2022 Investigation School
2022-06-07T00:00:00+00:00 - 2022-08-12 : Multiple Sites

Students learn the necessary concepts and skills for responding effectively to cyber security incidents. The goal is to provide participants with the equivalent skills and experience one would obtain working a full month on a professional Incident Response team dealing with an Advanced Persistent Threat intrusion. Students are trained on the three core pillars of incident response: Host Forensics, Network Archaeology, and Malware Analysis. Students are also given the opportunity to learn about Incident Coordination and Operational Technology.

In addition to classroom training and lectures, students spend most of their time working on a small team project investigating real data from a historical incident. At the conclusion of the program, students present their findings to senior management in standard incident reporting format.


This worldwide compromise was discovered in December 2020, and was the largest cybersecurity incident to date. Involving thousands of businesses and governments across the planet, UNC2452 was ultimately revealed to be a new kind of cybersecurity attack, one for which there was no easy solution.

DOE's Cyber Fire program was at the forefront of the response to this attack, using Network Archaeology techniques to reverse-engineer the SUNBURST DGA and create a custom in-house decoder used by analysts across the complex.

This year's summer school will spend a full week (10% of the program) investigating and recreating a custom decoder for the SUNBURST DGA, using techniques taught in the Network Archaeology class.


This year, the Incident Investigation Track will run at multiple National Laboratories! Livermore National Laboratory will host two students that will work alongside six Los Alamos National Laboratory summer students. All students will take classes and work on projects together, but each site will present a focus on local site culture and activities.


The first 6 weeks consist of morning classes. Each of our five core classes are taught for 4 hours in the morning, with some lab work in the afternoons.

Class Descriptions

One week will be devoted into a deep-dive into UNC2452. At the conclusion of the event, many students will have a complete working SUNBURST DGA decoder.


Soon after the beginning of the school, students are given their first piece of the dataset. Using techniques taught in the classes, you will begin disassembling the dataset, looking for indicators of compromise and better evidence fragments, such as command and control traffic, transferred files, malware executables, and more.

Cyber Fire Staff will be accessible to help guide direction.


The school ends with a presentation of findings to senior site management. You play the role of an incident response team, presenting your findings to senior management. You will be required to package your findings in a standard report template, then give a verbal presentation, and field questions.


Applications will be accepted until {{registration.end | date}}.

Applications for this year's school will be reviewed on a rolling basis.

Application Material

You will be asked for the following documents as part of your initial application:

  • Resume/CV
  • Cover Letter
  • Transcripts (unofficial is fine)
Application Form

{{registration.verb}} Now