Skip to main content

Tracer FIRE

Abstract

Tracer FIRE (Forensic and Incident Response Exercise) for the U.S. Department of Energy (DOE) is a program developed by Sandia National Laboratories to educate and train cyber security incident responders (CSIRs) and analysts in critical skill areas. The program also aims to improve collaboration and teamwork among staff members. Under this program, several hundred CSIRs from the DOE, other U.S. government agencies, and critical infrastructure organizations have been trained.

Tracer FIRE 12’s scenario involves multiple cyber-attacks on the fictional airline PigeonAir. PigeonAir operates in multiple lines of business including commercial air service, electric aircraft development and manufacturing, and cryptocurrency “Pidgium”. PigeonAir is a direct competitor of the multi-industry conglomerate Verixikon Airlines, who is worried about recent PigeonAir successes. Attackers have infiltrated PigeonAir systems, causing loss of data and various other cyber-related activities. Participants will investigate these attacks using open-source hunting tools, determine what occurred, and make recommendations to the oversight board on how to remediate/recover from these attacks.

photos of students in prior Tracer FIRE

This is the twelfth Tracer FIRE to be offered at ACSAC. Discussion topics in the workshop include incident response, forensic investigation, and live analysis on file system, memory, and malware. Attendees will be introduced to a number of forensic tools and techniques that can be used to solve forensic challenges within the second half of the workshop. Attendees will be able to:

  • Familiarize themselves with the Cyber Kill Chain
  • Perform forensic analysis on infected machines via Velociraptor
  • Analyze traffic on how malware communicates over its command and control (C2) using Arkime and Elastic
  • Reverse Engineer malicious binaries using Ghidra
  • Utilize a SIEM (Security Information and Event Management) and IDS (Intrusion Detection System)

Outline

Day 1:

  • Introduction and demo of the tools (7 hours)
  • Begin the competition (remainder of the day)

Day 2:

  • Continue the competition
  • Final Debrief and awards (last hour)

Prerequisites

Attendees will require a basic understanding of computer systems, networks and general cyber security concepts.

Student Equipment requirements:

Laptop with network access.

Instructors

Kevin Nauer is a member of the technical staff at Sandia and has over 20 years of experience in researching malware and conducting digital forensic analysis. Recently, he has been leading a team of security practitioners to develop engaging scenarios that are used in various capture the flag type of exercises for universities and government agencies. Kevin holds a B.S. and M.S. in Computer Science and has previously served as a Captain in the US Army Intelligence and Security Command where he helped to lead a new organization to conduct digital media exploitation.