NCCDC from the outside: A white team perspective

The National Collegiate Cyber Defense Competition (NCCDC) is a ridiculous competition, in all the best ways. Over the past few competitions, students have earned the chance to administer networks resembling energy providers, video game publishers, and correctional facilities. These scenarios are built to emulate their real world counterparts partially. The networks they inherit are a grab bag of technology stacks and operating systems, often configured in extremely naive ways. A live red team is let lose on the blue teams at the start of the game, with the sole mission of making sure everyone gets a taste of punishment. The blue teams are scored on a mixture of service delivery, remediation of points lost from the red team, and completing business objectives that are given in game. As a white team member, our primary responsibilities are to sit with various blue teams and score business objectives and prevent cheating.

Time management is keyTeam rosters per NCCDC rules must be submitted before the competition. Forming a team make-up really depends on your stock of participants, and how much they can learn before the competition. Most teams this author has observed have a set of *nix and Windows administrators, and typically some kind of dedicated project manager. Some teams choose to have a set of cross-trained admins, instead of opting for specialists who learn specific operating systems and services. 

If you have a player that is a stellar MySQL admin, consider having them also learn other database technologies, like Postgres and/or MSSQL. While it's important to be fluent with the tasks you will be responsible for in game, consider learning a related OS or service, so that you have options in-game for task prioritization. Blue teams should expect to encounter strange services and obscure operating systems. Learning how to properly configure Exim or OpenVPN on the fly can be planned for, but only when a blue team leaves itself enough time for dealing with unknowns. 

Whatever a teams makeup looks like, performance speed always sets apart the good from the great. When team members complete their tasks quickly, they can then move to completing injects, fixing downed services, or performing incident detection and remediation. Time should not be wasted trying to figure out a password scheme or creating a naming convention. Anything that can be planned or performed outside of the competition should be. Utilize the amount of outside documents that can be brought into the competition. This white teamer has witnessed several teams in the hotel lobby late into the night, doing research and capitalizing on the hotel printer.

ScoringScoring seems to be one of the most misunderstood concepts in the game. This author has seen excellent teams with fantastic technical skills lose the game for not giving specific aspects of the final score enough love. The scoring is broken down into three categories, detailed below.

Most blue teams tend to focus on uptime as their primary metric of performance in game, which is an easy mistake to make. All participants in the game (players, sponsors, organizers, volunteers) are at least partially aware of the service scores while the competition progresses. The problem with this is that everyone judges the final standings based on the estimated service scores. Teams have come back from massive deficits in service scores and won the game. THIS IS BECAUSE THE GAME IS SCORED BY THREE OBJECTIVES. Never neglect easy points because you're afraid of a scored service going down.

While uptime may be partially visible to blue teams, another scoring metric that may be used is incident detection & response. The red team's sole responsibility is to completely annihilate the service score of the blue teams. To earn some of these points back, the blue teams may perform incident response and remediation to mitigate some of the point loss. Obviously, you can't earn back points through remediation if you don't get owned by red team.

Remember to report any malware or unauthorized activity you find on your network. Make sure that you have documentable evidence for any intrusion. This could be in nearly any form, but it is best to think in terms of "what can I email or present to the CEO (gold team)". Consider taking screenshots, pulling file system artifacts, collecting packet captures, system logs, or any other indicator of compromise (IOC).  Once indicators have been collected, develop a remediation strategy for the compromise and submit your report (compromises are always time sensitive).

Scoring injects is one of the primary responsibilities of the white team observer. The judge is given an unmistakable set of instructions on how to grade blue teams on injections. This judge's experience is that white team scored injects are designed to be binary answers. For example: "Log in to X system(s) as Y user(s) with Z password(s). Did your login succeed? Yes or No". Scoring injects is a completely objective action. These are easy points that can take a trivial amount of time to earn. Inside the game or out, it never hurts to handle low hanging fruit.

ConclusionYou're bound to encounter something that you never have before, whether it be loving from the red team, eclectic services, or weird business injects that make no sense to anyone but the CISO, if you play the game you're bound to pick something up. Even if it's just knowledge to pass onto green team members for next year, there is always something to take away that can further your team.

Having fun is the other aspect of the game is something you can't just 'pick up'. The sad truth of NCCDC is that at all of your highest stress moments, someone is watching your every move at all times. Cameras will be right next to your face, Recruiters will be taking notes, orange team is blowing up your phone, and white team is right behind your back at every stress-peaking moment. Raging over mistakes only lowers the morale in the room and raises stress levels. A competitive spirit wins championships, but negative attitudes tear teams apart. 

If you take nothing else away from the competition, know that it takes a tremendous amount of skill to participate in a competition like this, and that this is only the beginning of the road. Learn and have fun.

Analyst, FireEye as a Service Team
2014 IGNITE alum

Subscribe to our Newsletter

the experience

featured video

View more videos