A cyberexercise with real-world lessons

Air Force cadets win 6th annual CDX competition

HEAD TO HEAD: Students from the Air Force, Coast Guard, Merchant Marine and Naval academies, and the Military Academy at West Point, competed at CDX.

Students from the military academies recently came under cyberattack.

Fortunately, it was from a network attack team composed of National Security Agency and Defense personnel during an intense, four-day competition'the sixth annual Cyber Defense Exercise.

CDX, held April 10-13, pitted the five military academies against each other. Students had to keep networks they had set up running while defending them against rogue attacks.

Exercise director Maj. Tom Augustine described it as 'very specifically a defensive assurance program.'

This year's winning team, despite having only nine members, was from the Air Force Academy.

'I thought we did well,' said Capt. Sean Butler, the coach and an instructor in the academy's department of computer science. 'We had a solid design, so I thought we had a chance all the way through.'

Augustine said 50 percent of the score is based on keeping the network operational and 50 percent on the security of the network and how well it is maintained.

Established in 2001 by West Point in collaboration with the National Security Agency, CDX provides teams from the Air Force, Coast Guard, Merchant Marine and Naval academies, and from the Military Academy at West Point the opportunity to venture beyond academic concepts to design, build and configure a computer network, and then defend it.

Each team was given a preconfigured but nonsecure network consisting of a Microsoft Windows 2003 Active Directory Domain Controller, Microsoft Exchange 2003 Mail Server, Fedora Core 2 Web server, Fedora Core 2 with Samba, and client workstations using Windows XP. Each team had nine mandatory computer components, but with backups, routers and firewalls, Augustine said, the teams could easily have had 20 components each.

Although the competition was officially held last month, with the commencement of attacks from the aggressor 'red cells,' Augustine said, 'they'll have spent all semester designing their network. This year, we gave them the network components about two weeks prior so they can then actually build it out. What we gave them was technically a working network, but a very insecure network.'

In past years, the teams were given completely clean machines, said Navy Lt. Pablo Breuer, chief of the red cells. This year, in accordance with the tradition of adding a unique twist to the scenario, the teams were given preconfigured networks with malicious elements in them. In the two weeks leading up to the competition, the students had to identify things such as user accounts with weak or easily guessed passwords, software holes, viruses and Trojan horses. 'All they knew was that two of nine boxes had vulnerabilities,' Breuer said.

A bonus element to the competition was solving a cybercrime.

'They were handed a laptop used for a 'crime' and they had to go through the logs to identify clues,' said Augustine. 'It's an extremely popular item. But as fun as this is, the exercise continues. So if you spend too much time on that, it would be a poor security decision.'

In fact, the cybercrime exercise is one of the most interesting and exciting for the cadets at West Point, according to its CDX coach, Lt. Col. Ken Fritzsche. 'We teach a course on digital forensics, so this was a great way to put what the students learn to use.' And, with a large team of 29 students, West Point was able to dedicate six students to the exercise. 'They pretty much nailed every answer key,' said Fritzsche.

But when it came down to the basics of the competition, the Air Force Academy's nine cadets earned the highest praise from the red cell.

Butler said the students had designed a simple but effective network.

'From the beginning, I really emphasized the fundamentals of security rather than specific techniques,' he said. 'They came up with a classic design. It was easier to keep track of, and the red cells weren't able to get into our network.'

While the immediate goal is to win, the exercise provides the students with an opportunity to address real-life network issues they could find on the job once they graduate, or even while working on their home computers.

'Every organization has computers, so the lessons they learn, they can teach their soldiers and their units,' Fritzsche said.

However, the competition is also of national security interest, Breuer said. 'DOD leadership is very interested in the results from lessons learned, [to] make them into best practices.'

inside gcn

  • cloud migration (deepadesigns/Shutterstock.com)

    DISA eyes moving some cyber awareness monitoring to the cloud

Reader Comments

Sat, Mar 27, 2010 F Dost DC

This contest focuses on specific techniques are furthermore, specific tools. Very little of this exercise is geared toward foundational information security topics. The largest "real world" skill is policy and procedure based where teams must follow appropriate procedures, fill out incident reports, etc. Pablo Breuer had very little to do with this exercise, why is he being quoted? Misinformation as presented here only causes confusion about the exercise.

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group