CDX
The Cyber Defense Exercise was an annual competition sponsored by the Information Assurance Directorate of the US National Security Agency that challenged a number of undergraduate institutions to design, implement, and defend a computer network against attack. The NSA built the backbone exercise network and scoring infrastructure, acted as the competition referee, and fielded a red cell with the task of compromising the confidentiality, integrity, and availability of the competitors' networks.
2017 Competition
Overview
The Exercise Directive describes the 2017 CDX. The 2017 CDX took place during the course of one week in April.
Event | Date | Time
---|---|---
Availability scoring began | April 10, 2017 | 1400
Attacks and confidentiality/integrity scoring began | April 11, 2017 | 0900
Scoring ended | April 13, 2017 | 1600

All times are in Eastern Daylight Time (UTC−04:00).
The US Military Academy team network spanned 28 virtual machines, and it included servers, management workstations, and user workstations; four network devices; the CentOS, FreeBSD, Ubuntu, Windows 7, Windows 8, and Windows 10 operating systems; and a range of software services.
Some of these files are rather large and thus take a long time to download. We can mail this data set to you for the cost of shipping plus a 150 GB drive.
Results: 2017-CDX-USMA data set
Here you will find data collected by the US Military Academy team during the 2017 CDX. We have released these data into the public domain. Please refer to this data set collectively as 2017-CDX-USMA and consider acknowledging the authors: W. Michael Petullo, Ben Klimkowski, William Clay Moody, Joshua Bundt, and Michael Kranch. We could not have collected these data without the efforts of the cadets of the US Military Academy team, our fellow competing teams, and the NSA CDX team.
- Network diagram
- Noah Ogrydziak maintained our team's CDX network diagram. The first page of the diagram contains a summary of each of our team's subnets. Subsequent pages provide details such as IP addresses, gateway IP addresses, netmasks, and so on.
- Packet captures; compressed size: 37 GB; SHA-256: e4eaec0e05d79be21ee4306f5dfe446accd138e8a5e28d20ae9d9727d92ef1a3
- This data set contains packets captured by a sensor the team installed during the CDX. The capture is not complete with respect to time, but it contains all of the packets transmitted within the team's subnet during the periods the sensor was active.
- Consolidated event logs; compressed size: 959 MB; SHA-256: 7dc9386eac72a8b10c105180e4804cd99f4b0d4a3c7989f383ecdbb0947a9754
- This data set contains all of the log data collected by the team's centralized log system. This includes VisorFlow logs; Unix system logs; logs from applications such as lighttpd, squid, postfix, dovecot, and bind; Windows events; and Bro logs.
- Recorded compromises
- The NSA provided a time-stamped list of instances where a token agent detected token modification or the red cell reported a token back to the white cell. We provide these records here as comma-delimited text.
- DNS blacklist
- We developed a heuristic during the CDX to determine which domains to blacklist in our DNS server. This list contains these domains.
- Squid blacklist
- We developed a heuristic during the CDX to determine which URLs to blacklist in our Squid proxy. This list contains these URLs as regular expressions.
- Firewall blacklist
- We developed a heuristic during the CDX to determine which URLs and IP addresses to blacklist at our firewall. This list contains these values.
- Gray-cell disk images
- These disk images contain malware, so you should analyze them with care. We distribute these images as QCOW2, a sparse disk image format. The qemu-img utility is one tool that can convert this format into others, such as VMDK or raw.
Host | Image | Compressed size | SHA-256
---|---|---|---
Alpha (Ubuntu) | Pre-CDX | 7.5 GB | e84d6be77e85cc555ab7c637e75430e4b89d582d323b46bff7b91489c04459b3
Alpha (Ubuntu) | Post-CDX (/) | 5.4 GB | a2d3aaac3426273699defc78916fa48c64f61c31ec12a56365325b8b622ac312
Alpha (Ubuntu) | Post-CDX (/home) | 353 MB | b42ae5c9c51bdc35c0c4ae0a38fdcf0cc25653e40fff6d709e61d9b3521175db
Beta (CentOS) | Pre-CDX | 17 GB | 42f5fe5bdc0579a4e89677486ead0288021773aea3d27f546401494ca3363eac
Beta (CentOS) | Post-CDX (/) | 9.7 GB | cf70b6c6f5a748590f37f8b98bfc86c29fd8a8347bf7459c8b8e814c3a0199f9
Beta (CentOS) | Post-CDX (/home) | 103 MB | 6c47f178c3d800831b25e0f099e8d9c21f07e58629cca04dc0800bae9ee1882e
Beta (CentOS) | Post-CDX (/tmp) | 128 MB | 38d469449235498367b38ed92f4b77f02701b4711dc13b4c8b4d4a0e5469e7eb
Delta (Windows) | Pre-CDX | 5.4 GB | 97fbc4918840cb21f90e11dfed45cd78687e8cd2136ed3fbf053fdb2f528cd36
Delta (Windows) | Post-CDX | 26 GB | 42ad8423b623131c6ec236c37a4fa736b53d77edace9ce8442fecf479753d519
Gamma (Windows) | Pre-CDX | 5.7 GB | f13b994ea91aa5a05220f357a4489a389557f5600d89b3a5eb1bd508cbf0149f
Gamma (Windows) | Post-CDX | 31 GB | 873231111bfc7d3192dc566f122bba3d689ac12323b083e3faa629c92242c1a7
2016 Competition
Overview
Six documents describe the 2016 CDX:
- Exercise Directive
- Network Specification
- Gray-Cell Rules of Engagement
- Red-Cell Rules of Engagement
- White-Cell Rules of Engagement
- Scoring Specification
The 2016 CDX took place during the course of one week in April.
