Public Info Menu

Skip Search Box

Cyber Defense Exercise 2012 Video Transcript

((Pensive piano and strings music))

VOICE OFF SCREEN: Battle stations everyone.

JOHN CHRIS INGLIS, NSA DEPUTY DIRECTOR, NSA: We're not just fighting a kinetic war but we're actually in the midst of a cyberwar. That's why you're here. You could have done a lot of other things, but I assure you that there's no greater outcome that you could commit yourself to than the stuff that we do here.

((Piano and strings continue to play))

Go to town. Make them shake.

((Music builds))

All is quiet on the Western Front but we don't know how long that's going to last.

((Music continues))

VOICE OFF SCREEN: So they're hitting it.

VOICE OFF SCREEN: Did you make the website?

FRANTIC VOICE OFF SCREEN: I need you here now!

VOICE OFF SCREEN: They're trying to hit our web server pretty good. If there's any SNORT or BARNYARD issues we've got a problem.

VOICE OFF SCREEN: Stay Vigilant! I need confirmation that that was five. Ohhh snap! We have a full XE... DGPC one G. Awww F--

((Ominous drum beats))

My name is Marc Abbott. West Point 2009. I participated in the CDX for 3 years.

...Connect into the web server on HTTPS. It failed for some reason. What CDX taught me is we had to work together. You had to plan in advance. You had to be ready for everything.

((Guitar begins new music))

FEMALE VOICE: We spent the last quarter building a network and now the NSA gets to take a crack at it. Can they get in, and once they're in how fast can we get them off.

((Music continues playing))

MALE VOICE OFF SCREEN: Teams from the different service academies, as well as a Canadian team and some post graduate schools create a network.

((Music continues playing))

It's going to be a big work weekend this weekend making sure everything is good to go. Game on. We're just trying to get everything working. If we can beat AFIT I'll be happy. It's going to get pretty ugly soon though.

The Gray Cell definitely is a different challenge that we have to face.

We really have to watch them and see that they're not opening up anything malicious. Coast Guard is going to win this year. We've got Kenny.

Kenny is kind of our go-to-man. The brain-trust of the whole network. He is one of the best with computers out of the Electric Engineering major.
Sir- we've got too many ones and not enough zeroes. Oh. Kenny's been at a SANS course this past week so that's had kind of an impact on what we're doing. It'd be nice if he was here. We're doing the best we can. So close.

((Music ends))

NSA PRODUCER: What was it like to lose to Army by such a close margin last year?


((New music begins))

ECHOED MALE VOICE: The academy winner in 2011 for the Cyber Defense Exercise is... The United States Military Academy at West Point.

((Cheering from West Point CDX Team 2011))

I'd have to think a little bit to be diplomatic on this one... um...

((New music continues))

Needless to say I was a bit let down when we found out we didn't win but putting that behind us, it's water under the bridge and we are just working hard to try to make sure that we're prepared for this year.

MALE VOICE: We won 6 out of the past 11 years and it'll be 7 out of 12 pretty soon so there's not much to lose sleep over.


...not much to lose sleep over...

((Music ends))

((Ominous drum beat))

Good afternoon and welcome to the 12th annual Cyber Defense Exercise. My name is Debora Plunkett and as the Information Insurance Director here at NSA, it is my great pleasure to kick off our 12th annual Cyber Defense Exercise.

Let the games begin.

((Ominous drums continue))

((New music begins))

MALE VOICE: Of course we're going to win this year.

MALE VOICE: Oh, we're absolutely going to win this year. We have it in the bag. Ahhh we'll see. It's still early. Uh you know, to all those competing against us, good luck. You're going to need it. We don't want to be last. No way.

ABBOTT: You know, you prepared for months. There's always that feeling "Did I miss something?" They're coming at you and this is game time. So normally what we do is we start off slow. We're not doing that this year. So uh, at about 10 o'clock this morning we activated a message that told all of our Windows pre-planted malware to start calling back to us...

...and the lucky winner of the school this year that was the first to call back was...

((Fast drum beats))

We may have left a huge gaping hole in our firewall. That's the dumbest thing I've ever heard. We've lost 75% of our points from our token agent from Gray Cell already, right?

((Music speeds up))

I understand what you're saying. Allow everything out on all ports also allow out 80 to this and 80 to this and - I understand what you're saying. Like all connections out are valid. That's explicitly what I was told to do. I had it the other way and they said change that. But it - so wait...


I guess they have won.

