The NSA Cyber Defense Exercise trophy.
The NSA Cyber Defense Exercise trophy.

SC Media was granted inside access to the NSA's annual Cyber Defense Exercise, where computer network specialists tested the network security know-how of the finest young tech minds the U.S. and Canadian military academies have to offer.

They're called the “Red Cell” – a team of computer network specialists, working under the auspices of the National Security Agency, whose mission is to relentlessly launch cyberattacks against the finest young tech minds the U.S. and Canadian military academies have to offer.

Posing as black hats – they even plot their attacks from beneath a large skull and crossbones flag draped from the ceiling – these professionals are playing an important role in the NSA's annual Cyber Defense Exercise (CDX). It is their job to test the network security know-how of cadets and midshipmen from the U.S. Coast Guard Academy, U.S. Merchant Marine Academy, U.S. Military Academy (Army), U.S. Naval Academy and the Royal Military College of Canada.

On Wednesday – day three of the four-day event – SC Media was granted access to watch the Red Cell in action at its headquarters in Columbia, Md., inside a corporate cyber operations center located just a stone's throw from the NSA's home base in Fort Meade. The approximately 70 Red Cell members include government, military and corporate experts from such institutions as the NSA, the Delaware Army National Guard, the Canadian military, and Microsoft, whose daily jobs are to secure highly sensitive networks and communication systems.

Throughout the hotly contested exercise, students from the five participating military academies represent rival “Blue Cell” teams that operate out of their respective campuses. Teams earn or lose points depending on how effectively they can defend their own computer networks from the Red Cell's intrusions. Each network is comprised of machines running on four different operating systems – Windows 10, Windows 7, Linux and Unix. And none of them is safe from attack.

The victorious team wins bragging rights and is awarded the highly coveted CDX Trophy (replete with a very patriotic bald eagle and pair of American flags). But the most meaningful prize is the experience of fortifying a network and defending it against an onslaught of bona fide threats and exploits that exist in the wild. "It allows them to see first-hand what actually happens in the real world," said James Titcomb, the CDX technical lead.

While successes are celebrated, mistakes can prove even more valuable because they help students discover where they need more training. Good thing, because it is immediately apparent upon entering Red Cell territory on Wednesday morning that one of the Blue Cell teams is already facing a crisis.

Prominently displayed on one of the Red Cell's large screens is the image of a school web page that the Royal Military College of Canada is, by rule, required to host on its network. Unfortunately, the page has been defaced. It now shows an image of military personnel conducting a medical rescue, along with a taunting message that says "WE NEED TO MEDIVAC THIS WEBSERVER." In other words, this web server is on life support, and the longer the team goes without detecting and fixing this attack, the more points they will be docked.

"We periodically check to see if it's still defaced and if it is, that basically means that they're not doing a good job of keeping up their services," said Red Cell member Barrett Darnell of the U.S. Air Force. "At some point, they get task saturated because they're looking at all these different attacks and they're doing incident response across their entire enterprise and this is something that is probably lower on their list that they haven't gotten to."

Ironically, the Red Cell members who pulled off this hacktivist-type attack on the Canadian students are actually Canadian military personnel working the late shift. They call themselves the “Eh” Team. Not the A-Team, mind you, but the decidedly more Canadian “Eh” Team. And, we are told, they relish pulling off attacks on their own fellow countrymen.

In addition to site defacements, Blue Cell members will be force to contend with malicious code injections, attempted data breaches and distributed denial of service attacks. Attacks can happen at any time, day or night. Of course, one of the most common scenarios that network defenders typically face is the insider threat, such as an employee who irresponsibly opens a spam or spear phishing email containing a malicious attachment.

Obviously, the students themselves won't be foolish enough to fall for such a scam in the middle of the competition, so that's where a third group, the Gray Cell, comes in. Gray Cell members pose as poorly trained network employees who accidentally infect the academies' systems. It is then up to the Blue Cell teams to detect, diagnose and mitigate these attacks. (A fourth group, the “White Cell,” serves as judges or referees.)

Unbeknownst to the student competitors, later that evening a Gray Cell member is going to “accidentally” infect one of the teams' machines with ransomware. This will be first ransomware attack the NSA has ever incorporated into its CDX competition.

