CCDC Tips and Video links

CCDC Nationals 2010 (part1)
CCDC Nationals 2010 (part2)
CCDC Nationals 2010 (part3)

Here are some tips and thoughts on preparing a blue team defense in the CCDC:


  1. Know yourself – Know what your skills and limitations are, know who is good at what, know who wants to do what, know what your weaknesses are, know what makes your team work well together and stay calm under pressure, know what you can do fast and what you do slowly.
  2. Know your enemy – The red team is an irritant but is not really your enemy. You can’t “beat” the red team, but you must beat the other blue teams to win. You may not be able to stop the red team completely, but you can force them to take the most difficult and longest path to compromising your systems. You do need to have at least a basic understanding of the red team methodology: recon, penetrate, entrench, pivot (repeat from internal base), disrupt. It’s important to understand (ahead of time) that the CCDC gaming environment is designed to stress your team to the breaking point and it is designed to allow the red team to penetrate your systems. You win the game by being able to function in that environment more successfully than the other teams. Know what you’re up against, know how the scoring works, know how much time it takes to do things that you know you will have to do, know what kinds of business injects you will face.
  3. Plan your strategy – Make a plan for how to best use your people, make an plan for how to best use your equipment, make an OS plan, make a firewall and networking plan, make an applications plan, make a plan for how you will keep your services running (you can’t win without keeping your services up most of the time), make a defensive plan, make a business inject plan, make a plan for sharing information across the team, make any other plans you find you need
  4. Practice your strategy – Coach K at Duke teaches that “practice doesn’t make perfect, perfect practice makes perfect”, don’t practice sloppy or you will compete sloppy, practice all the elements of your strategy individually, then try putting them together and doing them at the same time.
  5. Refine your strategy and practice again – Lather rinse repeat. If possible, get into a live game environment with a red team and business injects for your practice. If not possible, move as far in that direction as you can. Look for ways to double up tasks that work well together and shave minutes off your response times. Try to anticipate what is coming.


  1. Change passwords – Prioritize most important passwords first, use long passphrases (>20 chars) and use unique ones for each system or application. The red team will either know the default passwords ahead of time or will discover them very quickly. The red team will assume you will re-use the same passwords across many systems (because most blue teams and real organizations do that) and they will try them everywhere. The red team will be working hard to grab password hashes for cracking. Short passwords only take minutes to crack, longer ones take hours. Password hashes that can’t be cracked can still be used immediately with “pass the hash” attacks that allow authentication. The red team wants your passwords and hashes because then they have *authorized* access to your systems, which is much harder for you to detect.
  2. Close the holes – Your firewall is actually your frontline of defense and if your firewall strategy includes a first step of stopping all traffic flow while it is reconfigured, that small part should also be considered TOP PRIORITY and concurrent with the step above. Implement the rest of your firewall strategy quickly while others are changing passwords. Once your firewall is configured to only allow the traffic you want, turn your attention to the other systems. Close ports that shouldn’t be open, stop services that shouldn’t be running or are not needed, patch and update to close vulnerability holes. Delete strange new accounts that should not be there (assume the red team will add accounts and upgrade them to admin/root status if possible).
  3. Monitor yourself – Monitor service status, network traffic, important logs. If you decide that you have the time and resources to do IDS, log correlation, integrity checking, that’s great. If you decide that you can’t do all those things, you must at least do some basic version of monitoring that keeps you aware of your network status and any anomalies.
  4. Clean up the mess after a penetration – After detecting a penetration, assess how far the penetration went. Identify any configuration changes that were made and correct them, find any malware left behind and eradicate it. The red team will be trying to install keyloggers and sniffers to gain more valuable information. The red team will be trying to install devices that give them legitimate access, back doors, trojaned services and executables, or even rootkits. Write up an incident response if possible to reduce the negative points.
  5. Change passwords again – After every compromise, change any password that was exposed, change all critical passwords if you have time. After every overnight period, assume the red team has either cracked all your passwords or obtained them in some other way and change all the critical passwords again.


  1. Develop a methodology – Track all injects as they come in, are assigned, are in progress, are completed or abandoned. Post this stuff on a wall, write it down on paper, set up a monitor page on your network – any of these techniques can work, but make sure the team has a good way of communicating knowledge. Figure out what information is most important to share across the team.
  2. Triage/prioritize – Decide which injects are most important for the network and for scoring points, prioritize according to time and ability and personnel available. You should know ahead of time how to balance scoring points from keeping services up against scoring points from injects against being assessed negative points for penetrations.
  3. Delegate – Each task must be assigned to one or more team members and progress tracked. Some teams prefer a casual process (volunteering?) and others like a more formal structure. Either form can work according to your team personality, but task progress must be tracked.
  4. Communicate – the best teams seem to work quietly and quickly but chatter when they need to share information. If you have strong information sharing processes in place, there may not need to be much audible communication at all. Noisy or quiet may be personal style, but whatever works to put points on the board is what you should be doing.
  5. Help each other – Nobody should be sitting around doing nothing. Anybody who has slack time should be helping with monitoring tasks or trying to do preparation work for some task that you know is coming.

other CCDC topics
Attack Methodology

National CCDC – []
Baker College Cyber Defense Champs – []

CCDC Documentary Preview
Fourth Mid-Atlantic Regional CCDC – Part 1 – []
Fourth Mid-Atlantic Regional CCDC – Part 2 – [] Students
Fourth Mid-Atlantic Regional CCDC – Part 3 – [] Hackers
Fourth Mid-Atlantic Regional CCDC – Part 4 – []
Fourth Mid Atlantic Regional CCDC Hacker Q&A
Hacker Interview Part 1 – []
Hacker Interview Part 2 – []

RIT on TV News: Cyber Defense Competition – []
Security Dawgs – Cyber Defense in 2010 2010 Illinois
SIU Security Dawgs – Cyber Defense Competition – [] 2010 Illinois
Red Team Brief Part 1 – [] 2010 Midwest Regional
Cybersecurity: First Pacific Rim Cyber Defense Competition – [] 2008

Comments are closed.