Rotem Guttman’s cyber forensics course is an immersive experience

The course earned Guttman a CMU Andy Award for “innovative and creative contributions”

Daniel Tkacik

Jan 3, 2022

Rotem Guttman in character

Source: Rotem Guttman

Rotem Guttman playing a character related to the cyber incident that students in his course are tasked with solving.

The Ambrosian national government was victim to a crippling cyberattack over the weekend, sending government officials into a frenzy to get their systems back online and figure out how their network was penetrated. Graduate students in Carnegie Mellon’s Information Networking Institute (INI) have been recruited to help solve the case.

If the country of Ambrosia sounds made up, it’s because it is. INI students in Rotem Guttman’s “Cyber Forensics and Incident Response” capstone course are thrown into this fictional world to figure out what exactly happened in the cyberattack, and how.

“By the end of the course, I want my students to be able to say that they are experienced in building a cyber incident case,” says Guttman, a researcher at the Software Engineering Institute and faculty at the INI who teaches the course. “If there’s a cyber incident on their first day of work, I don’t want the deer-in-headlights reaction. I want them to be like, ‘Yeah, I’ve got this.’”

If there’s a cyber incident on their first day of work, I don’t want the deer-in-headlights reaction.

Rotem Guttman, Professor, Information Networking Institute

Guttman has been teaching the course since 2015, but it wasn’t until the COVID-19 pandemic sent students home to learn remotely that the course rapidly evolved into its current form. Previously, most of the course was taught in a traditional lecture-based style. Once remote learning became the new normal, Guttman swiftly adapted.

“I know from my research what works teaching-wise, but I've never had the freedom to just go wild,” Guttman says. “When the COVID shutdown began, everyone was asking, ‘How do we make this transition?’ I was like, ‘I’ve got ideas.’”

The idea: immerse the students into a highly-realistic scenario where they must, over the course of a single semester, conduct a formal forensic investigation on a fictional cyber incident, build a case, and present it to a panel of judges. Thus, students were thrust into the Republic of Ambrosia, where the national government tasked them with investigating a massive data breach.

Throughout the investigation, student teams regularly met with a cast of characters related to the incident over Zoom, all played by Guttman himself. The teams asked questions and requested various data that might serve as helpful evidence in their case.

When I’m role playing as the vice president, I’m acting as one of the worst bosses you’re ever going to have.

Rotem Guttman, Professor, Information Networking Institute

Guttman says that everything in the course ties back to its specific learning objectives, the main one being to “give students the opportunity to actualize the technical skills they have acquired during the prerequisite courses in such a way that they can utilize them in the real world,” according to the course syllabus.

Other valuable lessons are sprinkled into the course as well, some of which might be commonly classified as “things they don’t teach you in school.” But Guttman does.

“When I’m role playing as the vice president, I’m acting as one of the worst bosses you’re ever going to have,” Guttman says. “Everyone has a bad boss at some point in their careers, and you need to know how to deal with that and protect yourself.”

At the end of the semester, teams presented their cases to a panel of CTOs, CEOs, and other industry professionals that Guttman brought in to be guest judges.

“This report was the exact type of report—same requirements—as if they were literally submitting it in a civil trial in the United States,” Guttman says. “And now they get to present that work in front of the same people they’re going to be looking for jobs from.”

Guttman says that the final grade students receive is based on the students’ work and how it fulfills the learning objectives, not on whether they convicted or acquitted the right people.

Communication is so important.

Rotem Guttman, Professor, Information Networking Institute

“One of the things we’re trying to evaluate them on is: how well can you express yourself? How well can you convey material?” Guttman says. “Communication is so important.”

Crucial to the execution of this highly-realistic immersive experience, Guttman says, was having real-life network data from an actual cyberattack for students to be able to analyze in search of clues and evidence. Without that data, the realism of the investigation would have been missing and students wouldn’t have been able to practice on and analyze real, actual data. To pull it off, Guttman launched an attack on a cluster of servers that his SEI colleague Will Nichols had assembled.

“This course would not have been possible without Will,” says Guttman.

Nichols says that the “garbage cluster,” a nickname both he and Guttman use, is the culmination of a multi-year long process involving the Lion Surplus store at Penn State, which sells non-functioning servers and other parts “for basically scrap value.” He’d look for additional deals online.

The result is a server cluster with around one-third of a terabyte of RAM and 128 cores. For comparison, the laptop used to write this story has 16 GB of RAM, twenty thousand times less than the “garbage cluster.”

I think the going rate right now to build a cluster like this, new, would be around $100,000.

Will Nichols, Researcher, Software Engineering Institute

“The total amount I’ve put into this cluster is about $1,800 after all is said and done, which I think is pretty good,” says Nichols. “I think the going rate right now to build a cluster like this, new, would be around $100,000.”

Thanks to the success of the course, Guttman says that the INI has invested in significant infrastructure upgrades so future instances of the course will be hosted on new equipment on a CMU-hosted datacenter. On top of that, the course itself garnered lots of attention from the University. Last month, Guttman received an Andy Award for “innovative and creative contributions.”

“The course is the outcome of a decade of my research combined with Will’s ability to make infrastructure materialize out of nothing,” says Guttman.