Cyber Fire Simulation gives participants a full week to work with data from a historical event, with veteran investigator assistance. This is not an event to learn a new skill, but rather sharpen existing skills working with real data.
Note: Due to the nature of the data used in this exercise, only DOE federal and contractor employees are eligible to participate.
Participants act in one of four groups:
- Network Archaeology
- Malware Analysis
- Host Forensics
- Incident Coordination
Attendees start with an initial indicator and a piece of evidence, and work as a single team to respond to the incident.
The incident response team is expected to process network traffic, event logs, packet capture, memory images, hard drive images, and windows registry.
During daily executive management briefings, Simulation participants provide:
- investigation updates
- recommendations to the site for remediation
- a list of infected resources
- all evidence gathered to date
- updated indicators of compromise
Event staff serve as mock IT, distributing collected evidence when asked, mock counterintelligence, sharing indicators to keep the group progressing, and as general computer security experts giving other tips and tricks as needed.