Credits
6
Types
Specialisation complementary (Information Technologies)
Requirements
- Corequisite: SI
Department
AC
- Funcionamiento del CyberThreat Intelligence
- Análisis de logs del sistema
- Reglas y mecanismos de detección
- Antivirus y su funcionamiento
- EDR/XDR, cómo funcionan y para qué se utilizan
Teachers
Person in charge
- René Serral Gracià (rserral@ac.upc.edu)
Weekly hours
Theory
2
Problems
0
Laboratory
2
Guided learning
0
Autonomous learning
6
Objectives
-
Identify threat actors and characterize the methodology of APTs (Advanced Persistent Threats), determining the factors that negatively impact system security in order to minimize their effects.
Related competences: CT7.3, -
Manage, analyze and monitor the logs of Operating Systems (syslog/journalctl in Linux, Event Viewer in Windows), demonstrating knowledge of their structure to maintain systems and detect anomalies.
Related competences: CTI2.2, CT6.3, -
Apply security information storage, processing and access tools through SIEM platforms and the use of YARA rules to centralize and correlate large volumes of events.
Related competences: CT7.3, CT2.4, -
Understand the inner workings of detection systems (signatures, heuristics, behavior and AI), by reading and effectively using manuals and specifications of cybersecurity products written in English.
Related competences: G3.1, CT2.3, -
Evaluate and compare different defense hardware and software solutions (Antivirus, EPP, EDR and XDR) according to quality and technical effectiveness criteria to select the best option according to the environment.
Related competences: CT7.2, -
Evaluate and compare different defense hardware and software solutions (Antivirus, EPP, EDR and XDR) according to quality and technical effectiveness criteria to select the best option according to the environment.
Related competences: CTI2.2, CT6.3, -
Direct and plan the security management of the IT infrastructure through the design of formal Cybersecurity Plans, ensuring their reliability in accordance with ethical principles and current regulations.
Related competences: CTI2.1, CT2.3, -
Develop automated response and orchestration (SOAR) strategies, making technological decisions based on objective criteria and experimental data extracted from incidents.
Related competences: CT7.2, G7.2, -
Analyze the presence of security breaches through system logs
Related competences: G3.2, G6.1, -
Carry out the practical and laboratory tasks of the subject within the established deadlines, progressively applying guided and directed learning, and critically evaluating one's own progress, strengths and technical weaknesses in incident analysis.
Related competences: G7.1, G7.2,
Contents
-
Introduction to CyberThreat Intelligence
This topic establishes the foundations of Cyber ¿¿Threat Intelligence (CTI). It analyzes the intelligence lifecycle to transform raw data into actionable knowledge, enabling organizations to move from a reactive to a proactive defense.
It examines the levels of intelligence (strategic, operational, tactical, and technical) and how key concepts such as Indicators of Commitment (IoC) and Tactics, Techniques, and Procedures (TTP) are integrated into security tools (such as SIEM or EDR). The ultimate goal is to learn how to anticipate attacks, profile malicious actors, and expedite incident response. -
Log Analysis
This topic delves into Log Analysis, a fundamental piece for threat visibility and detection. The student will learn to extract, interpret, and correlate operating system logs to track attacks and detect anomalies.
In Linux environments, log management and analysis will be explored using key tools such as syslog and journalctl. For Windows, the study will focus on mastering the Event Viewer to identify critical security events, such as suspicious logins or system alterations. This basic technical domain is the previous and essential step for the subsequent centralization in SIEM systems. -
Evolution of threat detection
This topic traces the technological evolution of defense tools, starting with the first signature-based antivirus. It analyzes the transition to Next Generation Antivirus (NGAV) and EPP platforms, focused on maximizing prevention on computers.
Next, it addresses the paradigm shift towards continuous monitoring and response with the emergence of EDR (Endpoint Detection and Response). Finally, it studies the culmination of this process: XDR (eXtended Detection and Response), a technology that breaks down information silos by integrating endpoint, network, cloud, and identity data to provide holistic visibility and an automated response to complex attacks. -
Antivirus
This topic delves into the detailed operation of **Antivirus**, historically the first line of defense at *endpoints*. It analyzes the evolution of their engines to deal with increasingly advanced malicious code.
We will begin by studying **signature-based detection**, effective against known malware, but insufficient against new variants. To cover these shortcomings, more proactive approaches will be explored: **heuristic analysis** and **behavioral detection**, capable of identifying suspicious actions in real time without prior knowledge. Finally, the integration of **Artificial Intelligence** will be addressed, using machine learning to predict and block unknown threats (Zero-Day) before they are executed. -
EDR/XDR
This topic delves into advanced detection and response technologies: EDR and XDR. The student will explore the key **functionalities** of EDR, designed to continuously monitor activity on *endpoints*, detect anomalous behavior, and facilitate the isolation and containment of threats that traditional antiviruses evade.
