CDX

The Cyber Defense Exercise was an annual competition sponsored by the Information Assurance Directorate of the US National Security Agency that challenged a number of undergraduate institutions to design, implement, and defend a computer network against attack. The NSA built the backbone exercise network and scoring infrastructure, acted as the competition referee, and fielded a red cell with the task of compromising the confidentiality, integrity, and availability of the competitors' networks.

2017 Competition

Overview

The Exercise Directive describes the 2017 CDX. The 2017 CDX took place during the course of one week in April.

Event Date Time
Availability scoring began April 10, 2017 1400
Attacks and confidentiality/integrity scoring began April 11, 2017 0900
Scoring ended April 13, 2017 1600
All times are in Eastern Daylight Time (UTC−04:00).

The US Military Academy team network spanned 28 virtual machines, and it included servers, management workstations, and user workstations; four network devices; the CentOS, FreeBSD, Ubuntu, Windows 7, Windows 8, and Windows 10 operating systems; and a range of software services.

Some of these files are rather large and thus take a long time to download. We can mail this data set to you for the cost of shipping plus a 150 GB drive.

Results: 2017-CDX-USMA data set

Here you will find data collected by the US Military Academy team during the 2017 CDX. We granted these data into the public domain. Please refer to this data set collectively as 2017-CDX-USMA and consider acknowledging the authors: W. Michael Petullo, Ben Klimkowski, William Clay Moody, Joshua Bundt, and Michael Kranch. We could not have collected these data without the efforts of the cadets of the US Military Academy team, our fellow competing teams, and the NSA CDX team.

Network diagram
Noah Ogrydziak maintained our team's CDX network diagram. The first page of the diagram contains a summary of each of our team's subnets. Subsequent pages provide details such as IP addresses, gateway IP addresses, netmasks, and so on.
Packet captures; compressed size: 37 GB; SHA-256: e4eaec0e05d79be21ee4306f5dfe446accd138e8a5e28d20ae9d9727d92ef1a3
This data set contains packets captured by a sensor the team installed during the CDX. The capture is not complete with respect to time, but it contains all of the packets transmitted within the team's subnet during the periods the sensor was active.
Consolidated event logs; compressed size: 959 MB; SHA-256: 7dc9386eac72a8b10c105180e4804cd99f4b0d4a3c7989f383ecdbb0947a9754
This data set contains all of the log data collected by the team's centralized log system. This includes VisorFlow logs; Unix system logs; logs from applications such as lighttpd, squid, postfix, dovecot, and bind; Windows events; and Bro logs.
Recorded compromises
The NSA provided a time-stamped list of instances where a token agent detected token modification or the red cell reported a token back to the white cell. We provide these records here as comma-delimited text.
DNS blacklist
We developed a heuristic during the CDX to determine which domains to blacklist in our DNS server. This list contains these domains.
Squid blacklist
We developed a heuristic during the CDX to determine which URLs to blacklist in our Squid proxy. This list contains these URLs as regular expressions.
Firewall blacklist
We developed a heuristic during the CDX to determine which URLs and IP addresses to blacklist at our firewall. This list contains these values.
Gray-cell disk images
These disk images contain malware, so you should analyze them with care. We distribute these images as QCOW2, a sparse disk image format. The qemu-img utility is one tool that can convert this format into others, such as VMDK or raw.
Host Pre- and Post-CDX links; compressed size; SHA-256
Alpha
(Ubuntu)
Pre-CDX; 7.5 GB; e84d6be77e85cc555ab7c637e75430e4b89d582d323b46bff7b91489c04459b3
Post-CDX (/); 5.4 GB; a2d3aaac3426273699defc78916fa48c64f61c31ec12a56365325b8b622ac312
Post-CDX (/home); 353 MB; b42ae5c9c51bdc35c0c4ae0a38fdcf0cc25653e40fff6d709e61d9b3521175db
Beta
(CentOS)
Pre-CDX; 17 GB; 42f5fe5bdc0579a4e89677486ead0288021773aea3d27f546401494ca3363eac
Post-CDX (/); 9.7 GB; cf70b6c6f5a748590f37f8b98bfc86c29fd8a8347bf7459c8b8e814c3a0199f9
Post-CDX (/home); 103 MB; 6c47f178c3d800831b25e0f099e8d9c21f07e58629cca04dc0800bae9ee1882e
Post-CDX (/tmp); 128 MB; 38d469449235498367b38ed92f4b77f02701b4711dc13b4c8b4d4a0e5469e7eb
Delta
(Windows)
Pre-CDX; 5.4 GB; 97fbc4918840cb21f90e11dfed45cd78687e8cd2136ed3fbf053fdb2f528cd36
Post-CDX; 26 GB; 42ad8423b623131c6ec236c37a4fa736b53d77edace9ce8442fecf479753d519
Gamma
(Windows)
Pre-CDX; 5.7 GB; f13b994ea91aa5a05220f357a4489a389557f5600d89b3a5eb1bd508cbf0149f
Post-CDX; 31 GB; 873231111bfc7d3192dc566f122bba3d689ac12323b083e3faa629c92242c1a7

2016 Competition

Overview

Six documents describe the 2016 CDX:

The 2016 CDX took place during the course of one week in April.

