The Collegiate Cyber Defense Competition (CCDC) is the best preparation a college student can get for a career in IT operations or defensive cyber security. I played CCDC as a student from 2007 (the third year of the competition’s existence) until 2011, and acted as our team’s captain for the last two years. Now, I have the pleasure of helping run the Southwest Regional competition as the Black Team (IT ops) co-lead.
CCDC is an IT and security competition for college students that emphasizes the business-enabling aspects of information technology. Teams of up to 8 students play the brand new IT department for a simulated company, and must learn their new network and systems in order to keep critical services online, complete assigned business tasks, serve their users, and defend against a red team of professional hackers. Each school’s team is faced with identical hardware, software, tasks, and adversaries. How each team meets the challenge is up to them. The season begins with a virtual, remote 4-hour Qualifier round open to all (in 2019, 23 schools participated). The top 8 teams from Quals advance to the Regional competition, a much harder multi-day in-person event. The winner of Regionals moves on to National CCDC.
During my time helping organize SWCCDC, students have had to write plans for GDPR compliance; execute an e-discovery process as a result of a lawsuit, and subsequently be deposed by actual attorneys; block web sites; deploy DNSSec; write data lifecycle policies; and maintain physical security of their rooms. They’ve supported simulated trucking companies, biotech startups, law firms, and live dinosaur amusement parks. In all cases, the critical characteristic of CCDC is that the students are tasked with putting the needs of the business first, rather than focusing on the technology for its own sake.
Each year, the team I co-lead designs a new corporate network for the student competitors to discover, manage, and defend. Every aspect of its design is meant to challenge their administrative, technical, and planning skills; they are full of pitfalls and dirty tricks that are almost always based on real challenges we’ve faced in our careers: failing disk drives, critical services running as terminated users, insecure configurations, badly formatted configuration files, mountains of technical debt, and more. We produce a separate virtual network for the Qualifying round in February, and a physical network for the in-person Regional competition in March. And, in 2018, I developed a very small take-home practice environment called the Warm-up.
For Regionals, our small all-volunteer team builds, deploys, maintains, and tears down the entire environment, all in one week. We stand up 9 copies of the simulated corporate network, plus all supporting infrastructure for system build labs, temporary administrative offices, competition wi-fi, and more, all in time for a 3-day competition that gives the student teams the best experience we know how.