Northeastern’s cybersecurity teams win two trophies in two months
Northeastern’s cybersecurity teams win two trophies in two months
Author: Madelaine Millar
Date: 06.09.22
Sitting on top of a fiberglass boat in a swimming pool in Fort Lauderdale, Florida, was a pile of mock cargo. Sitting in a much drier part of the building were five members of Northeastern University’s competitive cybersecurity team determined to knock it off into the water.
First, the team found a misconfigured network switch, exploited it to gain access to the boat’s private network, and traveled through to the pump controllers. By activating one pump and leaving the other switched off, the team tilted the boat — first a few degrees, then enough to dump the cargo unceremoniously into the pool. After four more days of similar performances, Northeastern beat out 31 other teams to take home first place.
It may sound like a soggier version of WarGames, but this is the world of competitive cybersecurity. The niche, highly competitive sport pits teams of students and cybersecurity professionals against one another in a race to secure, break, and re-secure computer systems. At the end of anywhere from a few hours to a few months, everyone leaves with a deeper understanding of cybersecurity and a wealth of new industry connections — but only one team leaves with the trophy.
From left to right: Guevara Noubir (coach), Kyle Sferrazza, Derek Ng, Hava Kantrowitz, Dennis Giese (captain), Carolin Gross
Hack the Port, the US Cyber Command’s five-day competition that involved flipping cargo off of the boat and other challenges related to supply chain operations, is a style called Red Team/Blue Team. Competitors are split into two sides: a “Red Team” that attempts to break into a system and a “Blue Team” that defends it. There are other competition styles too, such as Capture the Flag, a style in which Northeastern’s teams have also proven dominant.
READ: NUSec competitive cybersecurity team clinches a third — and final? — win
“This is my very first Red Teaming event; it was pretty complex,” said Hava Kantrowitz, a third-year cybersecurity major with a concentration in cyber operations. “You need to understand your attackers and be able to think like your attackers in order to protect your system, so being on the Red Team and actually thinking like an attacker [helps you go] back to your own system.”
Hack the Port began on March 21. A few days earlier, at the Collegiate Cyber Defense Competition (CCDC) Northeast Regional, Kantrowitz and her teammates had performed the defensive Blue Team role. At CCDC, industry professionals play the Red Team, working to break systems protected by student Blue Teams.
From left to right: Kyle Sferrazza (captain), Simon Bruklich, Maxwell Sebso, Dennis Giese (coach), Derek Ng, Samir Elhelw, Hava Kantrowitz, Fiona McCrae
Northeastern’s small competitive cybersecurity community is highly skilled and highly welcoming, swapping team members for different competitions depending on availability and interest, so the CCDC and Hack the Port teams share many members. For instance, the CCDC team is coached by Dennis Giese, a doctoral student who came in second last year at the 6,000-person National Cyber League competition and received an award for his creative use of hardware at this year’s Hack the Port.
Giese prepares the team by giving out weekly homework, including setting up servers and creating virtual machines which he and his teammates then try to break. He also has the team cross-train on Linux, Mac, and Windows systems so they can adapt to anything that gets thrown their way.
“It’s helpful if everyone has at least some basic knowledge of how to set up things. It would be bad if we had seven or eight machines where we needed to change the Windows password, and only two people knew how to do that,” Giese said.
The intensive prep pays off though; Northeastern placed first out of 17 teams at the CCDC Northeast Regional competition too. The team was one of ten national qualifiers out of more than 200 collegiate cybersecurity teams from around the country. Although they did not place in the top three, they described the event as a challenge where they learned a lot to carry forward into their future cybersecurity work.
But what consistently stands out to Guevara Noubir, Khoury College’s executive director of cybersecurity programs and advisor to Northeastern’s cybersecurity teams, is not necessarily the winning. It’s the passion.
“We end up having a lot of students who really dedicate themselves to learning about cybersecurity. They have a lot of expertise. Then, they get the opportunity to practice as a team,” Noubir said. “When you have a team of people who enjoy working with each other, they get very excited.”
Cybersecurity competitions have helped the competitors find their place in the working world too, as Kyle Sferrazza — who graduated in May with a master’s degree in cybersecurity and who captained the CCDC team — can attest.
“I want to make an impact in the cybersecurity industry and doing all of these different kinds of competitions is helping me learn what kinds of things I like, the kinds of things that I don’t like, and the kinds of things that I’m good at,” Sferrazza said. “[Hack the Port] was the first competition where I went somewhere and hacked into stuff and I really enjoyed it … I’d like to continue to pursue the Red Team-ing side.”
For Kantrowitz, who works in a security analyst position that began as a co-op at health tech company Hologic, the impact is even more direct. She describes a cybersecurity competition like CCDC as jamming the entirety of her job into one day, so when problems come up in her work — for instance, when a crypto miner camped out on one of the company’s servers — she can use solutions she learned at CCDC nearly verbatim.
“One of the things we do in CCDC is, we have a generalized incident response plan where we check common areas where people might have gotten into our systems,” Kantrowitz said. “I ran through the same exact checklist at work and was able to find the issue, patch it, and fix all of our systems.”
The team doesn’t do it just to nab better jobs, though; from their passionate discussion of the sport to the friendly, welcoming community they’ve worked to build, it’s evident that this is a labor of love. That doesn’t mean it’s easy, but to Giese, it’s all worth it when a tricky problem finally falls into place.
“You have planned in your head what you want to do days before, and then you do it on that day and something doesn’t work. And then it takes you a while, but you finally manage to succeed, it works, and you get the points — it’s a huge kick,” Giese said. “It’s just amazing.”