This one day exercise will allow participants to operate as network attackers or defenders in a live head-to-head experience. The Live Fire Range Exercise is a scenario that puts multiple groups of Red Cell hackers against multiple teams of Blue Cell defenders. Each defending team is given a small network infrastructure with a router, firewall, servers, and desktops. The Blue Cells are responsible for keeping their network alive and functional with real services such as email, e-commerce and DNS. The Red Cells are responsible for attacking the Blue Cell network.
Prizes will be awarded for top defenders and attackers.
The CNA/CND Live Fire Exercise is a Capture the Flag type Red-vs-Blue Attack/Defend scenario. It is being held on a closed network, with the tools (for attack) and the patches (for defend) available on the exercise server. However, Red Teams are strongly encouraged to bring their own tools. All defensive systems (servers, router/firewall, etc.) will be provided. Red Teams must bring their own attack hardware (laptop, Wi-Fi, cat5 cable, etc.)
This exercise will be held in the same room that the Intermediate Penetration Testing (Hacking 102) course will be held the day before. When White Wolf Security sets up for the class, the same network will remain for the exercise. If you are competing, you might want to attend the class to get a feeling for the competition.
Now, for the tough words. Yes, if someone is going to participate as a team of four in the CNA/CND Live Fire Exercise, they will not be able to attend other InfowarCon panels unless their team is knocked out of the competition or they forfeit as competitors. After the competition is over you can join the others. We’re attaching the draft rules. Now, the good news. If you have a team that wants to compete, they can concentrate on winning. If you are one of the fingers-on-keyboard types, you’re probably hosed; you’re going to be working up a sweat attacking/and/or defending. But, if you are in charge you will probably have enough freedom to float around not only the competition but also InfowarCon as well. Our gut feeling and advice? Send a team of four to compete and a team of three to ‘supervise’. Send at least three people in charge, rotate in and out, but those guys aren’t included in the team of four, they’re extra.
How about your competitors? I know the same team that won in the big CTF competition in 2008 is scheduled to compete at InfowarCon 2009. The exercise is not the same, however. How good are your social engineering skills?
This competition is limited to ten teams, so register early!
I have participated in a number of these hacker competitions over the years, originally as the sweating pig at the keyboard then as the supervisor/manager. They are fun…, when you win. Actually they are fun anyway, and are excellent experiences for learning new techniques.
I am practiced in IT security, which means I trained myself to program and don’t have the natural skills the great penetration testers do. Like any profession, there are naturals and the naturals are very talented. One of the problems I have seen government bumping into lately is that very skilled youth are getting sucked up early by IT security companies, not necessarily because the pay is good, but because these IT security companies have effective outreach strategies that identify long before the kids get into college who the naturals of the IT space is.
Several of these young men and women go straight out of high school right into the IT work force, skipping college and unaware of other options, simply because the ‘cool factor’ presented to them from the corporate recruiters was too appealing for these young people to pass up. Recruiting in colleges for top IT talent is also at a premium, it is very rare to see the top technical talent in today’s Universities to be unsure where they will be working by their Junior year.
While it is absolutely true that many of these folks often end up working in government or with the services as consultants from large security companies, I’ve long believed that the public sector including the military is passing up on a real recruiting opportunity for serious IT talent. These type of hacker competitions are not only fun for the participants, but conducted in the right atmosphere, they can be a great experience for professionals and tinkerers alike to simply attend.
There is no reason why any recruiting office, in partnership with sponsors like Red Bull, Geek Squad, and a local University or Community College couldn’t conduct these competitions in several places a year. Based on how popular these type of competitions are, the services will come across a lot of raw, young IT talent; the naturals who usually don’t opt for public service because they simply aren’t aware of it as an option.
Given the resources, job opportunties, and education options the military services can offer compared to the vast majority of corporations trying to recruit the young talent, I’d bet the services will find a number of talented recruits, and given the premium on IT security talent, just getting the right one or two recruits a year would insure the entire program would pay for itself.