MACCDC: Qualifiers – How to prepare

The regional CCDC qualifying round for the Mid-Atlantic region is dubbed ‘Virtual Qualifiers’, because it is held on virtual servers in Amazon’s EC2 cloud infrastructure.

In order to properly prepare for such an even its best to know a little bit about it. The best source for information is from people who have participated in years past. The second best source is of-course, this site. Familiarize yourself with the historical data I have gathered from the past competitions.

Registration & Scoring:

Registration and scoring is done through threatspace: https://sb2.threatspace.net

Don’t let the day of competition be the first day you’ve looked at threatspace. Make yourself as familiar with it as you can, it will help you to feel comfortable and confident, and can shave time off from trying to figure out their site during the competition.

Scoring is done by something we call ‘scorebot’. It is the name we have given the scoring engine for the MACCDC region because it often uses the username ‘scorebot’ to log into systems. It is an automated system that checks for services that are up. ‘Scorebot’ reports this and displays it in pretty graphs and colors on threatspace’s website. You can change ‘scorebot’s password and I recommend doing so as it is often set to “chiapet1” and has been for years.  [A future post might discuss the necessity for open sourcing the scorebot]

How many systems and which:

Typically you are given 4 systems, 2 windows & 2 *nix. Again, check the resources I have provided, this will help you figure out which systems they like to bring back year after year.

Team Structure:

This has been gone over before in other posts from other sites and I’m sure each school or region will have their own twist on it but, make sure you have the best man/woman for the job. Some members on your team will be good at everything and some will have only a specialty or two. Make sure you put the best person on the keys that needs to be there. In qualifiers there is only 4 systems but there are 8 team members. Naturally we split up into teams of 2 for each system. One person on the keys and the other person as researcher. Unlike MACCDC regionals, you have full-blown internet access, there is no air-gap. The person in the ‘researcher’ role is there to look things up and provide support to the person on the keys. They should not be looking up things like “how to turn on your firewall” or “adding a user in AD” those are things you should already know how to do. Instead they would be most useful looking up how to administer or harden the web-app and back-end for the software that you’ve never seen before.

What to prepare for:

Don’t stand up 12 VMs and base your practice environment off of one of the topologies from the regional competition, until you get there.

Don’t spend your whole time practicing for regionals if you haven’t gotten past qualifiers. Remember you must get past qualifiers first. With that said, you will need to rehearse for regionals in-addition to qualifiers.

How to prepare:

Since qualifiers are held in Amazon’s EC2 cloud infrastructure, so should your practice environment for qualifiers. Go, sign up for the cloud service and stand up 4 VM’s. They have pre-made images for the systems that you will likely see. A couple hundred dollars worth of Amazon credits should get you enough for your team to get plenty of practice. If your school has a cyber security club maybe you can approach them about the possibility of funding such a thing. If not have each person put in $20. It’s not a huge investment and it will get you started.

Schedule:

The MACCDC qualifer is only 4 hours long. Time is of the essence. There is something like 32 schools in the MACCDC region. Generally qualifiers are held ~8 teams per day over 4 days. As a school you have the option of choosing which day you would like to compete on. You don’t always get the day you choose. Some theories range from:

  • Choosing day 1 means this will be a new environment to red team so they won’t be familiar with it, but this means if there is anything wrong with the infrastructure you will be the test dummies to figure it out.
  • Choosing a later day means the infrastructure should be fully tested but the red team will already know all the in’s and out’s of all the systems.
Things I’ve seen go wrong:
  • People getting locked out of their own boxes. (guilty)
  • Overly complex passwords don’t play nice. I’m not sure if it is threatspace’s website, or their database or input sanitization. Passwords with alot of symbols will cause ‘scorebot’ to incorrectly identify a service as being down. Instead choose a long alpha-numeric string.
A word of advice:
  • Do continuous pings to each of your scored systems so you’ll know when they go down. Don’t rely on ‘scorebot’.
  • Do nmap scans of your scored boxes, make sure the services you need up are up and responding. Check them from an outside computer. Do this constantly as things will change often in 4 hours.
  • You only have 4 hours: Keep It Simple Stupid!
  • Eat and go to the bathroom before competition starts. If allowed at your facility have a bottle of water with you.
Red Team activity:

2013: I didn’t participate in competition but friends did and did not remember any particular red team activity in the qualifiers.

2014: We didn’t see any red team activity, that is, we didn’t see any red team activity.

2015: There was a lot of red team activity. I have made blog posts about it, and so have others. Also, on one of our windows boxes they kept standing up a telnet server.

Feedback:

How do you prepare for the qualifiers? What are the qualifiers like in your region? Leave a comment below.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s