Skip to main content

TracerFIRE

Abstract

TracerFIRE (Forensic and Incident Response Exercise) for the U.S. Department of Energy (DOE) is a program developed by Sandia National Laboratories to educate and train cyber security incident responders (CSIRs) and analysts in critical skill areas. The program also aims to improve collaboration and teamwork among staff members. Under this program, several hundred CSIRs from the DOE, other U.S. government agencies, and critical infrastructure organizations have been trained.

Tracer FIRE 10 is being offered this year and is a new scenario that involves multiple cyber-attacks on a fictional state government named VeriXikon. Attackers have infiltrated the government network and are causing power outages and tampering with an election. There are also some indications of cryptocurrency mining. Participants will investigate these attacks using open-source hunting tools and determine exactly what occurred and make recommendations to the government on how to remediate these attacks.

photos of students in prior TracerFIRE

This is the tenth TracerFIRE to be offered at ACSAC. Discussion topics in the workshop include incident response, forensic investigation, and live analysis on file system, memory, and malware. Attendees will be introduced to a number of forensic tools and techniques that can later be used to solve forensic challenges on the second half of the workshop each day. Attendees will be able to:

  • Familiarize themselves with the Cyber Kill Chain
  • Perform forensic analysis on infected machines and memory images
  • Analyze traffic on how malware communicates over its command and control (C2) using Arkime and Security Onion
  • Reverse Engineer malicious binaries using Ghidra
  • Utilize a SIEM (Security Information and Event Management) and IDS (Intrusion Detection System).

Outline

Day 1:

  • Introduction and demo of the tools (7 hours)
  • Begin the competition (remainder of the day)

Day 2:

  • Continue the competition
  • Final Debrief and awards (last hour)

Prerequisites

Attendees will require a basic understanding of computer systems, networks and general cyber security concepts.

Student Equipment requirements:

Laptop with network access.

Instructors

SeanMichael Galvin has been a senior Cybersecurity researcher at Sandia National Laboratories since 2015. At Sandia, SeanMichael works on the incident response team coordinating investigations of incidents at Sandia and abroad. He has worked with the Tracer FIRE team since 2013 using Tracer FIRE environments to help advance new incident responders and emulate APT attacks to better the defensive cyber posture at Sandia.

Shadron Gudmunson is a security researcher at Sandia National Laboratories and a recent graduate from New Mexico Transdisciplinary Cybersecurity program. At Sandia Shad works on developing infrastructure for Tracer FIRE and improving enterprise security.

James Gallagher is a security research at Sandia National Labs. He holds a Master’s of Science in Cybersecurity from Northeastern University. At Sandia, his primary research focus is network and host analysis of Operation Technology (OT) / Industrial Control Systems. He has also gotten the opportunity to assist with Tracer FIRE to help develop security scenarios.