Fear the stalking red

Ethical hackers test the skills of college cyber teams at NCCDC

The Red Team is coming.

Everyone on the 10 student teams competing in the National Collegiate Cyber Defense Competition know they will face this adversary. The Red Team will attack, crack and hack their systems. The students can't stop them. Their only hope is to contain them.

In the cybersecurity world, a Red Team is a group of ethical hackers that simulates hostile attacks against an organization’s computer systems, using the same tactics, techniques and procedures as real-world bad actors. Only these hackers are here to help. They search for gaps – exploits, vulnerabilities and misconfigurations – to help the organization fix them.

“The only difference at NCCDC is, (the student teams) know they’re going to be attacked; they know they’re going to get hammered, so they should walk in prepped, knowing they’re probably under attack or already compromised,” said David Cowen, NCCDC Red Team co-captain along with Alex Levinson. “The other advantage is that they don’t have a full enterprise network, just a modest-sized network to defend, with a full map of all the assets that they have to worry about. In the real world, defenders have neither of those advantages.”

NCCDC is the nation’s largest cybersecurity event of its kind. It gives college students from across the country a chance to compete in a test of skills. The event stages a simulated cyberattack against a fictional business network. The country’s top 10 teams from a field of 235 colleges and universities must keep the day-to-day operations of the organization going, performing everyday tasks, while fending off constant attacks.

Because the college teams, known as the Blue Teams, already know they’re being stalked by Red Teams composed of some of the best white-hat hackers in the U.S., the students come into the competition with a game plan and a defensive strategy.

“It’s not a question of, ‘Will they will get in?’ but more of a question of, ‘What are we going to do when they get in?’” said Mariah Kenny, 2018 and 2019 captain of the University of Virginia team, which won the NCCDC championship both those years as well as in 2020. “Obviously, we want to build up the defenses in our system to secure them as best we can, kind of plug all the holes that we think the Red Team will come through, or plug them so that even if they did get in, they can’t necessarily get back out of our environment.”

The NCCDC Championships span two days. On Day 1, as soon as the competition begins, the Red Team begins looking for holes and credentials that will get them into the Blue Team systems.

In 2017, “we were able to log into accounts in about 30 seconds,” Cowen said. “After that, we spread like wildfire throughout their systems, racing through their network, and just living, persisting and hiding.’”

While the Blue Teams scramble to lock down their digital infrastructure even as they conduct the normal operations of their mock business, the Red Team has already built a foothold in their networks, quietly spreading their tentacles throughout the system and stealing their intellectual property.

“We’re pulling databases out that are important and valuable to the business, like customer information, credit card numbers, financial records, things like that,” said Earl Tipton, a veteran NCCDC red team member and senior cyber engineer at Raytheon Intelligence & Space, a Raytheon Technologies business. “It’s on Day 2 when the fun starts to happen. That’s when the gloves come off.”

In past competitions, the Red Team released inmates from a mock prison, shut down power plants run by a mock electric company and stole “top secret” technology from a mock military research company.

“Yeah, they’re pummeling us for two days, but they’re giving us the opportunity to practice defending those systems against attacks that would happen in the real world,” Kenny said. “You’re getting hands-on keyboard experience, but more importantly, you get debriefed by your red team afterwards. You get their perspective and learn how you can do it better, then make those improvements. So it’s incredible, and it’s a great learning experience.”

The 2021 NCCDC championship, like the 2020 championship, will be held virtually because of the COVID-19 pandemic; in past years, the 10 teams were separated in private rooms, meaning they didn't know how the other competitors were faring against their Red Team. 

“They all assume that everything is going great, and they’re the only ones in trouble,” Cowen said. “Then the competition ends and I explain how they all did in the debrief, and they’re like, ‘Oh my gosh, it wasn’t just us.’”

NCCDC competitors have entered an unspoken fraternity with other past contestants, who are highly sought after, many receiving job offers before the winning team is even announced, Cowen said.

“We’ve prepared them for the worst, prepared them for the day when that glass gets shattered and someone pulls the alarm and says, ‘This is the real thing; we have a real attack going on; and we need to figure out what happened,’” he said. “And then our alumni are able to say, ‘I know what to do; I’ve lived through this before.”