Dave Kukfa Security bub

My Experiences Competing in CCDC

The Collegiate Cyber Defense Competition (CCDC) is often mentioned in discussions about security education. Specifically, there’s been a good amount of debate on the value of the competition and what students learn by participating. After competing at NCCDC this past weekend and wrapping up my final CCDC season, I’d like to share some thoughts I have about the competition and its value in education and the security community. Please note that this post represents my thoughts and opinions as an individual, and not necessarily those of my team or institution.

Initial Attraction

At the beginning of my Junior year in the CSEC program at RIT, I had gotten my feet wet learning about information security, and I wanted to dive into the forefront of the security community and quickly climb the learning curve of security education. I was learning about web and systems security through various online resources, and wanted to exercise those skills in a competitive environment to test myself and learn from others.

My school competes in CCDC and is a regular contender at the national competition, so when tryouts came around, I applied for a web security role within the team. Soon after, I joined the team specializing in web security and took on the additional role of managing injects (business tasks assigned to teams during the competition). This allowed me to leverage and build upon my soft skills as well as my technical skills.

Positives

Practicing for and competing in CCDC over the coming months taught me a great deal about OS internals and how systems interact with one another. I became comfortable operating in both Windows and Linux environments, and learned to dig deep into either system to hunt for red team malware and rootkits. I also learned to backtrace red team attacks to identify and remediate the root causes of compromise.

Competing in CCDC allowed me the opportunity to meet tons of great people in the security space who are involved in the competition – everyone from red teamers to white teamers to other students. After each competition, the red teamers do an individual debrief with each team to address what the team did well and what they could improve on. This is paramount for learning from the competition and improving for future iterations.

Many internships and full-time jobs are found from CCDC competitions. Participating in CCDC is a great way to demonstrate your interest and dedication in security, which is noticed by sponsors and red teamers looking to expand their teams and hire passionate students.

Negatives

Many of the complaints raised against CCDC address how the competition is run in a vacuum of sorts. By this, I mean that competitors often need to ‘game the game’ and do things you would never see or do in practice. Winning teams usually end up employing crazy strategies or tactics that are hardly viable in the real world. For example, I’ve heard of teams using embedded devices such as phones or printers as firewalls, and scripting snapshot restores on virtualized systems to avoid red team persistence but just barely pass scoring checks. Teams may also resort to disabling core components or functionality of the operating system in order to reduce attack surface. These strategies are creative and clever, but where do these skills transfer to real-world scenarios and environments?

Historically, the networks that competitors are tasked to defend can contain systems or technologies that are woefully out of date – sometimes being EOL’d more than a decade ago. While these may be present in some networks in reality, it would be more beneficial to learn to use and defend modern systems and technologies rather than legacy systems of yesteryear.

The North Eastern region (NECCDC) is doing a great job at changing this. This year’s regional competition featured a modern network (including development and production clouds complete with load balancers) as well as modern technologies (GitLab, Foreman, and Jenkins). These types of topologies are much more likely to be encountered in the real world, and training and competing within updated infrastructures will better prepare students for things they’ll see on the job.

Is it worth it?

After my first year, I continued to participate in CCDC. This was largely to continue improving my technical skills (OS internals, malware hunting) and my soft skills (teamwork, management, writing). However, I believe there’s a point of diminishing returns for participating in CCDC. After reaching this point, students will only get better at competing in CCDC with little transfer of skills or expertise to the real world. The length of time it takes to reach this point will differ between students, but I do believe it exists whether it takes 4 years or a single season.

Bottom line

CCDC has taught me a lot, and I’m thankful for the opportunities it’s provided me over the years. Overall, I can conclude that participating in CCDC yields a lot of learning and experience, but there’s a point of diminishing returns where these rewards lessen year by year. Students should evaluate whether the competition is worth it for them with respect to the nature of the competition and their prospective career path.