature, anomaly and behaviour-based detection methods

• Filtering and investigating activity alerts

• Incident response plans and protocol

• The NIST (National Institute of Standards and Technology) incident response lifecycle and alternative incident response guidance

• NCSC (National Cyber Security Centre) Incident Management guidance

• Containment strategies (segmentation, isolation, removal)

• Restoring operations: eradication and recovery activities

• Remediating vulnerabilities and enhancing security controls

• Media sanitisation techniques

• Post-incident review and incident reporting

3. Teaching and learning activities

Class Hours

Classes are predominately workshop based, allowing time to engage technologies and strategies for detecting and resolving network intrusions. Workshops are contextualised with seminar segments where concepts, published frameworks and best practice is critically examined.

Independent Learning

You are expected to undertake readings set by tutors, as well as deepen your understanding of intrusion detection/prevention and response by analysing relevant case studies.

Assessment Item 1:

• Assessment Type: Course Work

• Description: Network intrusion analysis (3,000 words).

• % Weighting: 60%

Assessment Item 2:

• Assessment Type: Course Work

• Description: Post-incident report (2,000 words)

• % Weighting: 40%