Event | Date | Time
---|---|---
Availability scoring began | April 11, 2016 | 1600
Attacks and confidentiality/integrity scoring began | April 12, 2016 | 0900
Scoring ended | April 14, 2016 | 1600

All times are in Eastern Daylight Time (UTC−04:00).
The US Military Academy team network spanned 27 virtual machines, and it included servers, management workstations, and user workstations; four network devices; the CentOS, FreeBSD, Ubuntu, Windows 7, Windows 8, and Windows Server 2012 operating systems; and a range of software services.
Some of these files are rather large and thus take a long time to download. We can mail this data set to you for the cost of shipping plus a 300 GB drive.
Results: 2016-CDX-USMA data set
Here you will find data collected by the US Military Academy team during the 2016 CDX. We have released these data into the public domain. Please refer to this data set collectively as 2016-CDX-USMA and consider acknowledging the authors: W. Michael Petullo, Kyle Moses, Ben Klimkowski, Ryan Hand, and Karl Olson. We could not have collected these data without the efforts of the cadets of the US Military Academy team, our fellow competing teams, and the NSA CDX team.
- Network diagram
- Austin Herrling maintained our team's CDX network diagram. The first page of the diagram contains a summary of each of our team's subnets. Subsequent pages provide details such as IP addresses, gateway IP addresses, netmasks, and so on.
- Packet captures (April 4, 2016–April 24, 2016); compressed size: 130 GB; SHA-256: 892a4201689b025182ccb294713ef4c3ce2b3810126758e622a725ef5f4b202b
- This data set contains packet captures collected from three Security Onion sensors that the team installed during the CDX. The sensor on eth1 captured packets from outside of our core firewall (between the firewall and external network in the diagram above), the sensor on eth2 captured packets from each of the ports on our main switch (all internal subnets except for the subnet labeled gray), and the sensor on eth3 captured packets from our end-user subnet (gray subnet).
- Consolidated event logs (April 8, 2016–April 14, 2016); compressed size: 157 MB; SHA-256: 6533be7e69739f4fc2c082dfbe5d37d7487007d25a9687a71628b38006fa74f6
- This data set contains all of the log data collected by the team's centralized log system. This includes Unix system logs; logs from applications such as lighttpd, squid, postfix, dovecot, and bind; Windows events; and NetFlow records. The data set contains 15,455,997 records and is formatted as comma-delimited text.
- Recorded compromises
- The NSA provided a time-stamped list of instances where a token agent detected token modification or the red cell reported a token back to the white cell. Many of these records are duplicate reports; nonetheless, they should aid in understanding our packet captures. We provide these records here as comma-delimited text.
- DNS blacklist
- We developed a heuristic during the CDX to determine which domains to blacklist in our DNS server. This list contains these domains.
- Squid blacklist
- We developed a heuristic during the CDX to determine which URLs to blacklist in our Squid proxy. This list contains these URLs as regular expressions.
- Firewall blacklist
- We developed a heuristic during the CDX to determine which URLs and IP addresses to blacklist at our firewall. This list contains these values.
- Gray-cell disk images
- These disk images contain malware, so you should analyze them with care. We distribute these images as QCOW2, a sparse disk image format. The qemu-img utility is one tool that can convert this format into others, such as VMDK or raw.
Host | Image | Compressed size | SHA-256
---|---|---|---
Alpha (CentOS) | Pre-CDX | 6.6 GB | ff1f813cd1c4add99653a8ff05c1f9933d1780275b5ce1052156abacef301193
Alpha (CentOS) | Post-CDX | 5.9 GB | 8af7d29d15b83ca223523f63c76cc576ef4ea73410e0b82701fb28e99e36291d
Beta (Ubuntu) | Pre-CDX | 2.7 GB | e6d21c1da2038a878989eae1d9878ead8622c48bf9d2c3d6f0ec48a0cf9aa58c
Beta (Ubuntu) | Post-CDX | 2.7 GB | 7bf9cacae4470d2be09eb94c894dda74a5b1fbf3c4d71ba2f9ad6238b359784d
Delta (Windows) | Pre-CDX | 8.6 GB | 73fad8823febd6118a9da2435796baf4a4d7069aed00f62bddd089f53074b512
Delta (Windows) | Post-CDX | 49 GB | d203014b975f762b1d122495d5f8ed609a04bc0103683727c6f6e2d38da036b4
Gamma (Windows) | Pre-CDX | 11 GB | 9ea928b82dcdd0e87d0166291c4ac84cea6e6685f786f1b162294c8d32bde6ef
Gamma (Windows) | Post-CDX | 53 GB | 1106f8b2d983b98868d94dc2731669be898a47e2edb0c6f4741c30e1c10c1ac5