How the Department of Energy is Developing the Next Generation of Cybersecurity Experts - Ep. 14
Recently, the Department of Energy hosted its annual CyberForce National Competition. Of the 66 selected teams to compete, the University of Central Florida’s Collegiate Cyber Defense Team won the national competition, which challenges teams across the country to build a robust corporate network that can withstand attacks to steal data, deface websites, or wipe out critical systems. The team’s captain, Austin Sturm, joins the podcast this week to discuss their winning strategy and cybersecurity from a generational perspective.
Learn more about the Department of Energy’s CyberForce Competition.
A Way to Develop Cybersecurity Experts
Arika: We have a great show for you guys today. We have with us Austin Sturm, from the University of Central Florida, who is captain of their collegiate Cyber Defense Team. Austin and his team recently won the Department of Energy's Cyberforce Competition. We thought it'd be great to take some time on today's episode, learn about the competition, learn about the strategy that Austin and his team had to win, and also just talk about Cybersecurity from a next generation perspective. So Austin thank you so much for joining us today.
Austin: Thank you very much, Eric and Arika. It's a pleasure to be on here.
Arika: So, Austin, let's just kick off. Tell us about the competition. Tell us how it came about. My understanding is that you guys, the University of Central Florida (UCF), you competed against 65 other teams across the country. You built a network prior to the competition that then during the actual in-person piece was hacked. And I know there were more details than that to the scenario so please definitely insert those. But just tell us about the process and how this competition works and in terms of how you guys got involved, your strategy and so on.
Department of Energy's Competition
Austin: Of course. So let me give you some history on the competition itself. The D.O.E. has been putting this on I think four years now.
Specifically, this is coming from the core team Amanda Joyce, Director of the competition is leading that now as the director of the competition. So this is the fourth year, I personally have competed in the past three and UCF has competed in these past three, as well. It's mainly Grad, Undergrad students, and then you're given this network and you're coming in from. This year it was you're already an employee; you've been maintaining this infrastructure, and every year you do a quarterly assessment, determine what you need to fix, what you need to implement, what your next strategies are going into the next year.
In previous years it was consultants - a cybersecurity experts - coming in to fix their network, defend it, but this year we are given a web server, a mail server, a help desk. You had to provide some additional functionality that you were just required ICS - Industrial Control System- had to have like an HMI - Human Machine Interface - viewer That's kind the physical component or machine that you can utilize to access some of that SCADA network. And so what we wanted to go ahead and do this year is we tried to focus it on creative ideas because this competition differs in the sense that they're not just wanting you to secure it, they want you to come up with that next level technology or creative ideas that we haven't been seeing previously in technology.
Bringing in Creativity
So we try to focus on that creativity element. Both this year and last year we've been trying to work on kind of a software appliance to work around and fill in some of the gaps that you have and some of the protocols that ICS uses such as modbus or DNP3. So we had a high focus there.
Here are some interesting notes: you're given this network and you only have a month and it's quite a long time to get everything set up but you've got to pretend and role play a little, such as I've worked here and I get involved into it, as well. And one of the interesting parts of that, I guess, some of the other competitors may have not been aware of it because during the competition we saw a lot of teams that got hacked or they lost access to their network. And, these systems you've got to understand that there are vulnerabilities present.
There could have been an attack at one point. So the first thing we do, and I recommend anyone who does compete prior to take a look: Ping test your systems. Look for indicators of compromise because you never know what's on there. It's always good to take a look frequently and then you can start to build the idea of this is what I want the network to be and start securing it down a little more.
Eric: So you're given a working system from the Department of Energy, from the competition, per se. You're given this working system and you need to then secure it and look at how you're going to protect it into the future but you may have an adversary already inserted into the system they give you.
Austin: Yes, exactly. So, I'll give an example. One of the things they had was a Cron job. For people who aren't familiar that's just a scheduling utility in Linux that was creating a user called Ra-Q...
Eric: Or Unix for us older guys, go on...
