CPTC Review Part 1: The Setup

This competitive event provides an avenue for teaching responsible penetration testing and consulting skills through the creation of a mock organization. The setup is complete with custom applications, a corporate structure, and realistic “customer” characters that students work with to perform a pentest. Over the past five years, I’ve had a key role in helping to build the National CPTC, and I must say, it gets more interesting every year.

This year, we built DinoBank. Due to the increase of hackers going after financial institutions, we decided it would be a good idea to focus on banking applications, hardware, and business processes.

For Part 1 of our CPTC series, let’s dive into how the event was structured a bit more:

Building a Bank: DinoBank

A Realistic Experience

The company we build as part of each year’s competition is the foundation for the realism of the event. Over the past year, we’ve built DinoBank: a fictitious financial institution with some significant failures in security that is undergoing a memorandum of understanding (MoU) and at risk of a shutdown.

As part of this framework, we also create over 40 character roles for the participants to interact with. These roles represent numerous DinoBank personalities, both technical and non-technical, who are stakeholders in the pentesting engagement.

Engagement and Scope

The pentest engagement for DinoBank was conducted in two phases: our regional events provided the initial assessment, with a remediation period in between the regional and national events. Then, the national event provided the final assessment.

In previous CPTC events, we presented teams with a smaller sample of the environment for the regional event; this year, however, we decided to provide nearly the entire scope for both events. This presented teams with as many opportunities as possible to dig into and investigate the various custom applications we’d developed.

Vulnerability Findings

DinoBank definitely had its issues: in the final environment, there ended up being over 170 known vulnerabilities, ranging from insecure passwords available on Twitter to fundamental logical flaws in the banking core application and implementation of business processes.

Findings are scored on a matrix of severity and difficulty, with the most difficult to locate and the most significant vulnerabilities scoring the most points.

Tech + Business FTW!

Historically, we’ve found that teams with an understanding of their client’s business processes as well as a solid technical footing perform the best.

This means a team that finds a large number of vulnerabilities–and thus has a higher number of scored findings–can actually be outclassed by a team that locates only a few vulnerabilities, provided those vulnerabilities have a defined business impact.

In other words, chaining technical and business process issues together often results in findings that yield the highest amount of points. In the context of DinoBank, this means that findings such as “the ATM will accept any PIN as valid” or “the notary service allows for remote code execution” are worth more points than “the domain admin password is easily derived based on information disclosed on Twitter.”

2018 vs. 2019

International Expansion

The 2019 event brought a number of new additions to the competition. For the first time, we expanded to an international footprint; we are excited to include a region in Dubai, which was hosted at RIT’s campus.

The winning team from RIT Dubai joined the other top 9 teams from around the United States in Rochester for the International CPTC finals on November 22-24th.

Different Series of Events

Teams were given 2.5 hours to access the environment on Friday night. This time allowed them the opportunity to validate remediation on previous findings, set up scans, and prepare for overnight work on reporting.

After the participants completed their work on Saturday, we ended the finals with our first-ever DinoBanquet. This “client” dinner, which was held on Saturday night, permitted competitors to interact with sponsors–including myself and Meredith Kasper from Hurricane Labs!

The weekend’s event culminated with team presentations, an in-depth session with the competition organizers reviewing the work involved in environment creation, and the awards presentation on Sunday.

Congratulations and Thank You’s

Congratulations to the following teams for winning the 2019 National Collegiate Penetration Testing Competition:

• First Place: Stanford University
• Second Place: Rochester Institute of Technology
• Third Place: California State Polytechnic University, Pomona

Also, sending out a huge thanks to all of the sponsors, organizers, and participants involved in National CPTC. If you haven’t already, follow @NationalCPTC on Twitter to stay up-to-date with the 2020 event, and reach out to us if you want to get involved! Also, make sure to check out Part 2!