Slashdot Mirror


NSA Launches 'Codebreaker Challenge' For Students: Stopping an Infrastructure Attack (ltsnet.net)

Slashdot reader eatvegetables writes: The U.S. National Security Agency launched Codebreaker Challenge 2017 Friday night (Sept 15) at 9 p.m. EST. It started off as a reverse-engineering challenge a few years ago but has grown in scope to include network analysis, reverse-engineering, and vulnerability discovery/exploitation.

This year's challenge story centers around hackers attacking critical "supervisory control and data acquisition" (SCADA) infrastructure. Your mission, should you choose to accept it, is to figure out how the SCADA network is being attacked, find the attack vector(s), and stop the bad guy(s)/gal(s)/other(s).

Codebreaker-Challenge is unusual for capture-the-flag(ish) contests due to the scope/number of challenges and how long the contest runs (now until end of year). Also (this year, at least), the challenge is built around a less than well-known networking protocol, MQTT. It's open to anyone with a school.edu email address. A site leader-board shows which school/University has the most l33t students. Carnegie Mellon and Georgia Institute of Tech are at the top of the leader-board as of Saturday morning.

Last year, 3,300 students (from 481 schools) participated, with 15 completing all six tasks. One Carnegie Mellon student finished in less than 18 hours.

A resources page offers "information on reverse engineering," and the NSA says the first 50 students who complete all the tasks this year will receive a "small token" of appreciation from the agency.
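The summary names MQTT as the protocol the challenge is built around; the network-analysis part of such a contest usually comes down to pulling topics, payloads and credentials out of a packet capture. The decoder below is an added example, not material from the article or from the NSA challenge. It parses MQTT 3.1.1 CONNECT and PUBLISH packets from a raw TCP byte stream, including the variable-length "Remaining Length" field and the optional will/username/password fields whose presence depends on the connect flags. The sample stream is constructed here: the device name, topic and credentials are invented.

```python
"""Decode MQTT 3.1.1 CONNECT and PUBLISH packets from a raw TCP byte stream (added example)."""
import struct
from dataclasses import dataclass, field
from typing import List, Tuple
PACKET_TYPES = {1: "CONNECT", 2: "CONNACK", 3: "PUBLISH", 4: "PUBACK", 8: "SUBSCRIBE", 14: "DISCONNECT"}
@dataclass
class MqttPacket:
    ptype: str
    flags: int                      # low nibble of the first byte (DUP/QoS/RETAIN for PUBLISH)
    fields: dict = field(default_factory=dict)
    payload: bytes = b""

def decode_remaining_length(buf: bytes, pos: int) -> Tuple[int, int]:
    """'Remaining Length': 7 data bits per byte, high bit = another byte follows, max 4 bytes."""
    value, multiplier = 0, 1
    for _ in range(4):
        if pos >= len(buf):
            raise ValueError("truncated remaining length")
        byte, pos = buf[pos], pos + 1
        value += (byte & 0x7F) * multiplier
        if not byte & 0x80:
            return value, pos
        multiplier *= 128
    raise ValueError("malformed remaining length (more than 4 bytes)")

def read_u16(buf: bytes, pos: int) -> Tuple[int, int]:
    if pos + 2 > len(buf):
        raise ValueError("truncated 16-bit field")
    return struct.unpack_from(">H", buf, pos)[0], pos + 2

def read_field(buf: bytes, pos: int, text: bool = False):
    """Length-prefixed field: 2-byte big-endian length, then that many bytes (UTF-8 if text)."""
    n, pos = read_u16(buf, pos)
    if pos + n > len(buf):
        raise ValueError("truncated length-prefixed field")
    raw = buf[pos:pos + n]
    return (raw.decode("utf-8") if text else raw), pos + n

def _decode_connect(body: bytes, pkt: MqttPacket) -> None:
    f = {}
    f["protocol"], p = read_field(body, 0, text=True)
    if p + 2 > len(body):
        raise ValueError("truncated CONNECT header")
    f["level"], cflags = body[p], body[p + 1]
    f["keepalive"], p = read_u16(body, p + 2)
    f["client_id"], p = read_field(body, p, text=True)
    if cflags & 0x04:                         # Will Flag
        f["will_topic"], p = read_field(body, p, text=True)
        f["will_message"], p = read_field(body, p)
    if cflags & 0x80:                         # User Name Flag
        f["username"], p = read_field(body, p, text=True)
    if cflags & 0x40:                         # Password Flag: cleartext on the wire unless TLS is used
        f["password"], p = read_field(body, p)
    pkt.fields = f

def _decode_publish(body: bytes, pkt: MqttPacket) -> None:
    qos = (pkt.flags >> 1) & 0x03
    topic, p = read_field(body, 0, text=True)
    f = {"topic": topic, "qos": qos, "dup": bool(pkt.flags & 0x08), "retain": bool(pkt.flags & 0x01)}
    if qos > 0:                               # packet identifier is present only for QoS 1 and 2
        f["packet_id"], p = read_u16(body, p)
    pkt.fields, pkt.payload = f, body[p:]

def decode_packet(buf: bytes, pos: int = 0) -> Tuple[MqttPacket, int]:
    """Decode one control packet at buf[pos]; return it and the offset of the next packet."""
    if pos >= len(buf):
        raise ValueError("empty buffer")
    ptype, flags = buf[pos] >> 4, buf[pos] & 0x0F
    remaining, pos = decode_remaining_length(buf, pos + 1)
    end = pos + remaining
    if end > len(buf):
        raise ValueError("truncated packet body")
    pkt, body = MqttPacket(PACKET_TYPES.get(ptype, f"TYPE{ptype}"), flags), buf[pos:end]
    if pkt.ptype == "CONNECT":
        _decode_connect(body, pkt)
    elif pkt.ptype == "PUBLISH":
        _decode_publish(body, pkt)
    else:
        pkt.payload = body
    return pkt, end

def decode_stream(buf: bytes) -> List[MqttPacket]:
    """Split a captured TCP payload into consecutive MQTT control packets."""
    packets, pos = [], 0
    while pos < len(buf):
        pkt, pos = decode_packet(buf, pos)
        packets.append(pkt)
    return packets

def _s(text: str) -> bytes:                   # build an MQTT length-prefixed string
    raw = text.encode("utf-8")
    return struct.pack(">H", len(raw)) + raw
def _frame(first_byte: int, body: bytes) -> bytes:
    assert len(body) < 128                    # a one-byte Remaining Length is enough for the sample
    return bytes([first_byte, len(body)]) + body

# Constructed sample (device, topic, credentials invented): CONNECT with username/password, then a
# QoS 1 PUBLISH to a set-point topic. 0x10 = CONNECT; 0x32 = PUBLISH with QoS 1.
SAMPLE_STREAM = (
    _frame(0x10, _s("MQTT") + bytes([4, 0xC2]) + struct.pack(">H", 60)
           + _s("pump-ctrl-01") + _s("operator") + _s("hunter2"))
    + _frame(0x32, _s("plant/pump1/setpoint") + struct.pack(">H", 7) + b"0")
)
```

Run `decode_stream(SAMPLE_STREAM)` on the constructed bytes, or on the reassembled TCP payload of a real broker connection, and you get the client id, username and password of the CONNECT followed by the topic, packet id and payload of the PUBLISH. Every length is bounds-checked before use, so a truncated or malicious capture raises `ValueError` instead of slicing past the buffer, which matters when the same parser is pointed at attacker-controlled traffic.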

6 of 53 comments

  1. Infrastructure by AmiMoJo · Score: 2, Insightful

    Can we teach people to repel state level attacks on our internet infrastructure?

    Like GCHQ before, it's weird when these agencies act like they weren't caught breaking the law on an unprecedented scale.

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  2. You must be bonkers to participate by Rosco P. Coltrane · Score: 3, Insightful

    People who choose to take part will have their name permanently on the NSA's watch list for dangerous hackers - and potentially, on some terrorist watch list, or the TSA's no-fly list also.

    Stay the fuck away from the NSA people. It doesn't matter if they say they have good intentions: the reality is, they don't.

    --
    "A door is what a dog is perpetually on the wrong side of" - Ogden Nash
    1. Re: You must be bonkers to participate by nehumanuscrede · Score: 3, Insightful

      Nah.

      These are the sorts of folks they'll actively seek to recruit.

      Because if you can successfully attack their scenario, you can likely do it in the real world against an NSA target of choice.

  3. Start at the data diodes, go from there by ka9dgx · Score: 5, Interesting

    The first thing is to do a traffic analysis of the data that has transited the outbound data diode. Look for unusual destinations. Then work backwards to see what system generated that data. Then start searching all of the computers for rogue USB devices or other media carried into the office. Actual fingerprints may help catch the culprit, if it wasn't a staff member who was socially engineered into using the device.

    Remove the hard drives from any affected systems, and do a bare metal restore from the most recent trusted backup. Then use the delta backups to bring things to a reasonably current state.

    There should be no physical way for internet traffic to get inbound into the system, as it should be air-gapped except for the data diode. As we all know, a data diode has no physical inbound connection, and is thus secure.

    If there isn't a data diode, start questioning the qualifications of the existing IT staff and engineers.
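The first two steps above (analyse what transited the outbound diode for unusual destinations, then work back to the system that generated it) can be run as a script over the flow records a collector on the low side of the diode would keep. The following is an added example and not the commenter's code. It learns a baseline of destination:port pairs and per-source flow sizes from an earlier window, then flags flows in a later window that go outside an assumed allow-list, to a never-seen destination, from a never-seen source, or that are far larger than anything the source sent before, and finally ranks the inside hosts to investigate. The flow records, the allow-list network and all addresses and byte counts are constructed for the example.

```python
"""Triage of outbound data-diode flow records (added example, constructed data)."""
import csv
import io
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Set, Tuple

# Assumed: the only networks the diode is meant to feed (e.g. a DMZ historian); invented here.
KNOWN_DESTINATIONS = [ip_network("192.0.2.0/24")]
VOLUME_FACTOR = 5       # flag a flow carrying more than 5x the source's largest baseline flow

# Constructed flow records, in the shape a flow exporter on the low side of the diode might log.
BASELINE_CSV = """ts,src,dst,dport,bytes
2017-09-10T08:00:00,10.20.1.11,192.0.2.10,8883,4100
2017-09-10T09:00:00,10.20.1.11,192.0.2.10,8883,3950
2017-09-10T08:05:00,10.20.1.12,192.0.2.11,443,2200
2017-09-10T09:05:00,10.20.1.12,192.0.2.11,443,2050
"""
WINDOW_CSV = """ts,src,dst,dport,bytes
2017-09-15T08:00:00,10.20.1.11,192.0.2.10,8883,4200
2017-09-15T08:05:00,10.20.1.12,192.0.2.11,443,2100
2017-09-15T02:13:00,10.20.1.12,198.51.100.77,443,350000
2017-09-15T02:14:00,10.20.1.12,198.51.100.77,443,340000
2017-09-15T03:40:00,10.20.1.13,203.0.113.5,53,120
"""

@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    dport: int
    nbytes: int

@dataclass
class Baseline:
    destinations: Set[Tuple[str, int]]   # every dst:port seen during the baseline window
    max_bytes: Dict[str, int]            # largest single flow per inside source

def parse_flows(text: str) -> List[Flow]:
    rows = csv.DictReader(io.StringIO(text))
    return [Flow(r["ts"], r["src"], r["dst"], int(r["dport"]), int(r["bytes"])) for r in rows]

def build_baseline(flows: List[Flow]) -> Baseline:
    max_bytes: Dict[str, int] = defaultdict(int)
    for f in flows:
        max_bytes[f.src] = max(max_bytes[f.src], f.nbytes)
    return Baseline({(f.dst, f.dport) for f in flows}, dict(max_bytes))

def find_anomalies(baseline: Baseline, flows: List[Flow]) -> List[Tuple[Flow, List[str]]]:
    """Step 1: look at everything that left through the diode and list why each flow is odd."""
    findings = []
    for f in flows:
        reasons = []
        if not any(ip_address(f.dst) in net for net in KNOWN_DESTINATIONS):
            reasons.append("destination outside the diode's allow-list")
        if (f.dst, f.dport) not in baseline.destinations:
            reasons.append("destination:port never seen in baseline")
        ref = baseline.max_bytes.get(f.src)
        if ref is None:
            reasons.append("source never emitted through the diode before")
        elif f.nbytes > VOLUME_FACTOR * ref:
            reasons.append(f"{f.nbytes // ref}x the source's largest baseline flow")
        if reasons:
            findings.append((f, reasons))
    return findings

def rank_sources(findings: List[Tuple[Flow, List[str]]]) -> List[str]:
    """Step 2: work backwards to the inside hosts that generated the suspicious egress."""
    count: Dict[str, int] = defaultdict(int)
    total: Dict[str, int] = defaultdict(int)
    for f, _ in findings:
        count[f.src] += 1
        total[f.src] += f.nbytes
    return sorted(count, key=lambda s: (count[s], total[s]), reverse=True)

def triage(baseline_csv: str = BASELINE_CSV, window_csv: str = WINDOW_CSV):
    baseline = build_baseline(parse_flows(baseline_csv))
    findings = find_anomalies(baseline, parse_flows(window_csv))
    return findings, rank_sources(findings)

if __name__ == "__main__":
    findings, ranked = triage()
    for f, reasons in findings:
        print(f"{f.ts} {f.src} -> {f.dst}:{f.dport} {f.nbytes}B: " + "; ".join(reasons))
    print("pull drives from, in this order:", ranked)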

    1. Re:Start at the data diodes, go from there by blackhedd · · Score: 2

      All good thoughts and quite correct.

      Practical questions: how many SCADA systems do you know that actually have data diodes? There's decent penetration of this technology in electric-power transmission/distribution and a certain amount in O/G upstream. Manufacturing/pharma/connected infrastructure/other sectors, not so much.

      How much would you spend to secure a SCADA installation with data diodes? To a different poster, how about the spend (both capex and opex) for site-to-site VPN? This can make a lot of sense in enterprise networks where the ratio of connected devices to defensible network chokepoints is high. But with SCADA, what if your OT is highly distributed across physical space, and perhaps with sporadic networking and few IT-savvy personnel (oilfields, substations, smaller manufacturing facilities)? What if you're a company like a major automaker, for whom even $1000 is a lot to spend on a piece of technology that you'll have to replicate and manage across a huge global footprint?

      How about the personnel problem? SCADA systems are generally managed by OT people. When they see IT people bearing gifts like data diodes, their first response in many places is to say "get your security stuff out of my production network before your latencies and your false positives disrupt my processes and violate my safety rules!" Then you say "but... security!" And they say "We're already airgapped here. We've been running SCADA since before you amateurs even had TCP/IP. We've never had a breach and never will." And then you say "but... what about that unsecured wireless access point right over there?" At this point, the OT guys will often start throwing things at you.

      My point comes down to: doing this at scale is harder than it looks. The correct starting points are: first, get a C-level to knock heads together until the OT guys start listening to the IT-sec guys; and then do a standard risk/impact assessment to identify the systems at the top of the criticality list. Then you put the data diodes into those places, for a start. (In electric power companies subject to NERC compliance, you'll generally find that all of this has been done already for the CIP-high locations.)

      To bring it back to what NSA are doing: it's valid to question their motives but keep in mind that a good chunk of their mission does involve network defense. (VADM Tighe, who used to be the deputy commander of US Cybercom, referred to this in her remarks last week about the McCain incident.)

      It's also valid to question the ability of that other group of people, DHS, with a more explicit charter to keep the national infrastructure safe. For years, it's been hard to get these groups to talk effectively, but I would say this problem is really starting to get a little better these days. With that, I don't mean to suggest that the data sharing problem is close to resolution, because it's not. But as I say, I do believe some progress is now being made.

  4. Here's another challenge ... by CaptainDork · · Score: 2

    ... Which student(s) can paint a wall on my house the fastest?

    A small token of appreciation will be given to the winner(s) once the house is painted.

    --
    It little behooves the best of us to comment on the rest of us.