By Splunk April 03, 2014
This blog post was jointly written by Tolga Tohumcu and Bert Hayes… Tolga mentored the student teams before the completion, Bert was on-site at the competition to help out in person, and Enoch Long was working behind the scenes to build relationships with folks running the competition.
The 2014 CyberPatriot National Finals http://www.digitaljournal.com/pr/1828452 took place recently at the Gaylord National Resort and Conference Center in National Harbor, Maryland with all of the spectator appeal of a competitive archeological dig. Two shifts of high school aged students made up a total of twenty eight different “Blue Teams” and tested their mettle by defending their networks from a pack of active, aggressive, and skilled attackers (the Red Team). The CyberPatriot program https://www.uscyberpatriot.org/ was created by the Air Force Association to inspire high school students toward careers in cybersecurity or other science, technology, engineering, and mathematics (STEM) disciplines critical to our nation’s future. At the core of the CyberPatriot program is the National Youth Cyber Defense Competition, which challenges teams of students to resolve real-life cybersecurity situations in a virtual environment.
When the games began, students hunkered over their laptops in intense concentration as they began applying patches and locking down vulnerable systems. The morning progressed, and the competitors installed the Splunk Universal Forwarder on all of their servers to help shed light onto exactly what was happening on their network.
These soon-to-be Splunkers had already gotten some training on how to use Splunk, both from accessing free web-based Splunk training http://www.splunk.com/view/SP-CAAAH9U and online mentoring by dedicated Splunker Tolga Tohumcu, but today they were asked to put that training into practice under pressure. With the clock ticking and the Red Team poking, the Blue Teams began installing the Splunk Universal Forwarder on the systems they were to protect. (A Splunk server was already configured and running for each team.) Bert’s role on site was that of a Splunk subject matter expert, floating around the conference space and making myself available to answer the student’s questions.
Once the first hour and a half was over, students were graded on their Splunk installs; scores were based on the number of systems that were successfully reporting in and what data was being indexed. Since these monitored servers were under an active attack, they generated a treasure-trove of system level data. Some teams leveraged this data to help mitigate attacks. Others did not.
The Red Team started off light, but gradually increased the severity of their attacks as their shift wore on. Towards the end of the competition, the studious atmosphere gave way to shouts of “No! No! NO!” from one Blue Team, and “Why!?” from another. In a moment of frustration, one team member created a text file that read, “I hate you, Red Team!” and saved the file on the desktop of a defended server. Some time later, the attackers appended the file to say, “I know.”
Scores were based on the availability of systems and services, but by the end of the event, the only group that was unanimously smiling was the team that wasn’t being scored: the Red Team. Did we say smiling? We should have said, “swaggering”. Many teams did quite well, and kept many servers and services available. But even in defeat, everyone had a good time and learned a lot about network security. And if they want to learn more? All of that data is there for the Splunking.
(Full Disclosure: Bert has competed in similar Red Team / Blue Team competitions, where he’s had his [packets] handed to him by the attackers. These kids are the future of our network security, and they did a great job that day.)
----------------------------------------------------
Thanks!
Tolga Tohumcu