Wednesday, May 06, 2009

Thoughts on 2009 CDX

Last month Tony Sager was kind enough to invite me to visit NSA's Cyber Defense Exercise (CDX), an annual computer defense drill where cadets from the nation's military service academies defend training networks from red teams. I first mentioned CDX in 2003 and attended a great briefing on CDX summarized by my 2006 post Comments on SANS CDX Briefing.

For this event I drove to Elkridge, MD and visited the defense contractor hosting the CDX white and red cells. The red team conducts adversary simulation against the cadet teams while the white cell runs the exercise and keeps score. NSA did a great job hosting visitors, ranging from lowly bloggers like yours truly, all the way up to multi-star generals and their staffs. I'd like to mention a few points which caught my attention.

  • This is the second year that the participants were given a budget. This means that making changes to the architecture they were defending, such as installing software and taking other actions, inflicted costs. To me this makes enterprise defense much more realistic.

  • Three weeks prior to the exercise, the students receive the images they will be running during the event. This gives them three weeks to essentially conduct forensics against the systems to determine what is wrong with them. The NSA red team "taints" the systems prior to delivery, so they typically contain malware and other persistent backdoors that permit the red team to access and pillage the systems once the cadets deploy them in the exercise. This really tests the teams's forensic abilities but it seems highly unrealistic.

  • The room I visited held approximately 30 red teamers. They were focusing their efforts against 9 or 10 target teams. That level of effort helps you understand the sort of real adversary forces arrayed against real targets.

  • Points are lost when the teams fail to keep their services operational. The main services are Web/database, DNS, instant messaging, and email. While services are clearly important, the exercise doesn't test the sort of real-world scenarios we see, such as data exfiltration. Good threat agents don't disable any services. They steal while keeping everything running, like the good parasites they are.


I'll save comments on who won and why they might have won for a future post. Thanks to Tony and those who kindly hosted me and took time from the schedules to do so!


Richard Bejtlich is teaching new classes in Las Vegas in 2009. Regular Las Vegas registration ends 1 July.

No comments: