
C3X2018 Genesis Review



What a year this has been. C3X2018 "Genesis" just wrapped up on October 24th and I couldn't be happier (and happy that it's over because I forgot what real sleep feels like).

For those of you who have no idea what I'm talking about, the Canadian Collegiate Cyber Exercise or C3X is an event that Ben Wells (@1StealthMove) and I started working on in 2016 and brought into reality in 2017 with a beta run of the event. You can watch the trailer from last year here:



So why did we create C3X at all? Sadly, Canada doesn't have too many red vs. blue, cyber war game type events (at least to my knowledge) and as far as RedBlack is concerned, that's a shame. We have a lot of CTFs and the like, but there's no shortage of those already. We've also come to learn that many students do not get the exposure they need to defending Windows environments and Active Directory, or the chance to put what they've learned in school to the test before going out into the world.

If you have ever heard of the CCDC (https://www.nationalccdc.org/) and the CDX (https://www.cyberscoop.com/inside-nsas-cdx-high-tech-competition-pitting-cadets-elite-attackers/), they were both a source of my inspiration. Having helped out in the CCDC red team a couple times, I really was bothered that we didn't have anything similar up here. So, like Field of Dreams (ugh I'm getting old) "If you build it, they will come" :)

C3X2017 "Beta"

The first run of C3X was hosted at George Brown College in Toronto, Ontario. It involved student teams from Lambton College and George Brown College. There were 10 students per team, a white team made up of a few mentors to help the students along and aid in coordinating the whole event, plus a 5-person red team.

The students walked into an environment I had built for them with zero knowledge of it and had 7 hours to defend it as best they could. We designed the game around an essentially mini, scaled-down Windows enterprise environment consisting of 10 desktops, 5 servers and AD. To help them out, we added some defensive appliances like Security Onion, Microsoft ATA, and a custom ELK stack, along with various scripts and tools for hunting that I personally utilize, on their blue team virtual machines.

We paid for everything out of pocket and asked for no money from anyone, including the sponsors, only their time, and some sent us swag to give away on top. We love and appreciate all of your help.

That being said, the situation described above limited what we could do in terms of size, scale and complexity of the game. So, in preparation for the following year we decided to change up our approach.

C3X2018 "Genesis"

This year we decided to beef things up a bit. 

We created a builders team and formed a meetup with about 20 individuals, who again generously volunteered their time and energy to make this new iteration happen. We gave this year a theme and a scenario, as well as heads-up information, technical specs, diagrams and topologies, and video demos I created for the students on how to hunt down the red team using the provided environment.

We increased the game complexity to 30 desktops and 10 servers, with ATA, Security Onion and HELK. We also set up Windows Event Forwarding for selected logs of interest and aggregated them into HELK (https://www.invokethreat.actor/2018/09/leveraging-wef-and-helk.html) so the students had more tools at their disposal.

The red team was made up of 11 individuals this year. We opened up the event to more sponsors and funding, invited 3 schools with teams of up to 20 students each, and added business inject cases into the game to add context for the students.

What I'd like to do is break down and thank the various teams, volunteers and sponsors for all their efforts:

Student Blue Teams - George Brown, Sheridan and Seneca

First off, this is all about you and built for you. I wish I had something like this when I first started out - so it really does warm my heart so much (I'll be honest, I get a little water in the eyes thinking about it) to see you all come out to C3X.

Some folks had harder days, some days things break and don't work, some teams get hit harder than others; but that's the whole point. We design this to try and take you out of your comfort zone and dial up the stress and intensity of defending against an aggressor. Given that, all participants showed tremendous determination and energy. It was inspiring.

Watching team members communicate with each other was another heartwarming thing to see; teamwork is under-appreciated and sometimes not enough weight is put on how important it is to be able to work together cohesively, especially in a pressure cooker situation.

My hat is off to every single one of you.

White Team

The white team was a mix of our simulated upper managers and executives, blue team mentors and volunteers who helped with everything from setup and tear down to making all three days happen overall.

Without you, C3X would also not be possible. The fact you took the time to hang out in school for 3 days for 10-12 hours in some cases is just incredible and I don't think I can put into words how much that means to all of us.

I value every one of your efforts and input for the game. I hope you all wish to be involved for next year's build and execution.

You are all wonderful people.

Red Team

Oh my sweet red team :)

Thank you all for being there and doing me the honour of being evil for 3 days. I wish I was able to be your captain again this year, but as you could see, it was important I be available to help everyone else as needed - you all did a wonderful job without my full attention.

The students, facial expressions excluded, appreciated all the pwnage you brought upon them. So many laughs and fun times throughout the whole exercise and like everyone else, this would not be possible without your efforts. We almost managed to unlock the blue team door with a hook. So close. Video forthcoming.

It was a privilege and pleasure to have you there. Love you all.

A Special Thanks

It's easy for everyone to look at the part I played in designing and building the game as a massive effort (don't get me wrong, it was) due to the technical nature of everything I needed to implement. But let me be very clear here, none of C3X would have happened in the slightest, if it weren't for Ben Wells (@1StealthMove) from our company essentially organizing and coordinating the entire event.

Without his time, sweat and energy there would be no C3X. If there's anyone you should be thanking, it's him.

Thank you sir.

The Final Thanks

I cannot wrap up this post without some name dropping and very heartfelt thanks to our contributors, sponsors and other mentions that made this all possible. Please follow the folks below since they're all such awesome people. If I've missed you from the list or incorrectly referenced you please let me know :)

An epic sized thank you to:
- Sponsors
  - Ragnarok Digital Security
- George Brown Staff
  - Albert
    - As always, you accommodated beyond our expectations
  - Syrus
    - Thank you for all your assistance with the lab
  - Rick
    - Thank you for helping with issues and playing a role on our white team
  - Jeff
    - Thank you for everything you continue to help us with each year. Means a lot.
- HELK
  - Thanks for the 5am troubleshooting help @cyb3rward0g :)
- White Team
  - Cheryl Biswas - @3ncr1pt3d
  - John Perea - @SecBustersInc
  - Fréderic Dorré - @orange_logger
  - Alp Tanatmis
  - Quang Tu
  - Don Mallory - @MonochromeAttic
  - Rick Mahadeo
  - Chris MacPhee - @Drag0nFox
  - Ryan Boroumond
  - Kim Crawley - @kim_crawley
  - Jeff Lubetsky
- Red Team
  - Jose Sanchez - @el_infector
  - Brendan Hohenadel - @bhohenadel
  - Paul Lariviere - @dcept905
  - Alana Staszczyszyn - @cubes_n_spheres
  - Amadeus Konopko - @AmadeusKonopko
  - Corey Chambers - @OratorioNumber8
  - Nadia Hassaan
  - Dave Storie - @seeonedave
  - Harun Fetic - @SnkyBruslSprout

We'll see you next year!!




- ITG
