By Sonja Hansen
“Imagine that a Stanford-size organization with thousands of employees and a plethora of different systems had their entire IT and security team fired, and you have to fill in for them as eight students only learning about [the situation] the day it starts,” said Stanford Applied Cyber’s captain Antoni Wojciech Rytel ’21. “Now, imagine that the past team was incompetent at best and configured the system to be very vulnerable.”
Rytel was describing the setup of the National Collegiate Cyber Defense Competition (NCCDC) in Orlando, Florida, which took place over three days from Tuesday to Thursday. For the first time since the student group’s inception in late 2015, Stanford Applied Cyber was a national finalist in the two-day long simulation that mimicked the high-stress situation of a cyber attack.
“If that’s not enough,” Rytel continued, “Imagine that you’re under [cyber attack] by a team of about 30 professional hackers who are actively trying to break in, and the management not only doesn’t tolerate any disruptions in business operations but also swamps you with a number of bureaucratic tasks.”
Of the 235 colleges participating in the league, only 10 qualified for the annual national competition. Stanford was admitted after shooting from nearly last place to first in the Western Regional bracket, comprised of California and Nevada.
The event was conducted in a “red team versus blue team” style of competition that is often associated with military and cybersecurity training simulations. The red team is made up of professional “white-hat” hackers, or computer security specialists who hack into a system or network for the purpose of assessing its security. These hackers simulate a barrage of attacks on a fictional organization’s computer systems. It is up to each student team — the blue teams — to defend their network.
The professional white-hat hackers are usually able to penetrate the students’ networks on the first day. According to NCCDC’s website, last year they broke into the first network about 30 seconds into the competition. In the following days, the hackers attempt to steal customer information, such as financial records, from the databases.
Teams work frantically in rooms, separated from their opponent teams and the white-hat hackers for 16 hours total over two days. The isolation means that teams can only guess how their opponents are faring against the swarm of offensive maneuvers. The game designers try to keep participants on their toes. For example, in another competition, Rytel was surprised to find that the teams would be defending North Korea, specifically a fictional Red Star operating system (OS), the country’s version of the Linux OS.
On the third day, University of Virginia (the 2018 champion) was declared victor yet again, followed by University of Central Florida and Rochester Institute of Technology. Though Stanford did not place, Rytel values the success of their adaptability and capacity to work under pressure.
“The competition attempts to, as much as possible, mimic the environment of actual attacks, which are by definition chaotic,” he said. “It’s effectively impossible to plan for every eventuality, so fast decision-making was key.”
For the majority of the team, this is their first year as members. For some, it’s their first contact with computer security altogether. Their majors range from economics and mathematics to Iranian studies to physics and computer science.
“The variety of backgrounds allowed us to get new perspectives and, for example, better respond to business tasks, which are an integral part of the competition,” Rytel said. “This allowed us to have the degree of flexibility in skillsets most other teams didn’t.”
Apart from NCCDC, Applied Cyber competes in the annual Collegiate Penetration Testing Competition, the offensive equivalent of NCCDC, in which they have taken first in Nationals two years in a row. Throughout the year the club also competes in Capture-The-Flag (CTF) events, in which teams are tasked with challenges of increasing difficulty. These challenges require programming, reverse engineering and handling of ransomware and malware.
Despite the team being made up of mostly rookies, Rytel said that they were able to “stand on the shoulders of giants” thanks to the support from former teammates.
“In this rapidly evolving field, there are always new challenges, and we’re more than ready and willing to take them on,” he said.
Contact Sonja Hansen at smhansen ‘at’ stanford.edu.