This year marked the 19th season of the National Collegiate Cyber Defense Competition (NCCDC). For those unfamiliar, CCDC is a competition that puts student teams in charge of managing IT for a fictitious company while the network is undergoing a fundamental transformation. This year the challenge involved a common scenario: a merger. Ten finalist teams were tasked with managing IT infrastructure during this migration period and, as an added bonus, the networks were simultaneously attacked by a group of red teams pretending to be bad actors.
Every year the students’ mission is to mitigate the risk of the red team attacks and ensure their business successfully transforms, all while continuing operations. This competition is unique as it lets the students get a feel for the chaos and stress that ensues when an organization is compromised, undergoing major transitions all while continuing to provide value to customers and report progress to their leadership team.
I’m lucky enough to have founded the National CCDC red team with my good friend Dave Cowen during the competition’s second year. Having participated as a core red team member for almost 20 years I’ve worked with many students and seen massive shifts in the technology, both offensive and defensive. Interestingly enough, while technology has changed dramatically, and exploits and vulnerabilities come and go, many of the core lessons remain the same. These are some key lessons that underpin the successful teams year after year.
Communication is key
The reality is, compromise happens, things break, mistakes are made, systems do not always operate as intended. The best way to navigate through these problems is clear, concise communication. Ensure your team knows the next steps to take, who is responsible for taking those actions, and that your leadership chain knows what to expect next. Having incident and crisis response plans baked and tested in advance can help in this effort.
Understand what is exposed
Put simply, you can’t defend what you don’t know about. On the red team, we are always looking for systems that are not supposed to be exposed, administration interfaces that should be locked down, that one user account with the default or an easily guessable password. The good news is, you can do the same thing. With the ever-changing and growing complexity of today’s networks, it is critical to look at your network the way the attackers do. Build a list of exposed infrastructure, keep that list up to date and audit those systems regularly to ensure they are working as intended.
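One way to keep that exposure list honest is to diff what a host actually listens on against what the team has agreed should be reachable. The script below is an added example, not something from the article or from the competition; the baseline and the socket snapshot are constructed inline (in practice the snapshot would come from `ss -tulnH` normalised into the same three-column form), and loopback-only listeners are dropped because they are not exposed to the network.

```shell
#!/bin/sh
# Added example (not part of the original article): report listeners that are
# exposed but absent from the approved baseline.

# Constructed baseline of what is allowed to be exposed: proto port process
BASELINE='tcp 22 sshd
tcp 80 nginx
tcp 443 nginx
udp 53 named'

# Constructed snapshot of what the host is listening on: proto addr:port process
SNAPSHOT='tcp 0.0.0.0:22 sshd
tcp 0.0.0.0:80 nginx
tcp 0.0.0.0:443 nginx
tcp 0.0.0.0:3306 mysqld
tcp 127.0.0.1:6379 redis-server
udp 0.0.0.0:53 named'

# normalise: "proto addr:port process" -> "proto port process", skipping
# listeners bound only to loopback since they are not reachable remotely.
normalise() {
  awk '{
    n = split($2, a, ":"); port = a[n]
    host = $2; sub(/:[0-9]+$/, "", host)
    if (host == "127.0.0.1" || host == "[::1]") next
    print $1, port, $3
  }'
}

# audit BASELINE SNAPSHOT: print one UNEXPECTED line per listener not in the
# baseline; exit 1 if any were found, 0 if the host matches the baseline.
audit() {
  base_f=$(mktemp); snap_f=$(mktemp)
  printf '%s\n' "$1" > "$base_f"
  printf '%s\n' "$2" | normalise > "$snap_f"
  # awk reads the baseline first (NR==FNR), then flags snapshot lines not in it
  awk 'NR == FNR { allowed[$0] = 1; next }
       !($0 in allowed) { print "UNEXPECTED:", $0; bad = 1 }
       END { exit bad ? 1 : 0 }' "$base_f" "$snap_f"
  rc=$?
  rm -f "$base_f" "$snap_f"
  return $rc
}

# Usage: non-zero exit means the exposure list and reality have drifted.
if audit "$BASELINE" "$SNAPSHOT"; then
  echo "exposure matches baseline"
else
  echo "review the listeners above and update either the host or the baseline"
fi
```

Run on the constructed input it flags only the MySQL listener on 3306; redis on 127.0.0.1 is ignored. The same check scheduled against every internet-facing host, with the baseline kept in version control, is the "keep that list up to date and audit regularly" step made concrete.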
Plan for failure
Be ready for something to break. Being able to detect, adapt and deal with those failures is a major differentiator. Review your plans with an eye for corner cases or assumptions to prepare for what could go wrong.
For instance, you have a punch-down list of steps to harden your Linux system. Great. Will you still have access to that list if your internet connection goes down? What happens if the Linux system has an apk-based package manager instead of yum? Do you know how to fix the package manager if it is broken? While you can’t plan for every possibility, make sure your plan is robust enough to enable you to jump over hurdles as they are put in front of you.
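The apk-versus-yum question above is the kind of assumption a hardening list tends to bake in. The script below is an added example, not from the article: it resolves the package manager once and maps both the install command and the package name (the audit daemon is `auditd` on Debian-family systems and `audit` elsewhere) so one hardening step works across distributions. The list of tools present is passed in as a parameter so the selection logic can be exercised on constructed input; the live run builds it from `command -v`.

```shell
#!/bin/sh
# Added example (not part of the original article): a package-manager-agnostic
# hardening step, with a dry run so it can be reviewed before it is applied.

# pick_pkg_manager "TOOLS": TOOLS is a space-separated list of commands found
# on the host; print the first supported manager, fail if none match.
pick_pkg_manager() {
  for candidate in apk apt-get dnf yum zypper; do
    for present in $1; do
      [ "$present" = "$candidate" ] && { echo "$candidate"; return 0; }
    done
  done
  echo "no supported package manager found" >&2
  return 1
}

# install_cmd MANAGER PACKAGE: print the non-interactive install command.
install_cmd() {
  case "$1" in
    apk)     echo "apk add --no-cache $2" ;;
    apt-get) echo "DEBIAN_FRONTEND=noninteractive apt-get install -y $2" ;;
    dnf|yum) echo "$1 install -y $2" ;;
    zypper)  echo "zypper --non-interactive install $2" ;;
    *)       echo "unknown package manager: $1" >&2; return 1 ;;
  esac
}

# audit_pkg_name MANAGER: package names differ between distributions too.
audit_pkg_name() {
  case "$1" in
    apt-get) echo auditd ;;
    *)       echo audit ;;
  esac
}

# detected_tools: which of the supported managers exist on this host.
detected_tools() {
  for c in apk apt-get dnf yum zypper; do
    command -v "$c" >/dev/null 2>&1 && printf '%s ' "$c"
  done
  echo
}

# Live use (dry run): resolve the manager once, then print each step.
# Replace the echo with eval once the output has been reviewed.
if mgr=$(pick_pkg_manager "$(detected_tools)"); then
  echo "would run: $(install_cmd "$mgr" "$(audit_pkg_name "$mgr")")"
else
  echo "fall back to the manual steps in the hardening list"
fi
```

The fallback branch is the point of the exercise: when the manager is missing or broken, the script says so instead of failing halfway through, and the team knows to reach for the manual part of the list.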
Overall, NCCDC is a unique and respected competition format, enabling student teams to experience the chaos of realistic compromises while managing the pressures of running day-to-day business operations. All of this prepares them for what to expect as they graduate and move on to careers in cybersecurity.
Congratulations to this year’s winning team UCF and to the nearly 1,800 students competing in the qualifying and regional competitions, representing 198 colleges and universities. We’re excited to welcome the next generation of cybersecurity professionals and look forward to continuing to learn from you in the coming years.
Chief Offensive Strategist — Randori, an IBM Company