How To Win The CCDC

The Collegiate Cyber Defense Competition, usually referred to as the CCDC, is a multi-tiered national competition for college and university students. Unlike other competitions, such as the National Cyber League (NCL), the CCDC is a defensive-focused event, pitting teams from different schools against an elite group of professional penetration testers (referred to as the Red Team) in a qualifier, regional, and eventually a national round. While the student participants whom are competing must be full-time graduate or undergraduate students, the events provide many valuable opportunities for cyber security enthusiasts and professionals as well, with the addition of conference-like talks, job fairs, and even interactive spectator participation.

The CCDC is broken down into ten (10) regions. Each region is responsible for hosting an event and sending a single team onto the national competition. While each region is slightly different, they all follow the general guiding principals, rules, and processes set forth by the National Collegiate Cyber Defense Competition. In order to facilitate the regional selection of a finalist, the regions host their own competitions, but some regions have so much demand that they first host qualifying rounds to limit the playing field. The final regional event is typically held in-person and is a great place to network with vendors, sponsors, and fellow cyber security enthusiasts.

One of the unique aspects that really sets the CCDC apart from other competitions, is the incorporation of themes, scenarios, and real-world challenges. The student defense teams (referred to as the Blue Team) aren’t just defending systems for the sake of it – they’re given a scenario that provides context to the purpose of their participation. The event goes a step further, with the introduction of “Business Injects;” these injects are typical “real-world” tasks that cyber security professionals face every day, from resetting a password, to briefing the CEO of their organization. The CCDC provides a realistic environment for students to test their skills, learn new ones, and grow as cyber security professionals.

If you’re a student in college and interested in cyber security, the CCDC is an invaluable experience. Professionals who want to volunteer can do so by helping in many different areas, such as range networking, event sponsorship, role-playing, and red-teaming. In fact, the CCDC is an amazing opportunity for professional red teamers to not only assist in the education process of our future generations, but also to have a live adversary defending against them on the other side of the keyboard.

So, how do you win the CCDC? Read the following tips!


No doubt, you’ve heard this time and time again. It’s a common suggestion when it comes to any competition, even non-cyber competitions. But the CCDC is in a league of it’s own. Being a team-based event, it’s imperative that you practice and prepare, both as an individual and as a team. One of the most commonly overlooked portions of CCDC practices are the non-technical aspects. Things like communication and documentation are critical during the CCDC event. If your team hasn’t practiced communicating and working as a unit under pressure, it’s a sure-fire route to defeat.

Many teams focus heavily on the technical skills required, but winning the CCDC requires many key components, such as: exceptional leadership, teamwork, comprehensive knowledge of operating systems and services, time management, communication, and a combination of offensive and defensive cyber security skills. That’s right, offensive skills are valuable as well. While the Blue Teams at the CCDC might be defensive-only, that’s not to say you won’t be employing offensive skills during the event (more on that shortly.)

The main point is, you need to dedicate a substantial amount of time preparing for the CCDC. The CCDC should really be treated like a sport, and your team should be practicing on a consistent and frequent basis. Many schools have cyber security clubs and these are a great outlet for not only recruiting, but also preparation. Setup a CCDC-like environment, with systems to defend and people to act as the Red Team. In fact, your team can utilize WraySec’s CyExNG for CCDC scrimmage scoring. Within these practice scrimmages, don’t forget business injects, as they are a major source of points and an area in which teams consistently struggle.

Roles and Responsibilities:

Just like a sports team, the CCDC team should be composed of many different roles and responsibilities. This means your team should consist of members with a wide range of skills, backgrounds, and expertise. Having clear knowledge of what each team member’s responsibilities are makes it easier to quickly snap into action when the event begins, avoiding the loss of precious time and minimizing your chances of failure.

It is crucial that you select a competent and devoted team captain. There is much debate on whether or not the team captain should be your most valuable technical resource, but the bottom line is the team captain must be a great communicator and unswayable motivator.

