The Evolution of CCDC

Me setting up the Red Team Room at NCCDC 2022.

It’s been a while (ok too long) since I took the time to talk about CCDC, but after getting back in person for the 2022 National Collegiate Cyber Defense Competition, it seemed timely. This past Thursday, Friday, and Saturday, NCCDC resumed in person competition, returning to its roots in San Antonio. In some ways, it was the same old NCCDC, but there were a number of surprises that left myself and the rest of the Red Team leadership reflecting.

Some Things Never Change

Effort & Determination

My working desk for the 6 days leading up to NCCDC 2022 (with Dan Borges and Joe DeMesy)

All teams – Blue, Red, Black, White, Orange, etc. – demonstrated that this constant is what truly sets everyone at CCDC apart. I know I’m not alone when I say the spirit of Winston Churchill’s quote “I have nothing to offer but blood, toil, tears and sweat.” is alive and well. Just as when I was a competitor, results be damned. The countless hours and relentless pursuit of something is what defines a champion’s spirit. To everyone who showed up, I congratulate you. 

The Thirst For Knowledge

MORIA code composition by language and line count.

It’s hard for me to look back at a NCCDC event and not think about a detailed list of something I learned. Whether researching ways to make the Red Team more effective, ways to infect and persist, or learning how some cool system the Black team has cooked into the environment, one of the nicest things I take home each year (besides a cool backpack!) is some sweet, sweet knowledge about something I didn’t know before. This year, for me, it was modern Linux persistence. (Shoutouts to MORIA – my new Linux kit). This is a huge reason why I put the effort I do into CCDC – I believe this informational growth is best achieved in a hands-on, pressure-fueled environment.

Team Purpose

2022 NCCDC Red Team hard at work.

Regardless of in person or virtual, the purpose of the CCDC Red Team remains. We are there to provide the competitors a taste of a highly sophisticated, determined, and “adversarial” attacker. You can read all you want on Unit42, Talos, or any one of the numerous Threat Research Group’s blogs about sophisticated actors and their illicit actions across the internet all day, but only at events such as NCCDC will you actually get a chance to go up against one. This is an incredibly unique opportunity for college students to learn through experience. Once you get out into the real world, you’re likely to face the real version of this threat. Thankfully, you’ll be prepared.

Some things Do Change

Blue Team Efficiency

NCCDC 2022 Bracket of Blue Teams

After doing this now at dozens of CCDC events, (this year being my 11th year Red Teaming NCCDC), I can say unequivocally that Blue Team’s, as a whole, are getting better. It used to be very clear and obvious the difference between a first year and a returning Blue Team in their tactics. Returning teams have that experience of knowing how fast we move, how silent we tend to be, and how ruthless we’ll be about exploiting small weaknesses. It’s simply hard to get that knowledge without going through it. This is especially true because every Blue Team has their strengths and weaknesses – you have to understand those, then layer that experience of NCCDC over it to formulate a strong strategy.

This is changing. I don’t know why, but it’s a good thing. This year we saw first year teams demonstrate a level of threat hunting and incident response that you typically don’t see. They were ready given the limited tooling at hand to weed out and remediate Red Team persistence beyond any previous year. When you combine that returning teams’ automation and blazingly fast gamework, it’s clear the bar has been raised – and in a way I don’t think there’s any going back either. I used to believe that part of what made NCCDC challenging was the “scale” – the competitor to host ratio (teams of 8, 24 hosts per team, means roughly 3 hosts per person) seemed to be a high water mark. I think we’re starting to find this ratio to be more digestible to today’s script happy Blue Teams.

System Stability

I think part of what makes this reasonable is as we advance forward in time, operating systems, services, and software just generally are:

  1. More capable than previous iterations and versions
  2. More stable than previous versions
  3. The evolution of #1 and #2 are better documented, leading to better knowledge of how to utilize these recent version’s featureset. 

The radical difference in Linux kernel major releases just don’t have the effect they once did on compatibility. I think this helps many teams – Blue, Black, Red – be able to make broader assumptions about a system’s capabilities, allowing the operator to plan with expectations set. We used to have fun on Day #2 with things like Slowloris attacks – but sincerely gone are those days. Combine that with an ever decreasing amount of local privilege escalation, and the days of getting root on *nix systems are slowly becoming more and more elusive. Even technologies like AppArmor or SELinux were present on a majority of systems. Hell, one box had auditd on it by default, out of the gate. 

As Red Team, we’re used to planning for the worst – a crazy mix of 32bit and 64bit, strange operating systems, outdated kernels, no package manager, etc. With all of those requirements, our systems, processes, and kits expect a frankly hostile environment – one that we’re seeing less and less of as years go by.

Red Team Identity

Dave Cowen giving his signature Red Team Debrief at the Closing Ceremonies.

So after all that, where does that leave the NCCDC Red Team? It’s no secret this year was unique for us. Our roster, for various reasons, was significantly different compared to previous years’ relatively stable composition of Core and Volunteer members. That pushed us to improvise more, but at the same time, consider what it means to deliver on our mission. As I sat with Dave after the event, I thought about this. What if the same Red Team we’d been accustomed to for the better part of 10 years showed up? Would anything have changed? 

To be honest, I don’t think so. The definition of insanity is doing the same thing over and over again, expecting different results. Our previous rosters relied on tools and kits that were showing their age, even last year. I think it would be against our nature to ignore the reality I’ve outlined above. We’re a team that puts it all out there in order to make the game what it is – and to do that moving forward likely requires a bit of soul searching. I’m in no way saying we don’t have incredibly talented folks – we do – but our game has to evolve to continue to serve its purpose. We have to recognize that technologies like Windows Defender are really good – and just like the blackhats we’re emulating – we too have to be ready to overcome such defensive technologies. Just as Blue Teams, and the systems they’re securing have evolved, so too must the Red Team. Our previous standards and expectations are simply insufficient for the future of CCDC. This evolution will level up our tools, personnel, and strategy. A challenge for sure, but one that we must tackle to continue our legacy. 

Wrapping Up

In conclusion, 2022 was a masterful year all around. Huge congrats to the ever impressive University of Central Florida for another victory, but shoutouts to everyone who came. I know coming back after two pandemic years carried a lot of uncertainty, but the magic that makes CCDC was back in full swing. To Dwayne, Kevin, Keith, Brandy, and the rest of the CIAS staff – chefs kiss. None of us would be here without you and I’m so grateful you give us the opportunity to participate year in and year out.

A fun easter egg screenshot of some of the code for my MORIA Linux Persistence Kit.

It felt so good to get back to and do early prep with Joe DeMesy, my Red Team partner, and Dan Borges, who is now on the Core Red Team. We spent days leading up to the event getting ready and building some amazing stuff. When it was all said and done though, the lessons learned were profound. This year taught the Red Team as much about itself as any year I can remember and I have the amazing Blue Teams to thank for that. I took more notes this year than in the last 3-4 years combined. I made tools like GRID, BORG, and Traphouse to keep up with evolving Blue Team tactics. The need for those tools hasn’t stopped – in fact they’re showing their age and need a fresh coat of paint, along with new tools to meet the challenges of tomorrow. The “builder” culture within the Red Team is now fundamental to our ability to operate successfully.

I’m looking forward to a renewed, retooled, and reinvigorated Red Team that ultimately continues to provide that unique experience only NCCDC can.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.