CS4684 Cyber Security Incident Response and Recovery

This course defines the nature and scope of cyber security incident handling services, including intrusion/incident detection, damage control, service continuity, forensic analysis, service/data restoration, and incident reporting. Material covers policy, planning, operations, and technology issues involved in related cyber incident handling plans; i.e., Business Continuity, Disaster Recovery, and Continuity of Operations. Specific incident types addressed include, natural disasters, denial of service, malicious code, malicious misuse of hardware and firmware, unauthorized access, data compromise and inappropriate use, including insider attacks. Emphasis is given to the detection and analysis of infiltration and exfiltration techniques employed during cyber attacks, thus enabling the incident handler to detect low noise attacks, and to deconstruct particularly insidious attacks. Based upon the choice of case studies, this course will be taught at either the unclassified or TS/SCI levels.


CS3690 or Consent of Instructor

Lecture Hours


Lab Hours


Course Learning Outcomes

Student will be able to:


  • Explain the CJCSM 6510.01B (DoD Cyber Incident Handling Program).
  • Describe all current DoD categories of cyber incidents and reportable cyber events. 
  • Explain the meaning and value of understanding each of the defined cyber incident (attack) delivery vectors.
  • Explain the meaning of "root cause" as it relates to the course topic, as well as which elements of the risk equation are used to describe/define it.
  • Identity the six phase CJCSM incident handling life cycle, including what tasks and/or outcomes are associated with each phase.
  • Identify the three main types of (digital-based) technical analysis: network, system, malware.
  • Describe each of the network data analysis/alerting methods: full-packet, session, statistical, alert. 
  • Describe each of the system analysis date types (using the PUFNTALR acronym).
  • Describe the four malware analysis techniques, including their order of technical depth: surface, run-time, static, reverse-engineering. 
  • Assess both technical and operational incident impact, via low, moderate, high levels applied to each of the three information security objectives.
  • Describe several issues related to decision-based tradeoffs that an incident responder will likely have to contend with while handling an incident.
  • Understand that even though the ideal outcome of technical analysis is the discovery of root cause(s); there are occasions where operational necessity or other matters of practicality may call for the remediation/recovery of affected systems despite not having identified the root cause(s). 
  • List examples of offensive cyber TTTP (tools, tactics, techniques, and procedures), with an eye to understanding how these activities are likely to leave indicators (digital artifacts) behind for the incident responder/investigator to collect and analyze.
  • Use several tools useful for investigating network artifacts (e.g., Wireshark, nmap, Snort) and system artifacts (e.g., CyberTriage, Volatility, and shell scripting). 
  • Describe the structure of Snort rules, and learn to write custom Snort rules that address a specific incident under investigation.
  • Explain specific OS process attributes/characteristics that can serve as reliable indicators of a rogue (malicious) process. 
  • List the special issues and challenges involved in responding to incidents when the affected systems are cloud-hosted. 
  • Explain what a BIA (business impact analysis) is, how to perform one, and the critical role it plays in pre-planning for incident response management capabilities. 
  • Understand critical role that contingency planning plays in the development of a robust incident handling capability. 
  • Describe multiple technologies that support the recovery of both data and processing capability during recovery from an incident. 
  • Explain the meanings of MTD, RTO, and RPO, and their usage in determining technology type and expenditures for incident recovery capability investment.