SC Media spies on NSA’s annual Cyber Defense Exercise

They’re called the “Red Cell” – a team of computer network specialists, working under the auspices of the National Security Agency, whose mission is to relentlessly launch cyberattacks against the finest young tech minds the U.S. and Canadian military academies have to offer. Posing as black hats – they even plot their attacks from beneath a large skull and crossbones flag draped from the ceiling – these professionals are playing an important role in the NSA’s annual Cyber Defense Exercise (CDX). It is their job to test the network security know-how of cadets and midshipmen from the U.S. Coast Guard Academy, U.S. Merchant Marine Academy, U.S. Military Academy (Army), U.S. Naval Academy and the Royal Military College of Canada.

It’s Wednesday, April 12 – day three of the four-day event – and SC Media has been granted access to watch the Red Cell in action at its headquarters in Columbia, Md., inside a corporate cyber operations center located just a stone’s throw from the NSA’s home base in Fort Meade. The approximately 70 Red Cell members include government, military and corporate experts from such institutions as the NSA, the Delaware Army National Guard, the Canadian military and Microsoft, whose daily jobs are to secure highly sensitive networks and communication systems.

Throughout the hotly contested exercise, students from the five participating military academies represent rival “Blue Cell” teams that operate out of their respective campuses. Teams earn or lose points depending on how effectively they can defend their own computer networks from the Red Cell’s intrusions. Each network comprises machines running four different operating systems – Windows 10, Windows 7, Linux and Unix. And none of them is safe from attack. The victorious team wins bragging rights and is awarded the highly coveted CDX Trophy (replete with a very patriotic bald eagle and pair of American flags).
But the most meaningful prize is the experience of fortifying a network and defending it against an onslaught of bona fide threats and exploits that exist in the wild. “It allows them to see firsthand what actually happens in the real world,” says James Titcomb, the CDX technical lead. While successes are celebrated, mistakes can prove even more valuable because they help students discover where they need more training.

Good thing, because it is immediately apparent upon entering Red Cell territory on Wednesday morning that one of the Blue Cell teams is already facing a crisis. Prominently displayed on one of the Red Cell’s large screens is the image of a school web page that the Royal Military College of Canada is, by rule, required to host on its network. Unfortunately, the page has been defaced. It now shows an image of military personnel conducting a medical rescue, along with a taunting message that says “WE NEED TO MEDIVAC THIS WEBSERVER.” In other words, this web server is on life support, and the longer the team goes without detecting and fixing this attack, the more points they will be docked.

“We periodically check to see if it’s still defaced and if it is, that basically means that they’re not doing a good job of keeping up their services,” says Red Cell member Barrett Darnell of the U.S. Air Force. “At some point, they get task saturated because they’re looking at all these different attacks and they’re doing incident response across their entire enterprise and this is something that is probably lower on their list that they haven’t gotten to.”

Ironically, the Red Cell members who pulled off this hacktivist-type attack on the Canadian students are actually Canadian military personnel working the late shift. They call themselves the “Eh” Team. Not the A-Team, mind you, but the decidedly more Canadian “Eh” Team. And, we are told, they relish pulling off attacks on their own fellow countrymen.
In addition to site defacements, Blue Cell members will be forced to contend with malicious code injections, attempted data breaches and distributed denial of service attacks. Attacks can happen at any time, day or night.

Of course, one of the most common scenarios that network defenders typically face is the insider threat, such as an employee who irresponsibly opens a spam or spear phishing email containing a malicious attachment. Obviously, the students themselves won’t be foolish enough to fall for such a scam in the middle of the competition, so that’s where a third group, the Gray Cell, comes in. Gray Cell members pose as poorly trained network employees who accidentally infect the academies’ systems. It is then up to the Blue Cell teams to detect, diagnose and mitigate these attacks. (A fourth group, the White Cell, serves as judges or referees.)

