Wednesday, May 06, 2009

Lessons from CDX

In my post Thoughts on 2009 CDX I described my initial reaction to the Cyber Defense Exercise from the point of view of seeing the white and red cells in action. Thanks to this press release I learned the outcome of the event:

The National Security Agency/Central Security Service (NSA/CSS) is pleased to announce that the United States Military Academy at West Point has won the 2009 Cyber Defense Exercise (CDX) trophy for the third year in a row.

I found more detail here:

The USMA team won the exercise for the third year in a row––West Point’s fifth win since the competition began in 2001. That means they successfully fended off the NSA hackers better than the U.S. Naval Academy, U.S. Air Force Academy, U.S. Coast Guard Academy, U.S. Merchant Marine Academy, the Naval Postgraduate School, the Air Force Institute of Technology and Royal Military College of Canada...

"We had large attacks against our e-mail and Web server from multiple (Internet protocol) addresses (all NSA Red Team)," Firstie Josh Ewing, cadet public affairs officer for the team, said. "We were able to withstand their attacks and blocked over 200 IPs that they were using to attack the network."

All the while, the cadets were tasked with extra projects such as network forensics. The cadets’ scores from these extra tasks contributed to their win, Adams said.

Based on my discussions with people from the exercise, it is clear that West Point takes the CDX very seriously. As in previous years, West Point dedicated 30-40 cadets to the event. They appear to use the CDX as a capstone exercise for a computer security class. On manpower alone they dwarf the other participants; for example, the Coast Guard had a team of fewer than 10 (6-7?) from what I heard.

Thinking about this exercise caused me to try classifying the various stages through which a security team might evolve.

  1. Ignorance. "Security problem? What security problem?" No one at the organization realizes there is even an issue to worry about.

  2. Denial. "I hear others have security problems, but we don't." The organization thinks they are special enough that they don't share the vulnerabilities and exploitation suffered by others.

  3. Incompetence. "We have to do something!" The organization accepts there is a problem but is not equipped to do what is required. They may or may not realize they are not equipped to handle the problem.

  4. Heroics. "Stand back! I'll fix it!" The organization develops or hires staff who can make a difference for the first time. This is a dangerous phase, because the situation can improve but it is not sustainable.

  5. Capitalization. "Now I have some resources to address this problem." The heroes receive some funds to advance their cause, but funding alone is not sufficient.

  6. Institutionalization. "Our organization is integrating our security measures into the overall business operations." This is real progress. The organization is taking the security problems seriously and it's not just the security team's problem anymore.

  7. Specialization. "We're leveraging our unique expertise in X and Y to defend ourselves and contribute back to the security community." The organization has matured enough that it can take advantage of its own environment to defend itself, as well as bring lessons to others in the community.

Based on what I know of the West Point team, they seem to be at the Institutionalization phase. Contrast their approach and success with a team that might only be at the Heroics phase. Heroics can produce a win here and there, but Institutionalization will produce the sort of sustainable advantage we're seeing in the West Point team.

You may find these labels apply to your security teams too.


Richard Bejtlich is teaching new classes in Las Vegas in 2009. Regular Las Vegas registration ends 1 July.