However the CCDC is a team event, and that means your team needs more than just a superior team captain. You need team members to fulfill a number of different areas. In general, your team members should each fulfill one of the following roles:

  • Team Captain
  • Team Co-Captain
  • Windows Administration
  • Linux Administration
  • Network Administration

Given that a CCDC team may be composed of up to eight (8) students, this role delineation fits perfectly. You have a Captain and Co-Captain, useful when the Captain is otherwise engaged, and then two members fulfill each other position. It’s especially important that the team members are familiar with not only the base operating system (in the case of Windows or Linux), but also the common services found on these systems. In the case of the Network Administration role, it’s best to have this team member focus on network monitoring and status.

For Windows, it’s beneficial that the team members be familiar with setup, configuration, and management of at least the following common services:

  • Web Services: IIS, Apache, Tomcat, Nginx
  • Databases: MSSQL, MySQL, PostgreSQL
  • Email Services: Microsoft Exchange
  • Domain Name Services: Microsoft DNS

For Linux, it’s beneficial that the team members be familiar with setup, configuration, and management of at least the following common services:

  • Web Services: Apache, Tomcat, Nginx
  • Databases: MySQL, PostgreSQL
  • Email Services: Sendmail, Postfix
  • Domain Name Services: BIND

For Networking, having an understanding of Network Monitoring solutions like Nagios can be very beneficial.

You and your team should walk in the door knowing your role and its respective responsibilities cold. You will face instantaneous and dramatic pressure. The more you’ve practiced, and the more comfortable you are with your area of responsibility, the easier it will be to stay focused and complete your tasks under fire.

Cross Train:

Having a firm set of responsibilities might be important, but it also might not be enough. In addition to learning your own role you should cross-train. This cross-training will ensure that when the going gets tough, anyone within your team can jump in and help out. While no one is expected to be an expert in every area, it will be invaluable to be able to solicit additional support if a particular area of operations is being overrun.

Take time to train fellow team members in your area. One methodology for accomplishing this cross-training is to participate in scrimmages where you switch roles. This will have the added benefit of forcing communication, under stress, which will be extremely important come the day of the event.

Where To Start:

The beginning of the CCDC is one of the most important times in the event. This is your chance to set a foundation for how the remainder of your time will go. You can get a head start and lead from the front, or fall behind and end up trying to climb back into contention. That is why the start of the event is so important.

You should have a clearly defined game-plan and timeline long before the event, and you should make sure you’ve thoroughly practiced this timeline. While there have been many different strategies for how to begin the event, here is the most successful:

  • Take a Knee
  • Change Administrative Passwords
  • Change User Passwords
  • Change Application Passwords
  • Implement Firewall (Network and Host)
  • Update and Harden System
  • Active Defense

STOP. Seriously, relax, take a breath and take a look around you (figuratively). You’ll want to jump right into the action. You’ll need to jump right into the action. But the reality is this will be a new environment. Take a few moments to get your bearing straight. Don’t panic, don’t rush. Let your training kick in.

Everyone knows you need to change passwords, but this should literally be one of the first actions you take. Yes it’s possible the red team will get in before you login and ultimately see your new password, but if you follow through the timeline, you’ll soon kick them off and reset the passwords again. In fact, make sure you’re regularly rotating passwords, and make them long: pass-phrase long. The ability to quickly crack passwords has made anything short of a sentence fairly insecure. To be fair, password cracking is rarely necessary given all of the other insecurities found at the CCDC but nonetheless, it’s important. As the timeline indicates, start with administrative passwords, followed by user-level passwords; however, do not forget application passwords, including services. This is one of the most commonly overlooked area of credentials at the CCDC. It’s not uncommon to find default passwords in use on database services, and the like, at the end of the event!

After all of the initial passwords are changed, which shouldn’t take you long, it’s time to get your firewall rules setup. This includes both network-based rules (on a firewall, etc) as well as host-based rules. While ingress is important, egress is mandatory. Lock down the traffic to only permitted services, to permitted systems, and if possible, to include only permitted protocols. Then only allow the minimum outbound traffic necessary, again forcing protocol verification if possible. Just be careful you read the rules, know precisely what you’ll be scored on, and configure your firewalls correctly. In a way, the firewall configuration is the most important, yet most dangerous task. Proper configuration can set you ahead of the competition, but improper configuration will all but guarantee a loss.