Austin: It was creating a user called Ra-Q and ping testers would be familiar with the Ra-Q word list...just top common passwords. It's most notably utilized in brute forcing attacks. But it created a user with the username Ra-Q. The password was a random password from that file and that was supposed to be an indicator of compromise showing that somebody got into the system and now there's a user out there. So you've got to look out for little tidbits like that.
Arika: And the other thing I saw too when I was reading the scenario was that as you were thinking about how you were securing this network, one of the caveats was no major purchases could be made which is something that I think a lot of organizations, especially government, sometimes have to do is having to do more with less.
Respecting Budgets and Other Constraints
Austin: Of course. Budgeting is the hardest thing to get, right? So it actually was completely free software. You couldn't use any paid software besides Windows licenses that were available through Azure.
Eric: OK and then no major upgrades either to the critical production systems, so the business side of the house you couldn't impact that in a negative way.
Austin: Correct. You had to maintain uptime with infrastructure that they had already given. You were budgeted about two additional VMs. These are two gig max for memory and so they're kind of throttled in the sense of how strong they are and what you can do on them.
Arika: So it was a challenge. A true competition.
Eric: And relatively technical. I mean we don't get a lot of people talking about modbus and SCADA protocols on this podcast. Maybe we should look into it. But I mean a relatively technical scenario where you're getting your hands dirty. You're not just talking, you're actually doing. All 65 schools were doing.
Blending Technical with Business Aspects
Austin: Exactly. And they tried to implement the business aspect too, so that's when the role playing comes in like we had to give a CSO talk so you had to present the creativity of your project to what was supposed to be the panel of committee members that are going to review your reports and kind of make business decisions.
Eric: And how did that work? I know you have a background in computer engineering and now you're studying digital forensics. Did you have somebody on your team who was more comfortable presenting? Did the whole team do it? Did you break it out?
Austin: So last year I gave it along with one of my fellow members that was on the team this year. This year, he actually presented it himself. We're all technically focused for the most part, but he built out the software appliance originally so he had the technical focus on what he wanted this to be and we try to pride ourselves on our ability to be somewhat professional.
Eric: On a 1 to 10 scale, reality scale, how close do you think this reflects a real situation you run into every day in the work force?
Austin: So to be frank the limitations make you have to implement some creative ideas that you would not have to consider otherwise. Like we couldn't firewall people off and whitelist IP's. So you get more of creativity but the idea that you have a system and it could be compromised, you need to secure it up...I mean, I'd say it's probably about a seven.
Eric: That's pretty good.
Arika: And any other interesting observations from what you saw from the other teams? Or how does it actually work, the in-person competition? After you spend this month or so first securing your existing network, building out the software, then you went to one of the labs, the Argon lab in Illinois and so what happens there? That's when you did the CSO talk?
Structure of the Competition
Austin: Exactly. That's when the in-person elements begin. So the majority competition, you come in on Friday and that's just a day to set up your network a little more. Because there is a physical component. They do set up a Raspberry Pi. It's hooked up to motors and other valves. This year it was supposed to be an oil company so it was supposed to be like an oil pipeline. But you get to take a look at that, doing the modifications you may need to do. Then the Red team starts scanning it. So we do have the active attackers and I think it's over 100 Red team members that are attacking these systems amongst all 66 teams.
That first day is just them scanning and then the next day, the in-person, the true competition begins and they do things called anomalies which are just little fun things to give you something to do while you're doing the competition and monitoring your systems and that's like a capture the flag competition doing forensics challenges, doing just fun things to get everybody to talk to each other and enjoy the time that they're there, as well, since it also it's not just a competition. It's a time to network, meet peers, and develop a growth in cybersecurity.
Growing Cybersecurity Experts for Tomorrow
Arika: And, Austin, there's a lot of talk especially within government about the cybersecurity, just the workforce. And there's a huge recruitment element that's happening right now to...
Eric: That's where I was going, Arika.
Arika: Well that's why you're Eric and I'm Arika, we're thinking alike. So, I'm curious, I think competitions like this are so great for shaping that next generation of the work force. So what are your thoughts in terms of where cybersecurity is going, how to bring new thought, new mindsets, especially next-generation mindsets to the industry and to the area.
