This post was written by Ray Truex, Cybersecurity major and captain of Messiah’s CCDC (Collegiate Cyber Defense Competition) team.
Last Friday and Saturday (March 31 – April 1, 2023), students from Messiah University were given the opportunity to compete at the MACCDC (Mid-Atlantic Collegiate Cyber Defense Competition) regional event. Originally, the team had placed 12 out of about 30 teams, missing qualifiers by a few spots. The team still planned on attending the regional event as volunteers but thanks to a last-minute dropout of another team, Messiah was actually able to compete. In less than a few hours a team of six was assembled and on their way to Largo, Maryland.
The night before the competition the final team packet was sent, and we noticed that we had over forty systems to harden and ensure availability. The competition was scored on six categories: service availability, business injects, board meetings, orange team, red team activity, and IR reports. The team was very limited, half of us had not even competed in the qualifier, and this was our first CCDC event.
The initial plan once the competition started was to get into the systems and change the default passwords. After that, students broke into groups; some worked on injects while others worked on hardening services. As the team captain, I was tasked with responding to board requests which were very aggressive in their demands. Their main demand was to make sure that the hypothetical shipping company that we were running was accepting orders and getting packages shipped. Day one came to an end quickly. Everyone was very fatigued and there was still a lot to do. After a debrief at Applebee’s with our coach, Dr. Bibighaus, we made sure we had a more focused approach for day two.
At the start of Day two, we had a meeting with the board of directors, during which I got yelled at by them for not having shipped any packages yet. As soon as the meeting ended, we got back to work. Unfortunately, we were unable to prioritize their request for getting packages shipped as the team was busy putting out fires the rest of the day. We did, however, have a minor victory of getting the blog server up and running, and at one point even having the greatest number of services running. The rest of the day consisted of continuing to harden and ensure availability, as well as completing injects and incident response reports.
Day two was also April 1st, April Fools’ Day, so we started the day with the power strip turned off. This incident ended up being the highest scored incident report that we submitted, so it worked in our favor. An additional April Fool’s setback was the scoreboard being messed up the whole day, making it exceptionally hard to determine how we were doing on keeping our services online. After lunch on day two, the red team was given the green light to destroy everything, and we started noticing subtle signs like our webpage being defaced by power rangers. Within an hour or two left in the competition, services were dropping like flies. The last thirty minutes of the competition was dedicated entirely to filling our incident response reports due to the sheer number of attacks we were experiencing.
The competition ended and Messiah placed 6th out of 7 teams, beating out George Mason University for last place. The team was very happy to get anything but last place, since this was our inaugural year. Being able to compete at regionals was much more than we expected. We brought back so much more to learn, practice, and prepare for next year. We were also able to meet many new employers and other teams to partner with in the future. The team is very excited to prepare for next year and hopefully get back to regionals.