
Conquering Goliath as a CCDC Blue Teamer

Overview

I’ve been participating in the Collegiate Cyber Defense Competition for the past six years, previously as a Blue Team competitor and more recently as a Red Team member. I’ve participated as a Red Team member in the following regions: SECCDC, MWCCDC, and RMCCDC. I mainly help the Red Team in the MWCCDC region. I’ve been privileged to meet a lot of smart, caring, and friendly people on both the Blue Team and Red Team sides.

For those who aren’t familiar with the CCDC competition, it’s a nationwide competition where college students are tasked with defending a mock company network. The network is comprised of Active Directory, e-commerce website(s), database(s), workstations, an email server, a DNS server, a firewall, and other network devices. A team of students has to defend the network and respond to “injects”, which are tasks from the “CEO” (judges). The injects can range from something as simple as running a network scan and logging system versions and services to setting up VPN accounts or specific network configurations.

I’ve had a lot of Blue Teams recently asking for advice on how to improve. The goal of this blog post is to hopefully answer some of those questions and help provide some guidance to Blue Teams.

Team Structure

Before I get into how to prep for CCDC, it’s important to figure out a team structure. Each team structures its duties differently.

The most important team role is the Blue Team Leader. This should be the person who keeps track of incoming injects, either in an Excel sheet or some other form. I recommend using Excel as it’s easy to navigate for most people and can be passed down each year to the next person in that role. In Excel I recommend creating a Gantt chart where you can input the inject due date, time, and the team member working on it. That way the Blue Team Leader can easily filter and track tasks for each person and divvy up tasks as new injects come in.

I also suggest identifying what each team member is knowledgeable about. This helps the Blue Team Leader easily hand out tasks to those who may not be working on an inject and place team members on injects that they can resolve fast and with few issues. It is good to know what other members are strong at so they can help when not busy, but be careful because you don’t want random team members calling for help and pulling others away from their assigned tasks, as this will cause confusion and will ultimately step on the Blue Team Leader’s toes.

Each team member should be assigned to a dedicated system such as the Mail Server. During the competition there are machines that don’t require as much attention, so it’s possible for one team member to take care of more than one machine. For example, if there is a system that only needs to be internal facing, such as a database, then all that needs to be done right away is to configure IPTABLES to block any external users from connecting and only allow known internal IP addresses to connect to the database. The system that could be coupled with the database would be a website. The website will add/query data to the database. In this case the only thing that needs to be externally facing is the website. So setting up the proper IPTABLES rules and then changing the default passwords puts the team in a great position from the start. If you accidentally block the scored service you can immediately attribute that to the IPTABLES rules that were published.
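The database lockdown described above could be scripted as follows. This is an added example, not code from the original post: the chain name `DB_IN`, port 3306 and the source addresses are assumptions. It prints the commands for review instead of running them, plus a matching rollback in case the scored service gets blocked.

```bash
#!/usr/bin/env bash
# Added example (constructed values): emit iptables commands that expose a
# database port only to known internal sources. Review the output, then run
# it as root, e.g.:  db_fw_rules 3306 10.0.0.5 | sh
CHAIN=DB_IN   # hypothetical chain name; keeps these rules easy to find and undo

# valid_src ADDR -> 0 if ADDR has the shape of an IPv4 address or CIDR block
valid_src() {
    case $1 in *[!0-9./]*) return 1 ;; esac   # no spaces, newlines, shell syntax
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# db_fw_rules PORT SRC... -> print the commands; fail before printing on bad input
db_fw_rules() {
    local port=${1:-} src
    [ $# -gt 0 ] && shift
    case $port in ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;; esac
    [ $# -gt 0 ] || { echo "need at least one allowed source" >&2; return 1; }
    for src in "$@"; do
        valid_src "$src" || { echo "bad source: $src" >&2; return 1; }
    done
    echo "iptables -N $CHAIN"
    # Local clients on the database host itself keep working.
    echo "iptables -A $CHAIN -i lo -j ACCEPT"
    for src in "$@"; do
        echo "iptables -A $CHAIN -s $src -j ACCEPT"
    done
    # Log before dropping so blocked attempts become incident-report evidence.
    echo "iptables -A $CHAIN -j LOG --log-prefix 'DB-BLOCK: '"
    echo "iptables -A $CHAIN -j DROP"
    # Only traffic to the database port enters the chain; SSH etc. is untouched.
    echo "iptables -I INPUT -p tcp --dport $port -j $CHAIN"
}

# db_fw_rollback PORT -> commands that remove everything db_fw_rules added
db_fw_rollback() {
    echo "iptables -D INPUT -p tcp --dport $1 -j $CHAIN"
    echo "iptables -F $CHAIN"
    echo "iptables -X $CHAIN"
}
```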

Training and Preparing for CCDC

Once you have an idea for the team structure, I HIGHLY recommend recreating your region’s previous competition network or searching online for previous mentions of the network. The best way to go about setting up a lab is by letting each team member set up the machine as close as they remember to the system they used last year. The lab can be built on a shared hypervisor instance like Proxmox or VMware, or it can be done on individual systems.

When team members set up the lab they not only learn what a clean system looks like during the setup, but they are also not pressed for time and can figure out how to fix common issues on their own system. You can also learn a lot by purposely misconfiguring the service or system and trying to figure out how to fix it, as this could occur. Then when it comes to competition time each team member will be able to quickly identify and fix the issue since they may have already encountered it.

If you’ve previously competed or plan to compete in CCDC, I highly recommend you make note of all the injects. You can use the injects from previous years to practice solving them as a team because it’s likely you may see them again. As the competition date gets closer you can use the injects to conduct a mock competition using the network lab or in a VM on your personal computer. You can create a tool or let your coach randomly choose which injects to provide the team to emulate the competition injects, as this will help keep the team ready for just about anything when it comes to competition day.

Injects

I cannot repeat this enough … and I see it every year and from all the regions… SUBMIT INCIDENT RESPONSE REPORTS. It’s not a matter of HOW the Red Team will get in, it’s a matter of WHEN the Red Team will get in the network. The Red Team is filled with cyber security professionals who usually have a keen eye for identifying risks and breaching the network, system, and/or service.

When the Red Team does get access to your system they won’t immediately start destroying things. They will enumerate their access on the system and network, then begin to move laterally around the environment and place persistent malware payloads to get back in just in case their current access fails. Once the Red Team has dug their roots into your systems they will wait until it’s the right time to strike. If you find anything suspicious then report it!

The Red Team and judges review the Incident Response reports. I’ve seen Blue Teams claim that they knew they were “hacked” because their keybindings changed or because when they pressed the ‘F’ key it wasn’t typing in the terminal. Trust me, THAT’S NOT THE RED TEAM. Don’t waste your time submitting Incident Response reports with silly claims. You will not only waste your time, but also the Red Team’s and judges’ time.

It’s best to back your incident response reports with hard evidence. It’s even better if you can identify what the payload is doing and how it’s interacting with the system. If you can attribute the malicious activity to the red team for sure then that’s easy points for your team to win back. A good basis for checking whether your system or network has been breached is logs and common file locations.

Red Team

In the qualifiers the Red Team is testing tools and maybe running some light attacks. Usually you won’t see the Red Team members pulling out their big hacks or tricks until the Regional or National level. The Red Team is here to collect data or information on each of the teams’ systems. Like an attacker in the real world, if you have a database dedicated to the Human Resources or Finance Department then of course they are gonna target those systems. So if your database has SSNs, passwords, or credit card information easily available then they are gonna try to exfil that.

Points are deducted for the length of time the red team is in your systems. In addition, if the teams haven’t changed default passwords 4 hours into the competition and the Red Team is able to get access to data or a shell on the system then points are also deducted.

The Red Team is here not only to distract you and steal data, but also to disrupt services. So be careful when interacting with the Red Team. If you see malicious activity, screenshot it and submit the Incident Response report and at least earn some of your points back after the red team breached your systems.

ALWAYS have a backup plan! Like I said before, the red team WILL disrupt your actions or services. What happens when your website is defaced and your service displays as down? What do you do? Recover from a

Tools

I get asked these types of questions a lot. What tools should we (blue team) be using to catch the red team? What tools is the red team using? Is the red team using 0days?… First of all, it would be silly to think that security professionals would burn a good 0day on a CCDC competition.

The simple answer to the questions above is that there is no golden tool that either the blue or red team uses to win… Each blue team needs to focus on utilizing what is already on the system. For example, in Linux it’s pretty common to see /bin/bash used. The blue teams can leverage this along with grep, ps, ss, etc. to spot the red team. Get creative! Create a script that monitors connections, create a script that performs file integrity checks on file paths. These are all very simple scripts that can be created to help the blue team automate threat hunting while responding to injects. Another great example is running scripts in tmux, screen, or in the background using & and periodically checking the logs to identify the red team.
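One way to build the file integrity script suggested above using only tools already on a typical Linux host (find, sha256sum, awk). This is an added example, not code from the original post; the function names and the paths in the usage comment are assumptions.

```bash
#!/usr/bin/env bash
# Added example: baseline-and-compare file integrity check built on sha256sum.
# Usage (paths are assumptions):  fim.sh baseline /var/www /root/www.sha256
#                                 fim.sh check    /var/www /root/www.sha256

# fim_snapshot DIR -> one "<sha256>  <path>" line per regular file under DIR
fim_snapshot() {
    find "$1" -type f -exec sha256sum {} +
}

# fim_baseline DIR FILE -> record the known-good state (store FILE outside DIR)
fim_baseline() {
    fim_snapshot "$1" > "$2"
}

# fim_check DIR FILE -> print ADDED/MODIFIED/REMOVED paths; return 1 on any drift
fim_check() {
    local current report
    current=$(mktemp) || return 2
    fim_snapshot "$1" > "$current"
    # Hash is columns 1-64, path starts at column 67, so spaces in paths are safe.
    report=$(awk '
        { hash = substr($0, 1, 64); path = substr($0, 67) }
        FILENAME == ARGV[1] { old[path] = hash; next }
        { seen[path] = 1
          if (!(path in old))          print "ADDED    " path
          else if (old[path] != hash)  print "MODIFIED " path }
        END { for (p in old) if (!(p in seen)) print "REMOVED  " p }
    ' "$2" "$current" | sort)
    rm -f "$current"
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

case "${1:-}" in
    baseline) fim_baseline "$2" "$3" ;;
    check)    fim_check "$2" "$3" ;;
esac
```

Take the baseline right after the system is cleaned and passwords are changed, then run the check in a loop inside tmux; its output can be attached to an Incident Response report as evidence.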

The same goes for Windows. You can leverage PowerShell directly on the system to change passwords en masse or perform file integrity checks on web-hosted pages. There is no need to use extremely complicated open-source tools for a competition that heavily deals with time management.

Extras

I also recommend checking out Forrest Fuqua’s talk at a previous DEFCON where he talks about some of the red team’s shenanigans and his opinion on CCDC:

DEF CON Safe Mode Red Team Village - Forrest Fuqua - What College Kids Always Get Wrong

If you’ve made it this far into the blog post, I commend you for taking the time to read this…. If you see me at your local competition then I hope you have some strong protections against ransomware and your dance moves are up to par 🐔🕺🐔🕺🐔🕺

Until then best of luck and may the odds be in your favor!

This post is licensed under CC BY 4.0 by the author.