##################
Competition Rules
##################

***********
Definitions
***********

.. glossary::

   CDC
      Cyber Defense Competition

   ISEAGE
      Internet Scale Event Attack Generation Environment (a simulated Internet).

   Blue Teams
      Competitors playing the role of the Information Assurance community. These teams must identify and defend against various security threats via the ISEAGE network.

   Red Team
      Comprised of professionals from the Information Assurance community playing the role of hackers. This team must create and implement various attack strategies against the Blue Teams, and capture flags from the Blue Team servers. It is headed by the Red Team Leader.

   White Team
      Comprised of respected individuals from the Information Assurance community. This team is the judging authority for the CDC.

   Green Team
      This team consists of members with various levels of computer familiarity and skill. They play the role of typical network users. The Green Team's duties include regular Internet usage and the execution of predefined anomalies. It is headed by the Green Team Leader.

   Flag
      A file placed in a predefined location. The Red Team must capture these flags from, or plant them onto, teams' systems.

   Anomalies
      These events are injected into the system at various times throughout the competition. The Anomalies are designed to test, or simply complicate, the Blue Teams' duties during the competition.

   Competition Director
      Oversees the operation of the CDC, is the final authority on scoring and adjudication, and coordinates the Red, Green, and Blue Teams.

   White Team Leader
      Oversees the operation of the CDC, leads the White Team in scoring and adjudication, and coordinates the Red, Green, and Blue Teams.

   IScorE
      The web-based scoring application tailored to the CDC. IScorE may be used by all teams to submit, view, and alter scores. Located at https://iscore.iseage.org.
**********
Objectives
**********

The purpose of the Cyber Defense Competition is to provide students with a simulation of real-life experiences in Information Assurance for the purpose of education. Students play the role of the Blue Team, or Information Assurance community, under fire from the Red Team, which simulates the attackers of a network. The White Team oversees the competition, judging (and scoring) each Blue Team based upon the Red and Green Team reports received. The Green Team plays the role of general network users, and of the strain they place upon ensuring security within a network. The Blue Team with the most points at the end of the competition will be named the winner. See the :doc:`../scoring/index` for more information.

**********
Blue Teams
**********

Students will form teams of 4-8 to tackle the challenge laid out in the Scenario document. They will set up and secure a network that is usable by the Green Team while defending it against attacks from the Red Team. Each Blue Team will be assigned a domain name (teamN.isucdc.com) and a subnet of IPs on which to make their services available on the ISEAGE network. Check your dashboard on IScorE for your team's range.

Some of the services in the scenario will be provided and will need to be secured. If a Blue Team damages a provided service beyond the point of recovery, the White Team can provide a fresh image of the system, but the Blue Team will incur a scoring penalty of 75 points per re-install.

Access and functional requirements specified under each server in the Scenario document must be met in order to receive any points for that particular server. If these requirements are not met, service scanner points will not be awarded and additional penalties may be applied in some circumstances.

.. attention:: Blue Teams may not perform any offensive action toward any other participant or ISEAGE during setup or the competition. Doing so will result in a penalty up to disqualification of the attacking team.

Blue Team members are responsible for any ISEAGE accounts assigned to them for use in the CDC environment (Remote Desktop, vCenter, chat accounts). Any actions performed on these accounts will be attributed to the team to which the account is assigned, and penalties will be assigned accordingly if necessary. **Therefore, do not share your CDC credentials with anyone.**

============
Remote Setup
============

Setup will be available remotely 24/7; see :doc:`../remote_setup/index`. ISEAGE provides online support via chat, available at https://setup.iseage.org. Setup chat is only staffed during specific hours of the day, 8 AM to 9 PM. If an ISEAGE staff member is not available to chat, you can submit support requests to cdc_support@iastate.edu. Always include your team number in correspondence. Rule clarification or procedural questions should also be sent to this e-mail address. Teams are encouraged to seek help from anyone (including the White Team) during this phase.

--------
Hardware
--------

Each team will be provided access to the VMware vCenter server environment. The White Team operates the administrative accounts on vCenter. These accounts will not be used maliciously; you will not need to worry about securing the VMware environment. The Blue Teams will be held accountable for missing or damaged hardware at the end of the competition. If hardware becomes damaged or is missing, contact the White Team immediately. If hardware fails during the competition or there is a suspected network outage, please contact the White Team immediately.

--------
Software
--------

All software used in the competition must either be freely available or provided by ISEAGE; see the :doc:`../remote_setup/index` document. Trials of non-free software that do not exceed the trial period are allowed.
----------------------
Accounts and Passwords
----------------------

* A list of users and their passwords will be provided.
* The accounts must work for the services described in the Scenario document.
* You may **NOT** change the password for any required user unless instructed to by the Green Team Leader or White Team Leader.
* Users may be furloughed or fired from the organization and must have their access disabled or removed swiftly if this occurs. See the scenario document for more information.
* Some passwords are specific to individual teams. They are denoted by "********" or "Team-Specific" and will be provided on IScorE.

-----------------------------------
Required Flags for Red Team Capture
-----------------------------------

See the scenario document for required flag locations. You will be required to maintain a "flag" for some of the required services (see the scenario document). Once setup commences, you will be given these flag files via IScorE. Flags are intended to represent data stored in each of these directories, and thus cannot have more restrictive access permissions than other files in the directory. They cannot be compressed, encrypted, encoded, or in any other way obfuscated.

In addition to planted flags, there may also be sensitive data that the Red Team will want to capture, such as passwords, financial information, etc., which may be located in files or databases. If the Red Team manages to capture this sensitive data, you will lose flag points for each item lost.

If the Red Team determines a flag is missing, it will be considered captured unless the Blue Team can prove it is present. See the `Red Team`_ section and the :doc:`../scoring/index` document for more details.

=============
On-site Setup
=============

During the competition, teams WILL NOT be provided with hardware to access their machines. This means that your team should bring laptops to the competition as a front-end to the virtualization environment. We will provide a safe network, isolated from the Red Team attacks, onto which you can connect your personal computers and manage the machines directly. If you do not have a computer available, let the Competition Director know before you arrive and the ISEAGE staff can accommodate you.

============
Attack Phase
============

During the attack phase, the Red Team will arrive on-site and attempt to gain access to your services in order to capture flags, reduce usability, or take the services offline. This will begin at a specified time (8 AM for ISU CDCs) on the day of the competition. We will announce the start of the attack phase on the competition floor before it begins.

Blue Teams are not allowed to explicitly block or ban specific IPs or IP ranges; doing so is unrealistic and completely ineffective in the real world of IT. Automated systems that block connections for a few minutes after N failed login attempts (e.g. fail2ban) are allowed. If applicable, please justify any blocks made after N failed login attempts within your network documentation. The Competition Director reserves the right to determine whether an IP blocking policy is beyond realistic and breaking the rules.

Blue Teams may **NOT** receive help from anyone not registered on that team (including advisors or mentors, professors, company recruiters, or friends) during the attack phase. Doing so will result in a penalty of up to 500 points.

.. attention:: Blue Teams may not make in-person contact with a Green Team member or Red Team member directly. These contacts must go through the Green Team Leader or White Team Leader.

--------------------
Green Team Anomalies
--------------------

In the real world of IT, there is never a dull moment. Green Team anomalies simulate the never-ending stream of requests that everyday IT employees must be prepared to handle. During the competition, anomalies will be released via IScorE. They are worth varying point values based on their difficulty.
Blue Teams will need to submit anomalies before they expire in order to gain points. Completion of anomalies is **optional** unless the anomaly specifies otherwise. However, Blue Teams that refuse or do not submit an anomaly will not be awarded any points for it. Anomalies will account for a significant amount of points and are highly encouraged. Blue Team members are in charge of making sure that the Anomalies are submitted on time and with responses that are professional.

.. attention:: Any anomaly that is submitted after the time deadline will not be graded unless stated by the White Team or the Director.

-------------
Communication
-------------

During the event, the Green Team Leader, Competition Director, or White Team may announce instructions or important information. All instructions must be obeyed. At the Competition Director's or White Team Leader's discretion, a penalty may be assigned to a team that does not follow the instructions in a timely manner.

--------------
Service Uptime
--------------

IScorE's automated service scanner will be used to check if your services are online every few minutes. This data will be automatically incorporated into scoring results. Any attempt to whitelist, or otherwise give preferential treatment to, the service scanner is disallowed. This includes heavy rate-limiting. Teams doing this will not receive points for any affected services and may retroactively lose service points for those services at the Competition Director's discretion.

-----------------
Intrusion Reports
-----------------

In real-world IT, management will require regular reports on the security of your network, as well as in-depth analysis of any intrusions. Blue Teams may turn in an intrusion summary report at 9 AM, 11 AM, and 1 PM. These times can be changed, added to, or cancelled at the discretion of the White Team Leader or Competition Director and will be announced. This report should cover, in detail, any intrusions noted or the lack thereof (in your IDS or otherwise), your team's assessment of their impact, and the mitigating measures your team took, along with evidence to support your analysis. **A simple printout of a log file will not earn any points, nor will a "No Intrusions Detected" without any evidence to back it up.**

Each report is worth up to 25 points and must be submitted via IScorE. Late submissions **WILL NOT** be graded. They are scored on:

* Detail (0-7 pts)
* Supporting evidence (0-5 pts)
* Insightful analysis (0-5 pts)
* Mitigating actions (0-8 pts)

=============
Documentation
=============

.. danger:: If the White Team suspects your team submitted another team's documentation, both teams will receive **ZERO (0)** points on the documentation!

----------------------------------
Network (White Team) Documentation
----------------------------------

White Team documentation represents the reports that real-world companies require of their IT staff. In it, you should explain, in detail, your plan for setting up and securing your network. You must provide this prior to the scheduled start of the competition by submitting it on IScorE. It is worth up to **100 points** and should include:

* Details of your network layout (IP addresses, firewalls, whether you have chosen to use NAT)
* Network diagram(s)
* Discussion of the operating systems, software, etc. you have chosen to run each of your services
* Anything else that you feel demonstrates your preparedness to the White Team

This document needs to be professional and thorough. It is scored on:

* Detail **(0-40 pts)**
* Professionalism **(0-30 pts)**
* Supporting diagrams, figures, and tables **(0-20 pts)**
* Effectiveness of plan **(0-10 pts)**

The Network Documentation score will decrease by 25% for every 30 minutes it is late. The first penalty will take effect immediately following the start of the attack phase.
------------------------
Green Team Documentation
------------------------

Green Team documentation instructs your users (the Green Team) on how to use your services. You must submit this prior to the scheduled start of the competition on IScorE. Keep in mind that the usability scores given by the Green Team will be severely affected if this documentation is not present! Teams often underestimate the importance of usability; it can easily make or break the competition. Ensure your network has a good balance between usability and security.

This documentation is worth up to 100 points and should include instructions for users with little or no computer experience on how to use all of the services you have provided.

*HINT*: You may find a screen capture program such as `Jing `_ extremely helpful in completing your documentation.

It is scored on:

* Detail of instructions **(0-20 pts)**
* Clarity **(0-20 pts)**
* Completeness **(0-20 pts)**
* Professionalism **(0-20 pts)**
* Supporting graphics, figures, and diagrams **(0-20 pts)**

The Green Team Documentation score will decrease by 25% for every 30 minutes it is late. The first penalty will take effect immediately following the start of the attack phase.

********
Red Team
********

The Red Team represents the "bad guys": malicious users, advanced persistent threats, or other agents that may want to cause harm to a Blue Team's infrastructure. The Red Team is staffed by professionals in the Information Assurance community chosen by the Competition Director and the Red Team Leader. The Red Team will evaluate the efforts of the Blue Teams at the completion of the Attack Phase.

===============
Red Team Leader
===============

The Red Team Leader is chosen by the Competition Director and will coordinate with the White Team Leader to ensure a fair and successful competition. The Red Team Leader will serve as a mediator between the Red Team members and the White Team to settle any scoring disputes, and will, if necessary, set boundaries for attacks to keep the competition running smoothly.

============
Attack Phase
============

Red Team members will keep detailed accounts of all attacks performed. IScorE will provide a place to document all offensive actions taken. These documents will be made available after the competition on IScorE under the "Red Team Wiki" page.

Red Team members will attempt to obtain flags on each Blue Team's network; see `Required Flags for Red Team Capture`_. Blue Teams start with a given number of flags, and for each flag captured by the Red Team, a number of points is lost. The Red Team must submit the captured flags via IScorE for verification and scoring. Blue Teams may challenge a capture if they feel it is warranted. See the :doc:`../scoring/index` for more information on the scoring of flags.

-------------------
Rules of Engagement
-------------------

* Attacks cannot leave the ISEAGE environment.
* Attacks must be terminated upon request of the White Team.
* The Red Team will attempt to plant flags onto each Blue Team's network in White Team-designated locations.
* At certain points during the attack phase, the White Team may allow physical access to the competition area without the presence or supervision of Blue Team members. Special rules apply during these engagements. Red Team members may not:

  * Search through personal belongings or cause excessive untidiness
  * Remove *any item* from the competition area without explicit permission from the White Team
  * Tamper with ISEAGE infrastructure, including but not limited to: servers, switches, power supplies, and cabling. Exceptions may be made when ISEPhone is in use.
  * Perform any action that is beyond the scope of the competition or inconsistent with the spirit and goal of the Red Team (e.g. installing malware, copying or removing personal files or data, or otherwise harassing Blue Team members)

* In addition to required flags, sensitive information (e.g. credit card numbers, Social Security numbers, etc.) will be present on some systems; see the scenario document for more information.

At the discretion of the Competition Director and Red Team Leader, Red Team members who operate in excess of these rules may be asked to leave.

-------------------
Red Team Evaluation
-------------------

The breakdown of the scoring of the Red Team Evaluation can be found in the :doc:`../scoring/index`.

**********
White Team
**********

The White Team will be led by the White Team Leader. The White Team is responsible for setting up and maintaining the ISEAGE network, IScorE, and all CDC infrastructure, as well as running the competition. At least one White Team member must be present at all times during On-Site Setup and the Attack Phase.

==================
White Team Members
==================

White Team members will be chosen by the Competition Director. The White Team may not aid or assist teams in any way during the attack phase except to resolve disputes.

===================
Grading and Scoring
===================

The White Team is in charge of grading all Documentation, Intrusion Reports, and Anomalies. The Green Team Leader may grade the Green Team Documentation, and the Green Team may assist with grading Anomalies as decided by the Green Team Leader and White Team Leader on the day of the competition. The White Team will assign penalties if necessary. At the end of the competition, they will determine the final placement of Blue Teams.

========
Disputes
========

If a Blue Team member, mentor, or coach objects to scoring, enforcement of the rules, etc. during the competition, they may first contact the head of the area in dispute to resolve that conflict. For anomalies and usability checks, they should contact the Green Team Leader.
For questions about rules, scoring, or anything else, they should contact the White Team Leader. The Green Team Leader or White Team Leader will make a decision. If the Blue Team member, mentor, or coach disputes that decision, they may appeal to the Director, who will make the final decision. The Director is the final authority and cannot be further appealed.

**********
Green Team
**********

The Green Team represents the users of a Blue Team's infrastructure. They will score each Blue Team on the usability of their services.

=================
Green Team Leader
=================

The Green Team Leader will coordinate the efforts of the Green Team members in order to assess the Blue Teams fairly. The Green Team Leader will also coordinate with the Competition Director in the creation of Green Team Anomalies, and with Green, White, and Red Team members in their execution. The Green Team Leader may also assist with grading Green Team Documentation and Anomalies.

The Green Team Leader is the custodian of Blue Team passwords and other information as described by the scenario. The Green Team Leader or White Team Leader must authorize any password changes by Blue Teams. The Green Team Leader must be present if a Green Team member wishes to confer with a Blue Team. Blue Team members with questions regarding the scoring of Usability or Anomalies should confer with the Green Team Leader.

==================
Green Team Members
==================

Just like in real-world IT, Green Team members will be of varying technical skill and ability. Green Team members will score Blue Teams in several Usability Checks during the attack phase by completing normal activities such as browsing the web server, connecting to the file server, or logging into the remote desktop server. They will fill out a Usability Form on IScorE during evaluation. This Usability Form is unbiased and consists of items like "Is John Smith able to log in to the RDP server?" with simple Yes or No answers. Green Team members will also, at the direction of the Green Team Leader, score Anomaly submissions.

Green Team members may NOT confer with Red Team members during the Attack Phase. They may not, under any circumstances, give passwords or other sensitive Blue Team information to the Red Team. Additionally, Green Team members may NOT intentionally perform attacks or malicious actions against any Blue Team. Unruly Green Team members may be asked to leave by the ISEAGE staff.

*************************
Requirements for Services
*************************

All services must work as described in the scenario document. In addition, all your services must provide the functionality described below. If a service does not follow the guidelines below, it can be downed administratively (shown red on IScorE) by the White Team. If the White Team determines that your service is not functioning as required, they will administratively down that service.

===========
All Systems
===========

All systems must allow access to the Internet via the proxy, and all required users should have correct access per the scenario document.

=======
SSL/TLS
=======

Unless otherwise stated, your services may use their SSL/TLS variant if you wish to do so. The certificates used by these services **SHOULD** be signed by the ISEAGE Root CA. Contact the White Team with your CSR (Certificate Signing Request) if you want the certificate to be signed.

.. note:: The ISEAGE Root CA is installed on the RDP hop and is available for download `here `_.

.. important:: While self-signed certificates are allowed, there is no guarantee that the Green Team will ignore certificate warnings (that is, warnings not caused by the ISEAGE Root CA).

==============
Remote Desktop
==============

Users **MUST** be able to connect to a desktop environment with macOS, Windows, and rdesktop clients. RemoteApps alone are **NOT** sufficient; all users **MUST** be able to use a full Remote Desktop session. Administrative users **MUST** have the correct access as per the scenario.
When RDP is used as an actual RDP server (not just for remote administration), more than two (2) simultaneous sessions must be allowed. Only automatic blocking of connections is allowed.

====
HTTP
====

Your service **MUST** be fully functional as per the scenario.

===
SSH
===

Users **MUST** have access to their home folder and be able to run simple commands, such as :code:`ls`, and administrative users, as defined in the scenario document, **MUST** have administrative access as per the scenario in order to receive service scanner points.

.. important:: Only password authentication is allowed for competition users. We will not do checks (either by the Green Team or the service scanner) with SSH keys, multi-factor authentication, or other non-password schemes.

===
FTP
===

You can switch to other options such as SFTP or FTPS. However, users **MUST** be informed of how to use these alternate options in your team's Green Team documentation. Users **MUST** have read/write access as per the scenario.

=====
Email
=====

All required users, as defined in the scenario document, **MUST** have access, and users must be able to send and receive emails.

=======
Backups
=======

At a minimum, user data, configuration, application code (if applicable), and any additional directories or files listed in the scenario **MUST** be backed up. Backups **MUST** be taken at *least* every 30 minutes. This applies to **ALL** machines on your network.

.. warning:: **Snapshots are not a backup solution**. The White Team may, at their discretion, disable your ability to take and restore from snapshots during the attack phase. You may use snapshots to assist in the setup phase.

More specifically, at *minimum* the following need to be backed up:

* ``/etc/``
* ``/home/`` and ``/root/``
* ``C:\Users``
* Application source code
* Database data

*************
Phone Systems
*************

The ISEAGE Phone System (ISEPhone) is a telephone analog of the Competition Network.
It is isolated from the public switched telephone network, as well as from the Competition Network. When ISEPhone is used, it is the preferred method of communication between the Blue Team and Green Team. The availability of ISEPhone will be announced at least 24 hours prior to the Green Team documentation deadline. The Director may require that the Phone System be the only method of communication allowable during the attack phase; this decision need not be announced prior to the attack phase.

Blue Teams may initiate phone calls to the Green, White, or Red Team for any reason. Blue Teams are not permitted to call other Blue Teams. The Red Team may not initiate a call to the Green Team; however, they are permitted to use other social engineering techniques, website defacement, or other practices to trick the Green Team into calling the Red Team. The Green Team may call a Blue Team for a number of reasons, including technical support, help, and Green Team usability checks. The Red Team may also call a Blue Team for any reason, including impersonating the Green Team.

ISEAGE makes no guarantee as to the accuracy of CallerID information from ISEPhone, nor any guarantee as to any pattern of phone numbers. However, once a phone number has been used, it will not be repurposed to a different phone for the remainder of that competition. Blue Teams are solely responsible for providing the Green Team with telephone authentication policies and procedures. The Green Team will adhere to any telephone policies provided in the Green Team documentation, provided such policies are conspicuously identified in the table of contents of the documentation.

The Red Team is allowed to attack the ISEPhone system at the Blue Team location. Any Blue Team analog phone line is in scope, as well as any network cable which only carries VoIP traffic, provided this network cable is located in the Blue Team area. In effect, this means that scope begins at the Blue Team handset and ends at the ISEAGE trunk switch. The Red Team is prohibited from performing physical attacks against ISEPhone equipment located in White and/or Green Team areas. Attacks against ISEPhone servers are not allowed. Attacks against Blue Team analog phone adaptors are permitted, provided the Red Team coordinates with an ISEAGE staff member.
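For the SSL/TLS requirement under Requirements for Services above (certificates that **SHOULD** be signed by the ISEAGE Root CA, with the CSR handed to the White Team), the following is an added example of generating the private key and CSR with ``openssl``. It is not part of the CDC rules or of any ISEAGE tooling. It assumes a Linux host with OpenSSL installed; the hostnames under ``team1.isucdc.com``, the organization name and the ``./pki`` output directory are placeholders, not values from the scenario.

```shell
#!/bin/sh
# Added example (not from the CDC rules or ISEAGE): generate a server key and a CSR
# to submit to the White Team for signing by the ISEAGE Root CA.
# Assumptions: OpenSSL is installed; the hostnames under team1.isucdc.com and the
# organization name are placeholders, not values from the scenario document.
set -eu

# make_csr NAME OUTDIR [ALTNAME...]
# Writes OUTDIR/NAME.key (private key, mode 0600) and OUTDIR/NAME.csr, with NAME and
# every ALTNAME listed as DNS Subject Alternative Names. Browsers match the SAN list,
# not the CN, so every hostname the service answers on must be listed here.
# Returns non-zero if the finished CSR does not verify against its own key.
make_csr() {
  name=$1; outdir=$2; shift 2
  mkdir -p "$outdir"
  key="$outdir/$name.key"; csr="$outdir/$name.csr"; cfg="$outdir/$name.cnf"

  san="DNS:$name"
  for alt in "$@"; do san="$san,DNS:$alt"; done

  # Non-interactive request config: "prompt = no" takes the subject from [dn] as-is.
  cat > "$cfg" <<EOF
[req]
distinguished_name = dn
req_extensions     = ext
prompt             = no
[dn]
CN = $name
O  = Team 1 Blue Team
[ext]
subjectAltName   = $san
extendedKeyUsage = serverAuth
EOF

  # -nodes: unencrypted key so the service can start unattended; protect it by file mode.
  openssl req -new -newkey rsa:2048 -nodes -keyout "$key" -out "$csr" -config "$cfg" 2>/dev/null
  chmod 600 "$key"
  # Self-check before sending: the CSR signature must verify with the embedded public key.
  openssl req -in "$csr" -noout -verify >/dev/null 2>&1
}

# csr_sans CSRFILE : print the SAN line of a CSR, to eyeball the hostnames before submission.
csr_sans() {
  openssl req -in "$1" -noout -text | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

# Usage, guarded so that sourcing this file only defines the functions:
#   sh make_csr.sh run    -> writes ./pki/www.team1.isucdc.com.key and .csr
# Send the .csr (never the .key) to the White Team. When the signed certificate comes
# back, confirm it chains to the downloaded root before deploying it:
#   openssl verify -CAfile iseage-root.pem ./pki/www.team1.isucdc.com.crt
if [ "${1:-}" = run ]; then
  make_csr www.team1.isucdc.com ./pki team1.isucdc.com mail.team1.isucdc.com
  csr_sans ./pki/www.team1.isucdc.com.csr
fi
```

Keep the key on the server that terminates TLS and nowhere else; the CSR contains only the public key and the requested names, so it is safe to send over setup chat or e-mail.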
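For the Backups requirement under Requirements for Services above (``/etc/``, ``/home/`` and ``/root/``, application source code and database data, at least every 30 minutes, on every machine), the following is an added example of a minimal timestamped backup job and the cron entry that runs it. It is not part of the CDC rules. It assumes a Linux host with ``tar`` and ``sha256sum``; ``/srv/backups`` as a destination on a separate volume, ``/var/www`` as the application directory and ``webapp`` as a MySQL database name are placeholders of mine.

```shell
#!/bin/sh
# Added example (not from the CDC rules): timestamped backup job meeting the
# "at least every 30 minutes" requirement for the paths listed under Backups.
# Assumptions: Linux with tar and sha256sum; /srv/backups is a separate disk or mount
# (a copy on the volume the Red Team already controls is not a backup); /var/www and
# the database name "webapp" are placeholders; the dump runs only if mysqldump exists.
set -eu

# backup_paths DEST PATH... : archive PATH... into DEST/backup-<UTC stamp>.tgz and write a
# SHA-256 sum beside it, so a tampered archive is caught at restore time. Leading slashes
# are stripped (tar -C /) so the archive can be unpacked under any directory for inspection.
# Prints the archive path. Paths must not contain whitespace.
backup_paths() {
  dest=$1; shift
  stamp=$(date -u +%Y%m%dT%H%M%SZ)
  archive="$dest/backup-$stamp.tgz"
  rel=""
  for p in "$@"; do rel="$rel ${p#/}"; done
  mkdir -p "$dest"
  tar -czf "$archive" -C / $rel
  (cd "$dest" && sha256sum "backup-$stamp.tgz" > "backup-$stamp.tgz.sha256")
  echo "$archive"
}

# verify_backup ARCHIVE : check the recorded sum and that the archive lists cleanly;
# non-zero if either fails. Run this before trusting a backup for a restore.
verify_backup() {
  (cd "$(dirname "$1")" && sha256sum -c "$(basename "$1").sha256" >/dev/null 2>&1) &&
    tar -tzf "$1" >/dev/null 2>&1
}

# dump_db DEST NAME : consistent dump of one InnoDB database, if a MySQL client is present.
dump_db() {
  command -v mysqldump >/dev/null 2>&1 || return 0
  mysqldump --single-transaction "$2" > "$1/$2-$(date -u +%Y%m%dT%H%M%SZ).sql"
}

# The job runs only when invoked with "run"; sourcing this file just defines the functions.
# Cron entry for /etc/cron.d/cdc-backup (every 30 minutes, as root):
#   */30 * * * * root /usr/local/sbin/cdc-backup.sh run
if [ "${1:-}" = run ]; then
  dest=/srv/backups
  dump_db "$dest" webapp
  a=$(backup_paths "$dest" /etc /home /root /var/www)
  verify_backup "$a" && echo "backup ok: $a"
fi
```

Each run produces a new archive rather than overwriting the last one, so a backup taken after the Red Team has already modified a file does not destroy the clean copy from the previous interval; prune old archives by age once the volume fills. Windows hosts covered by the ``C:\Users`` item need an equivalent scheduled task, which this Linux example does not provide.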