How to Win CCDC: Team Dynamics

CCDC Teams have a lot going on. This post covers useful role definitions, and division of work between a team to ensure a smooth competition day.

In the 2nd post of the How to Win CCDC Series, today is a high level overview of various roles on a CCDC Team, and I cover the basics of what each role should be doing in the competition. If you want to read the 1st post in the series, which was a general overview of the competition you can find that here.

Roles

Writer / Captain

I call this role the "Writer" because that's what we called it on my competition team, but realistically this person is much more like a Manager. I strongly suggest that teams make this person the Team Captain, for reasons that I hope will be clear as I continue defining this role. Your Writer is the single most important role on your team. If you have a bad Writer you are going to have an extremely rough time in the competition.

The most important thing that the Writer should be working on, is Injects. Remember that Injects are ~40% of your total score, and easily the part of the competition that causes teams to lose the most points with incomplete, or just plain bad submissions. For now what you need to know is that the Writer is in charge of making sure that Injects are completed, and completed on time. Remember that points are not given for late submission. This means that the Writer is essentially the team manager and therefore in charge of making sure that the team is aligned with priorities and for keeping interpersonal conflict within the team to a minimum. If you want to learn more about the duties of the Writer, Here is a post I wrote to serve as a guide on how to properly respond to Injects. Before Injects start dropping left and right, the Writer should initially focus the team on their First 30, to make sure that systems are appropriately hardened before Red Team gets to them. When we eventually do, work with the affected admin to remediate, write an incident report, and keep their morale up.

Since Writers handle most of the people management, the job of liaison between competition staff essentially falls to them too. Just like a manager in the real world would. They are the team member who will have access to the Inject Submission Panel, so this also puts them in charge of requesting a revert once they have worked with the admin that requested it to ensure it's required, and coordinating the competition staff communications to the rest of the team. As the liaison, they have 3 additional responsibilities. The 1st and 2nd of which are leading the audit response and customer service calls, if that's applicable within your competition. When you have outages within Regionals, it's not uncommon for Orange Team to start emailing and calling asking for help to get access restored. The 3rd additional responsibility is controlling physical entry into the competition room by requesting ID from competition staff and ensuring it matches their badge, then barring them from entry if it doesn't match. Yes, really.

Do you see why I suggest making this person the Team Captain? This person needs to be someone who is great at coordination, keeping people on task, and needs to excel in interpersonal communication alongside other people management skills. Just like a manager in the workplace. Technical skill here should not be a defining factor of who you choose to put in this role because this person needs to stay off a terminal. We had issues with Captains not being as effective as they could have been in both Regional competitions because they were too focused on what they were doing in a terminal, rather than leading a team.

I think merging the Captain role with the Writer role in our competitions would have significantly increased our chances of placing in Regionals. Otherwise the chain of command and more importantly, operational knowledge within the team can get messy. Both the Captain and the Writer end up missing critical pieces of information either that take too long, or are difficult to explain clearly and concisely under a high level of stress. With the roles merged you look to the front of the room for advice, and it's crystal clear that the person sitting there is who you need to talk to. I understand that there may be some hesitation from schools that have a more defined club. Making the Club President the Team Captain makes a lot of sense on paper, but please I urge you to reconsider this and choose a Captain once the competition season begins, even if that person is not within club leadership.

Firewall Admin

Your Firewall Admin is your Paladin with a tower shield. The primary job of the Firewall Admin is to ensure that the services in and out of your perimeter are only scored services. This can be done quickly via scripting, which allows the admin to start locking down other access areas of the firewall, change credentials, disable unneeded services, and patch if there are exploits available for your version of the firewall OS. If there are no exploits available, don't bother patching, as you are going to take down your whole network while the firewall reboots.

The Firewall Admin also needs to monitor outbound connections to see if there is anything outside what should be expected from the scoring engine. If you have traffic going to port 4444 or other weird ports, it's likely us. They'll also want to ensure IPv6 is shut down, because unless the scoring engine uses IPv6 for some reason, all the protections you put on IPv4 isn't going to help on IPv6. So if the call is to either double up on work, or just turn it off, it's probably best to turn it off.

The Firewall Admin should be the person who knows and understands networking best. Ideally going a little farther than understanding differences between TCP and UDP, common ports, and basic stateful firewall concepts. How routing and switching work, and network device hardening are also important to understand in the competition. I would argue that this person should have most of the domain knowledge of CCNA or Network+ in an ideal world, or at least working to get there.

Other Network Responsibilities

In Regional and National competitions, it's not uncommon to see a hardware switch, router, or other networking equipment in the environment. As the firewall admin is most likely to have the best grasp on networking, it makes sense that these should fall under the purview of the firewall admin. In the Regional competition I was in charge of a Cisco switch both years I participated because I had an active CCNA, but had I not held a CCNA this responsibility would have gone to the firewall admin. Remember too, that the environment is likely to be pre-seeded with vulnerabilities. Switches, APs and, Routers are going to be quite different from traditional servers with implementations and mitigations that you can put in place, so make sure that you study up the exact hardware and OS information that's in the competition before competition day. I might someday have a post coming up a later that should cover practice strategies where I think I am likely to expand on this a little more.

