Cyber Defense Competitions,  DevOps,  Solutions Architecture

Wouldn’t you prefer a nice game of chess? – Designing and Running a Cyber Defense Competition in AWS

In July 2018 Highline College and Namibia University of Science and Technology (NUST) hosted the 3rd annual International Collegiate Cyber Defense Invitational (ICCDI). In 2017 the competition was held on the Highline College campus in Des Moines, WA and all participating colleges save one competed on campus. Eight students from Politeknik Negeri Medan in Indonesia competed remotely. The competition was run on Highline’s VMware infrastructure and the team in Indonesia connected via VPN and accessed the game environment through VMware Horizon virtual desktops. For the 2018 competition we would have teams of students at Highline and at NUST, as well as Indonesia competing remotely again. With teams competing in at least three different locations around the globe, it no longer made sense to have the game environment locally hosted on Highline’s infrastructure. But I had an idea… move the entire infrastructure to AWS.

Highline College has been designing and hosting cyber defense competitions for 10 years, and over that time we have fine-tuned building a gaming environment on VMware with up to 48 class C networks and over 150 virtual machines to almost a science. Well, maybe more of an art. So it felt like starting from scratch. And what was worse is we had only 2 months to do it.

ICCDI 2017 Network Map

The first step was deciding which AWS Region to use. We chose EU-London since it was roughly equidistant from each of the three locations and Namibia is connected to the internet via underwater fiber optic cables coming from London. Once we had that, we needed to create a network that looked like the VM networks we have designed in the past. This was easy enough. We needed to create a VPC (virtual private cloud), a subnet for the scoring engine and the red team, and two subnets per student team (blue teams).

Next we had to create the servers the blue teams needed to protect. Normally this would be a simple task in AWS. Simply create a new instance (VM), choose which OS you want it to run and what resources you want it to have, and voilà, you have a shiny new EC2 instance. However, this wouldn’t work in a cyber defense competition. The images in AWS, called AMIs, used to create new EC2 instances are, naturally, already patched and updated. And why wouldn’t they be? But if we gave the blue teams fully patched servers, what fun would that be? The servers the blue teams get in a cyber defense competition are designed to be insecure. Unpatched, misconfigured, full of security holes, and oftentimes completely broken. So we would need to upload our own AMIs. The servers would need to be created in VMware, left unpatched, and all the security holes would need to be configured before uploading the images. Luckily AWS makes it easy to upload your local VMs and convert them using their Server Migration Service.

Now all that was left was to build out the entire environment. For each blue team we needed to create subnets, deploy EC2 instances from the custom AMIs, associate the instance with their subnet and configure networking, create security groups and attach them to the appropriate instance, create elastic IPs for each instance so they can be accessed remotely, and create DNS records for each elastic IP. This would need to be done for each blue team. Each blue team had 2 subnets, 9 EC2 instances, 9 security groups, 9 elastic IPs, and 9 DNS records. And this year we had 8 teams. That’s a lot of time in the AWS management console clicking buttons.

AWS-CLI to the rescue.

With the AWS command line interface I was able to write a Python script to build out the entire environment. It used an .ini file to describe the environment, such as how many blue teams there were, how many subnets each team gets, which AMIs to use and what IP address each instance would get. The entire thing ran in about 12 minutes. That’s 72 unique instances, 72 security groups, 72 elastic IPs, 72 DNS records, 16 subnets, and 1 VPC.
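The planning step of such a build, as an added example that is not the script used for the competition: it reads an .ini description and works out every subnet, private IP, security group name and DNS name before any AWS call is made. The .ini key names, the 10.0.0.0/16 range, the host names, the AMI placeholders and the `iccdi.example` domain are all assumptions made for illustration.

```python
import configparser
import ipaddress
# Constructed sample: key names, CIDR, host names, AMI ids and domain are assumptions.
SAMPLE_INI = """
[environment]
vpc_cidr = 10.0.0.0/16
teams = 8
subnets_per_team = 2
domain = iccdi.example
[hosts]
; name = subnet index within the team, host offset, AMI placeholder
dc = 0, 10, ami-PLACEHOLDER-1
mail = 0, 11, ami-PLACEHOLDER-2
web = 0, 12, ami-PLACEHOLDER-3
db = 0, 13, ami-PLACEHOLDER-4
files = 0, 14, ami-PLACEHOLDER-5
ftp = 1, 10, ami-PLACEHOLDER-6
wiki = 1, 11, ami-PLACEHOLDER-7
shop = 1, 12, ami-PLACEHOLDER-8
dns = 1, 13, ami-PLACEHOLDER-9
"""

def build_plan(ini_text):
    cfg = configparser.ConfigParser()
    cfg.read_string(ini_text)
    env = cfg["environment"]
    teams, per_team = env.getint("teams"), env.getint("subnets_per_team")
    # Carve the VPC into /24s; the first /24 is kept for the scoring engine and red team.
    blocks = list(ipaddress.ip_network(env["vpc_cidr"]).subnets(new_prefix=24))
    if 1 + teams * per_team > len(blocks):
        raise ValueError("VPC too small for the requested teams")
    plan = {"subnets": [], "instances": []}
    for team in range(1, teams + 1):
        nets = blocks[1 + (team - 1) * per_team : 1 + team * per_team]
        plan["subnets"] += [str(n) for n in nets]
        for name, spec in cfg["hosts"].items():
            idx, offset, ami = [s.strip() for s in spec.split(",")]
            net = nets[int(idx)]
            # AWS reserves the first four addresses and the last one in every subnet.
            if not 4 <= int(offset) < net.num_addresses - 1:
                raise ValueError(f"{name}: offset {offset} is reserved or out of range")
            plan["instances"].append({"team": team, "name": name, "ami": ami,
                "private_ip": str(net[int(offset)]),
                "security_group": f"team{team}-{name}-sg",
                "dns": f"{name}.team{team}.{env['domain']}"})
    return plan

if __name__ == "__main__":
    print(len(build_plan(SAMPLE_INI)["instances"]), "instances planned")
```

Each planned instance maps to one security group, one Elastic IP and one DNS record, which is how 8 teams of 9 hosts reach the totals given above.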

There was still some stuff we needed to configure manually, such as Identity and Access Management (IAM) to allow the blue teams access to the AWS management console, but this will be incorporated into the Python script for the 2019 competition.

We had several other challenges to overcome, such as how to run a live event in three different timezones around the globe and how to give the red team (hackers) access to the AWS environment, but despite a few hiccups the event was a complete success. Our next cyber competition is the Pacific Rim Collegiate Cyber Defense Competition (PRCCDC). This will most likely be a hybrid environment using VMware and AWS, which I’m sure will come with its own set of challenges, but I think going forward AWS will play an ever increasing role in our competitions. Unless of course Microsoft Azure wants to give us some money.

ICCDI 2018 @NUST, Windhoek, Namibia
