Tracer FIRE

[This is a two-day course]

This is the fifth year Tracer FIRE has been offered at ACSAC, but it is definitely not the same course that has been offered in the past, and we encourage past attendees to consider taking the course again. While the general topics of incident response, forensic investigation and analysis, file systems, memory layout and malware analysis haven't changed – the past year has seen a complete update of the course content and forensic challenges.

This year, students and professionals will:

• Learn how to forensically analyze disk and memory images of infected Windows systems
• Investigate how a malicious PDF is used in a phishing attack
• Use Wireshark to identify how malware communicates over the network for its command and control
• Learn how enterprise networks can be compromised using pass-the-hash techniques

For those not familiar with this training: Tracer FIRE (Forensic and Incident Response Exercise) is a program developed by Sandia National Laboratories to educate and train cyber security incident responders and analysts. Using Tracer FIRE as a framework, participants form into teams and compete against each other to solve technical puzzles using the skills learned in the tutorials.  It’s very engaging and fun to learn about cyber security in this manner.  Each team will have the opportunity to play the role of a professional incident response team that is called in to respond to a major cyber attack against a large organization using a scenario developed by Sandia’s subject matter experts.

Both days of this professional development course are split into two sections. The morning will consist of both lecture and hands-on training with forensic analysis tools. The training will focus on defensive forensics analysis by training the participants using adversarial based scenarios. The goal of approaching forensic analysis from the mind of an adversary is to improve the situational awareness of the incident responder.

In the afternoon sessions, participants will form into teams and will participate in a competition that will require them to apply what they have learned during the classroom training. During this competition, the teams will solve cyber security challenges involving a range of forensic analysis techniques. This exercise allows attendees to practice maintaining network situational awareness, use of forensic tools, and hone their teaming and communication skills. In addition, students will be required to present their understanding of the overall scenario, identifying key actors, events and actions to demonstrate their ability to understand the attacker's actions.

Day 1 Outline

1.     Rapid Response Cyber Forensics. The need for "cyber triage". Tools and protocols used by CSIRTs to discover suspicious events. Methods to prioritize actionable events and the importance of updating defensive systems.

2.     PDF Analysis: Overview of the PDF file format and analysis of malicious PDF files.

3.     Network Monitoring and Analysis for Incident Responders. Using Wireshark to quickly organize views of network events and to help reassemble the actual sequence of events that an attacker used to infect a network.

Day 2 Outline

1.     Introduction to Host Forensics. Use of the Autopsy open source forensic tool to analyze disk images of malicious code running on infected computers.

2.     Memory Analysis: Layout of memory in Windows and how virtual memory management works. Examination of memory contents. Use of Volatility open source framework to analysis various memory images of malware infected systems.

3.     Attack Situational Awareness. Introduction to tools used for helping analysts piece the puzzle together and understand how a specific attack was conducted.   Creative techniques for situational awareness from both an attacker and defender's perspective.

Prerequisites:

Attendees will require a basic understanding of computer systems, networks and general cyber security concepts. It is strongly recommended that students view the training materials that will be provided prior to the exercise.

Laptops with all required software will be provided for the class – no personal hardware or software is required. Students that wish to utilize other software may do so, as long as they are properly licensed to use the software.