Northeastern cyber defense team wins third straight regional competition

Author: Madelaine Millar
Date: 08.13.24

Nine members of Northeastern University’s Collegiate Cyber Defense Competition team pose for a photo at the competition.

Cybersecurity is an important part of a balanced breakfast for all Khoury students. But for eight students in particular, it’s a passion that’s driven them to excel at a national level — again, and again, and again.  

Northeastern University’s Collegiate Cyber Defense Competition Team (NUCCDC) recently returned from their third consecutive trip to the National Collegiate Cyber Defense Competition, with a seventh-place distinction to add to their third straight regional gold. While the team’s members credit CCDC with helping them to develop everything from technical capabilities to leadership skills and career opportunities, what sets NUCCDC apart is the quality of its community.  

Collegiate cyber defense is a circuit of competitions in which teams of up to eight cybersecurity students defend a corporate-style computer network from cyber attacks while maintaining its functionality. Teams are given networks that mirror real-world environments, then spend two days trying to protect their network against industry professional “red team” hackers — all while fielding customer calls and answering questions from “executives” as an IT department would.  

NUCCDC’s co-captain, fourth-year cybersecurity and economics major Federico Cassano, put it even more simply: It’s like two days of running a corporate network that’s being attacked by a national state hacker. 


For March’s northeastern regional competition in New York City, NUCCDC was a hydroelectric company. They received infrastructure typical of a midsized business — including an HR portal, email server, and company website — as well as more application-specific tools like a dam control board and power monitor. 

“We were holding very strong through the second day until the last hour, when the red team managed to take down our entire network through a single vulnerability we didn’t even know existed,” said Charlie, a third-year computer engineering and computer science major. “Despite being almost completely locked out — we literally couldn’t reach a single one of our machines — we still fought, frantically looking up documentation and trying everything we could to reconnect.” 

Although the team didn’t regain control, they did find the root issue the hackers had exploited and wrote a detailed incident response. It was enough; NUCCDC took first place and advanced to the national competition in Texas.  

The nine members of Northeastern University’s Collegiate Cyber Defense Competition team pose with a banner and trophy. Two students are holding a NECCDC 2024 Finalist banner, and one student is holding a glass trophy.

Nationals function a little differently than regionals. For one thing, teams work with much older equipment than at regionals, mirroring most real-world corporate cybersecurity environments. For another, they had some sense of what they were in for at regionals; at nationals, the equipment and environment are kept secret until about 20 minutes before the competition. This year, they were tasked with performing the role of an HR service provider and given — among other machines — an unconfigured Palo Alto-brand firewall. 

“We plug in all the machines, and the network doesn’t work, so we need the old network up immediately,” Cassano explained. “We plug everything back into the original switch and the switch is not giving the IPs anymore. We were stuck!” 

Three members of Northeastern University’s Collegiate Cyber Defense Competition team sit at a large black table while working on a solution during a competition. The student on the left is writing on a piece of paper.

Because the firewall wasn’t working, their network was vulnerable to attacks by the red team hackers. But the team would not only be scored on the security of their machines; they had to maintain the secure functioning of their services, too. The process of unplugging from their original switch and rerouting through the malfunctioning firewall interrupted the flow of data through their network, causing the company’s “customers” to no longer have access to its HR services. The clock was running, and NUCCDC was losing points.  

Even with support from Palo Alto employees who were at the competition recruiting, it took about two hours of mapping out the network, digging through mountains of documentation, re-configuring equipment, and carefully scanning for abnormalities to get the network up and running again. 

“They did a fantastic job improvising in a very difficult situation and recovering even though it seemed like all of the odds were against them,” said NUCCDC alum-turned-coach Simon Bruklich. “I think that’s what we do best — just staying cool under pressure.”  

The time lost to fixing the firewall dropped the team to seventh place in a field of ten, but the chance for gold is only one of the reasons that NUCCDC team members care about their sport. 

“Prior to joining the team, I had absolutely zero experience with the Windows operating system, besides basic browsing and use cases,” said co-captain and fourth-year cybersecurity major Ali Bobi. “After my two years of competing, I have acquired the skills that could easily allow me to become a professional sysadmin. I know how to harden Windows domain controllers, configure GPO, and work with Active Directory.” 

“Incident response is one of those skills that this competition is really good for; we don’t learn it in school or even on co-op because it’s typically reserved for security management to make these decisions,” Bruklich added. “It’s sort of like professional sports; you wouldn’t put somebody who’s never played football into an NFL stadium and tell them ‘good luck.’ Practicing and having experience in the ‘minor leagues’ does a great job to prepare students for what they will face in industry.” 

CCDC helps its members to hone softer skills too.  

“The skills that I’ve built the most, almost entirely subconsciously, are delegation, leadership, and professionalism,” Charlie said. “This is a perspective that is very difficult to get in a classroom environment — there aren’t a lot of courses that give you 20 servers and tell you to get cracking!” 

Six members of Northeastern University’s Collegiate Cyber Defense Competition team sit at large tables and work on laptops during a competition.

Both hard and soft skills are important to make the most of the professional opportunities that competitive cyber defense offers. This year, SpaceX sponsored the national competition, and employers ranging from the NSA to Scale AI to Nightwing (formerly a business unit of Raytheon) to Palo Alto sent recruiters to scout up-and-coming talent. 

“It’s even better than a job fair because employers get to see your skills. Most of the job fairs, you give them your resume and that’s it; for these competitions, they often have you fill out a very specific form with CCDC in the title,” said Bruklich, who now works as a cyber systems exploitation researcher with MIT Lincoln Laboratory. “Our members and alumni are getting jobs at top companies like Microsoft and Google — I myself worked at Apple — and I attribute a lot of that to what I’ve learned in CCDC and at Khoury College.”  

For others, the joy of solving a tricky puzzle is motivation enough. 

“I’ve been doing cybersecurity competitions since high school. They’re just very fun, because it makes you think outside of the box,” Cassano said. “We don’t shout at each other or insult each other; even in the stressful moments, we realize this is just a game.”  

Whatever the members’ personal motivations, as a team, they are already thinking about how they can prepare for next year’s attempt at that elusive national gold.  

“What I think we do really well on a technical level is threat hunting — finding viruses and malware on a computer and getting rid of them. What I’d like to focus on more for next year is preventing those viruses and malware from getting on the computers in the first place,” Bruklich said. “If we’re not secure within two or three minutes, the red team hackers are already on our machines.” 

The team is always focused on developing their talent pipeline. New members typically spend a year as alternates before joining full-time; interested students at all levels can complete a take-home test exercise at the beginning of the fall semester. Multiple team members also recommended taking “Systems Security” with Kaan Onarlioglu to learn to think about cybersecurity at a high level.  

Just as critical as any classroom skill, though, is being a team player. Between weekly practices, late nights, and competition travels, NUCCDC members go from mock-coworkers to genuine friends who support one another’s challenges and celebrate each other’s wins.  

“In our group chats, our alumni keep in touch; they’re still very active. It’s not like once you leave the team, you’re just gone,” Bruklich said. “The sense of camaraderie, just seeing how close the team was, was really awesome.” 