((Music intensifies))

This morning we, uh, thought we had our proxy locked down and that uh we basically could regulate all of the traffic that is coming out of our Grey Cell users with that and that actually completely backfired.

((Music intensity ends))

We're not getting near as many callbacks as we should right now so far it's only been West Point. But yeah, we did get the number one school from last year so we're feeling pretty good about that right now.

MALE VOICE: Let's go ahead and see if we can allow explicit hosts for passive and then as those FTP tests fail, we'll knock them out and redo them. Enter, enter.

((Music Continues))

When you mess something up then you have to pay for it. It hurts, but you just have to kind of bounce back and keep going. They have won the last- what did they say this morning? 6 out of the last 11 years or something crazy like that. Oh hey, Air Force. Okay, alright. Alright, we'll see. It's day one.

((Ominous drum beats))

((New intense music))

Josh, I need you here now. White Cell and Commander dot P7B are files and our Gray Cell Dot P7B is a directory.


((Intense music continues))

Everybody was coming online at about the same time. We had to make sure that connectivity issues weren't our fault or maybe they were our fault and we had to fix them.

Our FTP proxy is too slow. If this is protecting us from Red Cell doing something... may be worth it.

We can make the rules to go to just each individual IP address. We lose a lot when we do that. Because now FTP is an unconstrained exfiltration channel for Red Cell. That's true.

((Intense music stops))

MALE VOICE: We didn't sleep at all Monday night!

((Guitar plays slow music))

ABBOTT: You're sleep deprived, and you haven't slept all weekend and you've been working on one computer and one service for a month. Delirium.


((Slow music continues playing))

NSA has managed to compromise two of our workstations pretty much completely. Our domain controller doesn't work which isn't helping us control the workstations which are actively getting owned by Red Cell. It's more like warfare against ourselves so far. Right now it's okay. They haven't really broken into any of our servers. That we know of. Oh god. That's a big one. Well we were having a lot of problems with the scoring. Both the tokens and the, um, what's the other one? Can't even remember. It's been a long day. We're still not last, which is pretty good feeling. We're beating Navy whose strategy seems to be pretty "My Little Pony" uh oriented.

((Alternative rock music begins))

Everyone is in to the ponies, they just don't know it yet.

NSA PRODUCER: Which one is that?

NAVY PARTICIPANT: Thisis Princess Celestia.

NSA PRODUCER: Princess what?

NAVY PARTICIPANT: Celestia. PWNIES is like POWNING or to hack a computer. So in the internet subculture, on a lot of hacker forums you have the "ponies"... just playing on the word "Pwoning". They're just saying "hi" to everyone on the outside world. "Hello Red Team".

RED CELL: You're Pwond again. If you'd like to take a look up here um... we have one of the systems from Navy and it looks like they have antivirus installed which is not allowed during this competition. White Cell was actually like "Hey, so you have an antivirus going on" and we were like "Oh..."

So it's kind of just like "surprise!" And it decided to make itself act as a service and we have some issues getting that service off now.

((Music Ends))

NSA PRODUCER: So what's the resolution for something like that?

NAVY PARTICIPANT: Pray. Pray a lot.

((Ominous drum beat))

ABBOTT: The most glaring gaps in vulnerability will be obvious the first day. So that first day is "What did we miss?" And then once you clean it out "Okay, when is the next trap going to spring?"

((New upbeat music))

Everything is working exactly as expected so far. That's probably the biggest surprise.


NSA PRODUCER: So tell us what you just did there as far as AFIT. Rapheal Mudge was able to get a java implant into the boxes of AFIT 1 and AFIT 2.

((Music continues)) We've got the first java inject. Here it comes.

MALE VOICE: We know that all of the workstations are infected with this. All of the malware is coming from there.

What we're trying to do right now is actually escalate those privileges into something more meaningful that we can actually utilize.

They're calling out on Port 53 now. 70 to Good luck. I'm just giving you a heads up, they're trying.

We're freaking out right now, but our systems are working. Our firewall has got it, don't worry about it. It's a beautiful thing. Great success.

ABBOTT: There's the old saying: "A soldier's life is sheer boredom punctuated bymoments of sheer terror."

((Ominous drum beats))

((New music))

So today's Wednesday and it's going really really stressful. Oh, I can play f------ freecell instead of getting there and watching their logs.

Our network monitoring team wasn't monitoring the network.

The assumption is no longer "everything I'm doing is working we're good". The assumption is now "everything is broken let me ensure that it's fixed."

