NSA gives military students lesson in cyberdefense
- By William Jackson
- Apr 27, 2007
ATTACK MODE: Members of NSA's Red Team do their best to get inside the military academies' networks.
National Security Agency photo
Deep within the bowels of a Lockheed Martin building in Hanover, Md., a group of trained security experts do their best to penetrate the networks of five military academies. And they don't mind being mocked.
Which is exactly what the Air Force Academy is doing at the moment. The network administrators have posted a taunting Web page from academy cadets: a photo of a crying baby along with a caption that accuses their attackers of being no more than script kiddies, an insult of no little weight to security professionals.
One of the administrators looks at the picture and laughs. 'What they don't know,' he says, 'is that we still have a back door in their system that they haven't found.'
Welcome to the seventh annual Cyber Defense Exercise (CDX), a National Security Agency event in which computer science students at the nation's service academies go head-to-head with a hand-picked group of malicious-minded security experts called the Red Team.
At stake was the coveted NSA Information Assurance Director's Trophy, won last year for the second time by the Air Force Academy, and a lot of pride.
'They are hungry to win,' said Maj. Damon Becknell, who teaches information assurance at the U.S. Military Academy at West Point, N.Y.
West Point issued the first CDX challenge in 2001 and won the contest the first two years but has not been able to regain the trophy since 2002. This year, 26 West Point cadets went all out to get back on top.
'We're treating this like an Army mission,' said Rock Stevens, cadet commander of the CDX team. 'We're soldiering on the Internet.'
There is more involved than bragging rights. The exercise is the capstone for information assurance classes at West Point; the Air Force Academy in Boulder, Col.; the Naval Academy at Annapolis, Md.; the Coast Guard Academy at New London, Conn.; and the Merchant Marine Academy at Kings Point, N.Y. It provides a dose of real-world experience to go with their classroom training.
'Are they fully prepared for it? No,' said Lt. Joseph Benin, electrical engineering instructor at the Coast Guard Academy. 'But they learn that what they are learning in class has value.'
The exercise gives students a chance to practice what they have been learning during the first half of the year in classes on networking, security and electrical engineering.
'They are pretty much novices at computer security,' said Capt. Sean Butler, assistant professor of computer science at the Air Force Academy. The first half of the class is traditional classroom work, he said. 'After that, I turn them loose.'
Each academy had to build and maintain a virtual network that includes a Web server providing dynamic content from a back-end database, an e-mail server with public-key encryption, chat service, file sharing and a Domain Name System server for name resolution.
Once the networks were up and running, the NSA Red Team spent five days hammering away at them from a location near their Fort Meade, Md., headquarters. The teams are scored on their ability to detect, defend against and recover from attacks while keeping the required services up and running.
On the first day, Monday, the Red Team kept things simple, probing the virtual networks for open ports and services, looking for obvious points of entry.
Along each wall were laptop workstations and white boards filled with scribbles of IP numbers, router names and other pieces of possibly pertinent information.
None of the students should have been fazed by Monday's activities. The skill of the academy teams has improved during the seven years of the exercise to the point that the Red Team attackers were at a disadvantage.
In fact, NSA decided this was because the teams had too much control over their own networks. They did not have to deal with the real-world stupidity of users who unwittingly bring malicious code onto a network, Butler said. So last year, NSA began supplying virtual machines chock-full of malware that had to be included on the networks.
'Part of the problem was trying to analyze these things and account for them,' Butler said. They had several weeks to check over the machines. 'I'm sure they weren't able to find everything. The NSA is good at hiding things.'
So on Tuesday and Wednesday, the Trojan Horses started phoning back to the Red Team. The penetrators also started logging in to the systems, using any back doors and rootkits that went undiscovered.
'On a Windows 2000 box, they infected the file that boots the GUI,' Benin said. When the file was cleaned up, the box would not boot up. 'We found the hard way that you don't clean that file. It's kind of frustrating,' but it added to the realism of the exercise.
The Red Team abuse escalated until Friday, when they pulled out all the guns and tried to bring down the academies' networks any way they could.
'The learning experience we're trying to convey on Friday is how things will really go down' during a network attack, one Red Team member said.
Scoring is calculated by how long the academies can keep their networks up and running. Each team is given 50,000 points. The DNS, mail, Web server and file-sharing servers are pinged across a virtual private network every few seconds.
If any one of the servers is down for longer than 15 minutes, points are subtracted. During the week, the academies are also given exercises to complete, which may help add points to their overall score.
Training hours
The academy teams typically are made up of all students in an information assurance or networking course. They usually are juniors and seniors, although underclassmen sometimes observe and lend a hand. Stevens is participating for his second year, moving up from forensics lead last year to team commander this year.
With 26 members, the West Point team had a numerical advantage over some of its competition this year. The Air Force had 17 members on its team, the Coast Guard just 14.
Benin said his Coast Guard team was at something of a disadvantage. 'I think 20 people fully engaged would be nice,' he said. But he also has about a half-dozen underclassmen lending a hand, and he's better off than he was in 2006. 'Last year, our team was nine.'
Teams began preparing for the exercise months ago. 'Some of us spend upward of 300 hours preparing for this,' Stevens said.
The Coast Guard team began working on it two months ago, Benin said. 'In spite of all the work and planning, we were still up all night Sunday,' the day before the contest began, he said.
Not every team can provide around-the-clock support for its network, but they put in long hours.
'At 2 in the morning they're excited and happy,' Benin said. 'This is a great motivator. They love it.'
'All of our preparation is paying off,' Stevens said on the third day of the exercise, when West Point cadets had not given up any points to attackers. But one of the primary lessons of the exercise is that, as in a real battle, students cannot anticipate and plan for everything that will happen, and the best-laid plans can quickly fall apart.
'They are teaching us how to learn,' Stevens said. 'It's not what we know, it's how we can adapt what we're learning.'
GCN Assistant Managing Editor Joab Jackson contributed to this story.