Another element that has gained in popularity over the years at the CCDC event is the practice of performing incident response. Student teams can reclaim some of the points lost due to a system compromise by collecting and documenting a concise incident report of the event. The incident reports also act as a training tool, helping the students understand proper forensic techniques and what to look for on a compromised machine. The end result is an incident report that can be used by management and law enforcement. That's right—law enforcement!
A mock law enforcement group is at the Blue Cell students' beck and call to help facilitate the arrest of Red Cell members believed to have compromised systems, performed attacks against their environment, or committed other inappropriate acts. If the students have done a thorough job of documenting an incident, the law enforcement team will find the culprit and conduct an arrest. An arrest in the CCDC event means that the Red Cell team member(s) must stay out of the competition area for a defined period of time.
Knowing that numerous Blue Cell teams had witnessed the emptying of their Med Kits, the Red Cell braced themselves for the incident reports and arrests that would inevitably ensue. Several hours after Red Cell had conducted their raid, a small contingent of mock law enforcement officers came to impose the arrests with incident reports and warrants in hand. While this role-playing game adds entertainment to the event, it also acts as a tremendous training tool for the student teams.
Students learn that incident response is extremely complex and is not just about the technology that has been affected. Students also learn that proper planning and precautions were necessary before the event. In this case, the proper configuration of systems and logs was necessary to tie the intruder who compromised the back-end support systems for the Med Kits to the individuals who were witnessed taking the medicines from the Med Kits. Student teams that recognized the importance of proper planning for unforeseen events were successful in getting an arrest imposed, while those teams that did not properly plan struggled to gather the required evidence and materials to support an arrest.
It is this type of education and experience, which the CCDC events provide, that cannot easily be taught in a classroom. The students get to learn from their mistakes in an exercise environment and come out better prepared when faced with a real incident that requires the cooperation of law enforcement.
As a sixth-year veteran of the Mid-Atlantic CCDC events, I've had the distinct pleasure of watching the event grow over the years into something that is both unique in its delivery and an excellent learning tool. What once was a little-funded event has grown considerably as sponsors and hiring institutions recognize the value and education that can come from the event. Students use the event not only to learn what it takes to be successful in the information security industry but also to understand the commitment involved in a job that will most certainly require lifelong learning and a willingness to adapt to change.
Students also learn the challenges of having to manage highly complex systems while at the same time juggling the daily demands of the business. It is these fundamental experiences that are so difficult to teach in a classroom environment but so easily delivered in a hands-on exercise.
When everything is said and done, I believe it is the companies and the information security industry itself that benefit from the CCDC events. The CCDC events help mold students who ultimately will bring their experiences and honed skills to a workforce that is under constant attack by both internal and external threats. I once heard someone say that theory and studying are valuable, but nothing beats hands-on experience, and it is exactly that which the CCDC events deliver to the information security professionals of tomorrow.