Students participating in this year’s CPTC events faced the following challenge: each team of up to six members was representing a pentesting firm that was tasked to perform an assessment of the Wheelz infrastructure.
For the first round (regionals), teams proved their abilities by performing an assessment and writing a report for the Wheelz corporate network. The top teams across the nation (two from each region, as well as four at-large winners) were invited to perform a follow-up test on a larger infrastructure. This is the second year we’ve operated regional competitions (a feat within itself, since all of them occur simultaneously on the same weekend). We’re potentially looking to expand this model in the coming years as interest develops.
Our main priority is to make the simulated environment as real as possible
There were several elements we chose to emphasize for this year’s event in order to enhance the realism and educational value of the event:
- Expose students to the interdepartmental/internal company politics that are (sadly) all too common within larger corporations.
- Integrate data into the environment (such as internal emails, chat messages, and publicly available social media posts) to support the storyline of the company and event.
- Emphasize real-time use of email communication during the course of an engagement.
- Give every team the opportunity to present material at both the regional and national events.
- Integrate the team coaches into the event, and give them the knowledge and experience to drive them to make their teams better in the future.
From my perspective, the addition of data supporting the storyline was one of the best parts of this year’s national event. Fellow CPTC advisory board member Dan Borges did an amazing job leading the team who made all this happen.
This data included a bunch of chat history and e-mail messages to support the narrative of a potential insider threat, along with other findings (e.g. user credentials and information about internal systems).