A few weeks ago, Champlain College hosted the regional chapter for the North East Collegiate Cyber Defense Competition (NECCDC), and I had the pleasure of being the Black Team Captain.
For those who are not familiar with NECCDC or CCDC for that means, CCDC is a cyber defense competition structured around building, maintaining and protecting a corporate environment built for 50-100 users. Student from around the region work together to stand up services like backup, mail or imaging solutions while defending off the external threat known as the “Red Team (Professional Penetration Testers).
This year the competition was centered around a company called Storm Surge Software who develops and maintains LMS solutions for the educational sector. Teams received challenges from the White Team (Judges) known as injects that helped prepare for the “Beavernado” (Champlain’s Mascot + Tornado). These injects consisted of creating a git server for backup or standing up secondary infrastructure servers on the in-room Hyper-V server.
This was my first year being a part of the competition staff for NECCDC. I have competed previously as a Blue Team (Students) and it was a ton of fun. All the teams did an exceptional job defending/securing their networks against some of the nasty things that Red Team had in place.
Thoughts and Recommendations:
Black team had a great perspective throughout the entire competition. We were in the competition rooms as tech support, managed the scoring engine, and watched team network traffic. Here are some recommendations based on those observations.
Branching from the Palo Alto firewall, each team had 3 network segments (LAN, WAN, DMZ). It is important to leverage all your resources (IP Sheets, Systems in Room, etc.) to have an understanding what is on your network. When I was on the blue team one of the first things the networking team did was scan the network with Nmap. That gave us a baseline of all the L2 and L3 addresses on the network and we could start to leverage those for firewall/host-based rules. You could even take that a step forward and run Nmap on an interval and compare results each time.
Host Based Firewall:
The environment was designed with HBFW in mind. We specifically placed multiple machines on the network that did not need to go through the firewall to communicate with everything else. You can read more about how the VMWare network was setup here. (There is a reason why the Switch was out of bounds…)
Black Team Wireless?
There was a moment where each team had a SSID named BlackTeamX (where X was the team number). Just because something says Black Team, does not mean that it was setup and supported by the Black Team. This was an example of Red Team trying to be sneaky.
Throughout the entire competition, communication channels were always available. Many teams would ask the in room judge or send an email to WTC. We saw tons of questions about injects and if a team could get a system rebuild from Black Professional Services. If you have a question, go through the proper channels to get it answered, if you don’t receive an answer ask again. Competition staff is here to make this an enjoyable experience for everyone. If the question can’t be answered, we will state that we can’t answer that.
NECCDC will be hosted at the University of Maine for 2020 and I am excited to be a part of it. Competition Staff have already been talking about what it could look like and how we can improve on 2019. If you are curious and want to see some behind the scenes action, check out the YouTube video made by the Red Team here. Also check out NECCDC 2019 from a Red Team Perspective written by Tom Kopchak here.