How "adversarial engineering" of red teams is strengthening security practitioners
(Image: file photo)
Last month, several competing students from universities across the US descended upon San Antonio for the National Collegiate Cyber Defense Competition (CCDC).
CCDC, which originated in 2005, is a defensive security competition that puts students in a real-world commercial IT environment and tests their ability to defend, detect, and respond to outside threats, including maintain availability of existing services like mail servers and web servers, respond to business requests such as the addition or removal of additional services, and balance security needs against business needs.
These student teams comprise the competition's "blue team."
This year's National CCDC blue team winner was the University of Maryland, Baltimore County. CCDC is a bracketed competition system, with 10 US regions involved. Qualifying events are held to select the regional competitors, and the winners of each regional event compete in the National Championship. The school itself must register with the appropriate region.
"CCDC is popular with academics, government, and industry because it fosters teamwork, helps students develop technical and soft skills, and complements academic programs," said Dwayne Williams, director, National CCDC. "Students preparing for and participating in CCDC events tend to be better trained, more motivated, and more capable when entering the workforce than their peers with no competition experience."
With so much attention on the challenge of recruiting qualified security practitioners and encouraging more students to pursue careers in security, these competitions have become paramount to the future of the industry. Competitors in CCDC events study and train for the same tasks they'll do on the job after they graduate. According to Williams, while CCDC is definitely a competition, it's also an excellent workforce development program.
"We've been told by a number of organizations and professional recruiters that an applicant with CCDC experience in their resume automatically passes through their first round of applicant screening," he said.
However, in order to conduct these real-world competitions that harness and accelerate the students' desires to become defenders, there must be an adversary. In the case of the CCDC, the adversary is presented in the form of a "red team" -- a team that simulates threats and emulates threat actors to create barriers for the blue team. In the commercial sense, red teams are well known for simulating threats in a corporate environment to challenge the organization's security, so that its security teams can then improve the overall infrastructure and operations.
Red teams must strike a delicate balance between full-on adversary and hands-on educator, with the intention not to make the students stumble, but to understand and learn real-world mitigation practices when faced with, or when failing in the face of, a threat actor.
"The most important tasks for a red team at a CCDC event is to provide a realistic attacker experience for the students and to treat every student team as equally as possible," Williams said. "Red teams are there to help exercise the competitors skills and provide 'learning moments' for those competitors. We look for people with professional experience and matching professional attitudes."
Alex Levinson, senior security engineer at Uber, has been working with professional red teams for nearly a decade, both as a consultant and in-house. He has now red teamed six times for the National Championship, and he writes in his blog about his dedication to the CCDC.
"I've used this opportunity over the years to improve my capabilities, regardless of my day job. While the blue teams spend the months leading up to the competition practicing security hardening and vulnerability management, I take the opportunity to improve my skills by studying cutting edge offensive security techniques," explained Levinson. "These skills are invaluable, for both the competition and my day job."
Read also: Rich? This ransomware will charge you more to unlock your encrypted files | Why malware is still the beating heart of cybercrime | Fake Google Docs phishing deluge hits Gmail | Hundreds of privacy-invading apps are using ultrasonic sounds to track you | IoT, encryption, and AI lead top security trends for 2017 (TechRepublic)
Levinson was one example that Williams used as CCDC alumni who are accelerating in their careers; the alumni list also includes practitioners from Amazon, Microsoft, Walmart, Accenture, Twitter, and even The White House,
It's true, in security the industry offense can be the best defense, and learning how to tackle the offense is critical for career growth and success, from students to those already in real-world trenches. In a follow-up interview to his blog post, Levinson said that, for him, the appeal of red teaming is knowing that what he's doing -- assuming the role of a live adversary -- is helping other security professionals get better at defense.
"I often refer to red teaming as 'adversarial engineering' because it simulates the realistic conditions of an attack by a live adversary," Levinson said. "To be effective against a real attacker, you need practice defending against someone who doesn't play by any rules."
Andy Green, lecturer of information security and assurance at Kennesaw State University, where CCDC began in the southeast region in 2006.
"In my opinion, the most important attribute of a red team is to have an educational mindset, as well as to understand the primary purpose of the CCDC, which is to help students improve and learn," Green said. "It's never a question of whether or not student teams will get compromised -- they always will. This event isn't about 'burning boxes' for the red team, it's about training and development for the students."
But not just anyone is suited for a red team, whether for an enterprise environment or a student competition. According to Levinson, a good candidate for red teams has a deep knowledge and understanding of computer fundamentals including databases, networking, operating systems, and enterprise applications.
"As valuable as it is to able to channel the attacker's mindset, it is incredibly beneficial to be able to develop your tools," Levinson wrote. "No effective outcome has ever occurred from leveraging only offensive tactics before developing more basic, albeit seemingly mundane in comparison, skillsets. Writing effective software takes both strong muscle memory and lots of practice."
Overtime, as internal security teams and students learn more from the feedback they receive from red teams, their systems become harder to penetrate.
"It's an exciting, yet daunting challenge to go up against the same teams over and over again knowing they're going to get stronger each time," Levinson said.
Russian hackers are stealing up to $5M a day from US companies