2024 Investigation School
2024-06-03T08:00:00-06:00 - 2024-08-09T17:00:00-06:00 : LANL, LLNL, ANL

Overview

Students learn the necessary concepts and skills for responding effectively to cyber security incidents. The goal is to provide participants with the equivalent skills and experience one would obtain working a full month on a professional Incident Response team dealing with an Advanced Persistent Threat intrusion. Students are trained on the three core pillars of incident response: Host Forensics, Network Archaeology, and Malware Analysis. Students are also given the opportunity to learn about Incident Coordination and Operational Technology.

In addition to classroom training and lectures, students spend most of their time working on a team project investigating real data from a historical incident. At the conclusion of the program, students present their findings to senior management in standard incident reporting format.

UNC2452: SUNBURST/TEARDROP

This worldwide compromise was discovered in December 2020, and was the largest cybersecurity incident to date. Involving thousands of businesses and governments across the planet, UNC2452 was ultimately revealed to be a new kind of cybersecurity attack, one for which there was no easy solution.

DOE's Cyber Fire program was at the forefront of the response to this attack, using Network Archaeology techniques to reverse-engineer the SUNBURST DGA and create a custom in-house decoder used by analysts across the complex.

Cyber Toaster students will investigate and recreate a custom decoder for the SUNBURST DGA, using techniques taught in the Network Archaeology class.

Multi-Lab

The Cyber Toaster runs at multiple DOE laboratories. Students may apply to as many labs as they like, but they should be prepared to interview at each site they apply to, which may require additional site-specific paperwork.

Students at all labs will take classes and work on projects together. Classes may be taught by local staff, or by remote staff, depending on what staff is available at each lab.

Each lab will provide a local focus on their culture and capabilities.

This schedule is subject to change before the beginning of the school.

Week 1: Onboarding

The first thing most labs require is a drug test and badging. You will then be introduced to your national lab, the local team you're joining, and the remote toaster staff and students. You will then create various accounts you'll need for the internship, and take loads and loads of training. During this week you will also download and install required software, and set up your virtual machine.

Toward the end of the week, you will participate in an introduction to incident coordination.

Weeks 2-3: Malware Analysis

Malware Analysis will walk you through using various tools to pull apart executables, and understand their capabilities and program flow.

Week 4: Host Forensics

Host Forensics will teach you how to analyze forensic memory and hard drive images.

Week 5: Network Archaeology

Network Archaeology teaches techniques to extract undocumented protocol communications from network traffic. Students will learn to use Cyber Fire toolsets to create their own custom decoders.

Week 6: SUNBURST / Operational Technology

Using Network Archaeology techniques, students will create a custom decoder for the SUNBURST incident data from 2020.

During this week, students will also learn how Operational Technology (OT) differs from traditional Information Technology, and get a chance to work with OT equipment from a security perspective.

Weeks 7-10: Analysis and Presentation

Students will be given their first piece of the project dataset. This dataset either mimics a real APT incident, or is real data from a past APT incident at a DOE site.

Using techniques taught in the classes, and with staff assistance, teams will disassemble the dataset, looking for indicators of compromise and better evidence fragments, such as command and control traffic, transferred files, malware executables, and more.

The school ends with a presentation of findings to senior site management. You play the role of an incident response team, presenting your findings to senior management. You will be required to package your findings in a standard report template, then give a verbal presentation, and field questions.

Deadline

Applications will be accepted 2023-09-01T00:00:00+00:00 - 2024-01-28 .

Applications for this year's school will be reviewed on a rolling basis.

Application Material

You will be asked for the following documents as part of your initial application:

  • Resume/CV
  • Cover Letter