Unbeknownst to the student competitors, later that evening a Gray Cell member is going to “accidentally” infect one of the teams’ machines with ransomware. This will be the first ransomware attack the NSA has ever incorporated into its CDX competition. Teams will be given a deadline of one hour to rescue their encrypted files. Within that narrow time window, they will face a difficult choice – scramble to undo the infection in order to start earning points again for having their services available online, or pay the ransom, which comes in the form of a 3,000-point deduction. Make a wrong move, like rebooting the system in defiance of the ransomware’s instructions, and the infected box will be lost permanently. “It’s going to act like real ransomware,” says Titcomb. “We’re really, really excited about this because the Air Force is actually going to use this as well later on, in other exercises.”
Graduate students from the Royal Military College of Canada were challenged to defend and remotely hijack an unmanned ground vehicle.
In the days leading up to CDX, teams were also required to hide a special “token” file somewhere within their respective networks. This token symbolizes highly sensitive, confidential data that the Red Cell will try to exfiltrate. Teams lose points if their token is stolen, and they are further penalized if the Red Cell successfully pulls off a data integrity attack by returning the token in a modified state, without detection. As of SC Media’s visit, none of the teams’ tokens had been successfully stolen, but some of the teams’ networks were temporarily breached before the intruders were forcibly removed.

Even though the NSA plays host to the event, the attacks on the students’ networks do not exhibit the sophistication of a nation-state or advanced persistent threat group. Instead, the Red Cell’s arsenal of exploits consists solely of open-source techniques and tools that are widely known to the hacker community at large, such as Kali Linux and Mimikatz. “If we’re going [after] a hard target and it hasn’t worked, we just keep going and going,” says Curtis Williams, the Red Cell lead. “As far as the academies, they have real-live competitors at an expert level, so they do fairly well here. Even if they don’t win... that experience is going to be valuable.”

At one point during the competition Red Cell members notably tried to exploit Linux machines using Dirty Cow, a prominent privilege escalation bug that was discovered in the Linux kernel in 2016. To their credit, the students were prepared for that one, as no one was successfully exploited. Indeed, the game can actually be won or lost during the painstaking prep work that precedes the actual challenge, as competitors diligently strive to patch buggy software, install anti-virus software, and introduce threat detection tools. In fact, just to raise the stakes, the NSA provides teams with certain mandatory software programs that are intentionally left unpatched.
Then, on the first day of competition, the Red Cell thoroughly pen tests the teams’ networks, sniffing and probing for any open ports, default passwords and overlooked vulnerabilities that can be used to trigger attacks on day two. As meticulous as the students try to be, sometimes they still miss the obvious. Several years ago, members of one team wrote their network passwords on a whiteboard, completely forgetting that the Red Cell is allowed to watch them the entire time on camera. They had just unknowingly gifted their enemy unfettered network access.

In the weeks leading up to the main event, the teams also competed in a number of side challenges that will impact their final scores. Students were asked to reverse-engineer a malicious binary, perform forensic analysis on a host and its network traffic, offensively pen test a network for vulnerabilities, and defend and hack into simulated unmanned aerial drones. The scores from these challenges are kept secret and will not be revealed until the official results are announced at the conclusion of the event.

Separate from the main competition, select graduate students from the Royal Military College of Canada also got to try their hands at securing and defending a network-accessed ground station and space satellite that suffered a simulated attack, as well as defending and remotely hijacking an actual unmanned ground vehicle. (The students did succeed at taking over the vehicle, but in the process also crashed it into a wall.)

As of SC Media’s Wednesday morning visit, the defending champion USMA was holding a narrow lead over the Naval Academy. In the 17 years of CDX, the West Point institution has won more than any other military branch. But by Friday, April 14, it was announced that the Navy had overcome its deficit and won the trophy for the fourth time in competition history.
Among those who were rooting for the Army was USMA Cadet Connor Eckert, who was among a few non-competing military students who were chosen to observe the Red Cell team. “I was surprised when on the first day, the Red Cell guys were like, ‘Yeah, we got root on almost all the boxes. We got backdoors everywhere,’” Eckert told SC Media. “I’m like, ‘It couldn’t have been that easy. All of West Point’s boxes have been owned already?’”

But those backdoors aren’t the only doors that were opened here at the CDX competition, where students like Eckert develop new skills that they can apply to jobs in the public or private sector. “Talking to a lot of the NSA guys has really opened my eyes as to how much the civilian world has to do with... cyber, and not just the military,” said Eckert, noting that this experience could very well create opportunities for him “after my time in the service.”
Bradley Barth

As director of community content at CyberRisk Alliance, Bradley Barth develops content for SC Media online conferences and events, as well as video/multimedia projects. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.