This past weekend a few classmates and I competed in the North East CCDC regional at the University of Maine. First of all, we live in New Jersey, so driving to Maine was quite a trip, but nevertheless we had a great time. You can find a ton of information about the CCDC, but as a quick introduction: you, as a team of 6-8 students, take over a small corporate network which is being attacked by a professional team of penetration testers, all the while your CEO is asking you to implement new technologies he saw at conferences or on TV. The CEO is fake, the company is fake, the attacks are real. Fun.
The competition is focused on team dynamics, network/system administration, and time management. It is the embodiment of all the practical experience you beg your university to include in their coursework.
Our team learned about the competition mid-January, so we had little time to prepare. Fortunately, most of the team members were very enthusiastic and met twice a week, almost every week. The CyberSecurity faculty also donated time and equipment for us to use during practice. We used the college's CySec lab during off-hours to plan and exercise. Our group was also diverse with respect to knowledge and interests. We had two network-savvy members, one with internship experience using Windows servers and Active Directory, one interested in policy, and two graduate students with Unix system administration experience. During our preparation time, we familiarized ourselves with the technologies outlined in the team packet (found on the U-Maine website). We created "battle plans" for securing our systems and migrating services to make room for intrusion detection and centralized logging applications.
When we walked into our "team" room we were dazed and bewildered. Day 1 of the competition left us very frustrated and confused. Our first task turned into the realization that the network topology we had practiced with was incorrect. Unfortunately for us, the real topology did not include the OpenSolaris machine onto which we had planned to move all our critical infrastructure. This frustration, combined with installation requests and continued attacks, left us in 5th place out of 9 competitors after the first day. After a half-night of re-planning we entered the 2nd day with a new battle plan. We remained calm, and by the end of the day we secured 4th. The last day was somewhat uneventful and did not give us many chances to improve our score. We walked away 4/9, not bad for first-timers. If you've read any literature about the competition, many warn about the learning curve for first-time competitors; they are all right. Team dynamics and knowledge of new technologies are essential. The best plan for securing a CCDC network is not to have a plan for securing a CCDC network.
The name of the game, anecdotally, is: be ready for anything. The attackers will get into the systems; it took them under 2 minutes to compromise over 20 boxes. They started attacking the second the competition began, which means they all pressed enter and their pre-written scripts started working their magic. (Their professional experience allows them to persist on a compromised machine; the actual exploitation was trivial.) As defenders and information security students, team members must make decisions about removing machines, reinstalling software, and uninstalling software. They must understand when machines are compromised, find out how they became compromised, and at least prevent other machines from suffering the same fate. The immediate balance was between securing machines, cleaning machines, and dealing with inject requests.
One guru cannot win the competition, two prodigies cannot win the competition; you really need a team. Don't plan for specific requests, but plan on implementing requests. Keep track of which team members are busy and which can assist with time-sensitive deadlines. During 90% of the competition every team member was busy. During 90% of the competition more than one request was outstanding. I've learned way too much from the competition and it's going to take a few weeks for me to digest and codify everything. I plan on writing a few papers about how universities can benefit from participating, what they can do to prepare their students, and how students can prepare for similar competitions and events.