NECCDC 2020: Red Team Review

Published On: March 26th, 2020

This past Saturday, March 21, I had the opportunity to be a member of the Red Team for the Northeast Regional of the Collegiate Cyber Defense Competition (NECCDC). This year’s host was the University of Maine, but due to the ongoing world pandemic, the entire event was held remotely for both students and red teamers alike.

For those of you not familiar with CCDC, this yearly event is a cyber security competition where a variety of the top information security students face off against a red team of industry professionals. While the Red Team is attacking, students try to keep their systems secure while also maintaining business operations and completing various administration tasks (injects).

Highlights of the Fun!

Check out our video on Youtube.

This year’s setup was significantly different from previous events. Instead of a two-day, 16-hour competition, everything was compressed into a six-hour event on Saturday. Rather than being in the same classroom, team members competed remotely, supervised by judges on a Zoom web conference. On the Red Team side of things, we did the same–working together while being physically separate.

Over the past several years, I’ve gained a bit of a reputation for weaponizing Splunk within the competition environment (I cover the approach I use in more detail here). Talking to a team from Pace University after the event, they noted having a significant degree of paranoia around deploying Splunk for their uses during the event due to some of the fun I’ve had in the past controlling the students’ Splunk installs. It was awesome to hear about students leveraging Splunk to successfully look out for attacks while also learning to look for potential compromises of their logging tools. As someone who has written a number of Splunk tutorials and online training courses, seeing students learning how to use the product I work with daily to their advantage is incredibly rewarding.

Instead of focusing on Splunk, I targeted a different system this year: the firewall. This is an area where we as a red team hadn’t focused as strongly over the past few years, but it’s a great way to persist access to the student environments. Only one problem–other than getting the logs into Splunk, I’ve never worked with Palo Alto in any significant capacity before. Fortunately, most of their documentation was publicly available and I had Google. Around 50 to 100 browser tabs later, I was ready.

My goal as Red Team firewall administrator was to maintain access and help other Red Team members with keeping their callbacks and implants working. This was accomplished mainly through modifying the firewall policy and introducing typos into the config, such as changing the IP addresses of objects, expanding or shrinking subnet masks, or flopping the action on rules from accept to deny or vice versa. Whenever other Red Team members would lose access to a team, I’d check the firewall config and make the necessary changes to allow for access to continue.
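From the defending team's side, the "typos" described above are exactly what a baseline comparison of the firewall policy should surface. The following is an added example, not code from the competition or from Palo Alto: it diffs two constructed snapshots of address objects and security rules in an assumed flat dictionary format (not the real PAN-OS configuration format) and reports changed object addresses, widened or narrowed subnet masks, and flipped rule actions.

```python
import ipaddress

# Constructed snapshots in an assumed flat format (not PAN-OS' real XML/JSON).
BASELINE = {
    "objects": {"web-srv": "10.0.1.10/32", "dmz-net": "10.0.1.0/24"},
    "rules": [
        {"name": "allow-web", "src": "any", "dst": "web-srv", "service": "tcp/443", "action": "allow"},
        {"name": "block-dmz-out", "src": "dmz-net", "dst": "any", "service": "any", "action": "deny"},
    ],
}
# The same policy after a re-addressed object, a widened mask and a flipped action.
TAMPERED = {
    "objects": {"web-srv": "10.0.1.11/32", "dmz-net": "10.0.0.0/16"},
    "rules": [
        {"name": "allow-web", "src": "any", "dst": "web-srv", "service": "tcp/443", "action": "allow"},
        {"name": "block-dmz-out", "src": "dmz-net", "dst": "any", "service": "any", "action": "allow"},
    ],
}

def diff_objects(old, new):
    """Report address objects that were removed, re-addressed or re-masked."""
    out = []
    for name, before in old.items():
        after = new.get(name)
        if after is None:
            out.append(f"object {name}: removed")
            continue
        b = ipaddress.ip_network(before, strict=False)
        a = ipaddress.ip_network(after, strict=False)
        if a == b:
            continue  # cosmetic rewrite only, same network
        if b.subnet_of(a):
            out.append(f"object {name}: mask expanded {before} -> {after}")
        elif a.subnet_of(b):
            out.append(f"object {name}: mask shrunk {before} -> {after}")
        else:
            out.append(f"object {name}: address changed {before} -> {after}")
    return out

def diff_rules(old, new):
    """Report removed/added rules and any change to match fields or action."""
    before = {r["name"]: r for r in old}
    after = {r["name"]: r for r in new}
    out = [f"rule {n}: removed" for n in before if n not in after]
    out += [f"rule {n}: added ({after[n]['action']})" for n in after if n not in before]
    for n in (n for n in before if n in after):
        for f in ("src", "dst", "service", "action"):
            if before[n][f] != after[n][f]:
                out.append(f"rule {n}: {f} changed {before[n][f]} -> {after[n][f]}")
    return out

def audit_policy(baseline, current):
    """Full finding list: object drift first, then rule drift."""
    return diff_objects(baseline["objects"], current["objects"]) + diff_rules(baseline["rules"], current["rules"])
```

Run against a known-good export taken at the start of the event, an empty finding list means the policy is untouched; anything else is worth a look before assuming a lost callback is a network problem.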

Overall, the shortened duration of the event was a real benefit to the Red Team, as we maintained persistence to every team–at least in some capacity–during the entire event. The ability to work remotely also made it easier for us to stage our tools and techniques prior to the event, which is admittedly much easier to do via remote administration versus running around to ten classrooms the night before the competition.

I’m also really glad we had the opportunity to do a debrief with each competing team after the event and answer questions. Since the goal of these competitions is education, being able to learn and improve based on this experience is one of the most valuable takeaways for the students.

One of my favorite aspects of the NECCDC Red Team continues to be how well we work together as a group to maintain and share access and persistence. It’s our responsibility to provide a fair and equal experience to each team; in order to do so effectively, we have to collaborate. We each have our specialties–and supporting the firewall side this year really helped our team to be effective.

Points of Advice for Future Competitors

In my summary of last year’s event, I offered some advice to teams, which is all still relevant.

Many of the Red Team members, including myself, don’t do offensive security or red-teaming work full time. Instead, we leverage our experience working with products and systems to maintain access to and control the systems in the competition environment. In many cases, this results in a lot more targeted and experienced attacker simulation for the students. While it’s rare to see such a high number of implants or issues per host in any environment, the end result is that students get to experience what it’s like to be on the receiving end of a cyberattack from a very focused and knowledgeable enemy.

Additionally, we’ve continued the collaboration between the competition organizers and the Red Team on reading incident reports, and worked to develop a template to guide the student teams into creating better reports. There are definitely some areas of improvement here as well–especially around the executive summary–but overall, the average incident report for the regional competition was significantly better than what we’ve been seeing up to this point. I plan on detailing incident reports more in a future blog post specifically on the topic.

Looking Forward to Next Year!

I’d like to thank Hurricane Labs for giving me the opportunity to participate in this event, and I am looking forward to the 2021 NECCDC event–hopefully the world will be back to normal by then.

About Hurricane Labs

Hurricane Labs is a dynamic Managed Services Provider that unlocks the potential of Splunk and security for diverse enterprises across the United States. With a dedicated, Splunk-focused team and an emphasis on humanity and collaboration, we provide the skills, resources, and results to help make our customers’ lives easier.

For more information, visit www.hurricanelabs.com and follow us on Twitter @hurricanelabs.