Red Team Volunteering Experiences From The Collegiate Cyber Defense Competitions
This blog post will shed light on the experiences of a few of our White Oak Security penetration testers who volunteer at the Minnesota CCDC event, which is part of the Midwest Regional CCDC Qualifying Events. This year, students across the Midwest first compete at a state level, then move on to the CSSIA regional competition in Illinois for the chance to compete at the national event in Texas.
First, we will dive into a firsthand account of how this year’s event played out and then we will wrap up with a few notes from other pentesters from previous years.
What Is CCDC?
The Collegiate Cyber Defense Competition (CCDC) is a yearly competition where teams from all over the country break out into regionally divided Blue Teams (Cyber Defense). These Blue Teams not only go up against each other in terms of scoring, but against real-world Red Teams (Cyber Offensive) who will attack all the teams in a fair manner to gauge several aspects of their practical security and systems administration knowledge.
Welcome To The Thunderdome – 2023 IN/MN State CCDC
This year I was invited to work on the Red Team for the State Qualifiers (IN/MN) CCDC Red Team. I was excited to help out because not only have I participated on the Red Team before, but while in college (over a decade ago) I was also a co-leader for our school’s Blue Team!
The Blue Teams are made up of college students from Minnesota and Indiana. The Red Teams are made up mostly of experienced Offensive Security Professionals working in the industry.
The competition is set up as a real-world scenario, where the Blue Teams are given identical virtual networks in which they have the default passwords and IP addressing information. Think of this scenario as a group of Information Technology / Security employees acquiring a new company and its network, then having to bring its security practices up to par with the industry standards. Several of the systems are behind on patching and open to exploitation, firewalls are not properly configured, and vulnerable applications may be installed.
The Blue Teams will have to address all of these issues and more over a 7-hour challenge while the Red Teams will be trying to break in, steal information, and disrupt their services. It truly is a Thunderdome of excitement!
2023 CCDC Observations
The Blue Teams are given about an hour’s head start to begin locking down systems, applying security patches, and changing passwords. The Red Team is given the same information docket that the Blue Teams received, so the Red Team knows which systems exist and which default passwords are available for it to use. Even with the head start, there is so much to be done that teams must prioritize and work together in order to keep the Red Team out of their systems. Once the Red Team establishes a foothold, it is much more difficult to evict it from the environment.
From a Red Team perspective, a couple of concepts really stood out this year. Some teams did a better job than others addressing these four main areas:
- Firewall Policies:
  - The firewall deployed in these environments did not have appropriate access control lists configured. While the Blue Teams need to make sure essential services such as DNS remain online, they should also make sure non-essential services such as Server Message Block (SMB) are not allowed through. Several exploits, such as MS06-040, MS08-067, and MS17-010, are triggered over the SMB protocol and can be effectively hidden from the Red Team if firewall access control lists are deployed. Closing this service also prevents remote access attacks such as WMIExec, PSExec, and password guessing.
- Security Patching:
  - Even at the end of the competition, about half of the teams who participated were still missing a critical security patch, MS17-010, which allowed direct exploitation of domain controllers without authentication. This vulnerability, known as Blue Keep, was a common exploit known to include worm-like spreading. While it may be difficult for teams to patch every vulnerability in the environment completely, it is important to gauge the risk of unauthenticated remote code execution vulnerabilities and apply those patches first, even if it’s a manual process.
- Default Passwords:
  - Both Blue and Red Teams are given a list of all the default passwords in the environment, ranging from service passwords and Windows and Linux account passwords to firewall device passwords. It was not uncommon during the event to find that some default passwords remained. It should also be noted that in some cases teams reverted their systems to default, which restored anything that might have gone wrong with the system but also restored the default passwords.
- As odd as it might sound, sometimes the paranoia of the Red Team coming for them can make the Blue Teams overreact. This year while the Red Team was attacking teams, we documented what actions were undertaken against all teams. One of the teams who had spent most of the day offline was not documented as having any Red Team activity against them. While we don’t exactly know what happened to that team and we agree it’s important to lock things down as tight as you can, there is a tipping point where a misconfiguration for hardening can cost you dearly in points.
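The firewall and patching points above are two halves of one triage decision: an ACL hides an SMB-borne bug from the network, but the host is still vulnerable until the patch lands. The following is an added example, not code from the original post or from White Oak Security, that models a first-match perimeter ACL, shows the weak allow-everything policy beside a hardened default-deny policy that keeps DNS reachable and drops SMB, and then orders a vulnerability inventory so that reachable unauthenticated RCE is patched first. The subnets, host names, the red-team address and the two non-SMB findings are constructed placeholders; only MS08-067 and MS17-010 come from the post.

```python
"""Added example: ACL evaluation plus patch triage for a CCDC-style network.

All host names, subnets and addresses below are constructed sample data,
not values from the competition environment.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # destination port; None matches any port
    src: str = "0.0.0.0/0"  # source CIDR the rule applies to


def evaluate(rules: List[Rule], proto: str, dport: int, src_ip: str,
             default: str = "deny") -> str:
    """First-match ACL: the first rule whose proto, port and source match wins.
    Traffic matching no rule gets the policy's default action."""
    ip = ip_address(src_ip)
    for r in rules:
        if r.proto not in ("any", proto):
            continue
        if r.dport is not None and r.dport != dport:
            continue
        if ip not in ip_network(r.src):
            continue
        return r.action
    return default


# Weak policy as found in the exercise: no filtering at all (default allow).
WEAK_POLICY: List[Rule] = [Rule("allow", "any", None)]

# Hardened policy: drop SMB explicitly, keep DNS reachable, restrict
# management protocols to an assumed admin subnet, default-deny the rest.
ADMIN_NET = "10.0.100.0/24"  # assumed admin subnet (constructed)
HARDENED_POLICY: List[Rule] = [
    Rule("deny", "tcp", 445),               # SMB: MS08-067, MS17-010, PSExec, WMIExec
    Rule("deny", "tcp", 139),               # NetBIOS session service (legacy SMB)
    Rule("allow", "udp", 53),               # DNS stays online (essential service)
    Rule("allow", "tcp", 53),
    Rule("allow", "tcp", 3389, ADMIN_NET),  # RDP only from the admin subnet
    Rule("allow", "tcp", 22, ADMIN_NET),    # SSH only from the admin subnet
]


@dataclass(frozen=True)
class Finding:
    host: str
    bulletin: str
    proto: str
    port: int
    unauthenticated: bool  # exploitable without credentials
    rce: bool              # yields remote code execution


# Constructed inventory; EXAMPLE-* bulletins are placeholders, not real advisories.
FINDINGS: List[Finding] = [
    Finding("dc01", "MS17-010", "tcp", 445, True, True),
    Finding("web01", "MS08-067", "tcp", 445, True, True),
    Finding("dc01", "EXAMPLE-AUTH-BUG", "tcp", 3389, False, False),
    Finding("dns01", "EXAMPLE-DNS-BUG", "udp", 53, True, False),
]


def reachable(f: Finding, rules: List[Rule], attacker_ip: str, default: str) -> bool:
    return evaluate(rules, f.proto, f.port, attacker_ip, default) == "allow"


def priority(f: Finding, is_reachable: bool) -> int:
    """0 = unauth RCE on an exposed port, 1 = unauth RCE hidden by the ACL
    (still worm fodder inside the network), 2 = other exposed bug, 3 = rest."""
    if f.unauthenticated and f.rce:
        return 0 if is_reachable else 1
    return 2 if is_reachable else 3


def triage(findings: List[Finding], rules: List[Rule], attacker_ip: str,
           default: str = "deny") -> List[Finding]:
    """Return findings in the order they should be patched."""
    return sorted(
        findings,
        key=lambda f: (priority(f, reachable(f, rules, attacker_ip, default)), f.host, f.bulletin),
    )


def exposed(findings: List[Finding], rules: List[Rule], attacker_ip: str,
            default: str = "deny") -> List[Finding]:
    """Findings whose port the ACL still lets the given source reach."""
    return [f for f in findings if reachable(f, rules, attacker_ip, default)]


if __name__ == "__main__":
    red = "192.0.2.10"  # constructed red-team source address, outside ADMIN_NET
    print("exposed, weak ACL:    ", [(f.host, f.bulletin) for f in exposed(FINDINGS, WEAK_POLICY, red, "allow")])
    print("exposed, hardened ACL:", [(f.host, f.bulletin) for f in exposed(FINDINGS, HARDENED_POLICY, red)])
    for f in triage(FINDINGS, HARDENED_POLICY, red):
        print(f"patch next: {f.host:6} {f.bulletin}")
```

Note that under the hardened policy the two SMB bugs drop out of the exposed list but remain at the top of the patch order: the ACL buys time, it does not close the finding, and a reverted or misconfigured firewall would expose them again.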
An Experience Of A Lifetime
Overall, regardless of whether the Blue Teams won or lost or how they placed, the CCDC provided a valuable experience for them. This simulated event can truly replicate some of the tremendous stress that everyday security and systems administrators go through, either during the acquisition of a new network or an Incident Response emergency.
For me, participating in the CCDC Blue Team as a student over a decade ago was a game changer. Not only did I gain real-world experience defending a network from active threats, but I also had the opportunity to leverage this experience to obtain further training, invitations to additional competitions, and even an invitation to a SANS cyber security camp. Through CCDC, I made valuable connections with people who ultimately helped me find my first job in the security industry. If I hadn’t competed in CCDC, I may not have met some of the people who were (and still are) instrumental to the success of my career. I continue to participate in CCDC in hopes that others are able to find a similar path into information security or the security testing industry.
What’s Next For CCDC 2023?
With the State Qualifiers still under way, the states will eventually converge into a regional challenge, and the regional winners will go head-to-head at the national level. This process takes a couple of months, but the National Championship will take place on April 28th, 2023, in Texas.
For those who didn’t make it to the next round though, I have one bit of advice for you – Start Preparing for Next Year! Take what you have learned from this experience and come back for another round.
Previous CCDC Experiences
CCDC is a pretty fun time!
Learning Experience For Everyone
The event had a few groups of students acting as Blue Teams, and then we had our “Red Team” room where we just kind of randomly attacked them while they tried to patch/defend their environments. It was a blast… I had a lot of fun because we get to hack stuff and have actual people trying to defend in real-time, also very fun for the students because they get to actually try to defend against real “attackers” with experience. I’ve only been able to participate once, but I think it’s a great opportunity! I volunteered because I thought it’d be an opportunity to give back to the pentesting community and I thought it would be a good learning experience for the students to have a hands-on, realistic experience. There’s something you can’t get from “set up” scenarios in terms of realism. It’s very different having a real person on the other side of the scenario, having to change plans on the fly and come up with novel approaches as the situation changes – it’s a big thing that’s hard to simulate otherwise. I get a little jealous, it would have been cool to have something like this when I was going through school!
Red Team Learning
I really enjoyed the aspects that I feel passionate about, like network pentesting and having fun while hacking. One thing I also noticed at the CCDC event was that I had some wiggle room for improvement too! In this industry, you’re always learning. Even a ‘professional penetration testing expert’ needs to research and improve their Red Team skills. I spent some time looking into certain techniques and dipping my toes into more experienced Red Team tactics, which made me feel a couple of ways – a little behind (hard not to compare yourself to other awesome experts in the field) and humbled, but also so grateful for being a part of this educational, fun, and diversifying experience.
Memorable Experience – Shoe Ransomware
I’ve been to multiple CCDC events in the past… although I have never participated as a student – only on the offensive (hacker) side of things. It’s great to see many of the colleges get excited about cyber security, and having the opportunity to hear the students talk about their passions and the directions they want to take for a career path is awesome, like music to my pentesting ears. One great memory I had at a recent CCDC event was creating ransomware that I deployed to many computer systems within the different teams. This ransomware would request that the teams bring me their left shoe – if the request was denied, the team would be locked out of their computer and forced to rebuild. Being able to do some fun or silly things you wouldn’t normally do really makes this learning event exciting and memorable.
Advice For Students In Cyber Defense
Take advantage of the new events and opportunities in the information security/cyber security/pentesting communities. There are many educational events, groups, free resources, and learning experiences out there these days! The penetration testing or “hacking” community is very open to networking, discussing career paths, helping answer questions, and more – so don’t be shy or hesitate to utilize experienced or professional experiences and platforms like social media, Discord, Twitch, YouTube, etc. to grow your passion. There’s a lot of training and learning that goes into penetration testing or Red Teaming – trials and errors will humble you. Just don’t give up!
More From White Oak Security
White Oak Security is a highly skilled and knowledgeable cyber security and penetration testing company that works hard to get into the minds of opponents to help protect those we serve from malicious threats through expertise, integrity, and passion.