Mark Mossberg's Blog

Hacker Nonsense

CCDC Regional Qualifiers 2014

Thoughts on the Collegiate Cyber Defense Competition 2014 regional qualifiers

Today, from approximately 10:00 am to 6:00 pm, I competed with 7 other students on Northeastern University’s Cyber Defense team in the Northeast Collegiate Cyber Defense Competition. It was a great experience, and although it wasn’t exactly what I expected, I still had a lot of fun.

Overview

Basically, the way this competition works is each team is given the IT infrastructure of a small business and it is their task to lock down the security of the infrastructure. They have to do this while under attack from a Red Team of hackers who are trying to break in and exfiltrate sensitive data (credit card info, PII, etc.), or just generally mess with and pwn you. In this case, we were managing an e-commerce website that included a web server running a CMS, a DNS (and MySQL, interestingly) server, a firewall, a mail server, and a FTP server.

Approach

Personally, myself and a teammate tag teamed securing the DNS/database server. This was an important box to secure because if it got pwnt, an attacker would be able to disrupt the DNS of the e-commerce site, disrupt email, and most importantly, potentially dump the database and exfiltrate sensitive information. Throughout the course of the competition, we implemented basic security measures such as changing default passwords for important system and database accounts, and killing unnecessary network services (such as ntpd, sshd, and apache in our case) as well as more involve measures such as skin-tight iptables rules that controlled specifically what traffic would be able to reach our box, and audit rules that would monitor directories/binaries that an attacker on the system would probably modify or execute.

Expectations

At the beginning of the competition, I had a bit of an adrenaline rush going because I was constantly waiting for the red team to come out of nowhere and own us in some place that we hadn’t thought of, or secured yet, or something. Over time that rush wore off because…the red team never seemed to show up. At no point in the competition did we see any signs of unauthorized access on our box, or even potentially malicious traffic reaching it. Although I do appreciate it, this was a bit of a letdown, given my expectations of getting totally wrecked by the red team.

Results

Ultimately, our team did well enough that we were able to place among the top teams competing and qualify for the Northeast regional competition to be held in March in New Hampshire. Definitely excited for that; I’ve learned a ton about cyber defense by getting involved with the team and I’m looking forward to putting it to use at the real event!

Comments