CyberDragons Train New Generation of Security Experts

It’s not often that undergraduates come trundling home from college competitions with $15,000 checks.

Drexel CyberDragons logo

But last month, three members of the Drexel CyberDragons won the region’s prestigious CyberSEED contest. The Dragons competed against 44 mid-Atlantic teams for cyber markers focusing on reverse engineering, cryptography, and network traffic analysis, among other skills in a contest that simulated the threat landscape by putting contestants in hackers’ shoes.

When the dust settled, Drexel was triumphant. The money was theirs to keep. What could be better than that? As it turns out, a lot. Considering the job-ready skills team members acquire, CyberDragons is far more than an extracurricular club.

For one thing, content lessons at regular meetings basically hand them free cybersecurity training to rival any computer course out there. Members network with industry professionals who speak at their meetings as much to survey the talent as to present lectures. And they come away with a base knowledge that few clubs can duplicate—in one of the most promising employment fields today.

It’s not just for computer geeks, either: everyone with a laptop is welcome at the University-wide club. Students from the College of Engineering join in droves, as do undergraduates from the College of Computing and Informatics. Club President Declan Kelly is still waiting for the first poetry major to show up on the doorstep. But he remains hopeful, fostering a welcoming attitude and a willingness to teach all comers.

“A couple of years ago I went to a meeting and said, wow, this is way over my head. I was intimidated myself,” said Kelly, a fifth-year student in CoE’s Department of Computer and Electrical Engineering (ECE). “But I came back and look where we are now. The only way to get better is to just give it a try. This stuff isn’t necessarily unapproachable or difficult. It’s just a matter of having an interest and coming out.

“There’ll be times when we quite literally have an introductory session, whether it’s an introduction to Linux or to networking,” he added. “But we also work with a bunch of security tools. There are different means and methods of testing the security of websites or databases or networks, and tools that have been developed to do that. We teach that. A lot of these open-source technologies are used by professionals to secure their organizations.

“These competitions have been designed by individuals in industry who use the exact same skills, and they are presented in a way for you to learn them that is much more engaging than your standard lecture,” explained Kelly.

Alia Yeszhanova, ’22, is a computer science major at CCI and vice president of CyberDragons. “A continuing initiative of our club is welcoming students of all majors and backgrounds. We want to create a casual environment where any member can feel comfortable regardless of their level of expertise,” said Yeszhanova. “Personally, I’ve learned a ton about security fundamentals and vulnerabilities.”

A Multitude of Contests

Cyber contests have become so plentiful throughout the country that team members could, if they chose, attend one every weekend throughout the year. Contests fall under one of two categories: “Capture the Flag,” or “Inherit and Defend,” or more simply put, offensive contests and defensive contest: you’re either hacking, or you’re defending against it.

The club teaches tools like NMAP, which allows cybersleuths to probe a network to decipher its structure, and DirBuster, another tool for understanding directories on a machine. These tools are just a few examples of how CyberDragons provide a one-on-one correlation between what students are competing over and what they could be doing once they graduate. It’s all about the training. They meet twice a week, every week, for two hours a session. Their dedication is apparent. At a recent meeting, team members showed up with laptops in tow and assembled on the field of play … a conference room with a large white board and a scrum of members logged in to the lesson.

“These contests are designed as simulacra of the real world. They’re fun, but they’re fun with a very serious purpose and a real societal value.”
Dr. Steve Weber

The biggest cyber contests are an alphabet-soup of acronyms: CPTC (Collegiate Penetration Testing Competition); CCDC (Collegiate Cyber Defense Competition), and NCL (the National Cyber League Competition). The toughest competitors, at least regionally, are West Point, the Army Service Academy, the Rochester Institute of Technology, and the University of New Haven. Nationally, Stanford University and the University of Virginia set the standards. Drexel’s club is just a few years old, but it is gaining ground each season.

Competitions are intense. In the recent CPTC regionals hosted by Penn State, the goal was to conduct the best “pentest,” or penetration test, logging and reporting on all the vulnerabilities contestants were able to exploit on the network they inherited. Findings were written up and provided to organizers. The competition started at 9 a.m.; hands were off keyboards at 6 p.m.; the report was due at 3 a.m.

The CyberDragons won third place in that contest.

Founded in 2014

CyberDragons train by working through a curriculum that club leadership started developing five years ago. That’s when Dr. Steven Weber, department head for ECE and director of the Drexel Cybersecurity Institute, started the club. An arrangement with security experts from the Susquehanna International Group provided technical training for CyberDragon members to get the club off the ground. Today, that training is carried on by Security Risk Advisors. Many of the experts from both companies are Drexel alums, and their representatives often attend the contests to watch the drama unfold.

“One of the most difficult needs we’re trying to address as a country—both in terms of our economy and our national security—is the area of cyberliteracy,” said Weber. “There are various stats on the magnitude of the cyber-skill gap between industry demand and available labor supply. That gap is on the order of hundreds of thousands of positions, which makes it incumbent upon universities like Drexel to help train the next generation of cybersecurity experts.

“It’s an incredibly lucrative field, and there’s an incredible job demand. It’s also an exciting field because it’s always changing—it’s cat and mouse—and this notion of unmet demand is what really motivates organizations to put these competitions in place. They are seen as a viable way to get students engaged in learning the skills that they will actually need when they go out in industry.

“They really are designed as simulacra of the real world,” said Weber. “It’s fun, but it’s fun with a very serious purpose and a real societal value. This club really does try to capture the multifaceted dynamics you have as a security researcher.”

Kelly is his own best case in point. He has already accepted a full-time position in cybersecurity with a firm here in Philadelphia. He graduates in June.