This will come out all wrong if I don’t begin with “I love Cyber Defense.” There it is; I said it. My one true love is not David Foster Wallace after all but an obscure excuse to get assassinated by a bunch of professionals on a Saturday morning. I blame this notion of the collegiate Cyber Defense Competition for single-handedly launching my career, getting me into famous-people parties at conferences, and the fact that it is debatable whether I am 22 or 24. If I was the director of the Viteman foundation for the advancement of education, I would invest a good deal of my doubloons to see that there will always be a Red Team at the Mid-Atlantic qualifier. However, being as I am instead just another recent college graduate who thinks maybe just maybe she can make it in security, I can’t do much more than whine about it. It being Rachel waking me up before my alarm on a Thursday in a panic to tell me that the world we have come to depend on has ceased to exist. No one who has ever been Cyber Defense captain would dare refute her. That’s not to say that anything can prepare a team for cyber defense, but back when I was captain I used to chant, “It isn’t qualifier if the Red Team doesn’t have root before you start.” Everyone knows a captain’s word is law. So what then is a qualifier-esque scenario in which the student teams connect to the competition VPN from home, spend 3 hours hardening 3-4 systems with some services, and then are scored by Core Impact and some other penetration testing tools not to include a Red Team?

The rationale for this decision includes allowing more teams and smaller teams with smaller budgets to compete and saving money for everyone involved. I am all for saving JMU money so they can budget more for my filet mignon, though filet mignon is part of the JMU Cyber Defense Team tradition in Lancaster, PA at qualifier while we are all a little too nervous to enjoy it properly. In the spirit of all fairness, I believe everyone, read everyone, should have a chance to compete in Cyber Defense. I’m not even precluding non-security-type majors. Cyber Defense can be a good way to know if you want to do this for your whole life. I suppose by nature you have to be in college to compete, but I’m looking forward to competition going international with a top showing from the Uganda Christian University where beneficiaries of Hackers for Charity will be further honing their skills. The press release also notes that this system has been used by other regions such as the Midwest. “Why does it matter what the Midwest is doing?” I ask flippantly before realizing that the winner of the past two national competitions, Baker College, hails from the Midwest region. Fair enough. They are no doubt doing something right out there, but I seriously doubt having an offsite qualifier without a Red Team has much to do with it.

As previously stated I think everyone on the face of the planet should have a chance to participate in the Collegiate Cyber Defense Competition; however, I suppose I don’t see competing in this setup as quite the same thing as actually competing. You can never be ready for regionals. Every year White Wolf has managed to throw some righteous challenges our way. Even as a Red Team member it will be an opportunity to get some experience with cutting-edge technologies that are coming to the forefront of information security. Having been through the Collegiate Cyber Defense Competition and even having taken gold at the qualifier, I still knew I was in for trouble that no amount of preparation could absolve the moment I saw the final team packet the morning of the regional competition. I remember Tim Rosenberg of White Wolf Security commented, “Think you have enough USBs?” upon seeing ten around my neck. The answer: “no, not even close.” It’s just a given that the real winner is always the Red Team. The most a Blue Team can hope for is not to cry and vomit, learn more than you will learn in any classroom, and maybe, just maybe, knock out and keep out a few Red Team exploits along the way. My question is how can teams that have never done this before ever hope to have a good experience at Cyber Defense regionals? Without getting their feet wet in the one-day qualifier where the Red Team is in before it even begins, how will they know how to hit the ground running and come home from regionals proud? I once heard it from a friend who did Cyber Defense before there was a qualifier that, “one team decided to walk out in the middle of the competition.” In my personal opinion a team that goes through only the form of qualifying round suggested above will not get the most out of their experience.

Cyber Defense has already tried to make it extra difficult with no internet, a purposefully bogged-down network, etc. (Pronounced etcetera for the win). I just think maybe the newly instated rules for the qualifier might be taking it to a whole new extreme. An additional information release stated that again machines will have no access to the internet, and no tools may be uploaded to the systems. Though not specifically stated, this probably means no patches as well, especially considering past waltzes around the legality of patches. But let’s face it, why not just run “Core Impact and other penetration testing tools,” against the systems and do your best to fix what it finds in the time allotted, that is if your school is rich enough to have a Core Impact license. I’m sure we all know how much that costs, which kind of goes full circle back to the idea that this setup will allow programs with smaller budgets to compete. Compete, sure, but at a disadvantage to say the least.

One might could say that the bulk of my argument stems from the fact that I want yet another excuse to see how my old team is doing these days, hang with all the famous people I’ve met through Cyber Defense, and hack some stuff. While all that would be grand, and you’d better believe Scott plus Georgia equals social engineering trouble, my real concern is that some students won’t get the opportunity to be coerced into crying and vomiting by the Red Team. The Red Team is what makes this article so tragically unfinished. The Red Team is what makes Cyber Defense, Cyber Defense. Here’s a joke: a Blue Team captain just recently 21 walks into a hotel bar. Not long after that a small group of Red Team and White Team members also enter the bar. Later that year she’s at arguably the biggest hacker show of the year and walking through the press room she hears, “Hey, I know you!” from a very important table. A small crowd of people around her all looks on in disbelief, “Who are you and what have you done that’s so awesome that famous person knows you?” The punch line is she’s arguably 22 by morning, but that’s another story with video evidence to prove it.

What’s really getting me down here is that a whole set of teams are not going to get to meet real live hackers with spouses and children and sometimes stable jobs and even mortgages. I suppose it’s in that instant that a computer hacker ceases to be this esoteric Zarathustra on the mountaintop, the geeky equivalent to Don Mafioso, and turns into exactly what I’ve wanted to be my whole life. It’s kind of like some really important type telling you, you really can be a rock star except instead of saving rock and roll you are going to save, well, everything.

Georgia