It’s common for people to believe the CCDC is a “patching” event. That’s hardly true, especially given the addition constraints faced in the CCDC. If you have the means to patch, this would be the time to do so. It’s best to focus solely on the most critical patches that result in easy exploitation. Be strategic, focus first on items exposed through the firewall. Do not focus on patching everything; this will be a waste of your time and a distraction that will cost you dearly. Instead focus on the most commonly exploited vulnerabilities, ones you know exist in standard red team tool suites (like Metasploit, CANVAS, Core Impact, Etc.).

During the Patch and Harden time period you should employ the typical system hardening techniques: disable unneeded services, lock down or remove unused accounts, verify permissions and configurations for optimal security, etc. Use this time to get the system into a stable and secure state. A side benefit of this process will be familiarization of the environment.

Active Defense:

This is so important it gets an entire section!

This is without a doubt the most important stage of your timeline. It’s also the step in which you’ll be for the majority of the event. Once you’ve established your secure baseline, it’s time to monitor your systems and respond to any intrusions.

Ensure your team knows the signs and indicators of a compromise; equally, it’s important you know how to disconnect an intruder without interrupting the service or legitimate activity. Tools like Microsoft’s Sysinternals or the various Linux alternatives can be great assets in this process.

You will want your team members to be actively monitoring the systems for malicious activity. Once malicious activity is found, the appropriate member(s) should disconnect and discontinue the activity as quickly as possible. This game of cat-and-mouse, or wack-a-mole, while unpleasant, is critically important.

This state of active defense, and then active countermeasures will be continuous and the zone in which you will spend the remainder of the event. As new attacks are successfully leveraged you should respond by implementing mitigations to defend against the technique. This is where having multiple members per role, or even cross-training can really be beneficial.

Keep in mind that during this time period you will be interrupted to complete business injects as well, so you’ll need to strategically balance your active monitoring of systems with the completion of injects. Every distraction that draws you away from monitoring the system is an opportunity that can be exploited by the Red Team. In fact, the Red Team is relying on your team being distracted and spread-thin.

To help amplify your monitoring capabilities and shore up any gaps, you should have the networking team members implement network monitoring tools, including an IDS (time permitting). This will help ensure you have coverage even as additional distractions are introduced. Keep in mind though that successful configuration and usage of an IDS is technically challenging. If this is something you want to approach, make sure you’re adequately prepared.

Automation and Time Management:

Many people have come before you, and while they won’t be on your team, there are plenty of cool tools that have been published. Take a look around for tools that have been developed as a result of the CCDC and employ them when it’s logical to do so.

Additionally, during the event, any task that can be automated should be. Time is extremely limited and overly valuable. Every moment you spend working on one task is time not spent on active defense or yet another task in the queue.

Speaking of time, manage it wisely. Prioritize actions, completing simple tasks such as changing default passwords at a rapid pace. Do not spend too much time on one thing initially; if it is taking up too much time, ask for assistance. Your team captain should be delegating tasks, setting the pace, ensuring timely completion, and allocating resources as necessary.

Communication and Documentation:

You’ll have noticed by now this is a reoccurring theme. Yet it’s just too important to overlook. You need to be familiar and comfortable with your teammates. You’ll want to be able to quickly and easily communicate, no matter the medium. You will want to have been in stressful and straining situations before, so that you can ensure communications don’t break down. Your captain becomes irreplaceable in this capacity. They need to ensure that the team is informed and working towards the right goals, all while not being distracted. It’s a delicate balance.

Keep in mind that you may not be able to safely use verbal communications. Other teams, and even Red Team members might be able to hear you. Your team should have a plan in place on how to conduct communications in the event that you can not safely speak out loud.

In addition to being able to communicate with one and another, it’s important that you have a system in place for documentation. You’ll want to be able to take notes, save information, and report details. There are times when your team captain may be unavailable or something more pressing is occurring, and you’ll want to be able to come back to your notes and pick up where you left off. But there will also be times when someone else will need to step into your position, and you’ll need them to be able to understand your notes as well. Define a format and process for documentation ahead of time.

