The cyber-security community is a widespread and ever-evolving one. At times people might not understand why it is a good idea to teach people how to crack passwords or how to perform SQL injection, but there is in fact a great reason behind it. I take to heart the old saying of keeping your friends close and your enemies closer. If you want to surpass your opponents, the best way to do so is to understand how they maneuver and what their next step could be.
Without teaching the attacker's methodology, how are we to understand exactly what it is that these people are doing? If we spend all of our time trying to secure systems, then how are we going to get ahead of the people that spend all of their time trying to get past them?
Cybersecurity competitions are a good way to teach some of these concepts and to push students to want to learn, and to see the new concepts and recently discovered tactics that both Red and Blue teams are using in their professional careers.
This semester was a first for me. I had competed in multiple Capture the Flag competitions in the past. These competitions are structured so that you are given a bunch of different scenarios covering a wide variety of topics, and your task is to find something that is intentionally hard to find, such as the threat actor's location, the password of someone who loves Harry Potter, or a picture to recover from a deleted hard drive. Whatever it might be, there is never a time when I leave one of those competitions without having learned something new.
While CTF-style competitions are definitely there for the betterment of the next generation of cybersecurity professionals, after competing in both the CCDC and the NCAE competitions this year I left feeling like there is so much more to learn. These competitions are set up completely differently than CTF competitions, and in the best way possible. Both of these competitions featured a full cyber range to try and mimic what you might see in the real world when faced with an incident.
While both of the environments were completely different, they oddly enough felt the same. Your mission, once you were granted access to your environment, was to secure and protect: find any major flaws in your systems, try to patch, harden, and get rid of as many vulnerabilities as you could before the Red Team came in and tried to take your services down.
Now, in the time I have spent in class and training we are always told that it is important to harden your environment and to understand your attack surface. But what good is it to know that you are supposed to do something if you don't know how, or haven't ever done it?
Both of these competitions showed me how important that really is, and how conceptually different it is to learn that you are supposed to do something versus how and why you are supposed to do it. I left both of these competitions wondering what our team could have done to obtain a better placement on the leaderboard, as I believe a lot of teams probably felt.
I know that one thing we could have done as a team was to be more organized. Now, that isn't to say that we were disorganized; during the competitions both of the teams that I had the pleasure of competing with were incredibly organized, especially considering that for the majority of us it was our first time competing in a competition like this, or even a cybersecurity competition at all.
By organized I mean: what if, as a team, we had all taken a step back and spent time enumerating our environment first? If we could have just spent a little bit of time at the beginning to fully understand what roles the devices on our network played, deeper than surface-level names, I feel there could have been a large improvement.
We all knew that we had a Domain Controller, a Web Server, an Email Server, and a Database Server, but that is not what I am talking about. Did we know that the Web Server was talking to the Database Server, or that the Email Server was being served by the Web Server? Did we understand that all devices in the cyber range, including the Linux ones, were authenticating to the Domain Controller?
While this might be easier said than done, especially from a post-mortem perspective, I believe it is still very much worth talking about. Those Linux machines serving the public applications spoke directly to the Email Server. The Email Server, now compromised, was talking directly to the Domain Controller, which was then compromised too. The Domain Controller served DNS, so now nobody can log in.
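The enumeration step described above can be made concrete as a dependency map, so the team can see up front which single host takes everything else down with it. The following is an added example, not from the original post or the competition; the service names and the dependency edges are constructed to loosely mirror the range described (web talks to the database, Linux hosts talk to email, everything authenticates to the domain controller, which also serves DNS).

```python
from collections import defaultdict, deque

# Constructed inventory modelled loosely on the range described in the post.
# service -> set of services it needs in order to keep working.
# Hypothetical names; not the competition's actual hosts.
DEPENDS_ON = {
    "dc":        set(),                       # domain controller: root of trust
    "dns":       {"dc"},                      # DNS role hosted on the DC
    "auth":      {"dc", "dns"},               # domain logins need the DC and name resolution
    "database":  {"auth", "dns"},
    "web":       {"database", "auth", "dns"}, # public web app reads from the database
    "email":     {"auth", "dns"},
    "linux-app": {"email", "auth", "dns"},    # Linux hosts also authenticate to the domain
}


def dependents(depends_on):
    """Invert the map: service -> set of services that rely on it directly."""
    rev = defaultdict(set)
    for svc, deps in depends_on.items():
        for dep in deps:
            rev[dep].add(svc)
    return rev


def blast_radius(depends_on, lost):
    """Every service that stops working, transitively, if `lost` goes down."""
    rev = dependents(depends_on)
    affected, queue = set(), deque([lost])
    while queue:
        current = queue.popleft()
        for svc in rev[current]:
            if svc not in affected:
                affected.add(svc)
                queue.append(svc)
    return affected


def single_points_of_failure(depends_on, threshold=0.5):
    """Services whose loss takes down at least `threshold` of all other services."""
    others = len(depends_on) - 1
    return sorted(svc for svc in depends_on
                  if len(blast_radius(depends_on, svc)) / others >= threshold)


if __name__ == "__main__":
    for svc in ("dc", "email", "database"):
        print(f"{svc:10} down -> {sorted(blast_radius(DEPENDS_ON, svc))}")
    print("Single points of failure:", single_points_of_failure(DEPENDS_ON))
```

Run against a real inventory, the output is the "harden these first" list; here it flags the domain controller, DNS and authentication as the hosts whose loss cascades into everything else, which is exactly the chain the post describes.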
Sometimes it is more beneficial to have more people working on a single task systematically than it is to have every person working on individual tasks. After all, the phrase is two heads are better than one. Every single person on your team is going to think differently and will bring ideas to light that you or someone else might never have thought to take into consideration.
One of the other big takeaways from these competitions is that there are always going to be curveballs. Not everything that you find is of the utmost importance. I for one spent a decent amount of time hardening IIS on the Domain Controller, even though it wasn't even one of our protected services; the web server was, but the Web Server serving our public applications and intranet is not the same as the misconfiguration of having the web server role installed in Server Manager.
During these competitions I felt we had spent a lot of time being reactive. It's kind of hard not to be once you have lost the only way into your domain controller that you are familiar with, and now everyone is complaining that they can't log in anymore because DNS is down. One of the things that was mentioned by the Red Team during the debrief of the CCDC was that if you only have one way into your system then you really only have zero, and if you have two ways into your system you might as well only have one. This couldn't have hit the nail on the head any better. While I was able to get back into the Domain Controller by re-configuring RDP through SSH, I definitely was not comfortable with it.
All in all, I really loved the structure of these competitions and had a blast competing with my colleagues. I walked away learning far more than I do when participating in a regular CTF-style competition, and I cannot wait to compete again next season. All I know is that I have got a lot of studying to do.