Home > Articles > Cisco Network Technology > General Networking > CCDC and the Tale of the Insider Threat

CCDC and the Tale of the Insider Threat

Article Description

Lately the Mid-Atlantic Collegiate Cyber Defense Competition (CCDC) has begun testing students' defense against a serious threat that is too often ignored: the danger of insider attacks. Brad Bowers discusses the value of including this challenge in CCDC events.
Invisible Intruder

Invisible Intruder

To set up the training exercise for the CCDC event, a member of the Red Cell Hacker Team posed as a college student working on a research project. The idea was for this hacker to take on the persona of someone with whom college students could empathize, to avoid raising suspicion. Dressed as a student, the hacker was able to enter the defending team's room by simply shadowing other students as they walked in. At no time was the hacker challenged to display a blue badge, the identification mechanism used to indicate a person's authorization to be in the room. Once in the room, the hacker was able to blend into the background, perceived as just another student on one of the teams, or perhaps a faculty member trolling the event.

After spending some time observing the students and learning who the team leaders were for each defending team, the hacker preceded to the next stage of the ploy. In this stage, the hacker asked members of the defending teams if he could interview them and take some pictures. He stated that the interviews would assist him with a research paper—a topic that resonated with the students. None of the students who were asked to be interviewed refused, and none objected to their pictures being taken. The hacker proceeded to ask questions that, on the surface, seemed benign in nature: "What school are you from?" and "What year of college are you in?" The questions were delivered with a smile, meant to be disarming and to help build a rapport with each student. As the conversations continued, more revealing questions were injected into the mix: "Have you identified any compromised systems on your network? What attacking IP addresses have you caught on your network? What is your team's strategy for defending your network?" As the hacker interviewed various team members, he altered the questions, using them to build on the information that he already had gathered from other interviews. A total of 13 students were interviewed from the five defending teams.

The interviews were a success! The amount and sensitivity of information disclosed was shocking; in a real organization, it could have been devastating to the security of the business. Students provided details about the strategy for defending their systems, including the types of defensive tools they were using and their successes and failures with those tools. They described areas of their networks where security was lacking, or where no logical security was configured at all. They disclosed detailed information about attacker IP addresses that they were able to identify. The students considered these IP addresses a coveted trophy, as they could use that information to create an incident report and block the attacker from their network. No individual divulged a significant amount of information, but the aggregate details from the interviews provided the hacker with critical data about how the Red Cell Hacker Team could alter its attack strategy to avoid being caught by the defending teams.

Although the students were all bright, tenacious, and ready to combat the technical aspects of the competition, they didn't have a comprehensive security strategy. They didn't consider the importance of protecting their informational assets, or the possibility that an insider might be sitting next to them, siphoning details.

3. Sealing the Gap Between Physical and Logical Security | Next Section Previous Section