Once hacked, the teams had to consider several questions. What should they do? Who should they call? What evidence did they need to prove the attack happened? Unfortunately, many IT professionals with years of experience do not know the answers to these questions. As a result, when an incident does occur, the attacker often goes unpunished — even if everyone knows who did it.
For this reason, the CCDC incorporates an Incident Reporting feature into the games that serves several purposes. The first and foremost is that the students become familiar with basic incident handling procedures. For example, knowing what constitutes a reportable intrusion, having some idea of who to call, being able to provide the necessary information, and understanding how to treat the "evidence" are all integrated into the event.
To assist with the incident handling training, and to help make the reporting a bit more realistic, the US Secret Service donated two agents to review and evaluate the incident reports. This reality factor is an excellent example of what the CCDC seeks to accomplish. Not only do students learn first-hand how to handle an attack, but they are able to interact with real agents — a valuable experience on many levels. In Figure 4 you can see the two USSS agents discussing a break-in with one of the students.
Figure 4: US Secret Service in Action
As can be expected, learning the proper reporting procedures took some training and practice. The first and most important lesson that the students learned was that detecting an attack is not enough. Granted, you might know that your web page was defaced, but can you prove it? Just seeing the words "You are owned" on your main web server is not enough to convince anyone that a hacker really got into your system. You must have irrefutable proof. Unfortunately for the students, the red team's first action in most cases was to disable all logging and to wipe any existing logs that might be on the system. Sadly, this is a real-world example of why hackers often go free. If a team had had a sniffer enabled or a monitoring system in place, they would have been able to show who had actually attacked them. One item I would like to have seen was some forensic analysis integrated into the workshop. While doing low-level file analysis was beyond the time restrictions of the game, it would have been nice for the students to see the types of activities that investigators have to go through to properly analyze a compromised system.
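The lesson above, that logs kept only on the compromised host can be wiped and then prove nothing, is easiest to see with a tamper-evident log. The following is an added illustration, not code from the CCDC or from this article: each record commits to the hash of the previous one, and the newest hash is assumed to have been forwarded to a separate collector, so a wiped, edited, or truncated log on the host no longer matches what the collector holds. The log lines are constructed for the example.

```python
import hashlib

GENESIS = "0" * 64  # chain anchor before the first record


def chain_hash(prev_hash: str, line: str) -> str:
    """Hash of this record bound to the hash of the record before it."""
    return hashlib.sha256((prev_hash + "\n" + line).encode()).hexdigest()


def append(entries: list, line: str) -> str:
    """Append a record and return the new chain head (to be sent off-host)."""
    prev = entries[-1][1] if entries else GENESIS
    head = chain_hash(prev, line)
    entries.append((line, head))
    return head


def verify(entries: list, trusted_head: str) -> str:
    """Return 'ok', or describe the first problem found.

    trusted_head is the last chain head the off-host collector received;
    it is the evidence the attacker cannot erase by wiping the local log."""
    prev = GENESIS
    for i, (line, head) in enumerate(entries):
        if head != chain_hash(prev, line):
            return f"entry {i} modified or removed"
        prev = head
    if prev != trusted_head:
        return "log truncated: newest entries missing"
    return "ok"


# Constructed sample records in the spirit of the competition scenario.
SAMPLE = [
    "2005-04-01T14:02:11 sshd: Accepted password for www from 10.0.5.7",
    "2005-04-01T14:03:40 httpd: PUT /index.html from 10.0.5.7",
    "2005-04-01T14:04:02 syslogd: exiting on signal 15",
]


def demo() -> tuple:
    """Intact log, log with the last line wiped, log with the source IP edited."""
    log = []
    for line in SAMPLE:
        head = append(log, line)  # each head would be forwarded to the collector
    wiped = log[:-1]
    edited = [(l.replace("10.0.5.7", "127.0.0.1"), h) for l, h in log]
    return verify(log, head), verify(wiped, head), verify(edited, head)
```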