Event Date Time
Availability scoring began April 11, 2016 1600
Attacks and confidentiality/integrity scoring began April 12, 2016 0900
Scoring ended April 14, 2016 1600
All times are in Eastern Daylight Time (UTC−04:00).

The US Military Academy team network spanned 27 virtual machines, and it included servers, management workstations, and user workstations; four network devices; the CentOS, FreeBSD, Ubuntu, Windows 7, Windows 8, and Windows Server 2012 operating systems; and a range of software services.

Some of these files are rather large and thus take a long time to download. We can mail this data set to you for the cost of shipping plus a 300 GB drive.

Results: 2016-CDX-USMA data set

Here you will find data collected by the US Military Academy team during the 2016 CDX. We granted these data into the public domain. Please refer to this data set collectively as 2016-CDX-USMA and consider acknowledging the authors: W. Michael Petullo, Kyle Moses, Ben Klimkowski, Ryan Hand, and Karl Olson. We could not have collected these data without the efforts of the cadets of the US Military Academy team, our fellow competing teams, and the NSA CDX team.

Network diagram
Austin Herrling maintained our team's CDX network diagram. The first page of the diagram contains a summary of each of our team's subnets. Subsequent pages provide details such as IP addresses, gateway IP addresses, netmasks, and so on.
Packet captures (April 4, 2016–April 24, 2016); compressed size: 130 GB; SHA-256: 892a4201689b025182ccb294713ef4c3ce2b3810126758e622a725ef5f4b202b
This data set contains packet captures collected from three Security Onion sensors that the team installed during the CDX. The sensor on eth1 captured packets from outside of our core firewall (between the firewall and external network in the diagram above), the sensor on eth2 captured packets from each of the ports on our main switch (all internal subnets except for the subnet labeled gray), and the sensor on eth3 captured packets from our end-user subnet (gray subnet).
Consolidated event logs (April 8, 2016–April 14, 2016); compressed size: 157 MB; SHA-256: 6533be7e69739f4fc2c082dfbe5d37d7487007d25a9687a71628b38006fa74f6
This data set contains all of the log data collected by the team's centralized log system. This includes Unix system logs; logs from applications such as lighttpd, squid, postfix, dovecot, and bind; Windows events; and NetFlow records. The data set contains 15,455,997 records and is formatted as comma-delimited text.
Recorded compromises
The NSA provided a time-stamped list of instances where a token agent detected token modification or the red cell reported a token back to the white cell. Much of these records are duplicate reports; nonetheless, these data should contribute to the understanding of our packet captures. We provide these records here as comma-delimited text.
DNS blacklist
We developed a heuristic during the CDX to determine which domains to blacklist in our DNS server. This list contains these domains.
Squid blacklist
We developed a heuristic during the CDX to determine which URLs to blacklist in our Squid proxy. This list contains these URLs as regular expressions.
Firewall blacklist
We developed a heuristic during the CDX to determine which URLs and IP addresses to blacklist at our firewall. This list contains these values.
Gray-cell disk images
These disk images contain malware, so you should analyze them with care. We distribute these images as QCOW2, a sparse disk image format. The qemu-img utility is one tool that can convert this format into others, such as VMDK or raw.
Host Pre- and Post-CDX links; compressed size; SHA-256
Alpha
(CentOS)
Pre-CDX; 6.6 GB; ff1f813cd1c4add99653a8ff05c1f9933d1780275b5ce1052156abacef301193
Post-CDX; 5.9 GB; 8af7d29d15b83ca223523f63c76cc576ef4ea73410e0b82701fb28e99e36291d
Beta
(Ubuntu)
Pre-CDX; 2.7 GB; e6d21c1da2038a878989eae1d9878ead8622c48bf9d2c3d6f0ec48a0cf9aa58c
Post-CDX; 2.7 GB; 7bf9cacae4470d2be09eb94c894dda74a5b1fbf3c4d71ba2f9ad6238b359784d
Delta
(Windows)
Pre-CDX; 8.6 GB; 73fad8823febd6118a9da2435796baf4a4d7069aed00f62bddd089f53074b512
Post-CDX; 49 GB; d203014b975f762b1d122495d5f8ed609a04bc0103683727c6f6e2d38da036b4
Gamma
(Windows)
Pre-CDX; 11 GB; 9ea928b82dcdd0e87d0166291c4ac84cea6e6685f786f1b162294c8d32bde6ef
Post-CDX; 53 GB; 1106f8b2d983b98868d94dc2731669be898a47e2edb0c6f4741c30e1c10c1ac5
(2016). Studying Naive Users and the Insider Threat with SimpleFlow. Proceedings of the 8th ACM CCS International Workshop on Managing Insider Security Threats.

PDF

(2016). The Use of Cyber-Defense Exercises in Undergraduate Computing Education. Proceedings of the 2016 USENIX Workshop on Advances in Security Education.

PDF