Okay, if you're all ready, I'd like to go ahead and introduce the next set of speakers. This is the National Collegiate Cyber Defense Competition with Dr. Gregory White and Mr. Kevin Archer. Good afternoon or evening or whatever it is at this point. We appreciate the opportunity to be here this afternoon. As mentioned, I'm Greg White, and this is Kevin Archer. We're going to be talking to you a little bit about the National Collegiate Cyber Defense Competition. What we're going to be doing here is we're going to divide it up. Basically, I'm going to do the pointy-haired manager, high-level overview: what was the competition all about, what format, somewhat; and Kevin's going to get to talk about how it was implemented, how it was conducted, a little bit more about the technology behind it and how we put the thing together. So we'll go ahead and... objectives, okay? If you'd noticed the title, it said National Collegiate Cyber Defense Competition. This is a collegiate event. This was conducted to bring together a bunch of different teams from colleges and universities to compete in a competition, a computer security cyber defense competition. As such, you know, we're an academic institution, we have to have the objectives for the competition and so on and so forth. So you can see some of the objectives here: a meaningful mechanism for institutions of higher education to come together. Part of the problem that we look at is, a lot of times, and if anybody out there has taken courses or is teaching courses, students don't have a lot of opportunity outside of a normal lab environment to really play with some of these things. It's kind of hard to simulate that attacking red team or the hostile internet, which is what students are going to be faced with once they graduate. It's hard to simulate that in a pristine lab environment.
And at the same time, colleges and universities normally are very hesitant to open their labs up and allow their students to do a lot of activities that they might consider too close to the hacking environment. Please excuse the term there. So they, you know, they shy away from anything that might carry that label with it. So what we really wanted to do is to provide an opportunity for teams to come together and try some of the things that they have learned but haven't been given an opportunity to try. You've had all these lessons. You've talked about securing systems. You've talked about the technologies, the processes, the procedures and so on and so forth. Here's an environment where you can go ahead and come together and try to do that, somewhat. I do want to draw attention to some of the other objectives. I do want to really draw attention to that last one down there. This was a competition. And from this competition, we were going to crown a national champion. And because of that, that actually influenced some of the actions, some of the activities, the format of how we did things. We were not the first by any stretch of the imagination. As we all know, for heaven's sake, DEF CON has been doing the Capture the Flag kind of competition. We're not the first or the only cyber competition in the country. We knew that. But because of this national champion aspect to it, it drove certain decisions that were made. And you'll see that as we go along here. The history of the CCDC: how the heck did that silly thing start? As I mentioned, we don't profess to be the first college that's conducting these competitions. We don't profess to be the first organization that's conducting such a competition or anything similar to that. We mentioned, for example, here at DEF CON, the Capture the Flag in all its many different formats has been going on for a long time.
And at a number of different universities across the country, there have been competitions. Different universities have conducted different types of competitions. Some of them are attack-defense types, where the teams have to protect their own system and attack the other teams' systems. Some of them are defensive only. Some of them are capture the flag. There are a lot of different formats. So we weren't the only ones. Now back in 19, or excuse me, 2004, there were two individuals specifically, one from George Washington University, Lance Hoffman, and another individual, Colonel Dan Ragsdale from West Point, the Military Academy, who actually obtained a National Science Foundation grant, an NSF grant, to bring together academics from across the country and to talk about the possibility of putting together a national competition for colleges. That was the whole point of this workshop. And I was fortunate to be one of the individuals that was invited to attend that competition, or excuse me, that workshop. And we had a lot of people from all over, a lot of people who have been conducting these types of things. Well, you get all these academics together. We talked about it for a couple of days, and everybody agreed this is a good idea. We ought to have some sort of national competition. We ought to have some sort of mechanism, you know, regional or whatever districts, to bring winners from those to a national level, so on and so forth. But the problem is, and anybody who's ever dealt with academia, whether you're a student or a professor or whatever, you know, as soon as you get a bunch of academics together, the first thing they want to do is form a committee. And once you form a committee, nothing ever happens. And basically, to be quite honest, that's exactly what happened at this workshop. Everybody was nodding their head in agreement.
All the professors were nodding their heads and saying, yes, this is something great. We ought to do it. We ought to push on. Let's form a committee and let's get this going. So they formed a committee and nothing happened. There was a group of us, actually three individuals representing three different schools in the state of Texas, that were participating in that, and, you know, we'd all dealt with academia before, and we kind of had a little sidebar discussion and said, let's just do it. You know, we're not going to wait for the committee to decide anything. We're just going to go ahead and hold a competition. We'll hold one here in Texas, and that's what we did. We held the first regional, in essence, competition in 2005, and we had different universities: Texas A&M, UT Austin and UT San Antonio were the three schools represented at the workshop that came together. We had Del Mar Community College that also participated, and University of North Texas. We had a number of schools in Texas, in other words, that participated in that first event in 2005. After that, it was successful. Everybody liked it. We played around with the format a little bit. We came up with a format that we liked, somewhat, and I need to emphasize something here once again. If you notice the name of this competition, National Collegiate Cyber Defense: big stamp, underlined that, highlighted, put it in bold. It's a defensive competition. Teams and individuals will be disqualified for conducting any sort of offensive or hostile activity against any of the other teams. There's a reason for that. The reason is we're trying to get the buy-in from organizations, from industry, for example. And as soon as we made this an attack-defense type exercise, all the industry types would shy away from that, don't want to sponsor it. When you make it defensive only, you get a lot more people interested.
In other words, and we actually had this kind of question in the early days, you know, are you training the next generation of hackers? No, no, no, no. We're training the next generation of cyber defenders. It's a cyber defense competition. And everybody buys that. The media buys that. Everybody loves it. We're all happy, we press on. After that 2005 event, it was very successful. Everybody liked what we were doing, the format. We had a lot of good feedback from the participants, the instructors. Actually, we had professors that told me they went back and changed their programs at their universities as a result of what they saw at the competition. They realized that there were holes, things that they were not teaching, or that they were teaching and could be doing differently to prepare their students, to motivate their students, to get them excited about this subject a little bit more. And they actually went back and started changing their programs as a result of the competition. So in 2005, we basically announced, okay, we're going to go ahead and hold a national. You know, once again, we're not waiting on the committee. By the way, the committee that was formed has never met. So, you know, if we'd been waiting on it, we'd still be waiting on that committee. So we just went ahead and said, we're conducting a national this next year. And we raised our hand and said, we'll do it. If anybody's interested in participating, let us know. And what we were able to do is we were able to get four other universities to sponsor regional competitions in their area. And we also got, for anybody who knows, the annual cyber defense exercise at the military academies has been conducted. That's another example of one of those other competitions that's been going on for a while. The military academies for, I guess, the last six years have been holding an annual competition between the service academies alone.
So they don't let anybody else participate. It's just the military that does that. But we actually got them to sign on board as one of our regionals. So the idea is, very logically here, that we had the regional competitions. The winners from each one of the regional competitions then came to the nationals, including a team from West Point. You see where the regional competitions were held this last year. And so, here's a, you don't have to memorize this, there's no exam afterwards, but here's a list of some of the different universities that participated. If you will notice, take a look at that very first one. This competition is not limited to four-year institutions. It is also not limited to undergraduates. Basically, the only requirement is that the participants must be full-time students at their respective institution, college or university. So we're trying to make this as broad as possible, to make it as open as possible, so we can get as many people participating in it as possible. The 2006 event, which was held earlier this spring, was very similar in format to the one in 2005. Now, let me just sort of explain it. Kevin is going to go into this in much greater detail in a second here. But the format of it, the premise, is that it's kind of like, congratulations. I'm talking to a team here. You know, congratulations. You and your buddies here, the team, have just been hired by some company to be the security team for our corporation. It's like you basically just graduated, you just got hired, welcome into our company, and we present you on day one. You walk into that competition on day one, and here is your network. It's fully functional. It's up and running. It's got a web server, an e-commerce site. It's got all the different little things that you'd expect to see at a company if you walked in. We guarantee it's working. We don't guarantee it's secure. As a matter of fact, you can pretty much guarantee there's going to be problems in it.
And so it's your job, the team, it's your job to secure the network. And oh, by the way, you've got to keep it operational. Because as soon as they walk into the room, we start the scoring engine. And we know that there are certain services that are supposed to be up and running, and we're going to check. And oh, by the way, at a certain point in the future here, we're going to unleash a red team on it to represent that hostile internet, that environment that exists out there. We're not going to tell you exactly when they're going to come. We're not going to tell you how they're going to come or what they're going to do, but they're going to start attacking here in the near future. So that's the basic premise. Now, it's a two and a half day competition. We start Friday afternoon. Go to late in the evening. It is not 24 by three, because basically we want to go home at night. And also we do things like reviewing logs to check what people are doing. And remember, we talked about no hostile activity by team members against others. So we check those kinds of things. We have the opportunity in the evenings to go through stuff and make adjustments. But during that time period, another thing that you will also get is business injects. The kind of things that, okay, right? You have a business. You've got to keep the network up and operational. It's got to be running. The e-commerce servers have got to be up. The mail's got to be going. And you've got to maintain that. And oh, by the way, I have these people who are trying to break in. I've got to keep them out. And oh, by the way, I've also got upper management who's levying these requirements on me. What kind of requirements? Okay, well, here's a list of our new employees and here's the folks who have been fired.
You've got 30 minutes here to get the new accounts established: new user IDs, passwords, accounts set up for these individuals, and these people better be out, but you better back up the data, and, you know, you get the idea, those kinds of things. They may also, like in one competition, one day, the beginning of the second day, they walked in and there was a new piece of hardware that was sitting there waiting for them. It's kind of like, congratulations, your predecessor had ordered this and it's just arrived. You've got two hours to get this piece of hardware up and running. So they have those kinds of things that they have to face, and oh, by the way, maintain the operational network and so on and so forth. So you get the idea about the format for the competition. You get points for services that are up and running. You lose points when you get broken into. And just a comment, Kevin, I'm sure, is going to go into this in more detail talking about the red team, but the red team, that hostile attacking internet force there, is actually a group of volunteers mostly coming from commercial environments. For example, San Antonio, for those who may not know anything about San Antonio, we've got a lot of security companies down there, and so we have a lot of volunteers that come in and help us perform that job. So that's our red team. Oh, we have a comment down there: we have to thank. The CCDC has been sponsored in part by the Department of Homeland Security. They actually have signed on, and it looks like we're going to become a line item in their budget here, one of their little budgets. I mean, the DHS budget is huge and we're just a very small piece, but it does look like they're going to be signing on. They liked what they saw and they're going to continue to sponsor us in the future. We had a number of other companies.
Here's just some idea of some of the other folks who have sponsored. Some people sponsored, and for example, you see some security folks in there who gave us equipment or software or whatever, and you can pretty much guess that if you see a sponsor's name in something like that, then you're going to see some of their equipment in the competition at some point, because it's nice to get that. And it's nice for the students, because a lot of times the universities may not have access, especially some of the smaller ones, the community colleges, may not have the budget to go out and get the latest and greatest piece of hardware or software that's offered out there, and if they've never seen it before, they're going to get to see it during the competition. Anyway, so you see some of those things. ThinkGeek, love those folks, caffeinated soap, that's what they provided. Which is important. Kevin will talk a little bit more, like I said, about the specifics in terms of the network there. You can see sort of a little diagram he'll talk about. We do have a traveling trophy that was created. There's a picture of our wonderful little trophy, the idea being here that we've got a lot of little places to stick names on it, and that will be a traveling one that goes to the different universities. Very similar to what the Service Academy has with their trophy. The winning university also receives a trophy that they get to keep, and so did the participants. By the way, I think I forgot to mention teams consist of up to eight team members. So, per team, the winning team from this first year, you see a picture of them. In fact, we have some of those folks here at DEF CON. The first place team this year was University of North Carolina Charlotte; they won it this year. So congratulations to those folks. If you see them, ask them about it. I don't know if there's anybody here from UNC. See anybody? Did they show up?
Okay, ask those folks what they thought about the competition, if anybody wants to get a different opinion besides our opinion on it, if you want to get a participant's opinion on what they thought about it. One of the other things I probably ought to mention too, in terms of the regionals and the nationals: we don't dictate to the regional competitions exactly how they need to run their competitions. We know how we are going to run the national. We have some ideas about it, but we're allowing the regionals for this year and next year to have a little bit more freedom in how they format, because we figure there are other people out there with bright ideas, and somebody may come up with some great ideas that we can all come together and benefit from, and maybe adapt what we're doing, or the other regionals can adapt what they're doing, as we all learn these good war stories and good methods to conduct these competitions. Future of the CCDC, just for information purposes. A big one there, as far as we're concerned, because all my people that work for me at the University of Texas San Antonio are in grant-funded positions. So basically we've got to have money coming in or they don't get paid, and they like doing this. Kevin's basically doing this full time now, working on the national for this next year. But we want to increase it. Last year you saw we had four plus the Service Academy, so in essence we had five regionals. We're shooting to have eight to 10, it looks like, I think, from folks that I've heard; we haven't locked that down yet. Kevin will be talking a little bit more about it, but we should be able to get to that eight easily, and then potentially, hopefully, cross our fingers, maybe get to 10 this year.
We're not sure exactly how big the competition is going to get, how many regionals we ultimately will have down the road, because if you think about that format we talked about, when you walk in with your team on that day one, we had, for example, this year, five exact copies of this network with multiple systems. They all have exactly the same hardware, they're all running the same software. I mean, you go from one system in one room to the next room and it's exact; take a picture, it looks the same. If we're going to be crowning a national champion, you can't have any differences between the teams. You can't have one team saying, well, we would have won too if we had that setup there. That's not going to work. You have to have exactly the same setup, and that's going to drive certain things. One of the things it's going to drive is how big this can get, because how many of those networks can we have? How many different universities in the country have that many computer systems? Because you'll have 8, 10, 12 computers, depending on how we're going to set things up, and you have all the different network devices that go with it, the security devices. There's a lot of equipment, a lot of things to play around with here. So we are going to increase, but we think it probably will max out at 10 to 12 at the most, which means that instantly, if you do the math there real quick, if we're maxed out at 10 and each of the regionals can only do 10, that means there are only 100 universities and colleges that can compete. No, absolutely, we can't limit it to that. So there's undoubtedly, at some point in the future, going to be a structure beneath the regional level. In fact, we have one of the regionals that's already exploring that, looking at, for example, district competitions, and then going to the region, and then going to a national. So you can see where this, eventually, down the road, may build into something big. The competition,
University of Texas San Antonio, the Center for Infrastructure Assurance and Security, which is who we are, where we come from, we are going to conduct a competition again in 2007. We're going to conduct it again in 2008, not sure about the location yet, possibly San Antonio again, or maybe someplace else; we may explore looking at doing it someplace else. But one of the goals for this coming year is we're going to be establishing a governing body. Right now we basically say we're setting the rules, we're dictating how this is going to run, we're putting it on, we're going to tell you how we're going to run it. We're doing that, just like I said, back up to that earlier conversation: get a bunch of academics together, nothing's ever going to happen, because they're going to form a committee, unless someone does something. Well, we're doing that something. But we recognize that to get the buy-in we really need to have some sort of governing body. You know, I think the NCAA is kind of a structure here; you know, there's a governing body for the NCAA. We're going to need some sort of governing body for this competition, and that governing body is going to be set up this year, to where we're going to announce those individuals who will be on that board basically at the 2007 competition. And their job then, from 2007 to 2008, will be to develop the rules, you know, come up with the rules for the nationals and the regionals and this event here, and then those will be announced in 2008. Was there a question? Sorry, I heard something else. Okay, anyway, at this point I'm going to turn it over to Kevin, who's going to talk a little bit more about how things were put together and how things ran. Sorry, hopefully you guys can see me; they don't have any stool. So my name's Kevin Archer. One of the reasons I joined the CIAS is exactly what Greg was talking about with the academics: I'm not an academic, not part of the tenure mafia, so they brought us in to
actually get the stuff done. But as you mentioned, the concept came from the NSF planning deal; they just could never get it off the ground. So we decided, well, you know, we've been going to DEF CON since forever and we've seen some of these competitions, and this is how we can make it more corporate friendly. And it's similar to CDX exercises, if anybody's ever been involved in those. And again, the big thing is the defensive only. I've tried to convince individuals that we should let them go at each other at the end, but unfortunately our sponsors are like, no. And so it's not a capture the flag per se; the red team does all the security type stuff. So the overview of the event itself: basically, like Greg mentioned, they come in, here's your network, and you have eventually 24 gaming hours to secure it. One of the huge challenges, as we've seen and as many of us do day to day, is dealing with management, dealing with, you know, live internet activity, trying to keep your services up, your customers happy, and in the meanwhile defending it from certain individuals. So that's what we really try to mimic, and we do the best we can. We have traffic generators on the network that actually throw a ton of stuff at these guys, so it's basically real-life traffic at that point. It's really hard to identify where the red teamers are coming from, and it makes their job more difficult, just like it is for ours in the everyday world. So the concept again: identical business networks, business tasks are given. So, you know, you have the big boss saying, hey, by the way, I was talking to my buddy at the golf course and this tool is really cool, I want you to implement it and I want to see it by tomorrow, because he's my best friend and I told him I'd buy it. Everything on down the line, you know, user changes, password changes, everything that you're going to have to deal with, day-to-day admin stuff, while still trying to change security. And the reason we kind of go to that point,
everyone's like, well, it's a security competition. Well, more and more budgets are cut, and admins these days are your security force. So we make them do both, to kind of say, even if you end up on the admin side, never forget about security, because you might not necessarily have the $100,000 budget to hire, you know, your $80,000 security guy, or a team for that matter. So again, the independent red team is a bunch of consultants; I'll go a little bit more into that. And the neutral white team, which, you know, those guys are like auditors, ISSA type people, if you're familiar with those organizations. Basically volunteers come in, and more and more vendors are sending people that mostly want to be on the red team, but with the overflow, on the white team. And again, the teams are scored based on their ability to defend their networks against attacks and keep your business up and running. So the challenges of doing the network, like you said, is all the equipment must be identical. Regionals oftentimes, because like we said we don't try to dictate what to do, and in order to save expenses, you know, go ahead and do virtual machines. There's a really strong reason we don't do virtual machines, because it's not too often you walk into the financial organizations of our world and they're running a bunch of VNC servers. No, it's going to be all independent platforms. So we try to mimic corporate as much as we can with our small budget. Images, exact images, are created of each platform. We use a product called Acronis TrueImage to do that, because they tend to do a lot better job than Ghost, and I shouldn't say that since Symantec's thinking about it, but Ghost just doesn't like things like Solaris and BSD at this point, not too reliable. So we have to make sure they're identical, identical all the way down to the processor, RAM, platform, look, feel, everything, so we have no contestants that get kind of whiny on us. And then one of the interesting things is once they get owned and then get rm'd, because we
do let them rm -rf. The red team, if you get in, you can do pretty much anything an attacker would; we don't try to hold them back too much. If a team's been rm -rf'd like 12 times we might, you know, okay, give them a break. But we have a restore service, so we'll run in with TrueImage, and it works like a business: it costs them points instead of money in this case. So if you get rm -rf'd, you're going to lose points for that, but you're going to have to spend some points to get back up. All the traffic is logged and monitored. This is done for multiple reasons. One, Greg mentioned, was to make sure there's fairness and equitability there; if one team's pounding on another team, which we actually had happen the first year, that's not too fair. So everything we see goes across our IDSes, and I'll go more in a little bit on the network in a minute. And mostly it just keeps them honest. It also lets us know how our network's performing, what we need to upgrade or change as far as our core infrastructure. So basic layout of each team's room: the operating systems we choose are always changing. We will give the students a list of OS flavors they might encounter, but we never give them an exact spec; they don't know what they're going to get when they walk in the door. And one of the reasons we do that is MIT is going to have a lot more money than some of these community colleges, so we don't want to say you're going to be running this version of Solaris, and MIT's like, oh, we don't have that, let's go buy it, and the other guys are like, well, let's go buy a book, I guess. Linux, BSD, Windows, and we try to mix it up enough with one weird OS, like, oh, that some weird admin had on our systems. And again, it's more of a, we say, welcome to the company, you're the new security team, and everything else. A lot of that's based on some of our past experiences in industry, as consultants back through the dot bombs, walking in with all the corporate buyouts that were happening, taking over a system, and the guy on the way out the door
is rootkitting, and going from there on. Often we'll leave them unpatched; we'll specifically find older versions, and we'll throw tricks in there like security through obscurity, change the banner so they think they're running something else. And this is kind of an interesting story. We provided them their core OS CDs too, so they can restore themselves, but we had one team begging us for, I guess it was Fedora Core 2 at the time, and they're like, no, we need to, we need to, we have to upgrade. Well, just for fun, that was actually a Fedora Core 4 system that we had just changed some banners on. So we mess with them quite a bit. They just have to sit down and really think, you know, what am I dealing with? You know, do a uname -a. Well, okay, that kernel is not four years old. So that was kind of fun. And a lot of the systems have been previously owned; we'll do it usually from an admin perspective, and that's kind of the fun part that I get to deal with a lot: throw on rootkits, leave them out there for the red team, PHP backdoor shells on the e-com servers, you know, make sure all the credit cards are unencrypted in the databases, all that kind of stuff, and hope the red team finds it. And often I'm disappointed, but I'll go into that one some more. The network itself is very minimally configured. Basically, here's your switch, here's a firewall, which we purposely stick in bridging mode so it's not acting as a firewall. You have two hours before the red team starts; better get your access lists up, your rule state, and go. But that's it, so they start really with nothing. The services, as you mentioned, they have to have core services up. We have an automated scoring engine that goes out and does this, but, you know, you're a business: you have to have mail, you have to have POP, you have to have e-com, you have to have DNS, you have to have HTTPS for your e-com site, up all the time throughout the event. The business might add more, like, oh, you know, your clients are begging you for
an FTP site, or SSH access for these consultants, or whatever; bring it up, online, do it securely. And then we have people that judge that. There are other services that are required but unmonitored, such as SQL, especially for the e-com site, or Oracle, whatever our backend database is at that time. We also put applications on there; on some of the client systems we'll put malware, file sharing, unauthorized security tools, MP3s, whatever. One of the injects might be, hey, you know, the CEO might send them an inject: hey, I read this article, the RIAA, they're coming down hard on MP3s, find them, write me a report, stuff like that. And some tools are installed to help, but they're put there to be a hindrance at the same time. Last year we had Big Brother on there, and we had it completely unsecured, just a default install, so the red team had a lot of fun with that, because the teams were like, hey, this is great, we can see our whole network. So can they, unfirewalled out in front. So that was kind of fun. osCommerce, I don't know if anybody is familiar with that; we deliberately put a very old version on there. This is the kind of stuff we do to just kind of see where the students are at, get a good idea, and really challenge them. We put a really old version of osCommerce on there, which is great because the patches are available; the bad thing is it doesn't work with that version of MySQL in this case, so you have to upgrade that too, and by the way, it dumps all the tables during the upgrade. I hope you made a backup. Lots of fun. This is kind of an idea of what a typical team network would look like. Again, you know, we don't have the resources to throw out 2,000 client systems they have to manage and, you know, 1,500 servers or whatever. So this is basically what last year's looked like. You've got the firewall, the switch, you'll have a PDC, DNS servers, the client workstations, which are really owned, and at least one system we give to them that's kind of okay, which is usually a laptop
of some sorts and then the core services so you can see we had like my sql, bsd, 6.1 which at the time was beta so that was kind of fun so there'll be really new stuff on there where there's challenges too so try to find drivers for newer systems on a beta bsd box have fun and that's one other aspect of the challenges of dealing with newer technology and older technology and integrating them now behind the scenes our network operations is basically various OSes, mostly we run Linux we have redundant firewall switches ids we have rendering and scoring engines that's all protected through mostly ACLs multilevel firewalls so that they can't pound on us and if they do they are obviously disqualified originally our scoring engine which just goes out in checks for those services was just a tweaked out nasal script and it worked but no offense to my buddy Dwayne it kind of sucked so last year we had a new guy Leon Johnson come on board it was a whole thing in C much faster, more reliable since the red teams are allowed to change content it's not just enough to say my HTTPC site is up well is it really you is it really the site or is it a picture of the mullet crew which one of the red teams defaced with so he went through integrated some MD5 hashing on various spots you know aren't necessarily code we hit all sorts of stuff so we could go through and reliably say that's the site it's functional or in the Ecom site that's the product it's supposed to be there and we could go really deep there's just some pictures of the event again that's the operations room there on the right hand side it's a basically we run everything on that mobile switch I wish we could do that with everything but you know again we're sponsored so we have to make do about 400 systems over there over the hotel and set them all up and hopefully next year we'll see a lot more of these racks but there's a in the bottom left-hand corner there there's a team room I'm not sure who that is I think it's 
actually you but I think that's a UTSA team but and then we have just a shot of one of the students pulling their hair out the red team volunteers this is kind of interesting I'm from penetration testing background myself and so is most of our organization but you know we try to give them general guidance it's all industry volunteers your typical you know big five guys come in do their thing it's not even big five anymore it's probably big two but we give them general guidance you know there has to be a certain amount of fairness and equitability so if you compromise one system immediately go to all the other teams and try to pop them with the same exact thing it's the only way to keep it fair and we have a guy in there that says okay that's great you know you got rude or whatever go do it here here and here and here and and then we'll go from there it's for that for their purposes it's a playground I mean you can do anything no restrictions basically at this point you are a black hat have fun do whatever you want so it's a great place to try old and new explodes most and like I said most of the time anything goes sometimes we'll hold them back a little bit if you know people are crying which has happened and so but our MRF web device web to face and own messages to printers you know print on their printers if you can and whatever we had one guy just sitting there moving the printer all day and the team was constantly yelling at each other how can I print that's pretty good but um and some of the challenges though are and this is kind of where we're always looking for help so if you're interested in red team or whatever you know you can send me an email and my information is at the end getting quality people you would think with all these big organizations that these guys would come and do your typical assessment procedure scan everything you know all ports and not just go after low low hanging fruit and and they really got stuck in a warm hole and this has 
happened both years. So this year we're going to try to invite some of the people we know personally from different states to come down and kind of take care of the back end. Like I said, we put all sorts of stuff in there: we had PHP backdoor shells, we had all sorts of stuff that was never found, never patched by the students either, because I guess they never ran Nikto or whatever, but for some reason neither did the professionals, which is somewhat disturbing. So, you know, they'd find DCOM and have a great time on all the networks with DCOM, and okay, you found DCOM, why don't you try WMF, which is newer? If it's vulnerable to one, go forward. And there wasn't a lot of root, which was really just kind of disturbing. So we'd like to see more and more balancing of those teams.

The business, like I said, it's basically just your typical CEO, CTO: "Hey, how are you doing, you know, my buddy has this, install it," this and that. A lot of times it's just, you know, "Perform a... we need a vulnerability assessment, give me a complete report." And we'll provide them with commercial and freeware tools. A lot of the vendors have asked for feedback on their commercial tools or freeware, so they're getting people that haven't touched their tools before; most of these students haven't played with a Retina or an ISS or anything like that. So they go, "Well, how was it compared to a Nessus?" or something like that. We make them do mass password changes, incident response: if they get owned, they can actually get a few points back by just responding to the incident. "This is the attack, this is what we got hit with, and this is where it came from." If you can write up a simple incident response report, you might get some points back for that. And then we also make them write security policies for their users, implement system security, and that kind of stuff.

The white team are a bunch of volunteers; we have one in each room, like I said, ISSA guys, that make sure that, A, they're not going out to preloaded sites. That's one of the rules, because, you know, we don't want the MITs to go out to their own website and say, "Okay, well, this is publicly available," and they're downloading their own personal copy of Retina when no one else has it. So they keep an eye out for stuff like that, and they're responsible for scoring those business injects, because obviously we can't be in all the rooms at one time.

Vendor response: vendors really play a lot of roles in our thing. It's not just about the money or whatever; a lot of them are just there to donate equipment and software. That's really what we need to do with the zero-day stuff. Last year we had the beta TippingPoint X505 before it even hit the market, which is really cool, so TippingPoint got to see what users were going to be calling them about beforehand. They actually had set up vendor tech support; we gave the teams a tech support number, said, "Here's a box, see what you can do with it," and their tech support were pulling their hair out. But TippingPoint got a really good idea what they needed to fix before they rolled it out, from a user perspective, and what people did and did not like about it. That worked out really good, so we get that type of stuff. ISS donated scanners; of course we have all the freeware and open source available, because we're big open source promoters. But that's what vendors really get out of it now. Cisco, on the other hand, donated basically our core infrastructure. They're just, you know, "Hey, this is neat, here you go, you guys can have it," and that's worked out really well too.

Certain limitations when it comes to the vendors: a lot of them are like, "Well, you know, you're running this enterprise this and that, we want you to roll out enterprise-level apps." Well, I'm not going to ask a bunch of, you know, students to roll out Tivoli in a 24-hour period while they're trying to deal with all this other stuff. So we kind of have to limit what we do accept. But of course, cash, we always take cash. But it's expensive to pull it off. I think the first year it cost us a quarter of a million dollars, and that was out of pocket. We're grant funded, so that's six months less salary or whatever for half of us. So that's one way these vendors are playing a role, and then we also ask them, you know, these students haven't been to the RSAs or even the Black Hats of their time yet, so, you know, whatever you have left over from RSA that you won't give out, you know, doodads and other, you know, ninja-type stuff that they walk away with, like this handbag just full of goodies from the security world.

And the ROI for the vendors is really simple: they get a lot of good press out of it, they get their product reviews, which a lot of companies pay a ton of money to organizations just to, you know, review their product and tell them what they think from a usability standpoint. So they're like, "Hey, this is free, this is great." And of course, access to upcoming students that are in the job market. I know we have at least one competitor here who is now employed based on the connection through his own regional, so that was kind of cool.

Current regional competitions: we have a pretty small footprint right now. There's a couple of areas in here, this is an older map, that are coming: the Colorado, Nebraska, Omaha and Wyoming and New Mexico areas are going to be filled in, and then we've got a lot of interest from MIT this year, so hopefully that right-hand side goes up. But if you're in a school and you have a professor who thinks, "Hey, we might want to sponsor this," or, you know, hold your own regional for your local neighboring states, give us a call and we'll give you the basic guidance on how to do it and get your teams there. So they're still coming. I know Dr. White mentioned possibly one in Hawaii, which, that's one I'd go to.

So, future: National CDC 2007. Again, it's going to be held in San Antonio; I believe it's going to be held at the airport. We're currently building, going to be launching, a few new websites: a portal for regional organizers, and then a really thorough site on the event itself. The one that's out there right now is kind of hokey, because we're more busy building networks, identical networks, than worrying about HTML. And then working on an NSF grant to reconvene those people and, like you said, start this NCAA-type thing, which hopefully will just snowball. A lot of fun. We have a lot of international interest this year; across the pond they're starting, "We want to do one too," so we can have an international competition. So you never know. It's already grown so much: started with five teams; last year somewhere in the neighborhood of 70, something like that; and this year it's going to be a heck of a lot more. So a lot of those regionals have so much interest from their local universities that I know at least two of them now have state qualifiers. You have to win your state before you can get to the regional. It's going basically down the road of NCAA-type stuff, which is really cool and really interesting to see.

There's actually a lot of commercial interest. Security guys love it; like I said, they get their product out, and they can basically walk in these rooms as a vendor. If you support us, you're welcome to come. You walk in this room and say, "Hey, man, that kid's really sharp," and, "Hey, you want an internship?" or whatever, which works out good. And there's also some commercial side of it in the regionals. The regionals don't have a lot of money, we don't have a lot of money, but we managed to get this equipment through our vendors. Like I said, they use virtual machines, so there's actually White Wolf Security out there, and they have a virtual machine product which is helping these regionals pull it off, which is really nice to see.

And basically that's all we have. If there are any questions for Dr. White or I, shoot them, or just meet us on the side. Greg, do you have something else?

Just a couple of things that I recognize that I neglected to mention, or something like that, and you might have caught it from Kevin's discussion. If you noticed his discussion of the red team there, the red team has no advance knowledge of what the networks look like. You probably caught that from his statements there. Basically the purpose of that is that they're supposed to be simulating that hostile internet environment, where someone's banging away on the system or banging away on your network; they don't necessarily know what's going on. The individual out there in the real world would be going through the same thing in order to attack your corporate network, so red teams don't get any advantage. This actually is kind of interesting, because it actually provides us with some information. I actually put my research side hat on, my academic hat: we're doing some research in intrusion detection, and it's interesting to take a look at the network traffic that we have. We have a competition to see the kind of things that occur, to be able to do things like test intrusion detection systems with some different data that's a little bit more up to date than the DARPA data from '98 and '99. So there are some other side benefits that may come out of this competition.

Kevin mentioned the international interest. I forgot to mention one of our other key sponsors, ISSA; their names were up here, but for those folks, hopefully everybody knows who ISSA is: Information Systems Security Association. That's actually a professional organization, professional information system security types, but it's an international organization and they are pushing big time for us to try to go international with this. So by the 2008 competition you may see schools from there. They're pushing for something a little bit more local; like you said, there's some across the
pond, there's some interest, but there's also some interest up in Canada, so we may have some colleges, universities coming from Canada to participate in the competition as well. One of the other things I mentioned: we're not the only folks that have great ideas; there's a lot of you that have great ideas out there, and we would love to hear from you. I think I had a bullet up on one of the slides, I didn't mention it or highlight it, but we're hoping to announce in 2007, for the 2008 competition, some additional competitions at the national, so that there are other things going on, not just this event that we described here. For example, we're hoping to have things like maybe a forensics challenge. So you think of a track meet where there's a team competition, but the team competition may consist of a number of different individual competitions as well that play into that team competition. So we're looking at some other things we might be able to expand into, to add other aspects. You mentioned the incident response, but wouldn't it be neat to be able to do some forensics analysis as well? Because that's a whole other area in the security arena here. There's a lot of students studying in that arena, a lot of schools that have programs in computer forensics; let's see if we can't get them involved in that as well. And so I think those are a couple of little comments I wrote down that I had neglected to mention when we were going through, so I wanted to make sure I got that. Now, back to questions. Any questions? Yes, sir.

(Audience question, inaudible.)

[We don't] typically test for physical security, but there's a funny story. One of the regionals, a couple of them broke in, I guess. I've just heard the story from Ron Dodge, Colonel Ron Dodge. So it's happened, but it's not part of the competition. We don't let the red team in at night; we lock the doors, keep them out. Basically, once you have physical access to a machine, it's over; we all know that. So at that point, what happened, from my understanding: they snuck in, some of the red team members took it upon themselves to sneak in at night and put things on systems in the regional, and they got talked to about it. That's all I know; I wasn't there. So... okay, so there you go, they didn't touch the systems, so we got that wrong. But like I said, I wasn't there, I don't know. But okay, they went in, wrote on some boards, and left the systems alone, harassed them. That's always fun; they're in a stressed-out area anyway.

(Audience question, inaudible.)

Okay, unfortunately, as a red team, I'm not allowed to... we don't... these guys keep me out, because I know too much, you know, so I can't go in, I can't do the hacking and this and that. We really leave it up to the industry professionals. Basically, whatever toolkits they bring; we provide a couple of things, but whatever toolkits they bring. Like he said, it's all discoverable, so... And those systems are open enough that could you... oh, yeah, I mean, it's there if you wanted. Like I said, the clients are pre-owned, and some of them, you know, have root access; you do whatever you want to it. If you're creative, basically, creativity is your limit as a red team.

(Audience question, inaudible.)

Oh, no. Students are... originally we let them bring in their own machine; we limited the number of NICs and stuff like that. But as the competition grew, we want to make sure that, you know, the community colleges could compete against the MITs. You know, we don't want someone, you know, rolling in an AS/400 or anything insane. But not at this time; they're not allowed to download their own software. They can bring in a lot of printed... anything they want printed. So if they want to come in and they've created their own, for some reason, you know, custom IM solution that they're going to use to communicate or whatever, they can't bring it in electronically. They can bring in the code on paper and re-create it if they're fast typers. So that's basically bring in the paper, leave the electronics at home, kind of thing.

At the high school level, I'll let Greg address that one; I'm not really sure where that one's going.

We actually, this last year, also conducted a local high school competition just to sort of put some feelers out about that. It went fairly well. It was a slightly different format, well, actually, quite a bit different format than what we're doing here. But to be honest, we're backing off a little bit on that. Iowa State also has been conducting a high school competition, so what we're trying to do is to coordinate with them and allow them to take the lead on that. We'll take the lead on the collegiate; they can take the lead on the high school, so we're not competing against each other for, you know, competitions or something like that. So we're trying to be supportive of them and help them build that as we build the collegiate side. Yeah, you want to...?

Yeah, we recognize it's a huge challenge, especially for universities that might not have access to, you know, technical teams. The CIAS is kind of a different organization, different entity; a lot of us have industry backgrounds. So what we do for the regional coordinators, or people that want to put one on, or even people that are just interested: our code's all open source, we will release it. We have actually some guidelines, not rules per se, not "you have to follow this format," but, you know, here are the challenges we've faced, there are a lot of pitfalls, and how to get past them, to give people a good idea of, you know, how to pull one of these off, A, without going broke like we did the first year, and B, just, you know, making it all work. So yeah, if you have somebody who's interested, or you are, then, you know, by all means email us, and soon enough it will be all available publicly for download anyway. But yeah, we'll go ahead and email that stuff out. The network traffic as well: the network traffic, the IDS logs. If you have IDS researchers at your organization, or you're an IDS company and you want to run through it, that'll be available too, open source.

(Audience question, inaudible.)

If it's freely available for download. So, I mean, basically, if you know of a tool that exists and they don't, their own loss, right? And that's basically it: as long as it's publicly accessible and free. Like, you can download freeware, you can even download shareware, but you can't register it, and we keep them away from commercial tools. But yeah, if you know of a tool that's out there and you just happen to know of it and nobody else does, as long as it's on a public site that the other teams would have been able to get to had they known, yeah, that's pretty much where we draw the line. And there's a fine line there, and we have to go through a lot of logs to make sure, but generally, if we think we would have found it with Google, yeah, it's good.

(Audience question, inaudible.)

The internal threat stuff is the stuff we have placed, just because it's such a... During the event itself, we've never gone... I think the closest we've done is, as a white team, not the black team, in this case the ops team, instead of going in and letting the red team own their systems, we've gone in and pulled, like, a network card and said, "You had a failure," stuff like that, and they have to deal with that more. You know, no, the malicious insider stuff is usually there before they take over the network, and the threats usually are there the entire time, because they don't find it. But it's typically "your last admin was real disgruntled and that's what's left over," but not like one of your team members has gone astray, although that's a cool concept. And the CEOs are often doing their own, more insider stuff.

(Audience question, inaudible.)

After the competition, for, like, forensics, to see what they did? We haven't. It's an interesting notion. After the competition we sleep, but we have not done anything with the actual... what they've done with their hard drives. Generally, since we have white team volunteers and they're reporting the whole time, and a lot of it's directed, we've seen it, and we've seen the different approaches. We've done no research papers or anything on that; we'll note it and then move on. But generally we're more interested in the traffic at this point. But that's a really interesting point, and I'm sure you'll have Greg talking to me now about mirroring more hard drives. Ha ha. Yeah, very good. Yeah, it's a great idea. Sure. Yeah. All right, any further questions? We'll just step to the side and let the next guys come up. Thank you.
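The scoring-engine point Kevin makes earlier in the talk (a service answering on port 443 is not proof that the real site is still there, so the engine hashes selected spots of the content and compares them to a baseline) is shown below as an added Python example written for this page. It is not the CIAS scoring engine, nor code from the talk. The sample pages, the `<div id="...">` regions used as hash targets, and the point values are constructed for illustration; SHA-256 is used where the talk mentions MD5, since any collision-resistant digest serves a change-detection check.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed sample responses standing in for what a scoring engine would
# fetch from a team's e-commerce site. Not real competition content.
BASELINE_PAGE = """<html><head><title>Team Store</title></head><body>
<div id="products">
<tr><td>Widget</td><td>$9.99</td></tr>
<tr><td>Gadget</td><td>$19.99</td></tr>
</div>
<div id="footer">Generated Tue 14:02</div>
</body></html>"""

# Whole page replaced by a picture: "up" on port 443, but not the site.
DEFACED_PAGE = '<html><body><img src="crew.jpg"></body></html>'
# Subtle tampering: one price changed, everything else intact.
TAMPERED_PRICE = BASELINE_PAGE.replace("$19.99", "$0.01")
# Legitimate churn: only the volatile footer timestamp changed.
NORMAL_REFRESH = BASELINE_PAGE.replace("Tue 14:02", "Tue 14:07")


def region(body, element_id):
    """Return the inner text of <div id="element_id">...</div>, or None.

    A marker-based cut is enough for the example; a real engine would use
    an HTML parser or hash a server-side artefact such as a product row.
    """
    marker = f'<div id="{element_id}">'
    start = body.find(marker)
    if start == -1:
        return None
    start += len(marker)
    end = body.find("</div>", start)
    return None if end == -1 else body[start:end]


def fingerprint(text):
    """Digest of one region; the engine stores these before the event."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def baseline(body, element_ids):
    """Record expected digests for the stable regions only, so routine
    content churn (timestamps, counters) does not look like tampering."""
    return {eid: fingerprint(region(body, eid)) for eid in element_ids}


@dataclass
class CheckResult:
    up: bool                      # service answered with HTTP 200
    intact: bool                  # every hashed region matched baseline
    bad_regions: list = field(default_factory=list)


def score_http(status, body, expected):
    """Availability plus integrity check for one poll of one service."""
    if status != 200 or body is None:
        return CheckResult(up=False, intact=False, bad_regions=list(expected))
    bad = []
    for eid, digest in expected.items():
        r = region(body, eid)
        if r is None or fingerprint(r) != digest:
            bad.append(eid)
    return CheckResult(up=True, intact=not bad, bad_regions=bad)


def award(result, full=10):
    """Constructed scoring rule: no credit unless the site is both up and
    unmodified, which is the point of hashing rather than just connecting."""
    return full if result.up and result.intact else 0


if __name__ == "__main__":
    expected = baseline(BASELINE_PAGE, ["products"])
    for name, page in [("baseline", BASELINE_PAGE), ("refresh", NORMAL_REFRESH),
                       ("defaced", DEFACED_PAGE), ("tampered", TAMPERED_PRICE)]:
        res = score_http(200, page, expected)
        print(f"{name:9s} up={res.up} intact={res.intact} "
              f"bad={res.bad_regions} points={award(res)}")
    print("down     ", score_http(503, None, expected))
```

Hashing only the regions that are supposed to be stable is the part that matters in practice: hash the whole page and every clock or hit counter becomes a false "defacement"; hash nothing and a replaced page scores as healthy, which is exactly the gap the talk describes.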