Saturday, February 28, 2015


This weekend I was invited to participate in the 2015 RMCCDC (Rocky Mountain Regional Collegiate Cyber Defense Competition) held at Regis University in the Denver Tech Center area.

I was a volunteer for the Red Team and had a great time! I have participated in numerous CTF-style competitions, most notably SANS NetWars, and this was my first time with the RMCCDC. It was all in fun but surprisingly intense; the focus of the program is to educate college students on how to deal with cyber attacks in a setting that mimics what happens in the real world. The Red Team tries to breach the systems, Gold and Black Teams monitor traffic/services and provide oversight while the Blue Teams defend against all of the attacks. The scope was large and consisted of everything from printers and webcams to web applications, Linux/Windows servers, wireless, social engineering (to an extent) and everything in between.

Several student-comprised Blue Teams, each with an identical infrastructure to protect, had to stand up to a barrage of attacks. Personally, I found myself less focused (much less focused than during a typical penetration test) than I normally am due to several factors: lack of adequate preparation, large scope and being new to the format.

Just to do something different, I was running the Windows 10 Technical Preview and only had my professional version of Burp installed along with a couple other non-standard applications. The issues with this choice (not testing thoroughly) manifested themselves in myriad ways: Nmap wouldn't run, my VM instance of Kali (that I had installed the night before) needed significant updates and tweaks to get the GUI to work, not to mention all of the issues inherent to a Beta OS (think basic things like no audio). I thought I would be fine with just Burp, maybe ZAP and a couple of browsers. Wow, was I wrong.

The scope was vast, as previously mentioned, so I found myself spending about 10% of my time on web applications and the rest split between trying to get my box and tools running effectively, Metasploit, panning and zooming webcams aimed at Blue Team whiteboards and an outrageously slow network (at times) due to saturation. But it was an awesome experience!

Each team had their own room; ours was a piping 80 degrees, perhaps on purpose to fatigue us in order to slow down the attacks. After the first hour or so, Social Engineering attacks were called off, and I was challenged a couple of times by Blue Team members intent on keeping their assets secure, all part of the exercise and well received. The local news was shooting footage, organizations from all over the area were invited to check out the action first hand, and I was able to speak with curious observers and share insight on how a Red Team operates.

Thanks to all the teams, students, sponsors and folks behind the scenes that made this possible. Richer for the experience, and a firm believer in the spirit of the competition, I would be glad to participate in the future.