CCDC vs the Real World

After this year’s CCDC regionals, I wrote about “How to Win at CCDC.” With nationals at a close, I thought it would be good to compare the competition overall to the real world. For the student teams competing at the Southwest regional event, you heard a great deal of this from me during the red team debrief on that Sunday morning. The point I brought up then, and will do it again now, is that CCDC was created to better prepare and produce young information security professionals to protect enterprises from real threats, which CCDC does very well. This competition looks great on a student’s resume.

But let’s not forget it’s a game, and there are some subtle differences between the competition and the real world.

I can’t help but think of comparisons to martial arts. InfoSec is sort of self-defense for enterprises, which makes CCDC sort of like the martial arts competition version of InfoSec. Like CCDC, martial arts competitions are intended to test skills for self-defense in a safe and sporting way. It’s common for self-defense purists to call out how competitors use tactics and techniques that are completely irrelevant in real world self-defense. Look no further than “pulling guard” in Jiu Jitsu, which is not advisable in a dimly lit parking lot when approached by a mugger (you’ll likely hit your head on pavement), but it’s still fun to do — and obviously a winning strategy at Jiu Jitsu competitions. This tactic is fine within the context of the game as long as it doesn’t result in “training scars” (the idea that hours and hours of competition practice reinforces bad tactics which become ingrained as the default response even when they shouldn’t be).

So, let’s break down how the game differs from reality…

Timelines

In reality, a breach may last weeks, months, or years. A common misconception I see, even in InfoSec pros that have been in the field for years, is that an attacker just throws an exploit at an internet facing Apache Struts server and PII suddenly falls out. In reality, a breach involves lots of persistence, internal recon, and lateral movement towards the objective, which is where security gets really fun: detection and response of those steps (and evading it, if you’re on the red side training up a top notch blue team).

time is clicking…

CCDC is compressed into two approximately eight-hour sessions across a weekend. The compression of timelines results in trade offs for both offense (red) and defense (blue). An adversary can typically only choose speed or stealth. Given the compressed timelines, obviously a CCDC red team must choose speed over stealth — no matter how much stealth they may plan to use, by its definition, there will be some noise in exchange for the speed of the game.

Also, unlike the real world, the blue teams get to quit for dinner and to go back to their hotel rooms to sleep at night. In the real world, incident response often involves around the clock shifts to protect the organization — there is no agreed upon stop time with the adversary like in CCDC.

Vulnerability Discovery

CCDC is a game where each student team has an identically configured, intentionally vulnerable network to defend. Typically, that means if a software component that does not ship by default with the operating system is present, it’s put there by the event organizers, and therefore extremely likely to be vulnerable. Wordpress? Yep, probably a vulnerable plugin installed. Windows Server 2008? Yep, probably not patched at all, so it can be shelled with eternal blue. Some random mail server you’ve never heard of? Just Google “[product name] [version] exploit” and the first hit is probably on exploit-db.org. Pretty much everything is vulnerable. If it’s not missing patches to prevent code execution, then default passwords will work.

eternal blue

In real life, most red teams (and of course the attackers they model) rarely throw exploits at vulnerable services (probably less than 5% of the time), so that’s one difference. Also, because CCDC is a game, the sheer density of vulnerable systems is much higher than anything you’ll likely experience in real life. Managing software updates and default credentials is still a real problem, though, so student competitors definitely benefit from implementing good hygiene.

Phishing and other forms of social engineering is, unfortunately, hard to integrate into the CCDC game, but in real life, that is still the most likely way for an attacker to get into your organization’s network. Patching the human is hard, as it turns out.

Detection & Attribution

A common meme used on defaced webservers in CCDC competitions

In CCDC, the students defend networks that are intentionally vulnerable, but isolated from the outside world. The only adversaries and malicious traffic to enter those networks comes from a single source: the red team. There’s no question of who the attacker is, what their intentions are, or any of the finer points of threat intelligence and incident response. The students know who they are and know what they’re after, because they’re told on Day 1 during the morning briefing. Where a talented incident response team in the real world would want to be very careful to avoid making any premature containment steps that may tip off a stealthy adversary, in this game that doesn’t really matter and there are minimal consequences from partially containing the adversary, especially when the adversary plays music through the student competitors’ laptop speakers or defaces content with memes and GIFs as a form of self-attribution.

Scale

In the CCDC game context, the number of computers on the students’ networks compared to the number of students on the team is somewhere between 1 and 2 computers to students. It’s very small scale. At this scale, it’s entirely possible for successful teams to still use manual processes for system hardening, detection, and response. In the real world, the ratio is probably hundreds (if not thousands) of hosts per InfoSec professional. Using scalable tools is critical in real life. You can manually patch and manually rotate passwords in the game, but in real life that has to be automated. Some of the regional and national events have slowly started ramping up the use of enterprise tools to tie systems together, such as Active Directory, but in any given enterprise today, there are likely a dozen or more systems that do things like asset inventory, configuration management, package deployment, etc. These are very powerful tools in an adversary’s hands.

Where life imitates art…

CCDC is great at introducing pressure from executives, customers, and keeping services available. Real life is full of distractions and interruptions, so is CCDC. This is by far where the competition excels. So, yes, dear student, you will unfortunately very likely experience more of those “injects” in real life after you graduate.

Overall

The students who compete in CCDC have a huge leg up over their peers who don’t — there simply isn’t any better program for college students, and I frequently tell people I wish this program existed when I was in school. If you competed, just make sure you understand where the game stops and the real world begins, so that you don’t have any “training scars” yourself. Otherwise, the real world may condition them out of you.