This year marked the 19th season of the National Collegiate Cyber Defense Competition (NCCDC). For those unfamiliar, CCDC is a competition that puts student teams in charge of managing IT for a fictitious company as the network is undergoing a fundamental transformation. This year the challenge involved a common scenario: a merger. Ten finalist teams were tasked with managing IT infrastructure during this migrational period and, as an added bonus, the networks were simultaneously attacked by a group of red teams pretending to be bad actors.

Every year the students’ mission is to mitigate the risk of the red team attacks and ensure their business successfully transforms, all while continuing operations. This competition is unique as it lets the students get a feel for the chaos and stress that ensues when an organization is compromised, undergoing major transitions all while continuing to provide value to customers and report progress to their leadership team.

I’m lucky enough to have founded the National CCDC red team with my good friend Dave Cowen during the competition’s second year. Having participated as a core red team member for almost 20 years I’ve worked with many students and seen massive shifts in the technology, both offensive and defensive. Interestingly enough, while technology has changed dramatically, and exploits and vulnerabilities come and go, many of the core lessons remain the same. These are some key lessons that underpin the successful teams year after year.

Communication is key

The reality is, compromise happens, things break, mistakes are made, systems do not always operate as intended. The best way to navigate through these problems is clear, concise communication. Ensure your team knows the next steps to take, who is responsible for taking those actions, and that your leadership chain knows what to expect next. Having incident and crisis response plans baked and tested in advance can help in this effort.

Understand what is exposed

Put simply, you can’t defend what you don’t know about. On the red team, we are always looking for systems that are not supposed to be exposed, administration interfaces that should be locked down, that one user account with the default or an easily guessable password. The good news is, you can do the same thing. With the ever-changing and growing complexity of today’s networks, it is critical to look at your network the way the attackers do. Build a list of exposed infrastructure, keep that list up to date and audit those systems regularly to ensure they are working as intended.

Plan for failure

Be ready for something to break. Being able to detect, adapt and deal with those failures is a major differentiator. Review your plans with an eye for corner cases or assumptions to prepare for what could go wrong.

For instance, you have a punch-down list of steps to harden your Linux system. Great. Will you still have access to that list if your internet connection goes down? What happens if the Linux system has an apk based package manager instead of yum? Do you know how to fix the package manager if it is broken? While you can’t plan for every possibility, make sure your plan is robust enough to enable you to jump over hurdles as they are put in front of you.

Overall, NCCDC is a unique and respected competition format, enabling student teams to experience the chaos of realistic compromises while managing the pressures of running day-to-day business operations. All of this prepares them for what to expect as they graduate and move on to careers in cybersecurity.

Congratulations to this year’s winning team UCF and to the nearly 1,800 students competing in the qualifying and regional competitions which represented 198 colleges and universities. We’re excited to welcome the next generation of cybersecurity professionals and look forward to continuing to learn from you in the coming years.

More from Incident Response

How I got started: Incident responder

3 min read - As a cybersecurity incident responder, life can go from chill to chaos in seconds. What is it about being an incident responder that makes people want to step up for this crucial cybersecurity role?With our How I Got Started series, we learn from experts in their field and find out how they got started and what advice they have for anyone looking to get into the field.In this Q&A, we spoke with IBM’s own Dave Bales, co-lead X-Force Incident Command…

How Paris Olympic authorities battled cyberattacks, and won gold

3 min read - The Olympic Games Paris 2024 was by most accounts a highly successful Olympics. Some 10,000 athletes from 204 nations competed in 329 events over 16 days. But before and during the event, authorities battled Olympic-size cybersecurity threats coming from multiple directions.In preparation for expected attacks, authorities took several proactive measures to ensure the security of the event.Cyber vigilance programThe Paris 2024 Olympics implemented advanced threat intelligence, real-time threat monitoring and incident response expertise. This program aimed to prepare Olympic-facing organizations…

How CIRCIA is changing crisis communication

3 min read - Read the previous article in this series, PR vs cybersecurity teams: Handling disagreements in a crisis. When the Colonial Pipeline attack happened a few years ago, widespread panic and long lines at the gas pump were the result — partly due to a lack of reliable information. The attack raised the alarm about serious threats to critical infrastructure and what could happen in the aftermath. In response to this and other high-profile cyberattacks, Congress passed the Cyber Incident Reporting for Critical…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today