The perspective will then be broadened to XDR, which unifies telemetry from multiple vectors (network, cloud, email, and identity) for a global view of the attack. Finally, the student will learn how to classify and manage different alert levels, a critical skill for prioritizing incidents, reducing alert fatigue, and optimizing the efficiency of response teams. -
Incident Response
This topic focuses on Incident Response, addressing how organizations should act in a structured manner once a security breach is detected. It will study the design of cybersecurity plans, establishing clear and methodical protocols for containment, eradication, and recovery of the affected environment.
In addition, special emphasis will be placed on the modernization of this capacity through automation. The student will understand the value and operation of SOAR (Security Orchestration, Automation, and Response) solutions, key tools for orchestrating defenses, automating repetitive tasks, and drastically reducing reaction times to attacks.
Activities
Activity Evaluation act
Introduction to CyberThreat Intelligence
This topic establishes the foundations of Cyber ¿¿Threat Intelligence (CTI). It analyzes the intelligence lifecycle to transform raw data into actionable knowledge, enabling organizations to move from a reactive to a proactive defense. It examines the levels of intelligence (strategic, operational, tactical, and technical) and how key concepts such as Indicators of Commitment (IoC) and Tactics, Techniques, and Procedures (TTP) are integrated into security tools (such as SIEM or EDR). The ultimate goal is to learn how to anticipate attacks, profile malicious actors, and expedite incident response.Objectives: 1
Contents:
Theory
4h
Problems
0h
Laboratory
2h
Guided learning
0h
Autonomous learning
4h
Log Analysis
This topic delves into Log Analysis, a fundamental piece for threat visibility and detection. The student will learn to extract, interpret, and correlate operating system logs to track attacks and detect anomalies. In Linux environments, log management and analysis will be explored using key tools such as syslog and journalctl. For Windows, the study will focus on mastering the Event Viewer to identify critical security events, such as suspicious logins or system alterations. This basic technical domain is the previous and essential step for the subsequent centralization in SIEM systems.- Theory: Log Analysis 1. Linux 1. syslog 2. journalctl 2. Windows 1. Event Viewer 3. Security Information and Event Management (SIEM) 1. Log Centralization 2. Log Correlation 4. YARA Rules
- Laboratory: Log analysis in Linux and Windows
Contents:
Theory
5h
Problems
0h
Laboratory
6h
Guided learning
0h
Autonomous learning
6h
Evolution of threat detection
This topic traces the technological evolution of defense tools, starting with the first signature-based antivirus. It analyzes the transition to Next Generation Antivirus (NGAV) and EPP platforms, focused on maximizing prevention on computers. Next, it addresses the paradigm shift towards continuous monitoring and response with the emergence of EDR (Endpoint Detection and Response). Finally, it studies the culmination of this process: XDR (eXtended Detection and Response), a technology that breaks down information silos by integrating endpoint, network, cloud, and identity data to provide holistic visibility and an automated response to complex attacks.- Theory: 1. Antivirus 2. Next Generation Antivirus 3. EndPoint Protection Platform (EPP) 4. EndPoint Detection and Response (EDR) 5. eXtended Detection and Response (XDR)
- Laboratory: EDR Installation
Contents:
Theory
5h
Problems
0h
Laboratory
4h
Guided learning
0h
Autonomous learning
4h
Corporate talk
An incident response expert will come to explain how their SOC works.Contents:
Theory
2h
Problems
0h
Laboratory
0h
Guided learning
0h
Autonomous learning
0h
Theory
4h
Problems
0h
Laboratory
4h
Guided learning
0h
Autonomous learning
8h
Theory
0h
Problems
0h
Laboratory
0h
Guided learning
0h
Autonomous learning
0h
Teaching methodology
The subject will be basically composed of three types of learning:1. Theory master class with real examples and interaction with students
2. Practical laboratory classes for the analysis of real applied cases
3. Company talks, where experts from the sector will come to show how they manage security in companies
Evaluation methodology
The autonomous learning competence is evaluated based on the reports delivered by the student during the course. Its weight is 5% on the final grade.The technical competences are evaluated based on the theory (45%) and the laboratory exam (50%, N_lab).
The theory gets evaluated based on the partial and the final exams. The mark of the 2 partial exams is computed as the averaged mean of the 2 tests, with the following weights: 40 and 60%. If this mark is equal or larger than 5.0, attending the final exam is optional. In any case, the average grade of the theory midterms must exceed 3.5 in order to be able to average with the rest of the grades and pass the subject.
In case a student attends the final exam, his/her theory mark will be the highest between the mark obtained in the final exam and the averaged mean of the partial exams.
The mark obtained in the subject will be computed as follows:
N_midterms =N_m1*0.4 + N_m2*0.6 <-- computes only if is >= 3.5
N_theory = max(N_midterms, N_final_exam)
N_final = N_theory * 0.45 + N_lab * 0.5 + N_reports * 0.05
Bibliography
Basic
-
Cyber Threat Intelligence: The No-Nonsense Guide for CISOs and Security Managers
- Roberts, Aaron,
Apress,
ISBN: 978-1484272190
https://www.amazon.es/Cyber-Threat-Intelligence-No-Nonsense-Security/dp/1484272196#detailBullets_feature_div