Cyber Defence Exercise, or CDX for short, is the annual cyber warfare simulation for aspiring IT experts still studying at university. Started in 2015 and now in its fourth iteration, the event attracts around 150 students to secure and defend purpose-built infrastructure according to a set theme.
This is not a hackathon or a capture-the-flag: all teams get the same challenge and face the same attackers. They are tasked with defensive duties only. The event encourages offensive security practices as a way to secure the system, but during the incident response phase teams are strictly limited to passive defence, as in any real-world scenario.
Themes have ranged from spies and rebellious factions to hacktivism and state-sponsored attacks. This year's event is the most ambitious, with teams representing fictitious countries forced to defend power stations, financial assets and the keys to a nuclear arsenal from an aggressive nation state.
Over the years the challenge has shifted from a purely broken OS to incorporating multiple operating systems and web apps misconfigured according to real-life mistakes in the industry. This gives as accurate an experience as possible of what students would encounter once leaving university. Even if students do not go on to a direct security role, they develop a deeper understanding of the security threats any organisation they join may face, in areas as diverse as web development and networking.
Stefano Sesia, originator of CDX, said: “The UK has a lot of security challenges but we wanted to give students who might not work directly in security an understanding that they have a responsibility and a role to play in keeping the country secure. With the help of our industry sponsors the event has grown and students get to spend substantial time with the professionals who simulate the attackers, learning from them.”
During the event a range of side challenges are offered, aimed at keeping the students enticed with intriguing aspects of cybersecurity while providing well-deserved brain-rest during the intense 48-hour event. These include an ethical lockpicking village, crypto puzzles, various code-breaking mini-challenges and even an escape-the-room challenge in order to defuse a daunting “device” and save the city.
The exercise is purposely built to tackle all aspects of secure development. Grey cells act as the clients and stakeholders, caring about the functionality of the Minimum Viable Product while pressuring the teams with new functional requirements and deadlines, and even contacting a fictional media company (the Daily Merge) on Twitter.
Whilst making sure to keep the client and their public image pristine, the teams will start facing targeted social engineering attacks from a specialized team, along with spoofed emails, fake websites and man-in-the-middle attacks on communications between clients and the teams.
On the second day of the event, teams sustain a progressively more intense attack from the red cell team of industry professionals who volunteer their time. They use the tricks of the trade to put the incident-response readiness of the teams to the test.
The event was built with learning as a paramount priority, with many workshops run in the months prior to the event on everything from basic Linux and networking to reverse engineering, incident response, penetration testing and sys-admin skills. Students from all backgrounds come along and have a great experience, bringing some knowledge back to share with their peers and to use once they join the industry.
Managing Director of Secarma, Paul Harris, said: “It’s vital we equip students looking at future careers in cybersecurity or cyber peacekeeping with skills that enable them to tackle cyber threats. CDX allows participants to spend substantial time with some of Secarma’s leading cybersecurity experts, providing them with an invaluable learning experience.”