Austin: I want to say, of course security is I think the fastest growth rate in the industry, I think it's like 25 or 35 percent growth rate in the next four years so it's very important that we develop at a young age an interest in cybersecurity and programming. I think these competitions are becoming a great way to grab potential employees, potential researchers who have a real passion for the security element and you're not giving the people who just want to be there as a resume booster or something. These are people who are just truly passionate and it provides a great gateway to get people both interested because it's a fun way to get into cybersecurity and you learn a lot. I think it's a great gateway into recruitment efforts and getting more passion in the field.
Cybersecurity as a Career Field
Eric: Why do you like cybersecurity? Why did you pick that as a career field?
Austin: There's something about just messing with something that you might not know anything about and seeing what could happen, the unknown I guess.
Eric: Okay. Would you like to work for the government when you graduate?
Austin: It could be a potential thing. I've mainly stuck to the private sector and most likely will be where I continue on. I think it's very important that we get some good passionate people to start moving their way into the government in cybersecurity especially.
Eric: When you interact with all these other members, these other students who are obviously very capable and intelligent, do you talk about where you want to go career-wise, what the options are, the pros and cons?
Austin: A lot of our club likes to stick together. We've been noticing a lot of people go into the same cities and same companies, you know, Amazon, Microsoft, some of those big tech companies, but I think now this competition has provided more insight into the elements that can be sought in government and a lot of interest in the things that you can see from a government perspective that you might not see from the private sector: nation-state attacks. Unless you're one of the big companies you're not going to have any involvement within that so I think it's provided a lot of insight that more people are getting interested in going into the government.
Attraction of Going into Government
Eric: Really? So what I'm hearing you say is that the interest level in the type of work that the government may do versus a random private commercial organization.
Austin: Exactly. The interest is in what you could see.
Eric: Okay, without leading you, any other factors that would convince you to either go into the government or not or any or your peers you've dealt with?
Austin: I think there's a stigma that governments don't pay what the private sector is going to give you starting off and I think that might be a factor that a lot of people are playing in when they... because not everybody has this lets say patriot mindset where they just are doing it for the greater good. It's still hard to get past the budget factor of it.
Eric: From a compensation perspective?
Austin: Yeah from a compensation perspective.
Eric: Okay but you've got the full work, you've got the paid time off, the great benefits, you're doing something patriotic, as you said. At the end of the day the paycheck definitely is ...
Government is Looking for the Best Talent
Arika: Well, I think that's reality but what we do know is that the government is definitely hiring right now for cybersecurity. That is a top, top area where they were definitely looking for the best of the best talent. So keep that in mind, Austin.
Eric: I mean, heck, they're even sponsoring the competition and giving you something to put on the resume to go get a commercial job, or a government job.
Austin: Exactly. And they do a great job and it really does actually...I think this competition is a great way forward for them to build up that interest because you're starting to see more of the fun aspects of it, you know. It's not all suit and tie.
Arika: Well excellent. Well thank you so much Austin for being on with us. So what's next for you? When's graduation?
Eric: Oh I'm going to be here for quite a while just I started my graduate degree, actually finished undergrad last semester so...four more years for me.
Arika: Well it flies by so best of...
Eric: Do grad uh...four more, oh part-time, I got you.
Austin: Yeah. Part time. I currently work full-time in the private sector.
Arika: Excellent. Well best of luck to you and again...
Eric: Arika, I have one last question.
Arika: Okay go ahead.
Never Stop Learning
Eric: Austin, based on what you've seen, what you've learned, the interaction with the competition, what is one piece of advice you'd give for us older gentlemen and ladies out there who are in the cybersecurity business?
Austin: Never stop learning, really.
Eric: That's a great piece of advice.
Arika: It's changing every day so that is, that's great. Well thank you, Austin. We appreciate it and again best of luck to you, congratulations to you as well as to rest of the University of Central Florida team. Great work by you guys to have won this national competition.
Austin: Thank you very much, Arika. And have a great day now.
Eric: Big win. Let us know if you want to move into the government and we'll get you in touch.
Austin: Alright we might be in touch.
Arika: You never know.