CNA/CND Live Fire Exercise

February 2009


InfowarCon 2009 is going to have a little Live Fire Exercise, what some of us call a hacker competition sponsored by White Wolf Security. Below are some of the details.

This one day exercise will allow participants to operate as network attackers or defenders in a live head-to-head experience. The Live Fire Range Exercise is a scenario that puts multiple groups of Red Cell hackers against multiple teams of Blue Cell defenders. Each defending team is given a small network infrastructure with a router, firewall, servers, and desktops. The Blue Cells are responsible for keeping their network alive and functional with real services such as email, e-commerce and DNS. The Red Cells are responsible for attacking the Blue Cell network.

Prizes will be awarded for top defenders and attackers.

The CNA/CND Live Fire Exercise is a Capture the Flag type Red-vs-Blue Attack/Defend scenario. It is being held on a closed network, with the tools (for attack) and the patches (for defend) available on the exercise server. However, Red Teams are strongly encouraged to bring their own tools. All defensive systems (servers, router/firewall, etc.) will be provided. Red Teams must bring their own attack hardware (laptop, Wi-Fi, cat5 cable, etc.)

This exercise will be held in the same room that the Intermediate Penetration Testing (Hacking 102) course will be held the day before. When White Wolf Security sets up for the class, the same network will remain for the exercise. If you are competing, you might want to attend the class to get a feeling for the competition.

Now, for the tough words. Yes, if someone is going to participate as a team of four in the CNA/CND Live Fire Exercise, they will not be able to attend other InfowarCon panels unless their team is knocked out of the competition or they forfeit as competitors. After the competition is over you can join the others. We’re attaching the draft rules. Now, the good news. If you have a team that wants to compete, they can concentrate on winning. If you are one of the fingers-on-keyboard types, you’re probably hosed; you’re going to be working up a sweat attacking/and/or defending. But, if you are in charge you will probably have enough freedom to float around not only the competition but also InfowarCon as well. Our gut feeling and advice? Send a team of four to compete and a team of three to ‘supervise’. Send at least three people in charge, rotate in and out, but those guys aren’t included in the team of four, they’re extra.

How about your competitors? I know the same team that won in the big CTF competition in 2008 is scheduled to compete at InfowarCon 2009. The exercise is not the same, however. How good are your social engineering skills?

This competition is limited to ten teams, so register early!

I have participated in a number of these hacker competitions over the years, originally as the sweating pig at the keyboard then as the supervisor/manager. They are fun…, when you win. Actually they are fun anyway, and are excellent experiences for learning new techniques.

I am practiced in IT security, which means I trained myself to program and don’t have the natural skills the great penetration testers do. Like any profession, there are naturals and the naturals are very talented. One of the problems I have seen government bumping into lately is that very skilled youth are getting sucked up early by IT security companies, not necessarily because the pay is good, but because these IT security companies have effective outreach strategies that identify long before the kids get into college who the naturals of the IT space is.

Several of these young men and women go straight out of high school right into the IT work force, skipping college and unaware of other options, simply because the ‘cool factor’ presented to them from the corporate recruiters was too appealing for these young people to pass up. Recruiting in colleges for top IT talent is also at a premium, it is very rare to see the top technical talent in today’s Universities to be unsure where they will be working by their Junior year.

While it is absolutely true that many of these folks often end up working in government or with the services as consultants from large security companies, I’ve long believed that the public sector including the military is passing up on a real recruiting opportunity for serious IT talent. These type of hacker competitions are not only fun for the participants, but conducted in the right atmosphere, they can be a great experience for professionals and tinkerers alike to simply attend.

There is no reason why any recruiting office, in partnership with sponsors like Red Bull, Geek Squad, and a local University or Community College couldn’t conduct these competitions in several places a year. Based on how popular these type of competitions are, the services will come across a lot of raw, young IT talent; the naturals who usually don’t opt for public service because they simply aren’t aware of it as an option.

Given the resources, job opportunties, and education options the military services can offer compared to the vast majority of corporations trying to recruit the young talent, I’d bet the services will find a number of talented recruits, and given the premium on IT security talent, just getting the right one or two recruits a year would insure the entire program would pay for itself.

Posted by galrahn in Cyber

You can leave a response, or trackback from your own site.

  • UltimaRatioReg


    Superb post. I was involved in cyber exercises in the civilian/govt sector for a number of years, before network technology found a mature place in the business model of most organizations. The move toward NCW gives us as many, if not more, vulnerabilities as advantages, so network defense is going to loom very large indeed. These exercises are often quite expensive and require some sophisticated simulations of network architecture and transactions, and must be expertly designed and conducted. But they do indeed yield myriad lessons, technical and tactical.

  • They aren’t cheap to develop, but cost is relative to other recruiting and advertising marketing. The difference is you can put the events on in all 50 states and hold them on the same day, with potentially multiple events in multiple states.

    The events I have seen like this, which in one case I intended one put on by a hobby group, usually have about 200 or more people attending, with about 50 participants. So the outreach is physical touch to a pool of skilled recruits (no one signs up to be embarrassed, they sign up to win) numbering around 2500 plus those who attend to watch but do not actually engage.

    About 10 years ago I attended one run by a local telecommunication company in cooperation with the University of Arkansas at Little Rock. One of the participants, a friend of mine who didn’t even win btw, ended up getting hired by the sponsor. I also know within a year he ended up coming up with 3200 lines of code that fixed virtually every W2K problem in the organization, saving the company millions of dollars leading up to that problem.

    I have several similar stories to this, but this isn’t really the forum to share.

  • intended should be attended. Nice spelling by this guy eh?

  • UltimaRatioReg


    You are right, of course, regarding relative cost. But like much of the exercise biz, one has to be a bit of an insurance salesman to convince people to expend the money and effort…. until we get another Slammer, or Solar Sunrise, or Naval War College penetration, and a bunch of others that won’t see the light of day.

  • Thank you for your comments. I represent the company putting on the exercise at InfowarCon. We support collegiate level exercises (http://www.cyberwatchcenter.org/ccdc) that are used as both training and recruiting grounds. There are several other college competitions as well as a very few high school one too. In fact, this topic of using these as recruiting opportunities is something that has come across my desk more this year than in the past. Please let me know if you’ll be at InfowarCon; even if you will not be competing.

    Tim Rosenberg
    President and CEO
    White Wolf Security

  • UltimaRatioReg


    We met at Dartmouth College some time back. (At ISTS, we did LIVEWIRE some years ago.) I would love to know how the exercise turns out for your folks.

  • Something like this requires a high level sponsor/leader, someone who has the clout to protect/shield the recruits/red-blue cells from the bureaucracy. You almost have to fold this under SOCOM because what you are envisioning probably wouldn’t survive elsewhere in the DoD. Even the military intelligence people have to deal with quite a bit of bureaucracy, in terms of pay and assignments. The officer corps as a whole may not be able to handle an organization like this.

  • UltimaRatioReg,
    Nice to talk again :). We’ll be running our full exercise backend at this one so we’ll have complete reporting (red and blue), traffic captures and a central IDS. Once the exercise is completed we’ll be posting a full AAR for public consumption.

    Drop me a line off blog and we’ll catch up.