University of Technology Sydney

43010 Cyber Threat Intelligence and Incident Response

Warning: The information on this page is indicative. The subject outline for a particular session, location and mode of offering is the authoritative source of all information about the subject for that offering. Required texts, recommended texts and references in particular are likely to change. Students will be provided with a subject outline once they enrol in the subject.

Subject handbook information prior to 2024 is available in the Archives.

UTS: Information Technology: Electrical and Data Engineering
Credit points: 6 cp
Result type: Grade and marks

Requisite(s): ((48730 Cybersecurity AND 41181 Information Security and Management) OR 32548 Cybersecurity)
These requisites may not apply to students in certain courses.
There are course requisites for this subject. See access conditions.

Recommended studies:

sound knowledge of computer networking; knowledge of internet security vulnerabilities and defences at the network and application level; awareness of security operations (SecOps) concepts

Description

Cyber threat intelligence involves gathering and analysing information about potential cyber threats and risks from a range of sources. It helps organisations understand the tactics used by malicious actors and enables them to proactively identify and mitigate cyber threats.

Incident response is a structured process that empowers organisations to identify and address cybersecurity incidents and encompasses various stages, including preparing, preventing, detecting, analysing, containing, eliminating, and recovering from cyber-attacks or security breaches. It involves preparing for potential incidents, promptly detecting incidents and assessing the impact of the incidents, containing and eliminating the threat, recovering systems and data, and learning from the experience to enhance future incident response capabilities.

This subject brings these two concepts together by equipping students with the skills and knowledge to both prepare for, and respond to, cyber-attacks in organisational contexts. Through industry case studies and practical exercises, students will develop their abilities to proactively defend against cyber threats, mitigate risks, and strategically respond to incidents.

Subject learning objectives (SLOs)

Upon successful completion of this subject students should be able to:

1. Identify social, environmental, economic and ethical aspects of Security Operations (SecOps). (B.1)
2. Design a strategy for cyber threat intelligence and incident response that reflects contemporary research and industry practice. (C.1)
3. Analyse cyber threat intelligence from various sources to detect and respond to contemporary cyber incidents. (D.1)
4. Demonstrate the ability to respond appropriately to simulated cybersecurity incidents in a security operations (SecOps) context. (D.1)

Course intended learning outcomes (CILOs)

This subject also contributes specifically to the development of the following Course Intended Learning Outcomes (CILOs):

  • Socially Responsible: FEIT graduates identify, engage, interpret and analyse stakeholder needs and cultural perspectives, establish priorities and goals, and identify constraints, uncertainties and risks (social, ethical, cultural, legislative, environmental, economics etc.) to define the system requirements. (B.1)
  • Design Oriented: FEIT graduates apply problem solving, design and decision-making methodologies to develop components, systems and processes to meet specified requirements. (C.1)
  • Technically Proficient: FEIT graduates apply abstraction, mathematics and discipline fundamentals, software, tools and techniques to evaluate, implement and operate systems. (D.1)

Contribution to the development of graduate attributes

This subject contributes to the development of the following SFIA competencies for the role “Cyber Security Technician/Engineer”:

USUP: Incident Management – SFIA Level 3
SCAD: Security Operations – SFIA Level 4

Teaching and learning strategies

This subject is designed with learning activities that help students both build their knowledge of cyber threat intelligence processes and learn practical strategies for identifying and responding to cyber attacks (incident response).

Students build their knowledge through a series of online videos and readings which are completed before class. A weekly 1-hour online interactive workshop supports students in engaging with the technical content and guides them in preparing for their quizzes and project work.

In addition to the online workshops, students will complete a series of on-campus labs throughout the session focusing on security operations (SecOps). Students will be presented with realistic case studies of cyber attacks, and will engage hands-on with the processes of incident response such as incident detection, impact assessment and strategies to contain or eliminate the threat and recover systems and data. While completing each lab, students are expected to keep lab journal notes which are collated to become a lab portfolio which is submitted for assessment. Feedback on labs is provided to the whole class after each lab, to enable students to learn and improve in later lab tasks.

Students should note that some labs may be completed in a secure facility at UTS. This differs from a typical computer lab room in that students will only be permitted to enter and exit the facility at designated times, and will not be permitted to bring personal electronic devices into the secure facility. More information will be provided on UTS Canvas, but students who have concerns or questions about this are encouraged to speak with the Subject Coordinator in week 1.

Students are strongly encouraged to attend workshop and lab sessions which are designed for collaboration and to complement each other in helping students develop their proficiency in both cyber threat intelligence and incident response.

The different components of the subject are drawn together in a final case study project. In the final project, students are asked to apply their knowledge of cyber threat intelligence and incident response in researching and preparing a report relating to a provided case study, from the perspective of a professional cybersecurity analyst.

Content (topics)

  • An overview of information security and risk management
  • Planning for organizational readiness
  • Contingency strategies for incident response and business continuity
  • Incident response: planning
  • Incident response: organising and preparing the response team
  • Incident response: incident detection strategies
  • Incident response: detection systems
  • Incident response: response strategies
  • Incident response: recovery, maintenance, and investigations
  • Incident response: crisis management
  • Threat intelligence: map data to MITRE ATT&CK
  • Threat intelligence: analyse and recommend from ATT&CK-mapped data

Assessment

Assessment task 1: Quizzes

Intent:

To receive feedback on understanding of technical concepts introduced in the subject through videos, readings and online workshops.

Objective(s):

This assessment task addresses the following subject learning objectives (SLOs):

1 and 3

This assessment task contributes to the development of the following Course Intended Learning Outcomes (CILOs):

B.1 and D.1

Type: Quiz/test
Groupwork: Individual
Weight: 20%
Length:

20 minutes per quiz

Assessment task 2: Lab portfolio

Intent:

To demonstrate capability in responding to realistic cybersecurity incidents.

Objective(s):

This assessment task addresses the following subject learning objectives (SLOs):

3 and 4

This assessment task contributes to the development of the following Course Intended Learning Outcomes (CILOs):

D.1

Type: Laboratory/practical
Groupwork: Group, individually assessed
Weight: 50%

Assessment task 3: Case study report

Intent:

To demonstrate a holistic approach to cyber threat intelligence and incident response, integrating research skills with contemporary industry practice in designing a response to a case study scenario.

Objective(s):

This assessment task addresses the following subject learning objectives (SLOs):

1 and 2

This assessment task contributes to the development of the following Course Intended Learning Outcomes (CILOs):

B.1 and C.1

Type: Report
Groupwork: Group, group and individually assessed
Weight: 30%
Length:

6000 words

Minimum requirements

In order to pass the subject, a student must achieve an overall mark of 50% or more.

Required texts

Michael E. Whitman, Herbert J. Mattord, Principles of Incident Response and Disaster Recovery, 3rd Edition, Cengage, 2020