The past month has gone so quickly as I've been helping Rapid7 open its new UK office,but I wanted to take some time to recap on National Collegiate Cyber Defense Competition (NCCDC) which took place in April as it was a really awesome experience for all involved (even for the blue teams!).
When I think back on NCCDC, the term “stacked deck” comes to mind. Let me set the stage: 9 college teams with ages ranging from 18 to 22 vs 15 of the best consultants the infosec industry has to offer. Here's the scenario: an entire network team has been fired for each blue team's environment and each team has to hop in blind, figure out what types of devices they have, and secure them. All the while, the veritable “Super Friends” red team is trying to pillage and destroy everything they build. Sound like fun? Depends on what team you're talking to…
I spent most of my time in the red team room so my perspective was that of the hackers rather than the hackees. Day one was mainly reconnaissance, trying to figure out what was there and setting up persistent attacks for days two and three. Dave (red team leader) told me the idea is to hold off on the actual attacks for the first day as this makes days two and three much more fun. If all the attacks are run on day one the blue teams will simply fix that problems and move on, leaving the red team to seek out other avenues. This proved raother difficult for the red team, them seeing these vulnerable networks is like dangling a juicy steak in front of a bear.
Day two was execution, which was probably the most fun to watch. All of the preparation, all of the backdoors, all of the setup done by the red team on day one was acted upon. Immediately there were shells flying from Metasploit Pro and mass defacement on six of the nine teams. The ultimate goal of the red team was to compromise, attain the “customer data”, deface the web page, and publish the credit card information on the page. The longer the blue teams' had devices that were down, or that websites were inadvertantly publishing credit card data, the more points they would lose. There were a few teams that were able to hold out and keep their networks up and functioning, but the majority of them were hit pretty hard. As the day progressed, the blue teams became better and better at thwarting the red teams' attacks and actually stumped a few of them for a period of time.
Day three was a half-day, and was by far the most challenging for the Red Team. Battle-hardened blue teams had grown wise to the red teams' methods, which prompted some interesting and sometimes extreme measures to break in. There were a few compromises, but not nearly as much as the second day. At the end, reports were gathered, scores were tallied, and the winner was announced.
There were many key takeaways from the competition, mainly the techniques from the red team and the adaptability of the Blue Teams. From where I sat I saw heads down concentration from the red team guys and unbridled resilience from the blue teams. One thing I was thoroughly impressed with though was no matter how bad things got for the blue teams they never gave up.
All in all,everything ran incredibly smooth; the management team and setup folks were amazing. The competition is in its 6th year and has never been better. A very successful event: big thanks to the NCCDC crew and congratulations to the University of Washington on their big win!