The 2022 NCCDC season has come to an end. As a founding member of the NCCDC Red Team, I have been volunteering at this event since its second year. During the competition, my role is to play the bad actor. The goal is to give the competing teams a realistic depiction of what they will be facing when defending against adversaries in the real world.
The National Collegiate Cyber Defense Competition (NCCDC) is a business-oriented cyber defense competition for college students designed to provide a realistic opportunity to understand the challenges and trade-offs that real information security professionals face. Focused on the management and protection of commercial networks and infrastructure, student teams spend a weekend making decisions on how best to defend their networks against emerging threats while balancing the constraints and goals of a real business.
After red teaming at this year’s NCCDC, here are my red team lessons to keep in mind in 2022 and beyond.
Make room for COVID-related issues.
The obvious elephant in the room, COVID-19 has played an interesting role in the advancement of cybersecurity in the last few years. This year the red team was in person again for the first time since 2019. Interestingly, this brought about some unintended complications. While some red team members were still unable to travel, those of us fortunate enough to make the trip still felt out of sorts. Travel created similar issues for some of the blue teams I spoke with. For many of the student teams this was their first experience traveling to an event, even if they had competed in years past. A clear lesson for companies, as the world begins to open back up, assume the move to “de-virtual” will be as complicated as the chaotic move to go virtual when the pandemic began. Expect issues and confusion around the logistics of being in person and be on alert for those trying to take advantage of the confusion.
Prioritize and execute.
Just as in any company, the teams have limited resources, looming deadlines and a chain of command that needs to be kept in the loop. It is not possible to complete every task at the same time. Clear concise communication between team members and management should be a number one priority. Keeping out the bad actors isn’t worth anything to an organization if you fail to properly report and track what has happened. Such failures often end up with changes being reverted or lost leading to worse problems in the future.
Compromise is inevitable; breach is not.
There will always be a guessable password, a misconfigured service or exploitable software out there lurking. Myopically focusing on finding every possible vulnerability before the bad actor is a losing battle. Prioritize categorical fixes and work backwards. Network segmentation, minimizing exposed services and identifying and managing admin accounts will go a long way in preventing a majority of situations.
The adversary often has ulterior motives. Maybe you are doing really well at rotating passwords and avoiding reuse… Defacing a website with a funny meme is a quick way to get an administrator to login and checkout a system. Remember a system that has been compromised is inherently untrusted and treat them accordingly.
Automation allows focus.
Ruthlessly automate the boring, repetitive, error prone tasks. Password rotation, log analysis, file system and permission checks can all be easily handled by scripts or other automation.
That being said, human innovation is still critical. While automation continues to grow in importance it hasn’t surpassed human innovation. Fundamentally, IT security is about making computers do something unexpected. Automation that focuses on repeating the creative things people discover is critical.
The red team will take down a service by any means available, that could include deleting all of the associated files, filling up the filesystem, causing port conflicts inside the network. What is worse, they will do the same over and over and over until they get stopped. Reverting a system or restoring a backup introduces the original flaw or worse, restores the red team’s malicious software. It is not enough to figure out how to restore the system to a running state, it is equally or more important to figure out how the system was broken and if that same flaw is elsewhere.
Year over year, there are many lessons to be learned from this competition. Prioritize and do the work that matters. Prioritization, communication and visibility are wildly important when protecting a network. Do not get stuck in find and fix, categorical fixes will win the day. The fundamentals work.
The National Collegiate Cyber Defense Competition continues to provide a unique competition that challenges competitors with problems they will face in the real world.
This is the end of another awesome CCDC season culminating in a truly impressive NCCDC finals. Thank you to @NationalCCDC for hosting the competition. Finally congratulations to @HackUCF and to all of the teams that qualified and competed at the highest level.
Evan Anderson is the Director of Offensive Security at Randori. Visit our platform page to learn more.
For more information on how to get involved with the CCDC competition to help foster the next generation of defenders, visit their registration page here.