Windows Admins

The thing to keep in mind with Windows, is that Windows is really two parts. The individual Windows devices and Active Directory. I am going to assume that you have previous experience with Active Directory. If not, then I highly recommend learning how it works. Windows Admins are mostly going to be working on user account and authentication hardening. However, like any other role, the first priority is changing default credentials, and throwing up a host-based firewall. Windows Firewall sucks, but it's what you have, and what you are stuck with. You can download a 3rd party one if you want, but you potentially open up a whole new can of worms full of outages if you don't completely understand how it works. Granted you can do that with Windows Firewall just as easily.

Once you get those tasks done, next is to disable all anonymous access to system resources for things like SMB shares and Security Account Manager (SAM). Disable Link Local Multicast Name Resolution (LLMNR), you can probably disable NTLM authentication all together, but if not then enforce NTLMv2. Enable SMB Signing. You will also want to disable all accounts that are not being used, since it can drastically slow Red Team down. Also, ensure that you are not vulnerable to something like ZeroLogon or other easily exploitable, high impact vulnerabilities. If you are, patch that as soon as you can. If not, skip patching because it's time (and more importantly, bandwidth) consuming. Run a credentialed Nessus scan when you have access to the environment before the competition begins to help figure out your attack surface.

When you are confident that you have things locked down, you can install Sysmon and Process Explorer to start threat hunting. Start looking for anomalous relationships between processes, and network traffic. For instance, if you see an admin user running PowerShell, then some binary, then Notepad, and Notepad is reaching out to the internet, you probably have a compromise on your hands. You can also look at process creation events in Event Viewer if you have Sysmon installed to look at historical data. Both of these can be used on incident reports, which can help you get some points back. If you have time to do that, you can also ship the logs out to your logging server. If you feel like you have lot of free time and are bored, implement WDAC or AppLocker.

Linux Admins

Linux within the environment is usually much simpler than Windows, but they tend to have more complicated applications on them. Regardless, basic security concepts apply regardless of system. First thing's first, change your default credentials in your OS, applications and databases. Next, harden your host firewall. Once again, only scored services or applications the the box runs that you need to use should be exposed outside your box. Install and configure fail2ban to keep us out of SSH, or disable it entirely and remove any needless users. Know your Systemd services and which binaries have SUID applied to them. Watch for changes. Patch your system if needed, especially if there is a kernel exploit. Again, run Nessus against the environment if you have access beforehand to determine the attack surface. Afterwards, look into some file integrity monitoring. Since everything on Linux is a file, knowing what's changing in your system can be simpler than Windows if you have a good idea of how your file integrity monitoring tool works. Then get logs shipped off to the logging server and start threat hunting.

Application Admins

This one is harder than the rest to give a general overview for, because it varies so much. Hardening an application hosted in Docker or Kubernetes is different than a website running on Apache, which is different than a BIND server, which is different than a DB engine. Really, the best advice I can give for applications is the same as any other security process. Change passwords, lock down needless interfaces with application settings or firewall rules, update if you can, etc. It can be incredibly diverse, and I could probably write a series of blogs on just that, but since the applications change it would be of limited use. Exact security settings are application specific, so you will need to dive into documentation before competition day to ensure that you understand how to secure your apps.

ESXi

In some environments, you may see a physical VMWare ESXi box. You will want to ensure that this box is well protected as if it's compromised it can easily lead to the compromise of the VMs that it hosts. It's usually not scored, so restrict the interfaces to web or SSH interface to a specific server, if any at all. Then change passwords, and patch if needed. ESXi contains a firewall, like most other OSes. ESXi comes reasonably hardened out of the box, so you essentially just want to check the config to see what the competition organizers changed and revert it if possible, assuming that reverting changes doesn't bring it down.

How to mix these together?

Now, these are mostly ideas that are packaged in a manner that I find convenient. In the competition however, you are likely to take some of these approaches and blend them together. With the teams I competed with, we had unilateral authority over the devices we were in charge of, which allowed us greater flexibility for getting specific things done on specific servers. Now this comes with some drawbacks, such as having some team members overworked, or unable to respond in a reasonable amount of time. It should be the responsibility of the Team Captain to ensure that workload is distributed sensibly and reassign server ownership, even temporarily if required. This can definitely cause some issues when admins get territorial, but generally most teams don't tend to have issues letting someone else into their servers (provided it isn't Red Team).

Of course, this is not the only way to run a CCDC team. Each individual team should discuss leadership and administrative structure, preferably early into the season to determine what works best for your specific team. Then you'll want to figure out potential roles and responsibilities, and start coming up with a practice plan. This post is to give some ideas to explain what I think works and not, but please make any tweaks that you and your team feel are necessary.

If you found this post useful, please consider reading the rest of the series! If you want to discuss the competition, meet with fellow and former competitors, please feel free to join this Discord server.

Changelog

2024-11-20: Cleaned up some grammar

2024-06-05: Added a link to Red Team article

2024-05-03: Added a link to Injects article

2024-07-16: Reworded a few sentences, and removed references to a cancelled blog post