Yeah that pretty much sums it up.

((Music continues playing))

MALE VOICE: So far there are a few schools that have been hit pretty badly. Uh the Naval Academy for example.

I think it's going pretty well. I feel great right now. I am fully aware of what's going on and I no longer have my splitting headache. Air Force has a huge lead on us right now. Army- I think we're catching up to but so hopefully we'll be either really close to them or ahead of them by the end of the day.

MALE COAST VOICE: I don't really think they've gotten into any of our servers. So things aren't so bad. Because we're awesome.

Coast Guard is pretty vulnerable right now. We have a couple implants in several of their boxes and we're working right now to maneuver through their network. So there's still a lot to do, if you will.

ABBOTT: If you look to the scoreboard you see your number either go higher or lower, there's different levels of panic.

((New music begins))

We're also going to dump the General's Laptop on them today. The General's Laptop is a virtual machine that was sent to us by the "Department of Defense".

MALE VOICE: General is coming, he wants to get on, you got to do it. You have this amount of time. I am over here setting up the General's Laptop. The idea is by 11:30 we should have this up and running. It's meant to replicate a surprise visit from a General. We're going as fast as we can. The General's Laptop is infected with all sorts of stuff. What the hell has happened to this mouse?

What the hell is happening?

Each one of those costs us 200 points. So it's not going so smooth. We're supposed to be up and running at 1:30 but, uh, I don't think we had email working until about almost 3:00. We ran a lot of tests, we were pretty thorough. So we should be good. Probably within half an hour of setting that laptop up uh we got hit for our confidentiality. So that gives us more hooks to get in. I love laptops. I mean add more stuff to the network, it's more for us to attack.

We had to really scramble to get that set up. We didn't have any time at all to even breathe before we got that thing up and running. I don't think I cleaned it up very well. I did my best but... c'est la vie.

Our team is athree-prong team. And right now the Food Team is probably doing the best out of all three. You can't expect to do good work without good food.

((Guitar begins playing))

The Army has always run on a diet of typically cigarettes and coffee. Now we're trying to make sure that we have a more healthy approach. Teryaki Chicken shish kabob with pineapples, onions, peppers, and mushrooms. I'm trying to, trying to get together a uh a pulled pork for dinner tonight. I've got steak right here. How can you lose when you're cooking pulled pork, steak and ribs? I mean, it's hard not to win.

This is the next 12 we're putting on right now. Barbecue, chili powder, of course you have to have garlic with just about anything you make. A whole pan of ground beef, we're going to throw on the grill and season here in a couple hours. So just hoping to keep it up, fill my boys' stomachs and to make sure that Air Force is looking like that pork roast downstairs-good and broken.

((Music ends))

Today we're working on USAFA. We're making some pretty good progress. We're throwing just tons of packets at them trying to confuse them but they're doing a great job, I have to admit.

((New music begins))

The biggest threats that we face from Red Team tend to involve malware. We are working on a cocktail.

We actually have a member of the team who's really good at malware analysis and reverse engineering.


Hey Luke! He's like right there. Oh sorry, there you are...




Every single time we get something, we just go grab it and send it to him. He reverse engineers it, tells us where it's trying to dial home to, and we can block it on the firewall as malicious.

...And it has all of their exploits. We stumbled upon this website that happened to have every single bad thing that Red Cell had prepared for us that day. There we go, now we're going. Okay. And so we're just downloading all of the malware that they were going to send us?


Uh- Red Cell I guess got lazy and didn't lock down the directory. So as soon as we saw that, we immediately grabbed everything from there as we could and we sent it over to Luke. I'm actually still figuring out the evilness but we've already told the IPs to block for the dial backs. Once we protected against those attacks, about half an hour later we could see those attacks getting thwarted at the firewall. We do feel special.

((Music Ends))

((Ominous Drum beat))

((New music begins))

Air Force has not had a significant breach of their network yet. Who do you think the Red Cell is going to be targeting today?

I think Red Cell's strategy is: "Get Air Force."

NSA PRODUCER: Who's doing really well?

RED CELL TEAM LEAD: USAFA. USAFA is doing really well. And they are still the only ones that we haven't scored a token on. Which is unfortunate. Multibrowser explains... Actually, actually just the Air Force Academy is the only school we have not been on their computers yet. So our Thursday morning report is all quiet on the western front, but we don't know how long that's going to last. So allegedly uh Air Force has been defaced. Via their webpage, we decided to change some stuff.

