CyberPatriot
Virtual machine development for CyberPatriot XIII and CyberPatriot XIV.
XML, Python, nginx, Apache, MailEnable, SMTP, FTP, DNS, Active Directory, samba, RDP, SSH
Released: 2020
CyberPatriot is a cyber education program with an emphasis on defense
and endpoint security for middle and high school students. Every year
there is a competition season that spans several rounds and culminates
in a national finals event. Thousands of teams register each year to
compete, and only about 30 teams will advance to the final round.
During each round of the competition, students are issued several
preconfigured virtual machines (VMs) that they must secure. The
operating systems on these machines vary, but are mostly Ubuntu,
Debian, and Windows (including Windows Server).
These VMs have misconfigured services, including DNS, HTTP, FTP,
SSH, RDP, SMTP, databases, and more. There are also unauthorized users,
unwanted software, and malware. A subset of these issues is scored by a
proprietary scoring engine developed by the Center for Infrastructure
Assurance and Security (CIAS). Each VM also has unique challenges,
called forensics questions, which can include activities like
deciphering encoded messages, reviewing logfiles, retrieving data
hidden with steganography, and more. These VMs are developed from
scratch every competition season. It was my job to create and configure
all of the VMs used for the CyberPatriot XIII and CyberPatriot XIV season,
about 50 in total.
Challenges
The time required for VM development often led to crunch time: the
complexity and number of VMs increase as the season progresses,
but the interval between rounds remains constant.
Furthermore, we were not able to create these VMs too far in advance
due to contracting restrictions.
A constant challenge for the CyberPatriot program in general
is balancing education and competition. Generally, sharing information
specific to solving issues that appear on the VMs is prohibited, which
means that competitors who don't receive all of the points on a VM are
not allowed to ask about the specifics of what they missed on that image.
What Went Wrong
One of the lessons that the competition aims to teach is that it is important to install operating system updates regularly. As such, this is a scored task during a timed competition. Unfortunately, this process can take a long time to complete successfully. In one competition event, an Ubuntu 20 system would fail to complete the update process and became unresponsive, forcing competitors to revert the system to its original state at the start of the competition, setting their score back to zero. Once this problem was identified, I investigated and implemented a workaround for future events. However, issues like this can appear unexpectedly due to the dynamic nature of modern operating systems and the competition requirements.
What Went Right
The effort I put into designing the competition scenario, along with my research into vulnerabilities and forensics questions for each system, paid off. This enabled me to produce my own style of competition images that adhered to established competition rules but also allowed for some fun personalization. With my continued investment in the design and testing of virtual machines, the competition seasons were described as some of the best they ever had.
Lessons Learned
It is possible to host your own services, but with this freedom and flexibility comes a significant maintenance requirement and a need for awareness of cybersecurity risks. Even though it's possible to DIY, sometimes it's worth paying to have someone else handle these issues, especially when it comes to the possibility of data breaches and other malicious activity.
Additional Media
Learn more about the competition from the official CyberPatriot website.