We held the 2 rounds of regional qualifiers at our facility January 17th and 24th. Interest in the competition has been steadily increasing over the last few years, so we've had to break the competition down into two 1-day competitions to accommodate the additional participating universities. Each 1-day event pitted the teams of four universities against one another, with the top two teams advancing to the next round (the national qualifier held in March).
The rules of the competition are fairly simple. Each team of students inherits a network to defend. The students are given a list of the operating systems and services they'll have to administer and defend during the competition. The teams are scored based on 4 criteria:
- the ability to defend themselves from the hackers (aka the Red Team)
- the ability to complete business injects
- the ability to gather information about, and respond to, known intrusions (incident response)
- the ability to maintain the availability and integrity of their business services
These criteria are scored in various ways: some manual, some automated and some a combination of both. In the end, the two teams that do best across all 4 scoring categories are invited back to participate in the next round.
The Infrastructure
The team's infrastructure was kept very similar to the regional competition of last year. Each team (of up to 8 students) was tasked with administrating and defending:
- A Cisco firewall
- A network-enabled security camera
- An Asterisk PBX Server and 2 VoIP phones
- A server running Nagios, as their out-of-band test system
- 6 servers (3 Windows, 3 Linux) running various versions of the operating system, comprising the fictional business's core infrastructure. This includes an Active Directory server, mail server, primary and secondary DNS, a web server, database server and a Human Resource management server
The Blue Teams
Because of the short length of the exercise (the competition ran from around 9AM to around 5PM) the teams weren't given any lead time ahead of the Red Team. At 9AM the teams were allowed onto the systems and had to move quickly to identify systems and services and begin working the plans that they had come up with in the weeks leading up to the competition.
In some cases plans were executed and worked well, in other cases plans changed on the fly based on the environment that the students found, and in all cases the Red Team's hacking activities made plans obsolete quickly. It's difficult to keep up the intensity required to defend a network that is consistently under attack for 8 hours, especially when you're aware that your network has been penetrated and you're still trying to do all the other things being asked of you, but the participating teams always manage admirably.
The goal of the Mid-Atlantic CCDC is not to present a true-to-life realistic scenario for the students, but to drop them right into the middle of a worst-case scenario, and see which teams can organize under pressure and rise to the top. Given those constraints: 8 hours is a long, long day.
During the After Action Review (AAR) the teams discussed the strategies they began the day with, and which ones were effective or not. Many teams started the day with strategies of immediately applying OS patches to defend against known vulnerabilities. This strategy frequently didn't work due to shared bandwidth issues (4 teams attempting to pull hundreds of megabytes of updates through one shared Internet pipe), which meant that often teams were waiting 60 minutes or more to get patches in place, while their systems were under attack.
One team came to play with only 2 members and did extremely well. One was a Linux expert, one a Windows expert, so they split the systems in half by OS and focused only on their area of expertise. Their strategy was to completely ignore business injects (the tasks given to teams to simulate everyday business requests, such as password changes and new account creation) and focus only on keeping their required services up and running correctly. This team did amazingly well. Sadly, the weighted nature of the scoring means that abandoning one part of the competition completely makes it unlikely to move on to the next round. If they had just one more person to handle administrative tasks, though...
The Red Team
As the size and number of the blue teams increase, the red team is always there to match. This year had our largest number of hackers so far (17 hackers showed up for the January 17th date). Our hackers included professional government penetration testers, university professors and students, and security professionals, as well as just plain hobbyists and enthusiasts. This year also had a few blue team members from previous years who have since graduated, but decided to come back and join in on the fun from the other side.
The Red Team's lair can always be identified by the low overhead lighting, the disproportionate number of LCD screens to people, War Games (or Hackers) being played on an overhead projector and, of course, the periodic laughter when something goes incredibly right. There were the usual fun pranks: cancelling patch installs and system reboots and remotely initiating Windows Vista installs. But there were also some new pranks tried out, like replacing the logo on VoIP phones, and the accidental destruction of a VMware config file (oops).
These 1-day exercises are always fast-paced and usually have a few surprises throughout them, but they're always a lot of fun. Pictures from the event can be found on our website, and further information about the competition can be found on the National CCDC homepage.