Since my team placed 3rd in the Fall, we qualified for ISU's National Cyber Defense Competition this Spring. This was a slightly different competition from the ones I have competed in before, mainly because the scenario was different this time around. It was unique for a few reasons: unusual applications and services were required, competition-day anomalies were plentiful, and an additional service was added to the scenario less than a day before the competition started. There were a lot of flags to protect, and to be captured.

The scenario essentially stated that we were a SaaS company that provided hosting and application programming services. We were required to implement the following services: DNS for our domain, a highly vulnerable custom web application that contained sensitive company data, a chat service of our choosing, remote desktop, a method for backups, a Nagios monitoring service, and a "beta" Python application that was given to us just before the competition. For added benefit, we also introduced a gateway firewall, an Active Directory server, and Splunk monitoring. This was a challenging, but also exciting and rewarding, scenario. My two main responsibilities were securing the web application and implementing the Splunk system.
The web application was very insecure, mainly because it was written in ANSI C, had numerous OWASP Top 10 vulnerabilities, and contained multiple malicious backdoors. I will most likely have a separate write-up just for that application, because I would like my main focus here to be on the overview of the competition and what we could have done better. In addition to securing the web application, I was tasked with monitoring our network using Splunk, which is an operational intelligence platform. I used this software to gain insight into our network and to make sense of the data our systems were generating. It was very useful because the whole team could log in and use Splunk's web interface to search and parse log files and look at metrics relating to their assigned services. It was really neat to see visualizations of what was happening to our services and network. Below I've included some graphs and results we received from Splunk throughout the day.
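To show the kind of question a team asks of its web server logs during a competition (which sources are hitting the application, which status codes they get, and who is generating the error noise that usually precedes a probe of the vulnerable web app), here is an added example that is not the post's own code or Splunk output. It parses constructed combined-format access log lines (not real competition data) and computes the same aggregations a Splunk search would chart; the IP addresses, paths and thresholds are assumed for illustration.

```python
import re
from collections import Counter

# Constructed sample access-log lines in Apache/nginx combined style.
# The last line is deliberately malformed to show that the parser skips it.
SAMPLE_LOG = """\
10.0.5.21 - - [12/Apr/2014:09:01:12 -0500] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.5.21 - - [12/Apr/2014:09:01:15 -0500] "GET /login HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.168.7.40 - - [12/Apr/2014:09:02:01 -0500] "GET /admin HTTP/1.1" 404 312 "-" "curl/7.35"
192.168.7.40 - - [12/Apr/2014:09:02:02 -0500] "GET /backup.tar HTTP/1.1" 404 312 "-" "curl/7.35"
192.168.7.40 - - [12/Apr/2014:09:02:03 -0500] "GET /.git/config HTTP/1.1" 404 312 "-" "curl/7.35"
192.168.7.40 - - [12/Apr/2014:09:02:04 -0500] "POST /login HTTP/1.1" 500 0 "-" "curl/7.35"
10.0.5.33 - - [12/Apr/2014:09:03:10 -0500] "GET /reports HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
this line is not a valid access-log entry
"""

# Fields we care about: client IP, timestamp, method, path, status, response size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_lines(text):
    """Turn raw log text into a list of event dicts, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # a broken line should not stop the whole analysis
        ev = m.groupdict()
        ev["status"] = int(ev["status"])
        events.append(ev)
    return events


def status_counts(events):
    """Requests per HTTP status code (the 'stats count by status' view)."""
    return Counter(ev["status"] for ev in events)


def requests_by_ip(events):
    """Requests per client address (the 'top clientip' view)."""
    return Counter(ev["ip"] for ev in events)


def noisy_sources(events, error_threshold=3):
    """Client addresses that produced at least error_threshold 4xx/5xx responses.

    A burst of 404s against paths that do not exist is a cheap, high-signal
    indicator worth alerting on during a competition; the threshold is an
    assumed value, tune it to your own traffic.
    """
    errors = Counter(ev["ip"] for ev in events if ev["status"] >= 400)
    return {ip: n for ip, n in errors.items() if n >= error_threshold}


if __name__ == "__main__":
    evs = parse_lines(SAMPLE_LOG)
    print("parsed events:", len(evs))
    print("by status:", dict(status_counts(evs)))
    print("by ip:", dict(requests_by_ip(evs)))
    print("noisy sources:", noisy_sources(evs))
```

In Splunk the same three views are one-line searches over the indexed access log (for example `stats count by status`, `top clientip`, and a `where status>=400` filter followed by a count per client); the point of the script is only to make explicit what those searches compute so that a dashboard panel is easy to sanity-check against the raw lines.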