CCDC - The Competition My Career Stands On: Year 2
CCDC is the primary foundation that my career stands on today. Here is the story of some of my favorite times in University.
A Quick Note
Like the year 1 post, I will not be using names in this since I do not have the consent from the members involved, but I remain good friends with many of them today and some of them may actually read this. It is encouraged to read my year 1 post here before reading this one to provide some context for some things discussed here.
Returning To Practice Stronger, and More Splunky
After a summer of an awesome internship which included Splunk training, I returned to the university ready to hit the ground running and come back far stronger for my second year. I also had significantly more Linux experience under my belt due to the internship and to making Linux my primary OS on my laptop for my last year of school. The Captain arranged for us to get in super early for practice this year, and wanted us to spin up a mock environment from the regional competition. He somehow managed to find a Palo Alto, and I donated a 2950 to the cause. We picked a new date to start hammering out weekly practice, assembled a few new team members who had participated with our teammates at a different community college, and got to work.
Lessons Learned
We took some of the experiences from the previous year and tried to incorporate them into the mock environment we built. We ensured that the new firewall guy learned proper backups and disaster recovery ops for the Palo Alto, I made copies of the configs for the 2950 and noted the secrets down in a team notebook, and I installed and configured Splunk and took notes on what the config settings looked like at the outset. I also heavily refined my “First 15” and other important documentation: essentially a list of the things we needed to get done ASAP, then other things that we should do as a “nice to have”.
In my case, I took notes on a line-by-line basis of what I needed to do, which was extremely useful for setting up iptables on the Splunk and Phantom systems I was given. Each of us was overall better equipped to handle the systems we were given, since we all had internships and were generally significantly stronger in our work than the previous year. We also had a new set of folks join from a local community college who had transferred to the university. These guys were all incredibly good and had a very solid understanding of what to do. I recruited a coworker of mine from the university helpdesk, and she took the bull by the horns and wound up growing a ton both in and out of work over the course of that year.
Of course, like usual, the majority of my learning came from these weekly practice sessions rather than the useless information given in the classrooms. I also started tutoring other students and holding study sessions after class, since I often had a better grasp on the concepts than what the curriculum taught. I even taught a lecture on firewall administration in the fall semester that year, because the professor had never actually used a proper network firewall since the pre-acquisition PIX, only host-based ones.
Repeating the Invitational
Come November, we had the invitational competition. I was primed and ready to rock this year. No distractions, no life stuff getting in the way, just me, my Splunk server, and my Phantom server. We had one of the new guys be the Wireshark watcher. The invitational competitions were remote, so on the day I stopped at a gas station on the way to campus for snacks and coffee, and then we were ready to rock. We had a solid competition this time around; I was absolutely killing these Linux boxes. They were incredibly solid and we never saw a successful attempt to get in.
I got Splunk forwarders installed and pointed to my Splunk instance, forwarded logs to it, and spent most of the time threat hunting, albeit poorly. We did find some psexec abuse though, and when we found it we had the team writer file incident reports. Props to that writer too; he was an absolute dictator, but in the best of ways. Kept us straight. We ended up winning that invitational, which was awesome, especially after the disaster at regionals last year. On my way home I decided I was in for a treat, purchased some $8 vodka, Sprite, grenadine, and a $4 slice of cake, and proceeded to get super drunk by myself at home. My roommates weren't sure what happened, and I was too drunk to give them a proper explanation, but they were excited that I was happy and drunk for once.
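As an added illustration of the kind of hunt that turns up psexec abuse in forwarded Windows logs (example code written for this post, not the team's actual Splunk searches; the field names and sample events are constructed), this flags service installs that use PsExec's default service name or stage their binary through the ADMIN$ share:

```python
import re
from typing import Dict, List

# Constructed sample lines in the key=value style a Splunk universal forwarder ships
# for the Windows System log; field names (EventCode, Service_Name, Service_File_Name)
# are assumed. Event ID 7045 = "a service was installed"; PsExec's default is PSEXESVC.
SAMPLE_EVENTS = [
    r"2020-02-08T10:14:02 host=WEB01 EventCode=7045 Service_Name=PSEXESVC "
    r"Service_File_Name=%SystemRoot%\PSEXESVC.exe Service_Account=LocalSystem",
    r"2020-02-08T10:16:45 host=AD01 EventCode=7045 Service_Name=Spooler "
    r"Service_File_Name=C:\Windows\System32\spoolsv.exe Service_Account=LocalSystem",
    r"2020-02-08T10:20:11 host=FS01 EventCode=7045 Service_Name=svc7f2a "
    r"Service_File_Name=\\FS01\ADMIN$\svc7f2a.exe Service_Account=LocalSystem",
    r"2020-02-08T10:22:00 host=WEB01 EventCode=4624 Logon_Type=3 Account_Name=scoring",
]

KV_RE = re.compile(r"(\w+)=(\S+)")

def parse_event(line: str) -> Dict[str, str]:
    """Split one forwarded line into its key=value fields plus the leading timestamp."""
    fields = dict(KV_RE.findall(line))
    fields["_time"] = line.split(" ", 1)[0]
    return fields

def psexec_reason(ev: Dict[str, str]) -> str:
    """Return why a 7045 event looks like a PsExec-style remote service install, or ''."""
    if ev.get("EventCode") != "7045":
        return ""
    name = ev.get("Service_Name", "").upper()
    path = ev.get("Service_File_Name", "").upper()
    if "PSEXESVC" in name or "PSEXESVC" in path:
        return "default PsExec service name or binary"
    if "ADMIN$" in path:  # renamed tool, but the binary still sits on the admin share
        return "service binary staged via the ADMIN$ share"
    return ""

def find_psexec_installs(lines: List[str]) -> List[Dict[str, str]]:
    """Hunt over forwarded System log lines; one finding per suspicious service install."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        why = psexec_reason(ev)
        if why:
            findings.append({"time": ev["_time"], "host": ev.get("host", "?"),
                             "service": ev.get("Service_Name", "?"), "reason": why})
    return findings

if __name__ == "__main__":
    for f in find_psexec_installs(SAMPLE_EVENTS):
        print(f"{f['time']} {f['host']}: service {f['service']} ({f['reason']})")
```

Each finding carries the host and timestamp, which is what the incident report needs first; the normal Spooler install and the plain network logon are left alone.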
Back to Back
Two months later, we had continued to work on a weekly basis, some of us even through winter break. I took the time to review some network protocol attacks and defensive measures to put in place. I also tried to learn how to actually use Phantom; however, since I was locked out of the practice room for the most part unless the Captain was there, I never really got to understand how exactly it works. I also couldn’t find reliably good documentation, as this was right around the time that Splunk purchased Phantom.
We finished up training, and managed to have a much easier time renting the school van to take it to the state competition. After another round of presentations, sponsor worship, and an overview of the competition, we had a team picture taken, phones dropped off into a box, and were assigned computers in rooms again. Before we knew it, the welcome inject flag was dropped and we were off to the races. I got iptables rules put onto the Splunk and Phantom boxes, the firewall guy shut down the Palo Alto for updates and switched the default creds, and then we patched devices and started answering injects given to us by Our Dictator, The Writer.
This was probably the best we had ever done with inject responses and scoring; he was killing it. After we got the machines patched and hardened, I tried to figure out Phantom, and then, after giving up, I just changed the password to be super long nonsense and locked everyone out of the admin panel. I then installed universal forwarders and tried to threat hunt with Splunk once again, not really finding much of note outside of a DDoS and a lot of port scans. I actually wound up being pretty bored since there were no real fires to put out, and spent most of my time after, say, 2 pm helping with injects.
All Hail Dictator Writer
After missing only a single inject the whole competition, 5:30 came and we were released from our duties. We once again had dinner, talked amongst ourselves, and discussed improvement plans for regionals. We then sat through more sponsor worship, a presentation, and then awards. We took first by what was said to be a large margin. We were also called out for having done so well on injects, which was cool to have happen. We were once again going to regionals, I was excited, and we were pushing incredibly hard to not have a repeat of last year.
Sweet Victory, Bad Tastes
We went home, and the following week we actually had a discussion with the Dean of the college our program was part of. We told him about the victory and that we were going to regionals; however, we wanted to fly this time around because the drive was long, and it sucked. After an argument over how it would be paid for, in which the Dean was saying we might not even be able to go even without the flights, he eventually gave in and authorized a flight to and from the competition. The following week we had a conversation with the University President. The Dean told her about the victory and how proud he was of us. This left a sour taste in my mouth, as just a few days prior he had been trying to screw us out of funding to go to the regional competition. The discussion with the President was cool otherwise. We hadn’t really even been acknowledged before, so having recognition from the top was nice. Anyways, we continued the weekly meetings and started getting a firm plan in place for the regional competition.
To Redemption
The flight was far too early. I had to wake up at 2:10 to make it to the airport by 3:30. We had two cars with groups of us carpooling. I met the rest of the team at a park and ride near my apartment with backpack in hand. They slowly trickled into the lot, we left most of the cars there, and then we took off to the airport. We had one guy drive because it was the very beginning of COVID, and he didn’t want to deal with the airports in case we got locked in the state. We arrived, and the Captain was stopped by the TSA for a keyboard they thought was something else; we made fun of him for it, and it was a good time. 4:30 hit, and I found a Starbucks, got some egg bites and coffee, and browsed Reddit until we could board. We got into the air, and had to divert to another airport in Detroit about an hour (by flight time) away due to fog. We landed there, stayed for all of 40 minutes, then took off again to go where we actually needed to go. When we arrived at the hotel, the driving guy was in the car in front of us. So much for the flight taking up less time. We booked the conference room at the hotel for a pep talk, pizza, and final preparations. We then went to bed early because we had been up since far too early.
Redemption?
We arrived at the regional competition location. We watched a few presentations and sponsor worship, then had a meet and greet with sponsors and employers, the same as the previous year. I had the Army show some significant interest in hiring me as a civvy, so I got the contact information for the recruiter. Eventually we were shuffled into our rooms. I sat in front of the Splunk, Phantom, and Cisco switch. We started with some pretty nasty MAC address poisoning that I had to clear, then I hardened the CAM table and started hardening the Linux boxes. This regional competition was a slog; we had tons of DNS issues, and the firewall guy accidentally took some things down for far longer than he intended. There was not much of note from the first day, other than some instability in the firewalls. Those were remediated pretty quickly on the second morning, though. Injects to stand up new gear went fairly smoothly. The funniest thing, however, was the audit.
This regional competition decided that this year we needed to be audited mid-competition. We had a service down, I don't remember exactly which one, that was due to be audited. The auditor came to our door and we made her show ID to let her in. Dictator Writer also gave extremely brief answers that went directly to the point. When the auditor wanted to collect evidence, we would take a screenshot of it and show her, rather than letting her see it live. She tried to pry a little more, but we wouldn’t let up. After about 20 minutes of probing services, while we had an active incident going on and were hoping that she didn’t see us trying to unfuck things, we managed to be the only team that actually handled the audit in a reasonable manner and were awarded full points.
Passable
The end of day 2 came and with it, the awards. We knew we were not going to win, but we had done a very solid job by our standards and came in the middle of the pack. This isn't too bad given that we were going up against universities that were leagues ahead of ours in curriculum and funding, while we floundered and struggled with even getting basic needs handled. We went to the award dinner, spoke to sponsors again, received our participation certificates, and eventually went back to the hotel bar. We had a few beers, ordered some pizza, and relaxed for the rest of the evening before flying home just after lunch the next day.
Aftermath
When we returned home, we had one final meeting where we reviewed how the competition went, and another meeting with the University President and the Dean. Glad we left when we did too, because the state we traveled to shut down its airports 2 days after we left. In our last meeting as a group, we elected next year’s Captain, my coworker. I handed off my notes into a new Teams channel we used. We then had an extended spring break due to COVID starting to break out in my area, and wrapped up the semester, where most of us graduated. Four of us still had time left in the university; however, only two of us were eligible to compete the next year. My university went on to compete the following year and finished in the middle of the pack at the state competition. Unfortunately, the golden era of my university’s CCDC team was over, and it was a bed of their own making, with their incompetence. Hopefully some team in the future from there is able to get the attitudes of the university to change on how important this competition is, but that remains to be seen.
Why CCDC Matters to me
I hope this gives a glimpse into why I love this competition so much. There is really nothing like it, and it's probably the best way for students interested in cybersecurity to get hardened by a meatgrinder. It still lives on my resume today. All the best memories I have had in my time in University come from these people. It gave me invaluable skills I use today, and I genuinely believe that CCDC is the rock my career stands on. Not my Associate's degree, certainly not my joke of a Bachelor’s degree; this one program is where I was tempered and forged. If your school offers this competition, please, sign up. It was a critical formative experience for me and I sincerely hope it can be for you too. I intend to give back to the competition as a Red Teamer on a yearly basis from here on out. I did this year and it was an excellent time where I had a ton of fun.