Skip to main content

Threat Detection

Credits
6
Types
Specialisation complementary (Information Technologies)
Requirements
Department
AC
Las ciberamenazas son cada vez más frecuentes y con más impacto a la sociedad y a las empresas. En esta asignatura se verán mecanismos para la detección de amenazas. Concretamente se verán aspectos como:
- Funcionamiento del CyberThreat Intelligence
- Análisis de logs del sistema
- Reglas y mecanismos de detección
- Antivirus y su funcionamiento
- EDR/XDR, cómo funcionan y para qué se utilizan

Teachers

Person in charge

  • René Serral Gracià (rserral@ac.upc.edu)

Weekly hours

Theory
2
Problems
0
Laboratory
2
Guided learning
0
Autonomous learning
6

Objectives

  1. Identify threat actors and characterize the methodology of APTs (Advanced Persistent Threats), determining the factors that negatively impact system security in order to minimize their effects.
    Related competences: CT7.3,
  2. Manage, analyze and monitor the logs of Operating Systems (syslog/journalctl in Linux, Event Viewer in Windows), demonstrating knowledge of their structure to maintain systems and detect anomalies.
    Related competences: CTI2.2, CT6.3,
  3. Apply security information storage, processing and access tools through SIEM platforms and the use of YARA rules to centralize and correlate large volumes of events.
    Related competences: CT7.3, CT2.4,
  4. Understand the inner workings of detection systems (signatures, heuristics, behavior and AI), by reading and effectively using manuals and specifications of cybersecurity products written in English.
    Related competences: G3.1, CT2.3,
  5. Evaluate and compare different defense hardware and software solutions (Antivirus, EPP, EDR and XDR) according to quality and technical effectiveness criteria to select the best option according to the environment.
    Related competences: CT7.2,
  6. Evaluate and compare different defense hardware and software solutions (Antivirus, EPP, EDR and XDR) according to quality and technical effectiveness criteria to select the best option according to the environment.
    Related competences: CTI2.2, CT6.3,
  7. Direct and plan the security management of the IT infrastructure through the design of formal Cybersecurity Plans, ensuring their reliability in accordance with ethical principles and current regulations.
    Related competences: CTI2.1, CT2.3,
  8. Develop automated response and orchestration (SOAR) strategies, making technological decisions based on objective criteria and experimental data extracted from incidents.
    Related competences: CT7.2, G7.2,
  9. Analyze the presence of security breaches through system logs
    Related competences: G3.2, G6.1,
  10. Carry out the practical and laboratory tasks of the subject within the established deadlines, progressively applying guided and directed learning, and critically evaluating one's own progress, strengths and technical weaknesses in incident analysis.
    Related competences: G7.1, G7.2,

Contents

  1. Introduction to CyberThreat Intelligence
    This topic establishes the foundations of Cyber ¿¿Threat Intelligence (CTI). It analyzes the intelligence lifecycle to transform raw data into actionable knowledge, enabling organizations to move from a reactive to a proactive defense.

    It examines the levels of intelligence (strategic, operational, tactical, and technical) and how key concepts such as Indicators of Commitment (IoC) and Tactics, Techniques, and Procedures (TTP) are integrated into security tools (such as SIEM or EDR). The ultimate goal is to learn how to anticipate attacks, profile malicious actors, and expedite incident response.
  2. Log Analysis
    This topic delves into Log Analysis, a fundamental piece for threat visibility and detection. The student will learn to extract, interpret, and correlate operating system logs to track attacks and detect anomalies.

    In Linux environments, log management and analysis will be explored using key tools such as syslog and journalctl. For Windows, the study will focus on mastering the Event Viewer to identify critical security events, such as suspicious logins or system alterations. This basic technical domain is the previous and essential step for the subsequent centralization in SIEM systems.
  3. Evolution of threat detection
    This topic traces the technological evolution of defense tools, starting with the first signature-based antivirus. It analyzes the transition to Next Generation Antivirus (NGAV) and EPP platforms, focused on maximizing prevention on computers.

    Next, it addresses the paradigm shift towards continuous monitoring and response with the emergence of EDR (Endpoint Detection and Response). Finally, it studies the culmination of this process: XDR (eXtended Detection and Response), a technology that breaks down information silos by integrating endpoint, network, cloud, and identity data to provide holistic visibility and an automated response to complex attacks.
  4. Antivirus
    This topic delves into the detailed operation of **Antivirus**, historically the first line of defense at *endpoints*. It analyzes the evolution of their engines to deal with increasingly advanced malicious code.

    We will begin by studying **signature-based detection**, effective against known malware, but insufficient against new variants. To cover these shortcomings, more proactive approaches will be explored: **heuristic analysis** and **behavioral detection**, capable of identifying suspicious actions in real time without prior knowledge. Finally, the integration of **Artificial Intelligence** will be addressed, using machine learning to predict and block unknown threats (Zero-Day) before they are executed.
  5. EDR/XDR
    This topic delves into advanced detection and response technologies: EDR and XDR. The student will explore the key **functionalities** of EDR, designed to continuously monitor activity on *endpoints*, detect anomalous behavior, and facilitate the isolation and containment of threats that traditional antiviruses evade.

    The perspective will then be broadened to XDR, which unifies telemetry from multiple vectors (network, cloud, email, and identity) for a global view of the attack. Finally, the student will learn how to classify and manage different alert levels, a critical skill for prioritizing incidents, reducing alert fatigue, and optimizing the efficiency of response teams.
  6. Incident Response
    This topic focuses on Incident Response, addressing how organizations should act in a structured manner once a security breach is detected. It will study the design of cybersecurity plans, establishing clear and methodical protocols for containment, eradication, and recovery of the affected environment.

