My plug for RIT SPARSA's ISTS - Cobalt Strike Research and Development
fortra logo

My plug for RIT SPARSA’s ISTS

CCDC season is coming. CCDC is the Collegiate Cyber Defense Competition. In 10 regions, universities organize teams to come and defend a network. I highly recommend participating if you have the opportunity to do so. CCDC is well-known, so I’d like to take a moment to plug another event that’s happening around the same time. The Information Security Talent Search (also known as ISTS).

ISTS is run by the Security Practices and Research Student Association at the Rochester Institute of Technology. I believe this will be its 11th year. ISTS is like CCDC in many ways. Students show up for a two-day event where they must defend systems while deflecting attacks from a professional red team. There’s one twist. Student networks also include systems equipped with BackTrack Linux and they’re expected to attack each other for points and delight.


I gave the keynote talk and played on the red team at the 2012 ISTS event. I think you should play in ISTS. Don’t let the phrase “student run” fool you. ISTS is as professional as any exercise I’ve participated in. In the case of some events, it’s actually better run.

I saw many things at ISTS that surprised me. The team from RPI came to the event armed with a new agent. They made the competition into one big botnet. More impressively, this custom agent could migrate processes, log keystrokes, and do a lot of other meterpreter-like things. As I build these capabilities into my own Beacon, I appreciate how much work these students put into the event. It’s pretty impressive what these students come up with.

Another twist to ISTS, they do a very good job to keep all teams engaged throughout the competition. You get points for defending your system and attacking, sure. But there are also style points for doing things like creating a botnet or demonstrating a clever hack to a judge. Much to my chagrin, points would have been awarded to anyone who managed to hack one of the red team members. As the red team were the only folks using personal laptops and we didn’t know about this provision–we weren’t too amused. The judges quickly amended this when it was brought up (we were supposed to be told). Otherwise, it was all good.

I’m writing this blog post for a reason though. The 2013 ISTS event is March 22-24 at the Rochester Institute of Technology. It’s for students. You do not need a faculty mentor. If you’re a group of five friends who wants to go hack for the weekend, you can sign up. It’s $100 to do so, but well worth it. The event is limited to 10 teams this year, so I highly recommend that you sign up, right now.