After months of practice in preparation for the big competition, the Syracuse University National Collegiate Cyber Defense Competition Team, as a subset of the Information Security Club, was finally ready for the Northeast CCDC (NECCDC).
Consisting of students from the School of Information Studies and the School of Engineering & Computer Science, the team members were Zohura Choudhury, Sam Green, Randy O’Neil (me), Kunal Sharma, Kyle Stofka, Christian Soto-Ortiz, Carter Yagemann, and Alexandra Zadrevec. We were advised by Assistant Professor of Practice Bahram Attaie.
Teams are scored by the number of services correctly functioning, and the number of injects they complete. Services are measured by a dashboard that tests the services and gives a gridded picture of the teams and services. The injects are supposed to simulate business tasks and objectives assigned by upper level management.
The first trial consisted of a long trip from Syracuse, NY, to Worcester, MA, to Orono, ME, and the team arrived after the 12-hour journey on Thursday night. The first night consisted of a lot of homework and research to ensure our preparation for the long weekend ahead of us.
Friday morning consisted of the general briefing where the White Team gives the overall guidelines, the Red Team is introduced, and teams are assigned to their rooms. The next mission was to navigate the UMaine campus and locate the dining hall. After fueling up, it was time to start the competition.
The first day of the competition is for teams to get an overall feeling of their network and perform what hardening they can. Hardening is when you shut down all unnecessary services, connections, etc. that hackers (the Red Team) can exploit.
Earlier in the year, each teammate was assigned a role and a laptop. In addition to the 8 laptops, each team had an ESXi server hosting virtual machines. Initially we were not given any passwords, so we had to hack our way in using common passwords and what we could discover in the room.
We were ‘hands off’ at 19:00 to simulate the end of the day. The day did not end there, however, because each team was assigned ‘injects’ by the White Team.
Saturday morning consisted of a short check-in, where the White Team showed the top 3 and bottom 3 teams, but not in order. At 09:00 we were back in the rooms for the longest day of them all.
Saturday is when the Red Team starts to attack and wreak havoc on teams. It is also the day where teams learn the most about each other and calmness starts to dissipate. Saturday is a 10-hour day, but teams could go get lunch, snacks, etc. throughout the day. There are no official breaks, so each teammate is busy the whole day. There were at least 20 injects throughout the day, and it creates controlled chaos when in combination of the Red Team offense.
By the end of the day on Saturday, the NECCDC Red Team had the first full disruption where the whole scoreboard was completely red.
The Red Scoreboard. Photo source: John Poulin, twitter.com/forced_request
Following the brutal chaos of the competition, Saturday is also the career fair gala where the sponsors of the competition recruit students from the teams. Usually there are a few government agencies, such as the National Security Administration or Federal Bureau of Investigations. The gala is a lot of fun, even if you are not looking for a job or internship or you’re exhausted from the grueling day. Even with the career fair gala going on, there was also a new overnight inject.
Sunday is the final day and it is pretty short compared to the lengthy Saturday. It gives time for teams to wrap up, for the Red Team to go all out, and gives a lot of injects for a lengthy point boost at the end.
At the end, there is a final luncheon and debriefing where the top 3 teams are revealed. All teams get awesome gift bags, but the winning team gets a special prize by the main sponsor.
This year, Northeastern University took the top place and is going to the 2016 National CCDC, which is April 22 – 24.
What did we learn this year? Our lessons learned from NECCDC 2016:
- Everyone on the team needs to listen to each other and consider all ideas.
- Read through the e-mails, because there are often useful tips or passwords.
- Remember that it is a game, so try to have fun and learn how to play the game. You should take an early points deduction if you think it will help you save time and gain more points later on.
- RTFM – Read The F****** Manual.
- Be aggressive in limiting who has access and what they need access to.
- Follow the chain of command.
Why compete in NECCDC?
Even after all the headaches and frustration, I would not trade the experience of attending the North East Collegiate Cyber Defense Competition for anything. It looks great on a resume, gives you invaluable skills when you transition into the real world, and it gives you a sports team bond even if you are not the most athletic person. Also, attending CCDC will give you special connections for careers at the special job fair and even by simply attending.
For students that have never been in a situation like this, it can be very overwhelming, but you will survive and you need to remember that you are part of a team and that team is what will carry you. After doing this for two years, I will definitely miss it, and hopefully I can come back with a sponsor company as Red or White Team.