Tracer FIRE
Abstract
Tracer FIRE (Forensic and Incident Response Exercise) for the U.S. Department of Energy (DOE) is a program developed by Sandia National Laboratories to educate and train cyber security incident responders (CSIRs) and analysts in critical skill areas. The program also aims to improve collaboration and teamwork among staff members. Under this program, several hundred CSIRs from the DOE, other U.S. government agencies, and critical infrastructure organizations have been trained.
Tracer FIRE 12’s scenario involves multiple cyber-attacks on the fictional airline PigeonAir. PigeonAir operates in multiple lines of business, including commercial air service, electric aircraft development and manufacturing, and the cryptocurrency “Pidgium”. PigeonAir is a direct competitor of the multi-industry conglomerate Verixikon Airlines, which is worried about recent PigeonAir successes. Attackers have infiltrated PigeonAir systems, causing loss of data and carrying out various other cyber-related activities. Participants will investigate these attacks using open-source hunting tools, determine what occurred, and make recommendations to the oversight board on how to remediate and recover from these attacks.
This is the twelfth Tracer FIRE to be offered at ACSAC. Discussion topics in the workshop include incident response, forensic investigation, and live analysis of file systems, memory, and malware. Attendees will be introduced to a number of forensic tools and techniques that can be used to solve the forensic challenges in the second half of the workshop. Attendees will be able to:
- Familiarize themselves with the Cyber Kill Chain
- Perform forensic analysis on infected machines via Velociraptor
- Analyze network traffic to see how malware communicates with its command and control (C2) infrastructure, using Arkime and Elastic
- Reverse engineer malicious binaries using Ghidra
- Utilize a SIEM (Security Information and Event Management) and IDS (Intrusion Detection System)
Outline
Day 1:
- Introduction and demo of the tools (7 hours)
- Begin the competition (remainder of the day)
Day 2:
- Continue the competition
- Final Debrief and awards (last hour)
Prerequisites
Attendees will require a basic understanding of computer systems, networks, and general cyber security concepts.
Student equipment requirements:
Laptop with network access.
Instructors
Kevin Nauer is a member of the technical staff at Sandia and has over 20 years of experience in researching malware and conducting digital forensic analysis. Recently, he has been leading a team of security practitioners to develop engaging scenarios that are used in capture-the-flag style exercises for universities and government agencies. Kevin holds a B.S. and M.S. in Computer Science and previously served as a Captain in the US Army Intelligence and Security Command, where he helped lead a new organization conducting digital media exploitation.
SeanMichael Galvin has been a senior cybersecurity researcher at Sandia National Laboratories since 2015. At Sandia, SeanMichael works on the incident response team, coordinating investigations of incidents at Sandia and abroad. He has worked with the Tracer FIRE team since 2013, using Tracer FIRE environments to help advance new incident responders and to emulate APT attacks in order to improve the defensive cyber posture at Sandia.
Kelcey Tietjen has been an active incident responder and forensicator since 2004. Kelcey has built, managed, or worked in incident response capabilities at Mandiant, Apple, Bechtel, and Los Alamos National Laboratory. He is currently focused on cloud incident response and forensics in a cybersecurity research group at Sandia National Laboratories.
Tyler Morris is a senior security researcher at Sandia National Laboratories. At Sandia, Tyler works on developing future cybersecurity technologies in the areas of cyber testbeds, forensics, software, and security scenarios such as Tracer FIRE.