DPI911 - Incident Response

Outline info
Last revision date 2024-01-29 00:30:09.791
Last review date 2024-04-01 00:15:06.256


Subject Title
Incident Response

Subject Description
Despite best efforts, evolving computer threats mean that network defenses are frequently penetrated and security incidents have become a regular occurrence in our I.T. infrastructures. It is accepted that it is a matter of when, rather than if, an incident will occur. This course covers various aspects of computer incident response. Topics include incident response preparedness, incident detection and characterization, data collection, data analysis and remediation.

Credit Status
1 credit (3 units)
Required for IFS - Bachelor of Technology (Informatics and Security)

Learning Outcomes
Upon successful completion of this subject the student will be able to:

  • Explain the steps required to create incident response processes for security breaches in information systems
  • Assemble and analyze data from a security incident to determine the nature and scope of the incident to formulate and execute remediation plans
  • Create a plan for containment, eradication and improved controls to alleviate harm incurred by a security incident
  • Implement containment, eradication and improved controls to resume normal system operation after a security incident
  • Develop strategic recommendations from incident analysis which will initiate change in security policy

Academic Integrity
Seneca upholds a learning community that values academic integrity, honesty, fairness, trust, respect, responsibility and courage. These values enhance Seneca's commitment to deliver high-quality education and teaching excellence, while supporting a positive learning environment. Ensure that you are aware of Seneca's Academic Integrity Policy, which can be found at: http://www.senecapolytechnic.ca/about/policies/academic-integrity-policy.html. Review section 2 of the policy for details regarding approaches to supporting integrity. Section 2.3 and Appendix B of the policy describe various sanctions that can be applied if there is suspected academic misconduct (e.g., contract cheating, cheating, falsification, impersonation or plagiarism).

Please visit the Academic Integrity website http://open2.senecac.on.ca/sites/academic-integrity/for-students to understand and learn more about how to prepare and submit work so that it supports academic integrity, and to avoid academic misconduct.

Discrimination/Harassment
All students and employees have the right to study and work in an environment that is free from discrimination and/or harassment. Language or activities that defeat this objective violate the College Policy on Discrimination/Harassment and shall not be tolerated. Information and assistance are available from the Student Conduct Office at student.conduct@senecapolytechnic.ca.

Accommodation for Students with Disabilities
The College will provide reasonable accommodation to students with disabilities in order to promote academic success. If you require accommodation, contact the Counselling and Accessibility Services Office at ext. 22900 to initiate the process for documenting, assessing and implementing your individual accommodation needs.

Camera Use and Recordings - Synchronous (Live) Classes
Synchronous (live) classes may be delivered in person, in a Flexible Learning space, or online through a Seneca web conferencing platform such as MS Teams or Zoom. Flexible Learning spaces are equipped with cameras, microphones, monitors and speakers that capture and stream instructor and student interactions, providing an in-person experience for students choosing to study online.

Students joining a live class online may be required to have a working camera in order to participate, or for certain activities (e.g. group work, assessments), and high-speed broadband access (e.g. Cable, DSL) is highly recommended. In the event students encounter circumstances that impact their ability to join the platform with their camera on, they should reach out to the professor to discuss. Live classes may be recorded and made available to students to support access to course content and promote student learning and success.

By attending live classes, students are consenting to the collection and use of their personal information for the purposes of administering the class and associated coursework. To learn more about Seneca's privacy practices, visit Privacy Notice.

Prerequisite(s)
SRT311
SPR600 is a co-requisite

Topic Outline
Introduction to the Incident Response Process

  • Definition of an incident
  • Targeted attack life cycle
  • Initial attack vectors
  • Stages of the process
Pre-Incident Preparation
  • Skills required
  • Infrastructure and toolkit
  • Organizational preparedness
Detection and Characterization
  • Building a timeline
  • Leads and indicators
  • Interviewing
  • Determining scope
Data Collection
  • Live data collection
  • Forensic duplication
  • Network evidence
  • Enterprise services
Data Analysis
  • Methodology
  • Investigating operating systems, e.g.:
    • Windows systems
      • NTFS and file system analysis
      • Prefetch
      • Event logs
      • Scheduled tasks
      • The registry
      • Other artifacts of interactive sessions
      • Memory
      • Alternative persistence mechanisms
    • Mac OS X systems
      • HFS+ and file system analysis
      • Core OS data
    • Linux systems
  • Investigating Applications
    • What is application data?
    • Where is application data stored?
    • Methodology
    • Web browsers
    • Email clients
    • Instant message clients
  • Malware triage
    • Malware handling
    • Triage environment
    • Static analysis
    • Dynamic analysis
  • Intelligence Management and Utilization
Remediation
  • Basic concepts
  • Pre-checks
  • Timing and Implementation
  • Containment
  • Eradication
  • Reporting
    • Strategic recommendations
    • Writing a forensic report
    • Presenting recommendations
  • Documentation

Mode of Instruction
Modes: In-class lecture, in-class exercises, and hands-on activity
Hours per week: 4
Room configuration: Computer lab
Typical scheduling pattern: Winter term

Prescribed Texts
Incident Response & Computer Forensics, ed. 3 (2014)
by Luttgens, Pepe, and Mandia
published by McGraw Hill Education
ISBN: 978-0-07-179868-6

Crafting the InfoSec Playbook: Security Monitoring and Incident Response Master Plan
by Jeff Bollinger, Brandon Enright, Matthew Valites (May 24 2015)
published by O'Reilly Media
ISBN: 978-1491949405

Blue Team Handbook: Incident Response Edition
by Don Murdoch (2014)
self-published
ISBN-13: 978-150073475

Reference Material
Online readings, assigned by the professor

Required Supplies
Removable hard drive

Student Progression and Promotion Policy
Satisfactorily complete all assignments. Assignment submissions that do not meet specifications will be returned to the student for revision and resubmission.
Satisfactorily complete all labs. Lab submissions that do not meet specifications will be returned to the student for revision and resubmission.
Pass the weighted average of all assessments
Pass the practical test
Satisfactorily complete the final project.

http://www.senecapolytechnic.ca/about/policies/student-progression-and-promotion-policy.html

Grading Policy
http://www.senecapolytechnic.ca/about/policies/grading-policy.html

A+    90% to 100%
A     80% to 89%
B+    75% to 79%
B     70% to 74%
C+    65% to 69%
C     60% to 64%
D+    55% to 59%
D     50% to 54%
F     0% to 49% (Not a Pass)
OR
EXC Excellent
SAT Satisfactory
UNSAT Unsatisfactory

For further information, see a copy of the Academic Policy, available online (http://www.senecapolytechnic.ca/about/policies/academics-and-student-services.html) or at Seneca's Registrar's Offices.


Modes of Evaluation
Practical test    20%
Labs              30%
Quiz (5+)         10%
Final Project     40%
  - Proposal      10%
  - Presentation  10%
  - Final Report  20%

Approved by: Suzanne Abraham