Skip to main content

Tracer FIRE

Abstract

Tracer FIRE (Forensic and Incident Response Exercise) for the U.S. Department of Energy (DOE) is a program developed by Sandia National Laboratories to educate and train cyber security incident responders (CSIRs) and analysts in critical skill areas. It will be offered virtually this year in conjunction with the ACSAC schedule of events on December 6 and 7 (Monday and Tuesday). The program aims to improve collaboration and teamwork among staff members while they learn how to respond a cyber attack. Under this program, several hundred CSIRs from the DOE, other U.S. government agencies, and critical infrastructure organizations have been trained.

Tracer FIRE 10 is being offered this year and is a new scenario that involves multiple cyber attacks on a fictional state government named VeriXikon. Attackers have infiltrated the government network and are causing power outages and tampering with an election. There are also some indications of cryptocurrency mining. Participants will investigate these attacks using open-source hunting tools and determine exactly what occurred and make recommendations to the government on how to remediate these attacks.

This is the ninth year Tracer FIRE has been offered at ACSAC. Discussion topics in the workshop include incident response, forensic investigation, and live analysis on file system, memory, and malware. Attendees will be introduced to a number of forensic tools and techniques that can later be used to solve forensic challenges on the second half of the workshop each day. Attendees will be able to:

  • Familiarize themselves with the Cyber Kill Chain
  • Perform forensic analysis on infected disk and memory images
  • Analyze traffic on how malware communicates over its command and control (C2) using Arkime and Security Onion
  • Reverse Engineer malicious binaries
  • Utilize a SIEM (Security Information and Event Management) and IDS (Intrusion Detection System).

Those interested in attending this year's Tracer FIRE, please check off the appropriate box on the registration form and add the fee for this workshop.

Outline

Day 1:

  • Introduction and demo of the tools (2-4 hours)
  • Begin the competition (remainder of the day)

Day 2:

  • Continue the competition
  • Final Debrief and awards (last hour)

Prerequisites

Attendees will require a basic understanding of computer systems, networks and general cyber security concepts.

Student Equipment requirements:

Laptop with a remote desktop client installed.

Instructors

Kevin Nauer is a member of the technical staff at Sandia and has over 20 years of experience in researching malware and conducting digital forensic analysis. Recently, he has been leading a team of security practitioners to develop engaging scenarios that are used in various capture the flag type of exercises for universities and government agencies. Kevin holds a B.S. and M.S. in Computer Science and has previously served as a Captain in the US Army Intelligence and Security Command where he helped to lead a new organization to conduct digital media exploitation.

Nicholas Kantor is a security researcher that has been at Sandia National Laboratories for 5 years and holds an M.S. in Information Security from Carnegie Mellon University. At Sandia Nick works on developing security scenarios such as Tracer FIRE and research into new and exciting areas of cyber security.

Tyler Morris is a security researcher at Sandia National Laboratories. At Sandia Tyler works on developing future cybersecurity technologies in areas of deception, forensics, software, and security scenarios like Tracer FIRE.

Michael “Mikey” Reeves has been a security researcher at Sandia National Laboratories for 2 years and holds an M.S. in Computer Science from Purdue University. At Sandia, Mikey pursues forward-thinking research in the areas of forensics, threat intelligence, and virtualization/networking technologies. One such research project is developing forensic scenarios for Tracer FIRE. He writes about his interests on his website: https://mastermjr.com.

Workshop Details and Registration

  1. This training is being held in conjunction with ACSAC and is offered virtually as is true for the en- tire ACSAC conference.
  2. The two-day class is being held December 6 and 7th (Monday and Tuesday).
  3. If you are interested in attending, please check off the appropriate box on the conference registration form and add in the Tracer FIRE fee.