ISCAP Proceedings - 2025

Louisville, KY - November 2025



ISCAP Proceedings: Abstract Presentation


Simulating Cyber Threat Intelligence in a Higher Education Course


Cody Welu
Dakota State University

Abstract
Utilizing real-world cyber threat intelligence (CTI) scenarios in the classroom can be challenging due to the sensitive nature of such investigations. Still, it is important to educate students on CTI components, taxonomies, and methodologies that are in use across the industry. The aim of this research is to present a pedagogical framework for integrating cyber threat intelligence simulations into an undergraduate cybersecurity curriculum. The proposed framework relies heavily on MITRE ATT&CK to provide a common language with which to discuss and categorize adversary behaviors. It teaches students CTI objectives through threat actor profiling, analysis of indicators of compromise, and threat intelligence and incident response reporting. The framework is designed to be used throughout an upper-division cybersecurity course that focuses on threat hunting and incident response through experiential learning. In the threat actor profiling stage, students are encouraged to perform research on well-known threats to an industry of their choice. Using MITRE ATT&CK as a reference, attacker behaviors are mapped, and possible indicators of compromise are generated. A few specific attacker methodologies are selected, and a dataset is generated in a virtual lab environment. Finally, students learn reporting throughout the process by generating CTI reports based on their scenarios early in the course, and incident reports after their investigation wraps up. The proposed framework is integrated throughout the entirety of a threat hunting and incident response course, from attacker behavior analysis through network security monitoring and detection, to incident response and forensic activities. This cohesiveness throughout a course engages students through the entire process an analyst may go through during a threat hunt turned incident response.