Praise for CCDC - Cobalt Strike Research and Development
fortra logo

Praise for CCDC

Over on r/netsec there’s a discussion debating the merits and realism of the Collegiate Cyber Defense Competition.

I’ve volunteered at the North East Collegiate Cyber Defense competition since 2008. I’ve also participated with several CCDC regional events since 2010 and I was on the National CCDC red team last year. I’ve seen more of CCDC than most. I believe in it as an event or else I wouldn’t put so much time into it.

CCDC is a cyber defense competition league. Student teams qualify to participate in a regional event. The winners of these regional events move on to a national event with the winner taking bragging rights.

Each region organizes itself. Some regions mirror the National CCDC rules very closely. Others, do not. Right now, regional events are not happening. They do not start until March. The reflection happening on reddit is about two events that happened over the weekend: a qualifier event and a practice event organized by students at Capitol College.

The qualifier events are simple filters to invite the most prepared teams to the regional event. They’re usually throw aways and many times the qualifiers are no reflection of the rules or organization of the regional.

As for the student run practice events, these are a clue that something special is happening. Student run practice events means students organized an event, reached out to their professional security community, invited people in, and they asked for a lesson.

Why does this matter? We’ll get to that in a moment…

There are many opinions on CCDC’s rules, restrictions, and artificialities. As someone who participates, I see the rules shift year-to-year to make a more engaging game. No organizer wants students sitting bored or idle throughout the event. Everyone’s hair should be on fire.

No two students take the same thing out of CCDC. The team captains have to deal with people issues. They have to motivate their fellow students to take time away from video games and parties to sit down and drill through checklists.

The teams that win assign roles. They have to. One smart person doing everything won’t win a CCDC event for you. Too much is happening. Some students will become Cisco IOS whizzes. Others will learn how to administer and perform intrusion response on UNIX systems. Some Windows. Students from the winning teams will understand the value of staging a secure configuration and migrating production stuff to it with minimal downtime.

The red vs. blue battle aside, students must also write policy and effectively communicate with judges, who act as executive leadership. This is a big part of their score. There’s a lot that happens in a CCDC weekend event.

The teams that will win their regional events are probably spending 10-30 hours each week, practicing as a team, right now.

The success of CCDC isn’t in its rules or how closely it mirrors sitting on a NOC floor for 12 hours with nothing happening. The success of CCDC is in what it motivates the students to do, on their own time, to prepare themselves to enter our field as peers. Last weekend’s student run practice event is an example of this.

Since 2008, I’ve seen the student teams get better by leaps and bounds. I’ve never been part of a regional red team that had access on all teams at the end of an event. Please don’t let the chest thumping of some red team volunteers lead you to believe that students are lost and engaged in an unfair game. Most student teams are well prepared and I’m in awe of them each year.

I run into these students at conferences. We have a good laugh about CCDC. For them and for me as a volunteer, it’s one of the high points of our year.

CCDC works. Students learn leadership, teamwork, and they’re motivated to pick up skills. CCDC is a good thing for our professional community