School: Investigation

Jun 1 - Aug 6, 2021

Applications are closed


The theme for the 2021 school is UNC2452. This worldwide compromise was discovered in December 2020, and has been making headlines ever since.

Classes will delve into the UNC2452 compromise as viewed through the lens of each class. We will discuss supply-chain attacks, analyze the decompiled SUNBURST malware, and investigate detection and remediation techniques. The second half of the school will have participants crafting their own SUNBURST DGA decoder based on published analysis and Network Archaeology techniques.


Students learn the necessary concepts and skills for responding effectively to cyber security incidents. The goal is to provide participants with the equivalent skills and experience one would obtain working a full month on a professional Incident Response team dealing with an Advanced Persistent Threat intrusion. Students are trained on the three core pillars of incident response: Host Forensics, Network Archaeology and Malware Analysis. Students are also given the opportunity to learn about Incident Coordination and Operational Technology.

In addition to classroom training and lectures, students spend most of their time working on a small team project investigating real data from a historical incident. At the conclusion of the program, students present their findings to senior management in standard incident reporting format.

Rolling Applications

Applications will be reviewed on a rolling basis.


The first 5 weeks consist of morning classes. Each of our five core classes are taught for 4 hours in the morning, with some lab work in the afternoons.

Class Descriptions


Soon after the beginning of the school, students are given their first piece of the dataset. Using techniques taught in the classes, you will begin disassembling the dataset, looking for indicators of compromise and better evidence fragments, such as command and control traffic, transferred files, malware executables, and more.

Cyber Fire Staff will be accessible to help guide direction.


The school ends with a presentation of findings to senior site management. You play the role of an incident response team, presenting your findings to senior management. You will be required to package your findings in a standard report template, then give a verbal presentation, and field questions.