lessons from a cyberdefense competition red team part 1

This is a 3-part account of my experience on the red team for the ISU CyberDefense Competition. Part 1, Part 2, Part 3

This weekend Iowa State University held its annual CyberDefense Competition in Ames, Iowa. The event is hosted by students and faculty from the Information Assurance Student Group and the Electrical and Computer Engineering department. In the event, teams of students attempt to deploy and manage various services representative of normal business applications. During the 20 hours the event covers, the teams are scored on their service uptimes as tracked by network monitoring (Nagios) and other neutral teams acting as normal users of the services. In addition, much like the real world, there is another team of students, faculty, and area professionals acting as attackers, intent on owning and bringing down those offered services. The services the teams were required to offer were web services (with pre-packaged web content), mail (smtp and imap), a telnet shell, ftp, wireless access for normal users, and dns to get it all working.

The teams are made up of regular students, I believe mostly to satisfy requirements in a couple of classes. There were 15 teams ranging from what looked like 4 members up to maybe a dozen. The students had time in advance to plan and implement their services. To illustrate the aptitude of the teams, at the start of the event only about half of them had their services up and running. Even through the course of the night, not every team had success getting services up, while other teams were more advanced, running ipcop, pf, or iptables firewalls and hosting services on anything from Linux to MS Exchange, on down to SquirrelMail or IIS mail. This illustrates the widely varied skill levels of these teams. Some teams had everything choked down behind a firewall, others had disparate boxes sitting on public IPs, and still others were having problems with their DNS configs.

The “world” for this event is a bit interesting in itself. The teams were allowed to use publicly routable IP addresses because the event was hosted in the Iowa State ISEAGE system. ISEAGE (Internet-Scale Event and Attack Generation Environment) is a mostly closed network that simulates the Internet on a small scale to model attacks and other research activities.

At the end of the event, teams were scored and a winner announced, but more important are the lessons learned from the event itself: how difficult or easy it is to put up and manage services for a business, attend to the needed systems, and react to security events; what worked and what didn’t. Hopefully everyone went away feeling at least a bit more enlightened about the world of professional IT, no matter what their final performance in the event itself.

On a more personal note, I certainly wish I not only had more interest in the field of networking and security when I was in college, but I also wish we had these kinds of groups. I graduated in 2001 with a degree in MIS from ISU, but I never had any security courses (and almost no security emphasis in programming or other classes) and my only networking exposure came in my last semester. I graduated having never really installed an operating system or upgraded one, nor knowing much of anything about normal business services and technology. I’m amazed where I’ve come since then, and I’m amazed that college studies are starting to catch up to the real world of IT and out of the academic “let’s just teach everyone C and theory” practices. A competition like this where students install and work on these services is downright invaluable, even to those who didn’t successfully get services running. IT is so much about doing things, not about sitting in a classroom and listening to a lecture about the theories.