Collegiate Cyberdefense Competition Injects Part 1: Introduction to Business Injects

Collegiate cyberdefense competitions evaluate teams through several different metrics. While technical skills and concepts like incident response take center stage, soft skills and business knowledge are also tested. Business injects, in particular, tend to test general knowledge, understanding of business policy, the ability to communicate with and influence non-technical superiors without technobabble, and so on.

In keeping with the business scenario the team operates within, business injects often require creating policies, plans for implementing them, and giving professional recommendations to your CEO who… doesn’t speak computer geek.

For example:

  • CEO requests a report covering what GDPR is, whether the company can become compliant within 12 months, whether they can afford to do it, whether they can afford not to do it, and a justified recommendation about how to move forward.
  • Log and report all known breaches and countermeasures taken against them.

Some injects are purely technical, or purely business, but others require competency in both areas, such as:

  • Report on the effectiveness of the implemented SIEM using specific examples
  • Create an incident response policy and plan for implementing it

Because the technical injects cover a range of operating systems and types of tasks, this post will focus on aspects of technical writing and business documents.

There are some critical things that you need to remember when writing these reports:

1. More likely than not, you will not have enough time, but you must still be comprehensive.

If you’ve been asked for A, B and C, and have 30 minutes left before submission, you need to make some tough calls about where to cut your losses. If you have no understanding of how to address part C, then pour your heart and soul into the rest of B. But chances are, you’re best off at least briefly addressing all parts of the request.

2. Save a substantial chunk of your allotted time for delivering injects.

Arbitrarily, you might want to save 30% for nonsense, interruptions, stopping to put out a fire, or delivery mishaps. You can’t rely on the USB drives remaining pure and uncorrupted, you might lose email at any time, and who knows if the printer is still functional.

3. Your team captain is your best asset for data collection, task management and time management.

My team captain was invaluable, because he was always able to help me find out who was dealing with the systems I needed information on. He also helped me track time, which was super important at the National competition level.

4. This is a role you need to study for!

If you have enough work experience in a corporate setting, then you may have a feel for what privacy policies, acceptable use policies and the like contain. But if you have to think about it too long, you’ll get bogged down and lose time. Ideally, you shouldn’t have to google anything but new laws or specific products. Therefore, make sure you familiarize yourself with the basics of GDPR, HIPAA, memos and policy documents.

If you can outline a 10-page thesis paper reasonably well, or outline a 3-10 minute speech, then you should have little trouble organizing the reports logically.

There are a lot of resources online about technical writing. I’d recommend starting with SANS templates. Print them out, mark them up, and make sure that you understand the content and structure. I will be following this post up with a part two focused on resources for technical and policy writing, and other resources for collegiate cyberdefense competitions.

Why should I try College Cyber Defense Competitions?

If you are an information technology or cybersecurity student with the opportunity to participate in a collegiate cyber defense competition, I highly recommend you take advantage of it. If you don’t have the opportunity to join an existing team, I suggest you make one!

Why? Because when you are tasked with defending a network you’ve never seen before, with one hand tied behind your back, while your CIO and CEO demand extensive reports and policies be written while you respond to intrusions … a lot of things start to click. Things that you’ve learned in class, or through personal experimentation, get tied together within a greater context. You’ll learn from your teammates and be forced to learn new tools or concepts on the fly. And, if you’ve never been given administrative privilege in a network not of your own design, this is an extremely useful experience.

It’s a really, really bad day at work simulator.

It will test your nerves, communication skills, technical skills, team cohesion, and organizational skills.

You might stress-break-out, but you’ll get a hell of a rush when you take back machines.

At some point, you’re going to think the hackers have taken down a service or system and, if you’ve kept good enough change logs, within five minutes you’ll discover that you, or a team member, hurt yourself by overhardening. If you don’t have good enough change logs, or your team isn’t gracious and humble enough to absorb mistakes, you’re gonna have a bad time. This fear is affectionately and resentfully referred to as The Ghost of Red Team. And it’s a perfect example of how psychological this event is. Unlike an athletic sport, you can’t compare your team’s performance to others, and you may not be sure about your adversaries’ performance either.

Similarly, if your team doesn’t have enough respect for business injects, such as the aforementioned policy writing assignments and reports, you will lose. It’s not the cool job and nobody wants to do it, but you will lose if someone doesn’t do it and do it well. Just like you need all your services up as long as possible, you need every inject turned in and done as well as possible.

These competitions are incredible learning experiences and potentially good networking opportunities. In light of that, I’d like to be able to help students who are interested in cyber defense competitions get an idea of what they’re in for and how to prepare. I can’t and won’t get into specific detail about particular competitions. But, I can and will write what I would have liked to know about preparing for competitions in general. Hopefully, it’s beneficial to you.