TracerFIRE
Abstract
TracerFIRE (Forensic and Incident Response Exercise) for the U.S. Department of Energy (DOE) is a program developed by Sandia National Laboratories to educate and train cyber security incident responders (CSIRs) and analysts in critical skill areas. The program also aims to improve collaboration and teamwork among staff members. Under this program, several hundred CSIRs from the DOE, other U.S. government agencies, and critical infrastructure organizations have been trained.
TracerFIRE 9, the latest iteration of the TracerFIRE scenario, is set in Albuquerque NM, where the electric skateboard startup WheelByte has suffered numerous cyber-attacks. Participants are hired by WheelByte to investigate a series of artifacts and forensic evidence, including malware based off of TinyNuke and the adversarial group OilRig. At the end, teams present their findings in the form of debriefs to a CISO panel.
This is the eighth year TracerFIRE has been offered at ACSAC. Discussion topics in the workshop include incident response, forensic investigation, and live analysis on file system, memory, and malware. Attendees will be introduced to a number of forensic tools and techniques that can later be used to solve forensic challenges on the second half of the workshop each day. Attendees will be able to:
- Familiarize themselves with the Cyber Kill Chain
- Perform forensic analysis on infected disk and memory images
- Analyze traffic on how malware communicates over its command and control (C2) using Wireshark and Security Onion
- Reverse Engineer malicious binaries
- Utilize a SIEM (Security Information and Event Management) and IDS (Intrusion Detection System).
Outline
Day 1:
- Introduction and demo of the tools (2-4 hours)
- Begin the competition (remainder of the day)
Day 2:
- Continue the competition
- Final Debrief and awards (last hour)
Prerequisites
Attendees will require a basic understanding of computer systems, networks and general cyber security concepts.
Student Equipment requirements:
Laptop with a remote desktop client installed.
Instructors
Kevin Nauer is a member of the technical staff at Sandia and has over 20 years of experience in researching malware and conducting digital forensic analysis. Recently, he has been leading a team of security practitioners to develop engaging scenarios that are used in various capture the flag type of exercises for universities and government agencies. Kevin holds a B.S. and M.S. in Computer Science and has previously served as a Captain in the US Army Intelligence and Security Command where he helped to lead a new organization to conduct digital media exploitation.
Nicholas Kantor is a security researcher at Sandia National Laboratories and a recent graduate from Carnegie Mellon University under their Master’s of Science in Information Security program. At Sandia Nick works on developing security scenarios such as TracerFIRE and research into new and exciting areas of cyber security.
Tyler Morris is a security researcher at Sandia National Laboratories and is pursuing his M.S. in Cybersecurity from Georgia Tech. At Sandia Tyler works on developing future cybersecurity technologies in areas of deception, forensics, software, and security scenarios like TracerFIRE.