Students learn the necessary concepts and skills for responding effectively to cyber security incidents.
The goal is to provide participants with the equivalent skills and experience
one would obtain working a full month on a professional Incident Response team
dealing with an Advanced Persistent Threat intrusion.
Students are trained on the three core pillars of incident response:
Students are also given the opportunity to learn about
Incident Coordination and Operational Technology.
In addition to classroom training and lectures,
students spend most of their time working on a team project
investigating real data from a historical incident.
At the conclusion of the program,
students present their findings to senior management
in standard incident reporting format.
This worldwide compromise was discovered in December 2020,
and was the largest cybersecurity incident to date.
Involving thousands of businesses and governments across the planet,
it was ultimately revealed to be a new kind of cybersecurity attack,
one for which there was no easy solution.
DOE's Cyber Fire program was at the forefront of the response to this attack,
using Network Archaeology techniques to reverse-engineer the
SUNBURST DGA and create a custom in-house decoder used by analysts across the complex.
Cyber Toaster students will investigate and recreate a custom decoder for the SUNBURST DGA,
using techniques taught in the Network Archaeology class.
The Cyber Toaster runs at multiple DOE laboratories.
Students may apply to as many labs as they like,
but they should be prepared to interview at each site they apply to,
which may require additional site-specific paperwork.
Students at all labs will take classes and work on projects together.
Classes may be taught by local staff,
or by remote staff,
depending on what staff is available at each lab.
Each lab will provide a local focus on their culture and capabilities.
This schedule is subject to change before the beginning of the school.
The first thing most labs require is a drug test and badging.
You will then be introduced to your national lab, the local team you're joining, and the remote Toaster staff and students.
You will then create various accounts you'll need for the internship,
and take loads and loads of training.
During this week you will also download and install required software,
and set up your virtual machine.
Toward the end of the week, you will participate in an introduction to incident coordination.
Malware Analysis will walk you through using various tools to pull apart executables,
and understand their capabilities and program flow.
Host Forensics will teach you how to analyze forensic memory and hard drive images.
Network Archaeology teaches techniques to extract undocumented protocol
communications from network traffic. Students will learn to use Cyber Fire
toolsets to create their own custom decoders.
Using Network Archaeology techniques,
students will create a custom decoder for the SUNBURST incident data from 2020.
During this week, students will also learn how Operational Technology (OT)
differs from traditional Information Technology, and get a chance to work
with OT equipment from a security perspective.
Students will be given their first piece of the project dataset.
This dataset either mimics a real APT incident,
or is real data from a past APT incident at a DOE site.
Using techniques taught in the classes,
and with staff assistance,
teams will disassemble the dataset,
looking for indicators of compromise and better evidence fragments,
such as command and control traffic,
The school ends with a presentation of findings to senior site management.
You play the role of an incident response team,
presenting your findings to senior management.
You will be required to package your findings in a standard report template,
then give a verbal presentation,
and field questions.
This week has not been finalized yet and may change drastically.
For the final week of the Toaster, students will fly to the Washington, DC
area to participate in the OMNI/Toaster capstone event.
Toaster students will appear on a panel in front of the OMNI program
interns and their mentors, explaining their experiences and what they learned.
They will then assist Cyber Fire staff in the teaching portion of the event.
The final three days of the event feature a competitive puzzle event,
where teams made of Toaster students compete against teams of OMNI
students in a forensic-focused puzzle competition.
Applications will be accepted until Sat Apr 01 2023.
Applications for this year's school will be reviewed on a rolling basis.
You will be asked for the following documents as part of your initial application: