Splunk at the NCCDC 2012

Fellow Splunkers,

Thus begins my first blog post as an employee of a publicly traded company.  Given that, I would like to let you all know that [REDACTED – lstein].  Now that I have cleared the air, let’s move on.

It has never been more true: the more things change, the more they stay the same.  While Splunkers around the globe were partying like it was 1999, I was on the way to my second straight National Collegiate Cyber Defense Competition in San Antonio, Texas (aka the Alamo City).


This Year's National Finalists

The event took place April 20th through April 22nd downtown at the St. Anthony’s RiverWalk Hotel, which I learned is one of three haunted hotels in the city.  Previously, the event was held at another hotel near the airport, but frankly the competition has grown by leaps and bounds and a new venue was required.

Splunk was once again a Silver Sponsor, and I was thus given the opportunity to participate in the competition; more on that later.

Before the morning’s keynote address by Lt. Gen. Harry D. Raduege, chairman of the Deliotte Center for Cyber Innovation, the scenario for this year’s competition was revealed:

  • Each team has just been hired to run IT services for an online web hosting company (
  • The previous IT team was just recently let go, and suffice it to say the breakup didn’t go so well
  • The current corporate infrastructure consists of a traditional data center with certain services that must maintain SLA as well as a cloud environment that must maintain similar SLA.

The Sponsor Badge

Sound familiar?  Here’s where the competition diverged from last year’s:

  • This year there were 17 members of Dave Cowen’s Red Team, as opposed to 10-12 in the previous years, guaranteeing that each team would get plenty of love and attention
  • For the first time this year, an Orange Team representing end users as well as customers of would be calling the teams when a site or service was unavailable or for various mundane tasks such as password resets.  Guess who got to be on the Orange team?

Just like last year, the students must take this inherited environment, assess their current service status and defense posture, and then maintain their SLA while defending their networks from the adversaries.

Teams can use only approved software (including Splunk, McAfee EPO, and others) on their systems, and have various other restrictions that keep the competition very true to a real life scenario.  For example, at a real corporation, the IT team can’t decide to reimage all the web servers during peak business hours; likewise, they can’t scan or probe their attackers.

Being on the Orange Team was good fun.  A lot of calls went like this:

Student: Hello, Blue Team Ni-  I mean, support, can I help you?

Orange: Hello, this is Jack Daniels calling.  I’m trying to but some viagra on, but it seems like the site is broken.

Student: I understand sir.  We are aware of the iss-


Orange: You don’t understand.  I NEED those pills…

Another typical call (on speaker phone, of course):

Student: Go Momma support, this is Josh, can I help you?

Orange: Yes, this is Marty McFly.  I was just trying to buy a new vest at, but when I got to the site I saw my username, password and credit card number on the front page, as well as a bunch of other ones and something about ‘1=1 OR SELECT…’.

Student: Well, sir, I can’t see that over here on my… oh.  There it is.  Just like you said.  That’s not good.

Orange: Whoa, man, this is heavy.  So what is going on with my data, doc?

Student: Ummm, I think we are getting hacked or DDOSed  or something, we really aren’t sure.  I’ll have to call you back.

I also performed solo booth duties at Saturday’s Recruiting and Networking mixer, where the students got to mingle with the sponsors and talk about opportunities for future internships and employment.  It was honestly really great to get a chance to meet 80+ college whiz kids and talk about what they aspire to do when they are old and crusty like me!

The Alamo Cup

One of the coolest stories I heard was from the young men and women of Towson University.  They enthusiastically explained that Splunk was part of their computer science cirriculum this semester, as they were tasked with installing and configuring Splunk to centralize data from multiple servers.  When I started at Splunk nearly 5 years ago, I couldn’t have even dreamed that someday professors would be incorporating our little software into their cirriculum.

On Sunday, I spoke to the students about Splunk deployments at a high level, including the topography of a typical enterprise deployment as well as the taxonomy of inputs available within Splunk.  There were several other presentations on the morning, including Dan Teal of CoreTrace demonstrating the use of Process Hacker to help identify reflective DLL injection.

Following the morning briefings, we adjourned to the awards luncheon.  Dwayne Williams from University of Texas San Antonio, the real heart and soul of the event, spoke very graciously and humbly about the competition.  Following Dwayne was his boss, Dr. Gregory White of UTSA, who took us through the history of the event as well as some plans for the future.

Dave Cowen

Let me be the first to tell you that there are some exciting additions and changes coming to the CCDC, and indeed to all collegiate cyber defense and ethical hacking competitions in 2013!  You won’t find any spoilers here, though, so stay tuned.

Then it was the aforementioned Dave Cowen’s turn to reveal the Red Team’s tactics this year as well as provide some humourous tips for the Blue Teams in case some of them made it to nationals next year.  Dave really gets a ton of enjoyment out of this event, which he and his team assist on a purely volunteer/pro bono basis, and the enjoyment really shows through in his combination Dr. Evil/Mr. Burns affectations.

We also heard from Mark Bienz of NAVY/SPAWAR, who was one of my accomplises on the Orange team and definately the funniest guy in the room.  The final words were delivered by Paul Nadeau of Deloitte, who spoke about the future of our connected society being squarely in the hands of these young men and women.

Finally, it was time for the awards!  The placing teams this year were as follows:

Because Ninjas Are Too Busy (Winning Trophies)

  1. University of Washington
  2. Air Force Academy
  3. Texas A&M

Congratulations to the Huskies for their close victory over Air Force.  One of the spoils of victory is an invitation to the DEFCON Catpure the Flag competition, which Dwayne likened to ‘sending a basketball team to a football game’.

All the teams that I interacted with throughout the weekend were spectactular, and on behalf of Splunk we are really looking forward to continuing and even increasing out sponsorship of the CCDC at both the regional and national levels.

Thanks again to Dwayne Williams and Jessica Archer for all the hard work in making this event possible.  Special thanks also goes to Joseph Mlodzianowski for help during the mixer (as well as being a great fellow Orange teamer).

But did you go to the Alamo Basement?

I did!  Well, I tried to anyway.  Turns out that Pee Wee wasn’t fooling, there really isn’t a basement after all. Not to worry though, as the historical site is very interesting despite its subterranian shortcomings.

The Alamo chapel

Maintaining Vigilance at the Alamo


I also took in the RiverWalk during Fiesta, which was interesting to say the least but probably not for everybody.  A little more off the beaten path was The Monterrey, a really nice gastropub on the south side with good food and a great wine and beer selection.  San Antonio is a great walking town: the city is well designed and most attractions are centrally located and very close together.

San Antonio RiverWalk

The RiverWalk

Until next time, fellow Splunkers, I bid you adieu.


Alex Raitz

Posted by