Advanced Network Archaeology
2022-05-23 to 2022-05-26 : Online - Advanced Network Archaeology event focused on SolarWinds DGA decoding.

Cyber Fire Simulation gives participants a full week to work with data from a historical event, with veteran investigator assistance. This is not an event for learning a new skill, but rather one for sharpening existing skills by working with real data.

Note: Due to the nature of the data used in this exercise, only DOE federal and contractor employees are eligible to participate.

Participants act in one of four groups:

  • Network Archaeology
  • Malware Analysis
  • Host Forensics
  • Incident Coordination

Attendees start with an initial indicator and a piece of evidence, and work as a single team to respond to the incident.

The incident response team is expected to process network traffic, event logs, packet captures, memory images, hard drive images, and the Windows registry.

During daily executive management briefings, simulation participants provide:

  • investigation updates
  • recommendations to the site for remediation
  • a list of infected resources
  • all evidence gathered to date
  • updated indicators of compromise

Event staff serve as mock IT (distributing collected evidence when asked), as mock counterintelligence (sharing indicators to keep the group progressing), and as general computer security experts giving other tips and tricks as needed.

In this online event, participants create their own Domain Generation Algorithm (DGA) decoder based on data from the SolarWinds compromise (UNC2452: SUNBURST/TEARDROP).

We will cover the history of the intrusion, then dive deep into the structure of the protocol, techniques for decoding it, and the computer science concepts underlying its various aspects. All of this is taught with the goal of creating a custom decoder.

Participants will use Python (or another language of their choice) to build decoders from provided “generic” pieces. Participants will also learn how to integrate published research from other investigators, and how to peer-review those published findings by reimplementing them and examining their claims with a critical eye.

At the conclusion of the event, participants will be able to explain the minute details of the protocol. Mastery of the course results in a working decoder written by the participant.