Teams will be given a deadline of one hour to rescue their encrypted files. Within that narrow time window, they will face a difficult choice – scramble to undo the infection in order to start earning points again for having their services available online, or pay the ransom, which comes in the form of a 3,000-point deduction. Make a wrong move, like rebooting the system in defiance of the ransomware's instructions, and the infected box will be lost permanently. 

"It's going to act like real ransomware," said Titcomb. "We're really, really excited about this because the Air Force is actually going to use this as well later on, in other exercises."


Graduate students from the Royal Military College of Canada
were challenged to defend and remotely hijack an unmanned
ground vehicle.
 

In the days leading up to CDX, teams were also required to hide a special “token” file somewhere within their respective networks. This token symbolizes highly sensitive, confidential data that the Red Cell will try to exfiltrate. Teams lose points if their token is stolen, and they are further penalized if the Red Cell successfully pulls off a data integrity attack by returning the token in a modified state, without detection. As of SC Media's visit, none of the teams' tokens was successfully stolen, but some of the teams' networks were temporarily breached before the intruders were forcibly removed.

Even though the NSA plays host to the event, the attacks on the students' networks do not exhibit the sophistication of a nation-state or advanced persistent threat group. Instead, the Red Cell's arsenal of exploits consists solely of open-source techniques and tools that are widely known to the hacker community at large, such as Kali Linux and Mimikatz.

"If we're going [after] a hard target and it hasn't worked, we just keep going and going," said Curtis Williams, the Red Cell lead. "As far as the academies, they have real-live competitors at an expert level, so they do fairly well here. Even if they don't win... that experience is going to be valuable."

At one point during the competition Red Cell members notably tried to exploit Linux machines using Dirty Cow, a prominent privilege escalation bug that was discovered in the Linux kernel in 2016. To their credit, the students were prepared for that one, as no one was successfully exploited. 

Indeed, the game may already be won or lost during the painstaking prep work that precedes the actual challenge, as competitors diligently strive to patch buggy software, install anti-virus software, and introduce threat detection tools. In fact, just to raise the stakes, the RSA provides the teams with certain mandatory software programs that are intentionally left unpatched. Then, on the first day of competition, the Red Cell thoroughly pen tests the teams' networks, sniffing and probing for any open ports, any default passwords, any overlooked vulnerabilities that can be used to trigger attacks on day two.

As meticulous as the students try to be, sometimes they still miss the obvious. Several years ago, members of one team wrote their network passwords on a whiteboard, completely forgetting that the Red Cell is allowed to watch them the entire time on camera. They had just unknowingly gifted their enemy unfettered network access. 

In the weeks leading up to the main event, the teams also competed in a number of side challenges that will impact their final scores. Students were asked to reverse-engineer a malicious binary, perform forensic analysis on a host and its network traffic, offensively pen test a network for vulnerabilities, and defend and hack into simulated unmanned aerial drones. Those scores from these challenges are kept secret and will not be revealed until the official results are announced at the conclusion of the event.

Separate from the main competition, select graduate students from the Royal Military College of Canada also got to try their hands at securing and defending a network-accessed ground station and space satellite that suffered a simulated attack, as well as defending and remotely hijacking an actual unmanned ground vehicle. (The students did succeed at taking over the vehicle, but in the process also crashed it into a wall.)

As of SC Media's Wednesday morning visit, the defending champion USMA was holding a narrow lead over the Naval Academy. In the 17 years of CDX, the West Point institution has won more than any other military branch. But by Friday, April 14, it was announced that the Navy had overcome its deficit and won the trophy for the fourth time in competition history.

Among those who were rooting on the Army was USMA Cadet Connor Eckert, who was among a few non-competing military students who were chosen to observe the Red Cell team. "I was surprised when on the first day, the Red Cell guys were like, 'Yeah, we got root on almost all the boxes. We got backdoors everywhere.' I'm like, 'It couldn't have been that easy. All of West Point's boxes have been owned already?"

But those backdoors aren't the only doors being opened here at the CDX competition, as students like Eckert develop new skills that they can apply to jobs in the public or private sector. "Talking to a lot of the NSA guys has really opened my eyes as to how much the civilian world has to do with... cyber, and not just the military," said Eckert, noting that this experience could very well "open some doors after my time in the service."