It's the end of March, which means the end to yet another season of the
Southwest Regional Collegiate Cyber Defense Competition. It was a great year.
The student teams and volunteer teams all did great. I'll try to do a series of
posts with more details about various aspects of the competition when I can,
but for now I wanted to do a quick overview while it's fresh in my mind.
What is CCDC?
In the Collegiate Cyber Defense Competition, teams of up to 8 college students
compete in a simulated business setting to maintain service uptime, respond to
business tasks, and defend their systems from attacks by a red team of
professional hackers. The student blue teams each work for an identical copy of
the same simulated business and do not interact directly with each other.
In the Southwest region, the season begins with an open virtual qualifier. Any
team that signs up is allowed to compete in the remote half-day event, where
the top 8 teams advance to the in-person regional competition, lasting two full
days on site at The University of Tulsa.
Our team
For this season, and likely into the future, I'm responsible for SWCCDC's
overall networking, game platform, and supporting infrastructure. My co-lead
for the black team, Peter, owned the technical aspects of game delivery. We
all do everything, though, and our awesome team does, too. We had several new
faces this year, and we're hoping to expand even more!
We build as much of the competition environment in advance, virtually, as
possible. Our event is always scheduled for the last weekend of TU's spring
break, so as soon as classes end the prior Friday, we take over most of
Helmerich Hall, the business college's main building, and start the physical
deployment of our networks and other equipment.
This year, all staff officed out of our very busy build lab on the second
floor. The network and infrastructure team deployed our supporting equipment
by the end of the day on Saturday, equipping the entire team with a useful
place to work. Our out-of-town volunteers arrived throughout the early part
of build week.
Our platform
In Southwest, we operate a private cloud environment where many of our
services run. The SWCCDC Cloud, powered by OpenNebula, serves as both the
cloud platform that we operate many services on ourselves and simulates a
public cloud like AWS for the competitors.
Scenario
For 2025, the scenario was based on a parody of the Pokémon franchise. The
students' teams initially worked for Oak Industries, maintaining the cloud
backend service powering the Pokédex, which records various information about
pokémon. Transitioning into the regional competition, Oak Industries was
acquired by the Devon Corporation, which manufactures pokéballs.
Technology
For qualifiers, our team built a custom web application for the "Pokédex,"
which was deployed to two cloud environments via a GitLab CI/CD workflow.
For regionals, the blue teams were also asked to expand that service into an
additional cloud region.
The company for regionals, Devon, was a Pokéball manufacturer. In the source
material, Pokéballs are made from a raw material called apricorns. So, the
regionals teams found their rooms had receipt printers in them that regularly
printed receiving manifests of tracked and inventoried apricorns. They had
to accept those shipments (or, ideally, write some glue code to automate
that acceptance), or their Pokéball orders couldn't be fulfilled.
They also had to operate a legacy internal app, a password reset service,
which used a compiled C program and CGI to reset office users' passwords.
It had some serious flaws that could be (and were) exploited by the red team.
We did plenty of other things, too, like dynamic routing that included a
mid-migration pair of routers, an old vulnerable Minecraft server, open Wi-Fi,
a log aggregator, HR system, and working email.
Fun stuff
Oh, and of course we got to have some fun, too. We found some oversized
stuffed Pikachu plushes at Costco and placed "visit from Pikachu!" in the
in-game store for a modest fake-money fee. It was well received, especially
since Pikachu was way larger than the teams expected!
The red team also decided to pose as "Team Rocket" and had some fun with
rhymes and wigs and rogue devices masquerading as Pokédexes.
More to come
I'll be writing about more specific aspects of the competition soon! So
there will be more photos, more technical design information, and likely
some source code, too.