Do you know how to do a proxy?


There's ping session and there's hover-over. Yeah I think that that's bad.

They have a nice little picture of Justin Bieber. Hold on. Saying that is who they're fighting for. Don't worry about it. So we're actually looking at our web server to make sure that that has not happened to us. I think we're alright.

((music ends))

((New music begins))

My name is Marc Abbott, West Point 2009, and now I'm on the other side, Red Cell. It's quite a change. Our website was calling out to a website looking for a file. It ended up being a PDF file with an embedded piece of malware in it.

(slyly) Devilish. So it's a form of attack called cross-side scripting. So they were able to modify our page when clients went to it. Air Force forgot to clean it up. Hole. Owned. Just like that. I'm not really a fan of Justin Bieber, especially on my website.

The fact that it happened, while it was amusing to us, it taught them how to do this right. So when they go out and they become administrators if they're defending a network, they know how to stop it in the future. They will never, ever forget that. Clever little monkeys.

((Music Ends))

The actual web attack itself uh is a lot of fun it's very visual. Uh but where the scoring will be hit is when people go to their site, whatever university whatever school goes to their site, will be subjected to the same malware. We've got some malware on these things that are just hammering our proxy server and web server and we're trying to get it to stop.

((New music continues playing))

They hacked the forum. Our webpage is down right now so we're rebooting it.

Black screen reboot.

The web is not 100 percent available so that's an availability issue. So we're trying to figure out why that is. Hello Red Team. Doing good, doing not as bad as the other teams but not too good either. You should check out West Point.

They tried to pull our password file off our web server using like cross-side scripting but it failed.

We're in third still. Yeah. We are about 10 points off Army. Almost exactly 10 points. Now it's just a matter of waiting and hoping that something terrible happens to one of the other teams. I mean we're in last by far.

VOICE OFF SCREEN: USAFA is spanking Army! To tell you the truth, it's too close to call. I know AFIT 1 has done really well so they're a little ahead of us. The token agent was just, it's simulating that we were rebooting when we weren't. We lost a lot of points. They're doing exactly what I expect them to do. I'm going to have them browse to that page. That's, just throw everything at us all at once and see where it gets.

((New music begins))

Oh they're still trying. That's good.

I'm really tired.

I just want to go to bed.

I haven't slept.

VOICE OFF SCREEN: Just over 10 minutes.

VOICE OFF SCREEN: Stay vigilant, 5 minutes.


15 seconds.

10 seconds. 9...8...

The CDX victory for USAFA would mean a lot to all of us.


We're confident that we're going to beat everybody else.


A loss would be devastating.


End Ex.

Happy ending.



I'm not kissing you! I'm not kissing you. No.

((Ominous drum beats))

Towards the end of the exercise we got a notice from White Cell headquarters saying that Air Force's availability scores had been more than twice what it should have been.

...They're going to go

down from what they are...

VOICE OFF SCREEN: Hell yes! And we're going in to go fix it, they have too many points right now that they shouldn't be having. So that's going to drastically change their final scores. They went from about 75 percent down to 35 percent.

I see nothing different.

((Single ominous drum beat))

((New music building))

((voices from a speaker phone))

IAD DIRECTOR DEBORA PLUNKETT: Welcome everybody back again. This is Debbie Plunkett the Information Insurance Director. I'd like to start off by thanking all of you for participating in the CDX this year. You are the next generation of cyber warriors. And you are leaving this exercise we believe better prepared for the realities that await you. So now a drum roll...

This year's winner of the graduate schools is AFIT 1. Congratulations. Whooo! Yeah!


Next the finalist between the service academies, again it was a wonderful wonderful race all week, and this year's winner is...

US Air Force Academy. Congratulations!

((Wild Cheering))

I think the real key to our success this year was we all worked together really well. Everybody this year did their job on the team keeping the Red Team at bay and taking the punches that we got so I'd say that was the real key. We were able to capture malware that NSA was sending to us and reverse engineer it. It was absolutely an amazing job by our forensics team. What I think won this competition was availability and having really good solid connectivity and that is something that Air Force continued to do better than us and any of the undergraduate institutions.

((roar of jet planes))

The airplanes that just passed by were 20th century warfare, but cyber is going to be 21st century warfare.

((Music ends))


Date Posted: Nov 27, 2012 | Last Modified: Nov 27, 2012 | Last Reviewed: Nov 27, 2012