Wednesday, August 14, 2013

U.S. Cyber Challenge 2013


In June I attended the U.S. Cyber Challenge, and for those that don't know about it, I'm posting a review because this is one event that deserves more attention.

To sum up what it is, here's an excerpt from the main website:
USCC Summer Camps feature one week of specialized cyber security training that includes workshops, a job fair, and a culminating “Capture the Flag” competition.  The workshops are lead by college faculty, top SANS Institute instructors, and cyber security experts from the community.  The workshops and presentations focus on a variety of topics ranging from intrusion detection, penetration testing and forensics.  Participants can also participate in a job fair that provides them the opportunity to meet with USCC sponsors and discuss potential employment.  The week-long program ends with a competitive “Capture the Flag” competition and an awards ceremony attended by notables in the cyber security industry and government.

Qualifying
Image Credit: vmpyrdavid

In order to attend the camp, you have to compete in the initial challenge.  This year that involved packet capture analysis, which tested not only your ability to filter through the pcap for relevant information, but also to identify in the pcap what type of web-based attack was happening (XSS, SQLi, etc).  Based on how well you performed, you are sent an invitation email.  I think the invitation is really just a process to weed out those individuals that are really motivated or genuine about attending the event, because to complete the invitation, you have to seek out two letters of recommendation (LoR).  One of those letters can be personal from a friend, but the other has to be from either a teacher or your boss.  People not willing to go to those lengths are not given further consideration.

After submitting the LoR, I received an email confirming my selection along with instructions for attendance!

Event Venue

Apparently, the event venue changes from year to year and in 2013 it was held at the Hotel Roanoke in Virginia.  USCC attendees were slated two to a room.  Make sure you check out the event logistics for future years so you don't mistakenly tell someone they can come room with you and then have to nix those plans later.

The hotel had all the required amenities including a gym, pool, and cafe/bar.  Hotel wireless is bound to the credentials of the person checking in, and there's a max of 5 devices per login.

Attached to the hotel was a conference area where the USCC conference would be held.  The wireless signal reached in all areas, but perhaps due to the number of attendees, bandwidth was slow.  Don't plan to rely on your carrier's hotspot because multiple attendees from multiple carriers had spotty service in the conference area.  Your mileage may vary.

The Classes

The cyber camp is really a 4-day session of differing topics each day, capped off with a capture the flag competition at the end of the week.  These were the daily sessions:
  • Day 1 - Scapy
  • Day 2 - Android Pen Testing
  • Day 3 - Memory Forensics with Redline and Volatility
  • Day 4 - Tactical Incident Handling & Hacking Techniques
Each session included SANS excerpts from their classes focusing on these topics, along with instructors who teach those classes.  The quality of instruction was extremely high, and for that alone the USCC is worth attending.

At the end of day 2 there was an ethics discussion panel to review topics such as expectation of privacy.  Each table was grouped into a team for discussion to review a couple hypothetical scenarios, with the results shared in an open dialog.  It was very interesting conversation.

At the end of day 4 there was a job fair.  Already gainfully employed, I did not attend.


Capture the Flag

Day 5 culminated into a CTF, with attendees grouped randomly into teams of four or five.  The infrastructure for the CTF was provided by iSight through their Threatspace CTF platform.  The challenges, from what I can remember now, were largely based on web-oriented and forensics-oriented approaches.  I used OWASP-ZAP and HTTP Header manipulation tools to identify some flags from the web-based challenges.  For the forensics-focused we used Wireshark, John the Ripper, Cain & Abel, and aircrack.

Although my team did not win or place, it was fun learning new tools and their extended usage.

Overall, this experience was fantastic, and I highly recommend everyone give themselves the opportunity to experience it.  Keep checking the USCC Cyber Quest site for future challenges!