No Lack of Hack Attacks
For eight hours, you’re constantly doing something. You know you’re being attacked, so you’ve got to try to figure out how they’re doing it, or they’re attacking your teammates and you have to help them, trying to fix whatever you’ve found that’s broken, then all of a sudden they throw in this inject that says, ‘add a Web server,’ and now you have to go do that…
Imagine this: a company has just been hacked so badly that it has shut down its information system and replaced its IT team. The new crew has 30 minutes to analyze the previous team’s errors and get the system back online. After that, the hacking begins again.
Welcome to the alternate universe of cyber defense competitions, where teams spend an entire day competing against one another while fighting viruses, hacks, and building their network. These competitions represent eight crucial but typical hours in the Information Technology field, and they give students a chance to test classroom theory against real-world, real-time obstacles.
University Lecturer Steve Hyzny from Governors State University (GSU) brought an eight-student team to the Midwest Regional Collegiate Cyber Defense Competition held at Moraine Valley Community College (MVCC) on February 18, and although the Jaguars didn’t place—only the top three teams are ranked—the experience was invaluable.
Here's how it works:
The teams—15 in all—gather for a morning briefing. Then the groups are dispatched to their own separate rooms with papered-over windows, full of laptops and other gear. The competition starts with the “flag drop,” when each team is simultaneously given control of its own network. They all have the same network to start with, and each competition event during the day happens at the same time for everyone.
The opening half-hour is when the new network crews try to figure out what the previous “fired” department did wrong. They analyze what security flaws are still open on the system and lock the network down.
After that, the Red Team of hackers starts attacking the networks. Composed of volunteers who work in information security, the Red Team presents a formidable challenge—they designed the network that the teams are trying to protect.
While the hackers hack, teams also start receiving assignments from the corporate managers, the White Team, whose assignments are called “injects.” An inject could be anything from Build an email server to Create a password policy. And these business problems from management have to be resolved securely, otherwise the Red Team has another vulnerability to exploit. The White Team judges the competition, adding points for successes—creating something new, keeping something running—and subtracting them for failures.
All of this is performed in isolation. The teams work alone. They don’t see the hackers or corporate bosses, which mirrors the reality of IT work. Even their coaches are in another room. The competition starts early in the day and there are no rounds or heats. The whole day is one long contest.
Hyzny has been coaching at cyber defense competitions for nine years, the last six at GSU.
“I don’t care if they win or lose,” he said. “It’s nice to win, but what counts is the experience they’re going to get in one day that will help them for the rest of their careers. A lot of the Red Team members are past competitors who have been hired by companies, based on the competition. Companies recognize this as valid training and a true demonstration of skills. I’ve seen students get job offers from the Red Team. You can’t get this experience in a classroom. That’s why we build the idea of competition into the IT curriculum.”
This year’s team was led by Captain Omar Alsalah. Other team members are Clinton MacQueen, Alex Medina, Fransico Nava, Gattineni Rajyalakshmi, Jerry Rodgers, William Roman, and Andrew Russell: five undergrad IT majors, two undergrad Computer Science majors, and one Master’s student in Computer Science.
At the end of the day, the teams came together again for the awards ceremony. As in the real world of IT, there are no accolades just for trying. It’s win or lose. Although they didn’t place, the Jaguars emerged eager for the next competition on April 1 at Argonne National Labs.