Cyber Defense Exercise

The CDX is an annual competition sponsored by the Information Assurance Directorate of the US National Security Agency which challenges a number of undergraduate institutions to design, implement, and defend a computer network against attack. The NSA builds the backbone exercise network and scoring infrastructure, acts as the competition referee, and fields a red cell with the task of compromising the confidentiality, integrity, and availability of the competitors' networks.

2017 Competition

Overview

The Exercise Directive describes the 2017 CDX. The 2017 CDX took place during a one-week competition in April.

Event                                                Date            Time
Availability scoring began                           April 10, 2017  1400
Attacks and confidentiality/integrity scoring began  April 11, 2017  0900
Scoring ended                                        April 13, 2017  1600
All times are in Eastern Daylight Time (UTC−04:00).

The US Military Academy team network spanned 28 virtual machines, and it included servers, management workstations, and user workstations; four network devices; the CentOS, FreeBSD, Ubuntu, Windows 7, Windows 8, and Windows 10 operating systems; and a range of software services.

Some of these files are rather large and thus take a long time to download. We can mail this data set to you for the cost of shipping plus a 150 GB drive.

Results: 2017-CDX-USMA data set

Here you will find data collected by the US Military Academy team during the 2017 CDX. We have placed these data in the public domain. Please refer to this data set collectively as 2017-CDX-USMA and consider acknowledging the authors: W. Michael Petullo, Ben Klimkowski, William Clay Moody, Joshua Bundt, and Michael Kranch. We could not have collected these data without the efforts of the cadets of the US Military Academy team, our fellow competing teams, and the NSA CDX team.

Network diagram
Noah Ogrydziak maintained our team's CDX network diagram. The first page of the diagram contains a summary of each of our team's subnets. Subsequent pages provide details such as IP addresses, gateway IP addresses, netmasks, and so on.
Packet captures; compressed size: 35 GB; MD5: 9a8d0d85d18e46ec4e2c1305bcd75d60
This data set contains packets captured by a sensor the team installed during the CDX. The capture is not complete with respect to time, but it contains all of the packets transmitted within the team's subnet during the periods the sensor was active.
Consolidated event logs; compressed size: 1.3 GB; MD5: 166852ff9644696ac9613938316c7185
This data set contains all of the log data collected by the team's centralized log system. This includes Unix system logs; logs from applications such as lighttpd, squid, postfix, dovecot, and bind; Windows events; and Bro logs.
Recorded compromises
The NSA provided a time-stamped list of instances where a token agent detected token modification or the red cell reported a token back to the white cell. We provide these records here as comma-delimited text.
DNS blacklist
We developed a heuristic during the CDX to determine which domains to blacklist in our DNS server. This list contains these domains.
Squid blacklist
We developed a heuristic during the CDX to determine which URLs to blacklist in our Squid proxy. This list contains these URLs as regular expressions.
Firewall blacklist
We developed a heuristic during the CDX to determine which URLs and IP addresses to blacklist at our firewall. This list contains these values.
Gray-cell disk images
These disk images contain malware, so you should analyze them with care. We distribute these images as QCOW2, a sparse disk image format. The qemu-img utility is one tool which can convert this format into others, such as VMDK or raw.
Description                     Link; compressed size; MD5
Alpha, the Ubuntu workstation   Pre-CDX; 7.8 GB; e584346c1cb114e4c48cf53c67f499f7
                                Post-CDX (/); 5.8 GB; f48bbbb16c208b9f753f2a11dca10a04
                                Post-CDX (/home); 438 MB; 69f38c1a08f1f65ea5882bdf61f94282
Beta, the CentOS workstation    Pre-CDX; 17 GB; 70b02b17e38560c397b01d4085dec939
                                Post-CDX (/); 9.9 GB; ac88db8b5a2d2bf1ec9db1f819c15556
                                Post-CDX (/home); 111 MB; 52a0b1809fde46b2ea93b855c604ad0d
                                Post-CDX (/tmp); 133 MB; 4f80bbc0d9eff5f1d83518fc63c75b6c
Delta, a Windows workstation    Pre-CDX; 5.7 GB; 6f5f474549fb6b67f2bfb6651a800090
                                Post-CDX; 27 GB; f163a298be8a6691fa7e42812827abd5
Gamma, a Windows workstation    Pre-CDX; 5.9 GB; 3f2980138ee4b0f52d9319d45fbcaeef
                                Post-CDX; 31 GB; b0fe8b642f813a35616bf660ae7f45c7

2016 Competition

Overview

Six documents describe the 2016 CDX:

The 2016 CDX took place during a one-week competition in April.

Event                                                Date            Time
Availability scoring began                           April 11, 2016  1600
Attacks and confidentiality/integrity scoring began  April 12, 2016  0900
Scoring ended                                        April 14, 2016  1600
All times are in Eastern Daylight Time (UTC−04:00).

The US Military Academy team network spanned 27 virtual machines, and it included servers, management workstations, and user workstations; four network devices; the CentOS, FreeBSD, Ubuntu, Windows 7, Windows 8, and Windows Server 2012 operating systems; and a range of software services.

Some of these files are rather large and thus take a long time to download. We can mail this data set to you for the cost of shipping plus a 300 GB drive.

Results: 2016-CDX-USMA data set

Here you will find data collected by the US Military Academy team during the 2016 CDX. We have placed these data in the public domain. Please refer to this data set collectively as 2016-CDX-USMA and consider acknowledging the authors: W. Michael Petullo, Kyle Moses, Ben Klimkowski, Ryan Hand, and Karl Olson. We could not have collected these data without the efforts of the cadets of the US Military Academy team, our fellow competing teams, and the NSA CDX team.

Network diagram
Austin Herrling maintained our team's CDX network diagram. The first page of the diagram contains a summary of each of our team's subnets. Subsequent pages provide details such as IP addresses, gateway IP addresses, netmasks, and so on.
Packet captures (April 4, 2016–April 24, 2016); compressed size: 144 GB; MD5: 1aa52ff83f2d9940092783ff8058e0f7
This data set contains packet captures collected from three Security Onion sensors that the team installed during the CDX. The sensor on eth1 captured packets from outside of our core firewall (between the firewall and external network in the diagram above), the sensor on eth2 captured packets from each of the ports on our main switch (all internal subnets except for the subnet labeled gray), and the sensor on eth3 captured packets from our end-user subnet (gray subnet).
Consolidated event logs (April 8, 2016–April 14, 2016); compressed size: 253 MB; MD5: 90e03565aafe498b5b66bef1600a9f81
This data set contains all of the log data collected by the team's centralized log system. This includes Unix system logs; logs from applications such as lighttpd, squid, postfix, dovecot, and bind; Windows events; and NetFlow records. The data set contains 15,455,997 records and is formatted as comma-delimited text.
Recorded compromises
The NSA provided a time-stamped list of instances where a token agent detected token modification or the red cell reported a token back to the white cell. Many of these records are duplicate reports; nonetheless, these data should contribute to the understanding of our packet captures. We provide these records here as comma-delimited text.
DNS blacklist
We developed a heuristic during the CDX to determine which domains to blacklist in our DNS server. This list contains these domains.
Squid blacklist
We developed a heuristic during the CDX to determine which URLs to blacklist in our Squid proxy. This list contains these URLs as regular expressions.
Firewall blacklist
We developed a heuristic during the CDX to determine which URLs and IP addresses to blacklist at our firewall. This list contains these values.
Gray-cell disk images
These disk images contain malware, so you should analyze them with care. We distribute these images as QCOW2, a sparse disk image format. The qemu-img utility is one tool which can convert this format into others, such as VMDK or raw.
Description                     Link; compressed size; MD5
Alpha, the CentOS workstation   Pre-CDX; 6.9 GB; 724f0b458c89e11d8b306fea50a2a233
                                Post-CDX; 6.2 GB; 61d048a1a48e3866d5c164317f95432a
Beta, the Ubuntu workstation    Pre-CDX; 2.2 GB; 2a04ba0615f1bef0a8d110f204a5ad3f
                                Post-CDX; 2.9 GB; 280919958b3406c82ba15ca1fa708f6a
Delta, a Windows workstation    Pre-CDX; 8.8 GB; 61fbc91bd0286d1fcaa0cf845691af4a
                                Post-CDX; 49 GB; ce7973e38eb42ddae9977f3df8c711ef
Gamma, a Windows workstation    Pre-CDX; 11 GB; d5faec313efb74cdbecdf52187bbfbca
                                Post-CDX; 53 GB; b19fe189ccfa6556cc8e809293fd42ef
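Because both the 2017 and 2016 gray-cell images carry live malware, a practitioner would check each download against the MD5 published above and only then hand it to qemu-img. The following POSIX shell script is an added example, not part of the data set or its authors' tooling; it assumes the published MD5 covers the file exactly as downloaded, that the image has already been decompressed to QCOW2, and that qemu-img is installed; the file names in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example (not part of the 2017-CDX-USMA or 2016-CDX-USMA data sets):
# check a gray-cell image against the MD5 published on the data set page
# before converting it with qemu-img. The images contain malware, so a
# checksum mismatch aborts the conversion, and the script never mounts or
# executes anything inside the image.
set -eu

# md5_of FILE: print the MD5 hex digest of FILE (GNU md5sum or BSD md5).
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

# verify_md5 FILE EXPECTED: return 0 when FILE's digest equals EXPECTED
# (compared case-insensitively), 1 otherwise.
verify_md5() {
    actual=$(md5_of "$1" | tr 'A-F' 'a-f')
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ "$actual" = "$expected" ]
}

# convert_image QCOW2 EXPECTED_MD5 RAW_OUT: verify the image, then convert
# QCOW2 -> raw with qemu-img and make the raw copy read-only so that an
# analysis tool cannot silently alter the evidence.
convert_image() {
    if ! verify_md5 "$1" "$2"; then
        echo "checksum mismatch for $1; refusing to convert" >&2
        return 1
    fi
    qemu-img convert -f qcow2 -O raw "$1" "$3"
    chmod 0444 "$3"
}

# Usage with the 2016 Alpha Post-CDX entry from the table above; the file
# names are placeholders, the MD5 is the one published on the page:
# convert_image alpha-post.qcow2 61d048a1a48e3866d5c164317f95432a alpha-post.raw
```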

Papers

Ryan Johnson, Jessie Lass, and W. Michael Petullo. Studying naïve users and the insider threat with SimpleFlow. In Proceedings of the 8th ACM CCS International Workshop on Managing Insider Security Threats, MIST '16, pages 35–46, New York, NY, USA, October 2016. ACM.

W. Michael Petullo, Kyle Moses, Ben Klimkowski, Ryan Hand, and Karl Olson. The use of cyber-defense exercises in undergraduate computing education. In Proceedings of the 2016 USENIX Workshop on Advances in Security Education, ASE '16, Washington, DC, USA, August 2016. USENIX Association.
Email: webpage@flyn.org — ✉ 315A South Moore Loop; West Point, New York 10996; USA