I had the opportunity to participate in the Mid-Atlantic Collegiate Cyber Defense Competition (CCDC) over the past weekend as the back-up captain and Linux admin for GWU. It was a great learning experience and I'm sad that it's my last year in school and won't be competing next year. You can read more about the competition here, but it's basically a weekend where students (the blue team) are given a network of insecure machines and services that need to be protected and are relentlessly attacked and exploited by a group of professional penetration testers (the red team). CCDC could be more accurately titled "A weekend of crying for security newbs." For those of you that competed on the blue team, you know what it's like to celebrate when more than 50% of your services are running and you still have control (or at least think you do) over the majority of your machines.
This year's GWU team was very new to CCDC. Two of our members had competed before, but the rest had never been a part of a hacking competition before. On top of that, we had people (including myself) who are very new to security and IT as a whole, plus a couple of freshmen that were new to computer science and the idea of security. Our team worked really hard preparing to secure the services that these operating systems were supporting and many late nights were spent in the lab writing up guides.
The first day of competing was especially painful. Lots of hours had been put in to learning how to secure services, what passwords would be used, and what firewall rules were the best to use. I had written up some great rules for iptables and our firewall guy was feeling good. The second we got on our machines, we felt overwhelmed. Too many processes were running on our machines, we had trouble accessing our Nagios and kiosk boxes, the DNS Window's box was already not resolving requests, and none of the Linux boxes allowed as to scroll upward through our command history so typing commands was more tedious than expected. At some point, we lost control of our firewall and had to reset it. This really hurt our score right away as we weren't prepared to reset the machine or knew how to find rules that red team had placed there. By the end of the first day, our team looked pretty discouraged and morale was low.
The second day was much more enjoyable. After a great speech by our team captain, Michelle Monsees, we walked down into the pit with a new attitude: we were going to have fun today regardless of the outcome. And we did! The night before, as we were leaving our network, one of our team members captured video of red team member Georgia Weidman putting a CD into our machines. We decided to call over "law enforcement" and file a report on the physical break-in. To our delight, an arrest was made (a first in CCDC history) and red team had to sit out for 30 minutes. While our firewall guy removed all the scripts that red team had placed in his start-up config, I got to do what I love: incidence response! I found a phone home script on one of our Windows boxes that was hidden with a Notepad.exe file on the Desktop. I also got Wireshark and nmap running and was able to file a couple of incidence response forms as well as better monitor what was happening in our subnet.
My favorite attack by the red team was Georgia's attack on the power. To my knowledge, every team failed to realize that our Ethernet came from a power strip that had an IP address. Georgia was able to log into them with the default password and turn the power on and off at her discretion. This should serve as a reminder to everyone working in security: it's not just desktops and servers that have IP addresses that can be used to attack your network!
Another attack vector our team lost numerous times was our kiosk that sat outside our network and were more susceptible to physical attacks. Red team installed Deep Freeze on all the blue team's kiosks, keeping us from making any permanent fixes to them. Here we see Red Team hacker Jesse Varsalone hanging around our kiosk who quickly slips his USB drive into his hand:
Another interesting activity was the “CEO” interview. Each school had to send their captain into a meeting with the “CEO” of our company with three memos. A lot of teams weren't prepared for this and either sent other members to act as the captain or couldn't take the heat of the angry CEO. Our team did really well at this and had the second highest score for this event. The “CEO” made the important point at the end of the day saying that “it's the business, stupid,” and that's really what our IT infrastructure is working to support. It's not the mission of IT, it's the mission of the business that our decisions need to be based on.
The final day was long, but much more enjoyable with our new attitude. As the last 5 minutes of the competition were counted down, our team loudly sang the chorus to Chumbawamba's Tubthumping: "I get knocked down, but I get up again.."
Congratulations to the University of Maryland for winning the Mid-Atlantic CCDC! Take down the competition at Nationals!