MITRE's Summer Cyber Competition Teaches Interns to Think Like AdversariesOctober 2015
Topics: Computer Security, Security-Protection Management, Systems Engineering-General
Sometimes the best way to learn how to build a system is to break one. At least that's what was in the minds of some of MITRE's Bedford-based interns this summer as they took on a new cybersecurity challenge.
The Embedded CTF competition—short for "embedded systems capture the flag"—was the brainchild of MITRE's Dan Walters. He reached out to Joe Ferraro, who embraced the idea and helped make it a reality.
Online capture-the-flag competitions have become common tools for training students about the ins and outs of cybersecurity, and MITRE frequently hosts or co-hosts them. But Walters and Ferraro saw a need for something more. They knew from their project work that cybersecurity issues in embedded hardware and software greatly interest MITRE and our sponsors.
One Piece of the Puzzle
What are embedded systems? Although the concept may be unfamiliar to many, embedded systems have existed for decades. They commonly work within larger pieces of technology performing specific tasks, such as operating one element of a car, medical device, aircraft, or even a musical instrument. Their security affects the security of the bigger system. (And with the growth of the "Internet of Things," embedded systems will only become more common.)
So when Walters found a notable lack of real-world training exercises for teaching embedded security concepts to our interns, he reached out to other MITRE staff and the Embedded CTF was born. Walters notes that one staffer in particular, Adam Woodbury, was instrumental in developing rules and technical requirements.
Seven of MITRE's summer interns made up the two teams; each team had a full-time technical staff mentor. The teams spent four weeks building their systems and then another four trying to break into the opposing team's system. Time spent on the competition occurred in conjunction with the interns' regularly assigned project work.
"The interns brought a lot of passion and energy to the competition," says Ferraro, a cybersecurity department head. "Our priority was to have them use a variety of security skills—hardware and cyber—at both the component level and the systems level. They really exceeded our expectations and had a blast with it."
Since the challenge required knowledge of several different disciplines, the teams consisted of students with backgrounds in electrical engineering, computer engineering, and computer science. The interns came from all different stages of their college education—from freshmen to graduate students.
MITRE's Eric Kedaigle mentored one team consisting of Julian Fuchs, Alex Kibbie, and Jeff Setter. Brennan Cozzens mentored the other team, which included Marc Green, Jonas Rogers, Jim Barry, and Rom Valme.
Hardware and Software Included
The Embedded CTF assignment required each team to design a front-door locking system for a fictional rental property. The locking system had three specific components created by the students: an embedded device (the key) that used a 5-digit passcode; a Linux machine that ran a server to accept messages and unlock the door; and a communication network between the two devices that used a secure protocol.
In phase one, each team designed its own independent system. In phase two, the teams exchanged systems and began an attack where they identified vulnerabilities and attempted to break the other team's security measures.
Intern Jeff Setter says the competition pushed him to rethink how to address the security issues involved in designing hardware and software systems. "I've never seen anything like this in classes—developing attacks on a secure system. I found thinking like an adversary and breaking into a system to be challenging, but a lot of fun."
Beyond Cybersecurity Training
Rom Valme believes the competition advanced his skills on multiple levels. "Before this summer, I hadn't spent much time working with security, cryptography, and networking. I now know more about cryptographic systems like RSA [a public key cryptosystem] and AES [Advanced Encryption Standard] and how their encryption and decryption protocols work.
"I've learned how to defend against different attacks aimed at breaking or gaining control of a device. I also know a lot more about strengthening the security of a system with two-factor authentication."
But the Embedded CTF did more than teach cybersecurity skills. Alex Kibbie found the team aspect of the competition further developed her research and communication abilities.
"I really enjoyed working with my team and seeing it all come together. It enhanced my skills in functioning collaboratively and communicating effectively. The project also influenced the way I seek help—making the most of the resources around me—and how I direct my own research."
A Training Tool for the Future?
While the summer Embedded CTF was a pilot program, Walters can easily imagine using it to train technical staff and sponsor groups and for use as a recruiting tool. He and Ferraro are helping to create a series of embedded security courses for MITRE internal training. "Ideally, we would like to make this training available as open-source software through MITRE's technology transfer office."
As part of MITRE's public-interest mission, we are deeply committed to advancing STEM (science, technology, engineering, and mathematics) education in the United States. We believe increasing the number of people with STEM expertise will help our nation continue to be innovative and maintain its competitiveness in the global market. However, as these interns found, even STEM majors can't learn everything in school.
Walters, whose "regular" work involves electronic systems development, says creating the CTF competition was a fun way to fill in the gap in embedded systems cybersecurity training.
"We've found there to be a lack of good training out there," he says. "Not many college programs have a lot of coursework in security for embedded systems. So anything MITRE can do to encourage more and better training in this important area is a good thing."
Editor's note: This October is National Cyber Security Awareness Month. MITRE joins our partners in the Department of Homeland Security in recognizing the importance of protecting our nation’s networks. Learn more about MITRE’s advances in cybersecurity.
—by Kay M. Upham