The Keystrokes to Victory
Five pro tips on winning a hacker contest
Computer hacking competitions are everywhere, with government agencies and private companies racing to find and recruit the top minds in the field.
Even the Pentagon is getting in on the action, offering rewards to pre-screened hackers who find vulnerabilities in their systems. Meanwhile, the Defense Advanced Research Projects Agency is putting on its Cyber Grand Challenge, a quest to develop computer software so secure it finds its own flaws and fixes them instantly.
Nobody knows how to win this kind of contest better than Tom Nedorost. He coaches the University of Central Florida Knights, the defending back-to-back champions of the Raytheon-presented National Collegiate Cyber Defense Competition.
As that contest heads to its final around April 23 and 24 in San Antonio, Nedorost and his fellow coaches offered tips to help hackers succeed in these high-stakes cyber shootouts:
1. PRACTICE EVEN THE EASY STUFF
Even the best basketball players in the world practice free throws. They do it because just one can make the difference between winning and losing a game. The same concept applies to cybersecurity competitions, said Ron Pike, the NCCDC coach for California Polytechnic State University – Pomona.
“The simplest little things are what will undo you at NCCDC if you don’t manage them properly,” he said. “Everyone needs to understand things like account management, applying simple filtering at the device level and locking down a system. You need to know that stuff before you start getting into the fancy, more exotic cyber disciplines.”
And while every cyber competition team needs specialists in Windows, Unix, firewalls and other areas, it helps to have a team well-versed in all the basic principles of information technology, Pike said.
“The number-one thing I pound in is the fundamentals. In class, I gamify it. I have contests to see how fast the students can lock down a Unix system,” he said. “If a student does it in four minutes, then I challenge the class and say, ‘Who can do it in three?’”
2. Watch THE OTHER TEAM'S GAME TAPE
Cybersecurity has everything to do with computers, but it’s also a profoundly human activity; there are people behind all this stuff, and studying them provides insight into their strategy.
In NCCDC, for example, the 10 teams in the finals aren’t battling each other – they’re fending off realistic attacks from a “red team” of cybersecurity experts and penetration testers. The more you know about them, the better equipped you are to anticipate their next move.
“We see the same red team members year after year, and we know who many of them are,” said Dr. Mark Shaneck, NCCDC Coach at Liberty University. “We watch their video blogs, read their posts and follow them in social media. They’re actually pretty friendly and helpful, and they’ve given us advice after competitions. Of course, they don’t tell us all of their secrets.”
Attending seminars and keeping a close eye on cybersecurity news is helpful too, said Dustin Bowe, captain of Liberty University’s NCCDC team.
“If you know what and how systems are being broken into, then you can prepare to defend against those attack vectors,” he said.
3. PLAN YOUR PATH
In sports, winning teams develop a game plan. They build their offensive and defensive strategies around their strengths, then run the plays over and over until they have them down perfectly. The same kind of preparation is key to winning a cyber contest.
“Knowing what you’re going to do the first hour is critical,” said Derek Brodeur, Northeastern University NCCDC coach. “You need a checklist of what exploits you need to patch and what services you’re going to secure. So having a good game plan going in is very important.
“And while the scenarios will vary every year, what the teams are scored on doesn’t change,” Brodeur said. “While they may have to adjust to the environment and call an audible, a game plan will keep them on track and going in the right direction.”
4. wORK WELL TOGETHER
Knowing the red team’s tricks can give you an advantage, but it’s just as important to know about the people working alongside you. Winning teams work together, and they do it without ego.
“The key to winning regionals for us was our teamwork,” said Ryan Haley, captain of the DePaul University NCCDC team. “We get along with each other, spend time together outside the classroom, and genuinely enjoy each other’s company.
“We know each of others’ strengths and weaknesses, how we react under pressure and when to react, jumping in to help when needed,” Haley said. “We also try to keep it light, so we don’t get under each other’s skin."
5.Diversity = power
At a recent college cybersecurity competition, Brigham Young University NCCDC Captain Laura Wilkinson overheard an opposing student ask, “Why did BYU waste so many spots on girls?”
The next day, he got his answer. BYU’s team is split evenly between men and women, and they believe that ratio gives them a competitive advantage.
“Think differently…that’s what we do,” Wilkinson said.
It's not that men or women are naturally better at any part of cybersecurity, team coach Dale Rowe said. It's that combining their different approaches makes it more likely they'll solve the problem in front of them.
"It's one of the reasons our team is so successful," he said.
Success in finding and fixing network flaws makes for a calm, competent team, said Sarah Cunha, the BYU squad's firewall lead.
“One of the things that we hear from the white team (the judges) is that we get along so well with each other,” she said. “They’ll tell us the other teams are either freaking out or yelling at each other, and we’re in here doing a sing-along.”
This document does not contain technology or technical data controlled under either the U.S. International Traffic in Arms Regulations or the U.S. Export Administration Regulations. E16-NXZM