As an active member of Toronto’s cybersecurity community, I was honored that RedBlack Cybersecurity founders Lee Kagan and Ben Wells invited me to be a mentor for this year’s C3X competition, which involves students from multiple Toronto colleges. RedBlack describes C3X as
|“The Canadian Collegiate Cyber Exercise (C3X) is designed to develop, broaden and enhance the skills base of the next generation of Cyber Security and ICT professionals.|
The concept in brief: The students were tasked with defending a ‘simulated’ corporate network from intrusion and exploitation by a red team comprised of cyber security pros with a sophisticated skillset.
The students needed to learn to be organized, develop a strategy to combat the intrusion, and communicate with each other and the management team.
There are a variety of goals for C3X – amongst them are helping students connect a technical threat to business impact, cope with the time sensitive nature of an unexpected threat and effectively communicate the needs of the defensive team – while staying in line with company capability, culture and industry standards.”
This year’s event took place at George Brown College between October 22nd and the 24th. There were red teams, blue teams, and white teams playing offensive and defensive roles. I helped out the white team. Honestly, I spent a lot of time waiting around and watching the white team and blue team do their work. But when a few blue team members needed to find useful information in their Active Directory logs coinciding with a cyberattack, I came to their aid. How do you weed out the true positives from the false ones? I got the students to narrow down a possible time range for the attack incident. I told them that if they had log analysis tools and a SIEM, they wouldn’t have to sort through their logs manually. It’s tedious work but the students put a lot of effort into being careful and thorough.
I asked RedBlack’s Ben Wells why they had launched C3X.
“There were a variety of reasons we started C3X. Events like CDX and CCDC in the United States were not matched by similar events north of the border. There didn’t seem to be a lot of excitement or cache to cyber here. The market here is dominated by a few large players who’ve eroded the value of pen testing and security in general by commoditizing it.
We also heard, through a plethora of channels, both professional and academic, that keeping the cyber curriculum current was immensely challenging because the market and the threats therein move far faster then the committees could augment class material to meet those requirements. C3X provides a mechanism for the teaching of applied, practical and modern topics that can’t be deployed to classrooms quickly enough.”
I also asked RedBlack’s Lee Kagan about the inspiration behind C3X.
“C3X came originally to me as an idea to start something in Toronto (and eventually for Canada) that would have a similar feel to CCDC and CDX in the US. There’s CTFs (capture the flag competitions) all over the place and while they’re great for what they can teach, there isn’t really anything for us and specifically students that simulates an aggressor targeting an organization that they may have to defend. Plus, we needed to design it into a pressure cooker form with time constraints, limited time and so on.
I also had noticed a gap in something with education. Students involved in infosec courses don’t really get exposed to red versus blue scenarios. Plus there’s the option to put it all to the test before they go join the workforce, and are then are expected to be able to do it. Most organizations are Windows environments, and most certainly involve ActiveDirectory. So we tailor the network and systems to revolve around that. The gap, was when I would hear things like ‘well, students don’t really get exposure very often to that stuff so this will be too hard on them.’ Ironically, I would then hear things all the time like, ;these co-op or junior SOC (security operations center) analysts know nothing about investigating Active Directory or reading Windows Event Logs.; See the problem? It’s a damned if they do, damned if they don’t type of situation. So we built it.”
Lee also elaborated on the birth of C3X.
“In the early days of RedBlack we had some very small events and workshops we held for ‘non-techie, non-security’ folks where they could come ask us questions about hacking and cybersecurity. This was more of a community project to help raise education and inform families about staying safe. Ben Wells, from our company, also has a lot of experience in event planning from other times in his career.
Combined with running a business, being people who attend lots of events and having so many friends who have experience with event organization made it a far easier task than it would have been without all of that.
For me personally, I tried to attack it like a red team! Just adapt to the situations and problems as they come up, and lean on other sfor help when I’m not equipped to handle it.”
Student Laura Harris worked on the blue team. Her involvement began with an invitation to a war room.
“Initially, we were told about the opportunity to get involved in a blue team/red team war room during one of our classes. Many students including myself decided to jump on this opportunity and sign up. It is extremely rare to experience defending against an advanced adversary and gain real-world experience only obtainable through exposure in the workplace and not the classroom. I believe my team and I walked away with valuable skills and knowledge that we can now be apply in the future. I am looking forward to seeing what the next C3X has to offer, and possibly playing some tricks back on the red team.”
“The experience overall was much more challenging than expected. I think we all went in with a mindset that we would have a lot more guidance. However, in actuality we had to implement a lot of security controls from the start that were not done until later down in the day. Along with exploring other tools and tactics outside of the ones that were provided to us.”
Laura’s entry into cybersecurity was almost accidental.
“Well to be completely honest, when I just started my undergrad I was actually going to school to become a radiologist, but very quickly realized that the sciences was not something I wanted to do for the rest of my life. I think decided to take a view IT courses and get involved in my cybersecurity club who very frequently participated in CTFs. I think from there I developed a love for the field and the challenges and tools that came with it. To this day I can say I would never look back or regret the decision of changing my career path.”
What has Laura learned about cybersecurity so far?
“Hmm. that’s a good question. I would probably say that security is a continuous learning path. You will never stop learning, especially because there is always a new kind of threat being created, tools and strategies that as a security professional you will have to keep up with. Especially if you want to be competent in the industry.”
I would recommend every student wanting to get into security to get involved as much as possible with events like these and CTFs both online and on site to improve skills. Definitely don’t be discouraged when things don’t go perfect the first time around.”
I’m excited about C3X in 2019! I will probably get involved again in some capacity. It’s really exciting to observe the developing skills of our next generation of cybersecurity professionals.