The 2011 Collegiate Cyber Defense Competition (CCDC) has wrapped up, and this year's competition was more demanding and challenging than ever. I've had the distinct pleasure of facilitating the role of a "Red Cell Hacker" for the last four years, and I have been nothing short of amazed at the caliber and dedication of the competing teams in this two-day onslaught of attacks and defense against mock corporate networks. CCDC continues to raise the bar and complexity of challenges; whether it's taking on cutting-edge Power Grid systems or defending against internal-espionage threats, the CCDC students are in a constant struggle between security and managing corporate demands. In this article, we take an insider's look into the CCDC competition and the technology used to forge the next generation of cyber warriors.
What Is CCDC?
CCDC is a national cyber-defense competition that allows college students to test their IT security skills on mock corporate networks against attacks by professional hackers and security researchers. CCDC has grown considerably over the years, attracting new talent on both the attacker and defender sides. The CCDC event has a simple mission, says Casey O'Brien, Director of CyberWatch and six-year organizer of the Mid-Atlantic Regional CCDC event. "CCDC aims to develop the IT security professionals of tomorrow and prepare them for the realities of working in the field of information security." Higher education institutes that participate in this national competition are able to gauge their IT security program's effectiveness in developing the people and technical skills that organizations want for their employees. The CCDC events also have another goal: helping organizations to identify talent in the ever-growing field of information security.
The Mid-Atlantic Regional CCDC has always sent a strong team to the national competition and is known for integrating a wide range of cutting-edge technologies and security disciplines into the event. This year's Mid-Atlantic CCDC event was held March 10‒12 at the Applied Physics Laboratories (APL) at Johns Hopkins University in Laurel, Maryland.
Complexities of a High-Tech Corporate Network
CCDC aims to construct a challenging network that incorporates as many leading technologies as possible, while being intuitive enough to be managed by a small team. To pull off this feat, the Mid-Atlantic CCDC enlists the help of iSIGHT Partners, a leader in developing and running cyber exercises. "We strive to develop a network environment that rivals the reality of what students can expect in the real world," says Tim Rosenberg, Director of Cyber Exercises.
Each year, CyberWatch and iSIGHT develop a theme for the Mid-Atlantic CCDC event based on emerging technologies and trends in the security industry. In previous years, the event integrated technologies such as Supervisory Control and Data Acquisition (SCADA) systems and remote-management power control systems. In keeping with the emerging threat landscape in information security, this year's environment incorporated a "Smart Grid" power architecture that competing teams were required to defend and keep running, all while dealing with attacks from the Red Cell Hackers team.
Smart Grid technology has been a hot topic lately, as security experts continue to uncover the risks associated with attacks against the infrastructure and SCADA systems that run our nation's water, gas, and electrical delivery systems. Smart Grid technology is an emerging security field, and security researchers agree that it's a likely target for terrorism or state-sponsored cyber attacks. The integration of Smart Grid technology into the CCDC game play brings a realism that is unique to these events, demonstrating CCDC's commitment to keep up with cutting-edge technologies used by real organizations and governments.
Digging In
The first day of competition is always the most exciting for the Red Cell Hackers and the most stressful for the Blue Cell Defenders. Palms sweat and knees bounce in anticipation as both Attackers and Defenders wait for the clock to announce the start of the competition. The Red Cell Hackers silently grin at each other, as they know the first day almost always ends in their favor. This is where the hackers dig into poorly configured and vulnerable systems, using a barrage of tools and techniques including Metasploit, w3af, and custom scripts developed by the hackers specifically for this event. The primary goal of the attackers is to establish "persistence" on as many systems as possible before the defending teams are able to adapt and effectively defend their systems. The Red Cell Hackers use many techniques to obfuscate their presence in the systems they compromise. These techniques require the Blue Cell defenders to have a keen eye toward identifying abnormal accounts, behaviors, and files on their systems. Once they've identified an intrusion, the Blue Cell teams must figure out how to extract the malware and repair any backdoors embedded into their systems. These invaluable skills will be an asset to students as they pursue a career in information security.
High-Tech Badges and Equipment
Another unique twist to this year's Mid-Atlantic CCDC competition was the use of XBee 802.15.4-compliant radio-enabled badges. Each competitor was required to wear a badge during the competition, and each badge acted as a power meter, similar to those used in industry and in consumers' homes to track and monitor power consumption. For the competition, the XBee badges represented power nodes, integrated into the Smart Grid power systems that each team was required to manage and protect. The badges were configured to emit a predetermined amount of power usage at regular intervals. The power usage was transmitted and collected by back-end infrastructure, and then tallied and scored for each team's environment. A team's power usage represented a critical element of its overall success. If a team's Smart Grid infrastructure reported that its system was utilizing too much power, the team's score would take a hit. The goal of these intelligent badges was to simulate some of the components that make up a Smart Grid infrastructure, immersing students in the game play of regulating power usage, as they had to ensure that no abnormal activity existed.
Cracking the Badge
It didn't take long for the Red Cell Hackers to discover the inner workings of the XBee badges and start to manipulate not only the badges themselves, but the back-end infrastructure that was used to support the Smart Grid system. Like the competing students, each Red Cell Hacker was given an XBee 802.15.4 radio consisting of an Arduino Duemilanove clone microcontroller with an integrated XBee radio. The Hackers discovered that each radio was assigned a unique address, mimicking XBee radios commonly used in consumer applications.
The hackers were able to determine that the radios assigned to the competing teams were configured to use the same channel and network (known as a universal identification, or PAN ID). This design provided the hackers with a foothold to manipulate not only the Blue Cell's badges, but to craft attacks against the back-end infrastructure that each team depended on to assess its power usage. The hackers reconfigured their badges to mimic those owned by competing team members. With the badges cloned, the hackers had complete control over the power usage of those hacked badges and could dramatically increase the power usage of their competitors' badges.
As teams began to notice significant increases in their power consumption, they devised defense strategies for protecting their badges. In an example of a high-tech cat-and-mouse game, the Blue Cell teams changed their badges' addressing, and in some cases even started to send negative values to lower their power-consumption scores. In the exchange of attacks and defense, the hackers escalated the stakes by creating custom code that converted their badges into a denial-of-service (DoS) Smart Grid attack platform. The hackers changed the configuration of the XBee devices to cover all possible addressing combinations and then proceeded to send maximum power-usage values to their opponents. During this exchange, students learned a valuable lesson that often takes security professionals years to understand—that it's not always possible to defend against all vectors of attack. Sometimes the best solution is simply to mitigate the risk, rolling with any attacks that might happen.
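The badge exchange described above (a shared channel and PAN ID, cloned badge addresses, negative readings sent by defenders, and a flood of maximum readings from the attackers) is exactly what a Smart Grid back end has to absorb when it cannot trust the radio layer. The following Python is an added example, not code from the article or from CCDC, CyberWatch, or iSIGHT. It assumes a simple (timestamp, badge address, watts) record format, a 60-second reporting interval, and a 5000-watt physical ceiling per badge; all of those, and the sample readings, are constructed for illustration. It does not try to stop spoofing on the air; it bounds the damage a spoofed or cloned badge can do to the score, which is the "mitigate the risk" lesson the passage ends on.

```python
"""Back-end validation of Smart Grid meter readings (constructed example).

Each reading is a (timestamp_seconds, badge_address, watts) tuple. The
checks flag the failure modes seen in the competition:
  * negative readings (a defender trying to lower its own score)
  * readings above the physical ceiling (the "maximum usage" flood)
  * one address reporting far more often than its configured interval,
    which is what a cloned badge looks like from the back end
Rejected readings never reach the tally, and addresses that triggered a
ceiling or frequency check are listed for an operator to investigate.
"""
from collections import defaultdict
from dataclasses import dataclass, field

MAX_WATTS = 5000            # assumed physical ceiling for a single badge
REPORT_INTERVAL_S = 60      # assumed configured reporting interval
MIN_GAP_S = REPORT_INTERVAL_S // 2   # anything faster is treated as a clone


@dataclass
class Verdict:
    accepted: list = field(default_factory=list)     # readings used for scoring
    rejected: list = field(default_factory=list)     # (reading, reason)
    suspect_addresses: set = field(default_factory=set)


def validate_readings(readings):
    """Filter a batch of readings, returning what may be tallied and why the rest was dropped."""
    verdict = Verdict()
    last_seen = {}                       # address -> timestamp of last accepted reading
    for ts, addr, watts in sorted(readings):
        reading = (ts, addr, watts)
        if watts < 0:
            verdict.rejected.append((reading, "negative reading"))
            continue
        if watts > MAX_WATTS:
            # A value no real meter can produce: likely an injected maximum.
            verdict.rejected.append((reading, "exceeds physical ceiling"))
            verdict.suspect_addresses.add(addr)
            continue
        prev = last_seen.get(addr)
        if prev is not None and ts - prev < MIN_GAP_S:
            # Two "badges" sharing one address report out of step with each other.
            verdict.rejected.append((reading, "reports too frequent (possible clone)"))
            verdict.suspect_addresses.add(addr)
            continue
        last_seen[addr] = ts
        verdict.accepted.append(reading)
    return verdict


def usage_by_address(accepted):
    """Tally accepted watts per badge address; this is what the score is based on."""
    totals = defaultdict(int)
    for _, addr, watts in accepted:
        totals[addr] += watts
    return dict(totals)


# Constructed sample batch: badge 0x0A is well behaved, 0x0B sends one
# negative value, and 0x0C has a clone injecting a maximum reading and then
# a plausible reading only 10 seconds after the genuine one.
SAMPLE_READINGS = [
    (0, "0x0A", 120), (60, "0x0A", 125), (120, "0x0A", 118),
    (0, "0x0B", 200), (60, "0x0B", -400), (120, "0x0B", 210),
    (0, "0x0C", 150), (5, "0x0C", 65535), (60, "0x0C", 150), (70, "0x0C", 300),
]

if __name__ == "__main__":
    v = validate_readings(SAMPLE_READINGS)
    print("accepted:", len(v.accepted), "rejected:", len(v.rejected))
    for reading, reason in v.rejected:
        print("  dropped", reading, "->", reason)
    print("suspect addresses:", sorted(v.suspect_addresses))
    print("usage per address:", usage_by_address(v.accepted))
```

On the constructed batch, seven readings are tallied and three are dropped; only badge 0x0C ends up on the suspect list, because a negative value on its own is a scoring trick rather than evidence of a second radio. The frequency check is deliberately crude (half the configured interval): it will also fire on a badge that genuinely retransmits, so in practice the suspect list is a queue for an operator, not an automatic ban.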
Things Get Physical
Another element that made the competition a rich learning experience was integrating the many different disciplines of information security. The CCDC competition prides itself on keeping game play as close as possible to what students can expect to encounter in the real corporate world—including incident response and physical security. Competing teams have a myriad of security tools and techniques at their disposal for identifying and pursuing their opposition. If a team believes that it has identified an attacking Red Cell member, the team can submit an incident report detailing the technical evidence that has been collected, and the Red Cell member will be temporarily banded—that is, arrested.
Competing team George Washington University was able to identify the source of system compromises and other malicious activity on its network. Using packet captures, photographs, and a bit of social engineering, the team was able to identify the Red Cell Hacker in its systems, and proceeded to have a mock police force perform an arrest. The hacker was taken to a temporary lockup, where he was questioned about his activity and even bribed with leniency should he divulge the names of other Red Cell Hackers. The inclusion of incident-response and forensics practices helped students to experience and understand the various components that comprise dealing with the collection, proper handling, and presentation of forensic evidence.
What's That Electronic Device Behind My Computer?
Another facet to the game play that makes the Mid-Atlantic CCDC unique is the incorporation of insider threats and physical access. Each year, a small amount of time is allotted to the Red Cell Hackers to have physical access to the competing teams' computing environment when those teams have gone home for the evening or are otherwise occupied. This is a coveted treat for the hackers, who spend time preparing rootkits, password crackers, and keylogging devices to be connected to the teams' systems, in hopes that compromised devices will "phone home" and provide the Red Cell Hackers with control. An addition this year was small eavesdropping devices that were planted under the teams' workspaces. These small listening devices, better known as "GSM bugs," work off the cellular networks, allowing someone to dial in remotely from anywhere in the world, eavesdropping on conversations and activities.
The physical access event is meant to teach students two very valuable lessons:
- In the event of physical access, most logical security controls such as passwords and network configurations will fail to protect systems. The simple truth is that all bets are off if an attacker can gain direct physical access to systems, even if only for a short time.
- The second lesson is the importance of considering all aspects of security. It's not enough to implement and consider only logical countermeasures and controls. Students must learn the importance of considering all attack vectors, including the possibility that someone on the inside may not be working in the team's best interest.
These lessons help to solidify the students' understanding of basic security traits such as securing documents that may contain sensitive information, and ensuring that systems are properly locked away before leaving them unwatched for extended periods of time.
The Wrap-Up
At the end of the second day of the Mid-Atlantic CCDC, it's plain to see the toll that two days of nearly constant attack-and-defense have taken on the teams, as they wait patiently to hear who the winner is and who will be moving forward to the national competition. Each team has had to deal with system compromises, incident response, physical security threats, and even attacks against cutting-edge wireless systems that were completely new to them. While many teams don't make it to the national competition, each participant has gained valuable skills and experience. Each student walks away with a better understanding and appreciation of the many facets of information security, along with the dedication it takes to succeed in this constantly changing field.