    In addition, special emphasis will be placed on the modernization of this capacity through automation. The student will understand the value and operation of SOAR (Security Orchestration, Automation, and Response) solutions, key tools for orchestrating defenses, automating repetitive tasks, and drastically reducing reaction times to attacks.

Activities

Activity Evaluation act


Introduction to CyberThreat Intelligence

This topic establishes the foundations of Cyber ¿¿Threat Intelligence (CTI). It analyzes the intelligence lifecycle to transform raw data into actionable knowledge, enabling organizations to move from a reactive to a proactive defense. It examines the levels of intelligence (strategic, operational, tactical, and technical) and how key concepts such as Indicators of Commitment (IoC) and Tactics, Techniques, and Procedures (TTP) are integrated into security tools (such as SIEM or EDR). The ultimate goal is to learn how to anticipate attacks, profile malicious actors, and expedite incident response.
Objectives: 1
Contents:
Theory
4h
Problems
0h
Laboratory
2h
Guided learning
0h
Autonomous learning
4h

Log Analysis

This topic delves into Log Analysis, a fundamental piece for threat visibility and detection. The student will learn to extract, interpret, and correlate operating system logs to track attacks and detect anomalies. In Linux environments, log management and analysis will be explored using key tools such as syslog and journalctl. For Windows, the study will focus on mastering the Event Viewer to identify critical security events, such as suspicious logins or system alterations. This basic technical domain is the previous and essential step for the subsequent centralization in SIEM systems.
  • Theory: Log Analysis 1. Linux 1. syslog 2. journalctl 2. Windows 1. Event Viewer 3. Security Information and Event Management (SIEM) 1. Log Centralization 2. Log Correlation 4. YARA Rules
  • Laboratory: Log analysis in Linux and Windows
Objectives: 2 9
Contents:
Theory
5h
Problems
0h
Laboratory
6h
Guided learning
0h
Autonomous learning
6h

Evolution of threat detection

This topic traces the technological evolution of defense tools, starting with the first signature-based antivirus. It analyzes the transition to Next Generation Antivirus (NGAV) and EPP platforms, focused on maximizing prevention on computers. Next, it addresses the paradigm shift towards continuous monitoring and response with the emergence of EDR (Endpoint Detection and Response). Finally, it studies the culmination of this process: XDR (eXtended Detection and Response), a technology that breaks down information silos by integrating endpoint, network, cloud, and identity data to provide holistic visibility and an automated response to complex attacks.
  • Theory: 1. Antivirus 2. Next Generation Antivirus 3. EndPoint Protection Platform (EPP) 4. EndPoint Detection and Response (EDR) 5. eXtended Detection and Response (XDR)
  • Laboratory: EDR Installation
Objectives: 4 5 6
Contents:
Theory
5h
Problems
0h
Laboratory
4h
Guided learning
0h
Autonomous learning
4h

Antivirus

Antivirus 1. Signature Based 2. Heuristic Detection 3. Behavioral Detection 4. AI Detection
  • Laboratory: YARA rules for malware detection
Objectives: 4 5 9
Contents:
Theory
2h
Problems
0h
Laboratory
4h
Guided learning
0h
Autonomous learning
6h

Midterm

Exam during the round of partial exams with the syllabus seen to date
Objectives: 1 2 3 4 9
Week: 7
Theory
0h
Problems
0h
Laboratory
0h
Guided learning
0h
Autonomous learning
0h

Corporate talk

An incident response expert will come to explain how their SOC works.

Contents:
Theory
2h
Problems
0h
Laboratory
0h
Guided learning
0h
Autonomous learning
0h

EDR/XDR

EDR/XDR 1. Functionalities 2. Alert Levels
Objectives: 4 5 6
Contents:
Theory
4h
Problems
0h
Laboratory
4h
Guided learning
0h
Autonomous learning
8h

Incident Response

Incident Response 1. Cybersecurity Plans 2. Automated Response
Objectives: 7 8
Contents:
Theory
4h
Problems
0h
Laboratory
8h
Guided learning
0h
Autonomous learning
9h

Second Midterm

Midterm with all the subject's material
Objectives: 1 2 3 4 5 6 7 8 9
Week: 14
Theory
0h
Problems
0h
Laboratory
0h
Guided learning
0h
Autonomous learning
0h

Lab Exam


Objectives: 10
Week: 14
Theory
0h
Problems
0h
Laboratory
0h
Guided learning
0h
Autonomous learning
0h

Teaching methodology

The subject will be basically composed of three types of learning:
1. Theory master class with real examples and interaction with students
2. Practical laboratory classes for the analysis of real applied cases
3. Company talks, where experts from the sector will come to show how they manage security in companies

Evaluation methodology

The autonomous learning competence is evaluated based on the reports delivered by the student during the course. Its weight is 5% on the final grade.

The technical competences are evaluated based on the theory (45%) and the laboratory exam (50%, N_lab).

The theory gets evaluated based on the partial and the final exams. The mark of the 2 partial exams is computed as the averaged mean of the 2 tests, with the following weights: 40 and 60%. If this mark is equal or larger than 5.0, attending the final exam is optional. In any case, the average grade of the theory midterms must exceed 3.5 in order to be able to average with the rest of the grades and pass the subject.

In case a student attends the final exam, his/her theory mark will be the highest between the mark obtained in the final exam and the averaged mean of the partial exams.

The mark obtained in the subject will be computed as follows:
N_midterms =N_m1*0.4 + N_m2*0.6 <-- computes only if is >= 3.5
N_theory = max(N_midterms, N_final_exam)

N_final = N_theory * 0.45 + N_lab * 0.5 + N_reports * 0.05

Bibliography

Basic

Previous capacities

The subject requires basic knowledge of cybersecurity, such as public and private key cryptography, cybersecurity basics, actors in the environment... so you must have taken or be taking the Computer Security subject.