2025 Investigation School
2025-06-02T08:00:00-06:00 - 2025-08-08T17:00:00-06:00 : LANL, LLNL, ANL

Overview

Students learn the necessary concepts and skills for responding effectively to cybersecurity incidents. The goal is to provide participants with the equivalent skills and experience one would obtain working a full month on a professional Incident Response team dealing with an Advanced Persistent Threat intrusion. Students are trained on the three core pillars of incident response: Host Forensics, Network Archaeology, and Malware Analysis. Students are also given the opportunity to learn about Incident Coordination and Operational Technology.

In addition to the classroom training and lectures, student teams will investigate a synthetic or historic cybersecurity breach dataset. At the conclusion of the program, students present their findings to senior management in standard incident reporting format.

Multi-Lab

The Cyber Toaster runs at multiple DOE laboratories. Students may apply to as many labs as they like, but they should be prepared to interview at each site they apply to, which may require additional site-specific paperwork.

Students at all labs will take classes and work on projects together. Classes may be taught by local staff or by remote staff, depending on which staff are available at each lab.

Each lab will provide a local focus on their culture and capabilities.

This schedule is subject to change before the beginning of the school.

Week 1: Onboarding

The first thing most labs require is a drug test and badging. You will then be introduced to your national lab, the local team you're joining, and the remote toaster staff and students. You will then create various accounts you'll need for the internship, and take loads and loads of training. During this week you will also download and install required software, and set up your virtual machine.

Weeks 2-3: Malware Analysis

Malware Analysis will walk you through using various tools to pull apart executables, and understand their capabilities and program flow.

Week 4: Host Forensics

Host Forensics will teach you how to analyze forensic memory and hard drive images.

Week 5: Network Archaeology

Network Archaeology teaches techniques to extract undocumented protocol communications from network traffic. Students will learn to use Cyber Fire toolsets to create their own custom decoders.

Week 6: Operational Technology

During this week, students will learn how Operational Technology (OT) differs from traditional Information Technology, and get a chance to work with OT equipment from a security perspective.

Weeks 7-10: Analysis and Presentation

Students will be given their first piece of the project dataset. This dataset either mimics a real APT incident, or is real data from a past APT incident at a DOE site.

Using techniques taught in the classes, and with staff assistance, teams will disassemble the dataset, looking for indicators of compromise and other evidence fragments, such as command and control traffic, transferred files, malware executables, and more.

The school ends with a presentation of findings to senior site management. You play the role of an incident response team, presenting your findings to senior management. You will be required to package your findings in a standard report template, then give a verbal presentation, and field questions.

Deadline

Applications will be accepted 2024-08-27T00:00:00+00:00 - 2025-04-01.

Applications for this year's school will be reviewed on a rolling basis.

Application Material

You will be asked for the following documents as part of your initial application:

  • Resume/CV
  • Cover Letter