This past November, Mason Competitive Cyber (MCC) put their hacking skills to the test and participated in Hack the Building, a cybersecurity competition hosted by the U.S. Cyber Command, a division of the U.S. Department of Defense, Dreamport, and the Maryland Innovation and Security Institute.
Eight of MCC鈥檚 top members teamed up with fellow cyber competition enthusiasts at the University of Virginia to literally hack a building, but not just any building. This was a 150,000 square feet, two-story office building filled with smart devices, diesel generators, and business systems.
鈥淭his was unlike any competition we had participated in before,鈥 says Caleb Yu, MCC鈥檚 vice president. 鈥淲e encountered both traditional information technology networks and industrial control networks and hacked through both cyber and physical means.鈥
While most of MCC鈥檚 team hacked the building remotely from the safety of their homes, two members from each team were invited to also infiltrate the building on-site in Annapolis, Maryland. 鈥淯niquely, this competition featured physical access control systems to attack and exploit, including badge readers, security cameras, and physical doors,鈥 says MCC president Zaine Wilson. 鈥淭his was the first time I'd ever been to a competition that has these challenges.鈥
Over the four-day competition, MCC鈥檚 team was given numerous scenarios in which they had to hack various components of the smart building. 鈥淗ack the Building had several challenges that required Red Team skills like lateral movement, privilege escalation, and password attacks,鈥 says MCC competitions officer Andrew Oliveau.聽 鈥淲e began in an IT network and hacked our way into a non-internet connected OT [industrial hardware] network.鈥
From there, the team reverse-engineered elevator controls, disabled heat exhaust fans, and manipulated electric power distribution units.
In one challenge the team disabled the building鈥檚 security cameras. 鈥淪ome of the challenges seemed straight out of spy films,鈥 says Yu. 鈥淚t is exhilarating when we鈥檙e able to pull off a successful cyber-attack, but, at the same time, it is also frightening.聽 Scenarios like these show how our network-connected world can be brought down by hackers.鈥
Facing stiff competition from security industry professionals around the country, 亚洲AV鈥檚 student team not only held its own but also found surprising success in many of the event鈥檚 challenges and exceeded expectations throughout the four days.
They even received a shoutout from competition officials in front of former Cybersecurity and Infrastructure Security Agency Director Chris Krebs on the Hack the Building livestream. Krebs oversaw much of the national strategy for defending critical infrastructure in cyberspace. It was a wonderful surprise to the team to be lauded in front of him.
Although Hack the Building does not formally declare a winner, team bragging rights come from getting 鈥渇irst blood鈥 on various challenges, which means they were able to hack their way through the challenge before any of the other teams.聽 Impressively, a moderator informed Mason Competitive Cyber鈥檚 team that they had the most first blood solves in the competition of any team, including the professional ones.
At the end of the four days, MCC members spoke highly of the competition and expressed eagerness to compete again in the following years. 鈥淭his competition gave me experience in what it's actually like to run a full-scope penetration test, and I'm absolutely hooked,鈥 says Wilson.
Hack the Building created the most realistic environment that the MCC team has encountered, says the team. Rather than solving isolated cybersecurity challenges, the competition鈥檚 style of scenario-based cyber-attack campaigns brought a sense of realism to the competition.
And as the U.S. Department of Defense works to raise the next generation of cyber warriors through competitions such as Hack the Building, MCC proved they are up for the challenge.
This story was written by members of the Mason Competitive Cyber club.