Drexel Team Eyes Collegiate Cyber Defense Competition
January 11 2017
Drexel University is preparing to field its first intercollegiate team in cybersecurity. A dozen students have been in training since the summer, coached by professionals from Susquehanna International Group, LLC, to ready themselves for the Collegiate Cyber Defense Competition—a national contest that pits students against hackers and a variety of digital dilemmas they might face in the cybersecurity field. Drexel and SIG are partnering to enter a team in the competition for the first time.
While information technology and cybersecurity have been among the fastest growing fields for industry and government talent over the last decade—with projections that the demand will rise to more than 6 million jobs globally by 2019. Educators face challenges in preparing students to enter these fields because new skill sets are required and there has been little standardization in teaching them. The Collegiate Cyber Defense Competition, was, in many ways, an answer to that challenge when educators, students and representatives from industry and government created it as a “regular cybersecurity exercise with a uniform structure for post-secondary level students” in 2005.
Since then, the contest has grown to include thousands of collegiate teams, with the top 10 reaching the final tournament through a regional qualifying round.
Drexel’s Issac L. Auerbach Cybersecurity Institute has been a leader in the Greater Philadelphia Region when it comes to working with government and industry to develop solutions and prepare students for the challenges of cybersecurity. In addition to Drexel’s degree and certificate programs, the Institute has formally partnered with the U.S. Army Reserves to train reservists to meet the needs of government cybersecurity. According to Steven Weber, PhD, a professor in Drexel’s College of Engineering, and director of the Cybersecurity Institute, entering a team in the CCDC is an intuitive step toward the Institute’s goal of getting students interested in cybersecurity studies.
“Working with SIG to bring together a team for the Collegiate Cyber Defense Competition is a natural extension of our mission to prepare our students to be leaders in the profession,” Weber said. “Drexel’s partnership with SIG on the CyberDragons team is a great example of industry and universities working together to confront an important issue for our national security and economy: the cybersecurity skills gap.”
The competition is set up as an “inherit and defend” scenario, this means a team is dropped into a pre-established simulated work environment and they must keep their company’s servers and network up and running. During the course of the four-hour event, the team will be presented with tasks that IT professions would routinely handle—things like updating software on workstations across the company, setting up new users or changing to a new email server. And, as it would be in the workplace, they must maintain network security and accessibility while performing these tasks.
And this is where the real competition begins.
Rather than squaring off against other teams trying to sabotage each other, competitors will face attempted intrusions, disruptions and nefarious bugs created by a team of professional ethical hackers, dubbed the “red team,” which are all trying to throw a wrench in the works. Teams must do their best to thwart these hacks and protect both the functionality of the system and the private information of the company and its employees. They can earn points by keeping the network up and running. But if the firewalls are breached, the teams that best recognize what is happening and what information is being comprised, can still receive some credit.
According to Chuck Ludwig, one of the team’s advisors, who leads the Information Security team at SIG, these exercises are an accurate portrayal of what the students will face as they move into cybersecurity careers and an excellent way to prepare for the perils and pitfalls of an actual work environment.
“All the tests in the competition translate directly to what they’d experience in the field,” said Ludwig, who’s been working with the CyberDragons since July. “At a regional tournament these teams get to see it first hand. They are essentially compressing what they’d deal with in three to four years in the field into one intense weekend—they really throw the book at them during the competitions.”
Ludwig and several of his coworkers have met with the Drexel students weekly since the summer, when Weber and Drexel’s student cybersecurity club partnered with SIG to put a team together for the competition.
“SIG has been a co-op employer and a partner with the Cybersecurity Institute for some time, and as it turned out they also had experience with getting the CCDC’s Northeast Regional off the ground. So when we had the idea of putting a team together to qualify for a spot in the Mid-Atlantic Regional, SIG was the perfect partner to help guide it,” Weber said.
While the majority of the team members are in their first or second year at Drexel, they have already acquired a good bit of baseline knowledge of the programs—systems like Linux, Unix, Windows—and bring some experience with network management from their co-op positions. But most of the students did not have much experience with cybersecurity techniques before joining. Ludwig and the SIG advisors, in addition to providing the technology to set up a lab for practice, have helped to fill in any knowledge gaps and, as the winter term starts, the team plans to move into more intensive preparation for the cybersecurity side of the competition.
To make it into the Mid-Atlantic Regional, a 12-team qualifier for the national championship, the CyberDragons must first advance via a virtual qualifier in February. This abbreviated version of the full contest is designed to sift out the top teams in each of the 10 regions. It is performed remotely in the lab of each team while being observed by an official. Making it into the regional is no easy task, especially for first-time teams.
“We’re dedicating the winter term to prepping for the virtual qualifier,” said Colbert Zhu, an undergraduate computer science major in Drexel’s College of Computing & Informatics, who is a team leader and the president of the Drexel Cybersecurity Club. “It’s going to be tough considering a lot of these schools have been doing it for several years now and we just started this fall—but I feel optimistic.”
On his co-op, Zhu has already garnered some experience in the areas that will be tested in both parts of the competition. His first position was part of a the security operations center at Security Risk Advisors and he is currently in a penetration testing role at the company, where he attempts to expose network vulnerabilities in order to make it more secure. But he acknowledges that even the most prepared teams can still be hacked, and responding to these breaches is also an important part of the job.
“I’ve seen some of the impressive work of one the red team volunteers, Raphael Mudge, who has developed tools that are actively used in the industry—the guy really knows what he’s doing,” Zhu said. “Suffice it to say, teams will definitely end up getting hacked, but we want to just find a way to respond appropriately and mitigate the situation.”
Virtual qualifiers for the CCDC are from Feb. 23 to March 1. The Mid-Atlantic Regional is held Mach 30 – April 1 at Johns Hopkins University and the National Championship is in San Antonio, Texas on April 13-15.