Another important aspect of documentation will be on Incident Reporting. This is a valuable technique that’s not only applicable in the real world but will contribute to your success within the CCDC. The better you are with documentation in general, the better your team will be at completing thorough incident reports.

Incident Reporting:

As was just mentioned, this is a valuable aspect of the CCDC, not only for the real-world practicality, but also from a point perspective.

When completing an incident report it’s important to remember that you must include more than just technical facts and details, you need to relay the entire timeline and context.

Make sure all of your incident reports include the Five W’s and One H: Who, What, Where, When, Why, and How. It’s common to be missing some of those aspects, but include all of what you know and provide detailed proof to substantiate your claim.

Far too often incident reports are discounted because they lack any supporting evidence, or provide no contextual details to sustain any claim.

Delegation and Decision Making:

This one is geared towards the team captain, but it’s important that everyone hears it. First and foremost, neither you (or anyone else on your team) are a one-man army. You need to delegate tasks accordingly. Leverage the strengths and weaknesses of your team members to get the tasks at hand completed efficiently and accurately.

Equally important is decision making. During the event you will be faced with many choices. Some may seem minor and others will seem insurmountable, but the best choice you can make is to actually make a decision. Even the wrong decision is better than no decision at all. Your team will falter and fail if you leave them without any guidance. You can course-correct and account for a mistake, but recovering with a team that is breaking down is far more difficult and time consuming.

Using Red For Blue:

Offensive actions against other teams, or the infrastructure is prohibited within the CCDC. After all it’s a “defensive” competition. But there are times when knowing offensive skills can be beneficial.

One common usage of offensive skills is to determine how an attacker might approach your systems. Knowing how an attacker thinks and might act can help facilitate the hardening of your environment, and it might help you strategically monitor your system. For example, what do Metasploit connections look like, or where do Meterpreter binaries get stored on your system?

However, offensive skills aren’t just limited to strategic planning, they may be deployable within the event itself. For example, you may need to use some non-standard tactics to regain access to a system of yours that you’ve lost to the red team. Follow the rules of the event, but this self-hacking can be valuable in the panic that will follow a total lock out.

Know Your Stuff:

This might seem obviously, but it’s worth noting.

You’ll want to be sure you know what you’re doing. Know your operating systems, know your services, know your tools, know your commands.

It’s undoubtable that you’ll need to do research during the event. Even professionals use the man pages.

But the more time spent trying to find the most common switch for `tar`, the more time the Red Team has to make your lifer harder.

This certainly falls back into the practice realm, but don’t overlook the basics. You can also print tons of documentation out and take it with you. Printed notes, documentation, plans, and resources are extremely valuable, and as counter-intuitive as it may sound will be far easier accessed than an internet search.

Keep It Simple:

Too many people overthink the CCDC. You walk in the door with a crazy game plan that “just might work.”

Far too often these plans overshoot the objective, and they are almost always too complicated to achieve.

Keep it simple, employ the basics and just try to survive. You don’t need to over engineer the solution, just do your job and you’ll succeed.

Plan to Change:

Have a plan, but keep in mind that no plan survives first contact with the enemy. No matter how much you practiced, when the heat is on and the bullets are flying panic sets in. Worse, the ideas, plans, and tactics you prepared may fail. Be agile, and ready to adapt to new situations.

Build a Toolbox:

Knowing which tools to use and how to use them is one of the most important aspects of winning the CCDC. The following is a list of commonly used tools for the CCDC:

  • Microsoft’s Sysinternals
  • Wireshark
  • Tcpdump
  • NetworkMiner
  • Netstat
  • Nmap
  • Snort
  • Nagios
  • Nessus/OpenVAS
  • Microsoft Baseline Analyzer
  • Free (Allowable) Anti-Virus (Read The Rules!)

This list obviously doesn’t include every tool that’s useful for the CCDC, but it’s a great start. Begin here and build the rest of your toolbox around your own team’s expertise and strategy.

Have fun, and good luck!

Leave a comment

Your email address will not be published. Required fields are marked *