Tuesday, April 21, 2015

My Experience at the Deloitte Cyber Threat Competition

The Deloitte Foundation Cyber Threat Competition is a 3-round national security competition. The premise is that schools enter the competition, and the students at each school compete solo through the first two rounds, then as a four-person team in the third round at Deloitte University in Westlake, Texas.

The lake outside of Deloitte University

The first round of the competition was a multiple choice quiz on a large range of security topics including some technical and some managerial questions. The 10 students that had the highest scores in this round moved onto round 2.

Round 2 consisted of an online capture the flag exercise with 10 different challenges that were available for two weeks. The challenges included login scripts that were vulnerable to SQL Injection, XSS vulnerable search queries, and hidden keys in data packet captures. Each challenge had a different point value, and the four students who scored the most points on this section were invited to travel to Deloitte University in Westlake, Texas.

I was one of the four students invited to represent Penn State University, so this past week I flew down to Texas to compete along with John Kissell, Jared Rittle, and Brady Ripka.

I didn't know any of the other three students I was competing with other than through a few emails and text messages. However, Deloitte allowed us to arrive a day before the competition and stay in a hotel. We took this opportunity to grab a few drinks and get to know each other before the competition. In hindsight, this probably gave us a slight edge, because we seemed to be the only team that wasn't fighting through the awkward stage of meeting their teammates on the day of the competition.

A night at The Barn with ribs, pulled pork, macaroni, and brisket

After a fun night of watching hockey, we were transported to Deloitte University in a company-owned Escalade the following morning. At the University, we were shocked to learn that all of the food at Deloitte University was free and buffet-style. There were ribs, steaks, lamb legs, and beef jerky, all made by what must be a fantastic group of chefs, because we couldn't stop commenting on how delicious everything was.

Then it was time to get serious.

We moved into a room with all of the staff and students involved in the competition. After a short presentation with some cool text-based feedback on what we thought of the competition so far, we were introduced to our coaches. The coaches were all Deloitte employees who had previously attended the school they were coaching for. This gave each team a quick way to get along with their coach, and eventually to network with other coaches and students.

Next, we moved into a larger room with tables set up for each school. Each table had a scoring packet for the coaches, an inject packet for each student, and a laptop that was disconnected from the internet. This came as a surprise to many of the students, because round 2 had been such a challenging technical competition, and it suddenly became very obvious that little technical skill would be required for this round.

Deloitte University main entrance

The format of round 3 was a cyber war game. Each team acted as the information security staff at a fictional institution, Mammoth National Bank. The first inject was a letter from a "trusted" government agency notifying the bank of an imminent threat from a Russian hacking collective known as "The Ghosts." Within 10 minutes of receiving this notification, we were directed to give a verbal briefing on what was going on and how we were going to respond. This was 10% of our overall score for the competition.

The next 2 hours consisted of a series of injects revealed from our inject packet. The event was designed to be fast-paced in order to simulate a stressful situation in a real business environment. We were given a new "Time of Day" and additional information about the event every 10-15 minutes. Our task as a team was to respond to each inject. Based on our responses, we were either given points on the coach's scorecard or directed by the coach to open another inject that provided more information. The scores received on this section constituted 30% of our overall score for the competition.

For example, one of the earlier injects was an email from the organizers of a banking conference that some of our employees had attended in the previous months. They notified our team that a company called InfoSaber had registered under false pretenses and had been handing out USB flash drives to attendees of the conference. One of our reactionary responses was to request a list of the attendees of the conference. This prompted another inject to be opened: an email indicating that 7 employees attended, 5 of these employees took flash drives, and 1 employee plugged the drive into their work computer.

Each team was also given a $100,000 budget to spend on services to respond to injects. Some of the available services included basic forensic analysis, advanced forensic analysis, DDoS protection, emergency backup generators, external PR, and consultation with a Deloitte expert. Given the cost of each of these services, there was no way to purchase everything we wanted, so we had to prioritize what we needed.

Throughout the event, we had to deal with a variety of situations including:

  • A rootkit-infected flash drive that penetrated the network
  • Customer reports of unavailable funds and unrecognized transactions
  • Phishing emails to a regional bank manager
  • A keylogger on the computer of a high-level access employee
  • DDoS attacks on customer-facing websites
  • Negative social media responses from customers
  • Online sales of customer data
  • Leaked company data including emails, salary information, and contracts
  • Ransom requests

The Penn State team in the war game room

The Penn State team did well on the injects: we were able to open all but two of them. We knew how to open the last two, but could not because of budget restrictions, since we had prioritized customer relations over forensic analysis.

Our last inject was an email requesting a 15-minute briefing from the CEO the next morning. We were given 2 hours to prepare and submit a presentation to be given the next morning. We were instructed to use a template that guided us to provide specific information, but this proved to be useless.

The next morning, our team showed up ready to present, under the impression that we would have 7 minutes to talk and 7 minutes for questions. However, after introducing ourselves and telling the board of directors that we were under attack, we were immediately hammered with questions. This threw us off-guard a bit, but we responded well to the changing situation.

This proved to be much more realistic than we were expecting, which was perfect for providing a learning experience. A high-pressure presentation in front of a board of directors should never be an easy thing to do. There were certainly things we were asked and didn't know. In fact, the judges knew that we weren't going to know many of the things being asked, and were expecting an answer similar to "We don't have that information right now, but we'll work on it and get back to you as quickly as possible."

Another point that the competition made is that when presenting to a board of directors, you need to speak their language. They're not going to know what a rootkit is, so there's no point in giving technical details. The stress has to be on giving a high-level overview of the information that is important for the board to know. Even though some information may be important to the security team, it may have no significance in that setting. The presentation was the remaining 60% of our overall score for the competition.

Although our team came in 4th place, I had a lot of fun and learned even more. The entire experience was phenomenal, and I can't thank Deloitte enough for the opportunity to learn alongside some of the best security experts in the field.