Last Saturday marked the beginning of the 2014 Western Regional Collegiate Cyber Defense Competition Season with the successful completion of qualifiers. Over the past four years, I have watched this competition expand and grow so much that there are now fourteen universities and colleges across California, Nevada and Arizona vying for a chance to compete at the National Collegiate Cyber Defense Competition with several more schools looking to assemble teams in coming months to compete in the 2015 season.

For the schools that advanced, congratulations. See you at the end of March where you will face off against some members of our own Net Force Red Team.

For those who were unable advanced, and walked away disappointed, don’t. This is just merely the beginning of your journey.

I encourage you to continue pursuing this field, this challenge and don’t give up! Failure only happens if you walked away and gave up. No one becomes good in this field or any other field without hard work, and practice, practice, practice. There is no secret to success.

Furthermore, WRCCDC itself has increased in challenge, difficulty, and it will continue to be that way. It’s not meant to kick you out of the competition because we don’t want you there. We honestly do. Rather, the adversary is getting better every day and we need to get the good guys to be stronger, faster, better, in terms of being to do analytics, analysis, triage, and incident response. Truthfully, we are far behind where we should be. The adversary is becoming stronger each and every day and we are too. We simply have not overtaken them yet.

Lessons Learned:

wrccdc-2014-qualifers-topologyHere are some notes that you most likely experienced and areas to work out. Note not everything will apply, however after watching four seasons of teams compete, there are always a few items that will always stand out that affects all teams.

  • Know your environment. Know your network. We always provide a topology as a snapshot and a baseline reference. It always gives you an idea of what is possible to expect. It is also like real life. Network topologies are highly inaccurate and always inconsistent, especially in real life. But moreover, the network topology is also an indicator of where there may be potential single points of failure. For example, in the qualifiers, the central point of failure was the PFSense Box. If it went offline, it took everything offline.
  • Know where the low hanging fruit is. It’s important to know that what hurts the most in long term is going to be the low hanging fruit. It’s always the easiest fruit and tree branch that an adversary will grab onto first. If they successfully pluck the tree of its fruit or grab onto a tree branch, it’s hard to shake them off. Low hanging fruit consists of the most CRITICAL patches, as well as those pesky user credentials, among other things.
  • Know your game plan. Five minutes of planning is better than spending fifty minutes running around like a chicken without a head. The first five minutes should quite literally be all muscle memory to the point where you can come in running and know what to do without asking what needs to be done. Constantly strive to optimize your processes, and find ways to shave off a few seconds. There is always someway, a method, a technique, something that allows you to do things faster, quicker, better, smarter and expend less energy. Saving a few seconds here, and there will add up to minutes and possibly hours of savings when keeping the red team out.
  • Know the services, and know what makes them tick. Every service, whether it be web, mail, FTP, Active Directory, DNS, all have a certain combination of ports and components that make them function and tick. For example, you can always assume that Active Directory box is also a DNS box. Or that if there is an eCommerce box, it’s likely powered by some sort of database. Know what ports each service use too.
  • Know your role. Know where your single point of failure is. It’s important to be able to spread the workload and be able to know when someone is being overwhelmed. Everyone should have their specialty, but everyone should have some of the basic knowledge of how to do some of the basics or get a subject matter expert to the place where they need to be where they can do what needs to be done. Too often teams have a single expert in one area, and unfortunately teams underestimate where their single point of failure is. When it does happen and something fails, things tend to go horribly wrong.
  • Know more than simply technical skills. Brush up and polish up your soft skills. WRCCDC is simply more than a technical competition. It is a business competition. It is about people, processes, and technology.

    At WRCCDC, and any other CCDC, it is a test of your ability to manage stress, your project management skills, your leadership skills (remember everyone can lead, not everyone has the authority), your skills as a team member, investigator, communicator (with each other and with management), a writer, and your wisdom to know when you need to ask for help when you’re simply overwhelmed. There are simply so many soft skills that leads to a successful team. Yes I know you may disagree with me on this, however, successful teams know their limits, and identify weaknesses. They work together to overcome those weaknesses or ensure they cover the weaknesses with their strengths. They work together to find compensating controls and processes. Leaders are encouraging and they help build their team members up.

WRCCDC is an interplay of people, processes and technology. It tests the dynamics and personalities between people. It tests your processes. It tests your technical skills and know-how.

I look forward to seeing each and every one of you compete in the coming months. Remember, this is only the beginning of an amazing journey, not the end.