Students Learn to Combat Hackers
New digital forensics course teaches students how to detect and contain data breaches
When a company was hacked in 2011, it took information technology administrators an average of 416 days before realizing that a breach even occurred. Now that timeline has been whittled down to 136 days, but that still leaves a large window for damage to occur.
“Prevention is getting difficult due to persistent and sophisticated threat actors,” said Jibran Ilyas, computer science adjunct lecturer in Northwestern’s McCormick School of Engineering. “The next best thing is to detect the breach as fast as possible and contain it. We want to keep getting faster and faster to minimize the damage.”
Along with Northwestern Engineering’s Yan Chen, Ilyas is teaching students to do just that. The pair teamed up to create and teach EECS 395: Digital Forensics and Incident Response.
“Though information security has drawn great attention, Northwestern has a limited number of faculty to offer related courses,” said Chen, professor of electrical engineering and computer science. “There has been a long-lasting gap between the student demand for security courses and what we can offer. Jibran’s course is a great first step to fill this gap, and we hope we will be able to offer more practical security courses in the future.”
Debuting last quarter, the class was split between lectures about basic theory and labs that challenged students to apply their new knowledge in practical scenarios. Students learned how to investigate digital artifacts left on hard drives, in logs, and on network devices, and how to preserve and analyze data on Windows, Mac, and Linux platforms. They also learned about different types of attacks, including cyber crimes and nation-state-sponsored attacks, and how to combat them.
“These investigations are similar to solving a jigsaw puzzle,” said Ilyas (MSIT ’13), director of incident response at Stroz Friedberg. “But you have to solve it by using tactics and recognizing patterns without knowing what the finished picture looks like.”
A digital forensics practitioner, Ilyas said the field has become much more sophisticated over the years. Previously, when a data breach was detected, information technology administrators simply wiped the hard drive and reinstalled the operating system to recover. Unfortunately, today that isn’t enough.
“People did not run full investigations,” he said. “Now we try to discover the attacker entry points and movement within the network, contain the intrusion, understand the motives, and learn from the incident to prevent future attacks.”
Forensics experts also collect key evidence to help prosecute attackers in a court of law.
Students in the course practice these skills by studying and working on real scenarios with sanitized data. The course’s final project asked students to examine a credit card breach that occurred at a popular hotel chain. Working in small groups, students were pressed to discover what the hackers did to breach the chain’s network and retrieve data as well as determine how many credit cards were stolen.
“We give students a feel of real cases, so they gain the same experience as they would by working in the field,” Ilyas said. “We also have them work in groups because that’s also true to life. No one solves these cases alone. It’s always a group effort.”
Having received overwhelmingly positive student reviews, EECS 395 will be offered again in winter 2017.
“I learned an incredible amount about digital forensics and incident response that I had no knowledge of before,” said David Rhodes Petty, a senior studying computer science. “This class made me interested to pursue this further after college. So I gained a new possible career path that I very likely would not have considered without taking the class.”
“I have never had a professor that was so passionate about his work,” senior Isabella Valdescruz said about Ilyas. “He made an entire class passionate about it as well.”