group photo of the uah cyber club

The HuntsvilleTechSupport team is, from left, Nolan Rodgers, Will Green, Dayton Hasty, Sydney Winters and Ethan Reiland.

Courtesy UAH Cyber Club

A University of Alabama in Huntsville (UAH) student team has placed fifth out of 120 teams in nationwide virtual competition at the recent three-week-long U.S. Department of Energy CyberForce Competition.

The computer and cybersecurity students call their team HuntsvilleTechSupport. An element of the Cyber Club at UAH, a part of the University of Alabama System, HuntsvilleTechSupport has been competing in Jeopardy-style capture the flag (CTF) competitions for a little over a year.

Jeopardy-style CTFs present competitors with a set of questions that reveal clues that guide them in solving complex tasks in a specific order. By revealing clues, contestants learn the right direction regarding techniques and methodologies that are needed. CTF involves a number of true-to-life cyber challenges that each result in a text-based flag. These challenges are worth points, depending on difficulty, and they mirror the challenges professionals would face.

Advised by Dr. Tathagata Mukherjee, an assistant professor of computer science, HuntsvilleTechSupport placed in the top three in the university team category in competitions including the local National Cyber Summit Cyber Cup Challenge and BSides Huntsville.

“We have been fortunate enough to have students who are self-motivated and who work and learn on their own time,” Dr. Mukherjee says.

“Though we as faculty have tried to provide support to them, there is only so much we can do given the time that is required to prepare for these types of national competitions,” he says. “As a result, I will put the credit for this success with the students and all the faculty members that have taught them over their years at UAH. Without that solid grounding and the hard work of the students, this would not have been possible."

Team members are Sydney Winters of Catlettsburg, Ky., a sophomore in computer engineering; Will Green of Huntsville, a sophomore in cybersecurity engineering; Dayton Hasty of Shelbyville, Tenn., a senior in computer science; Nolan Rodgers of Columbia, Tenn., a junior in cybersecurity engineering; and Ethan Reiland of Downington, Pa., a sophomore in computer science.

“It feels pretty good placing so high after we have worked so hard on this competition for the past few weeks while balancing end of the year tests and projects,” says Green, who was team captain for this event. “We have had a lot of CTF practice over the past year, but defense competitions are relatively new to most of our team members.”

Though competition began three weeks beforehand, Green says the official competition day was Nov. 13.

“The competition itself was virtual this year, but our team met both virtually and in person to get the network set up and compete,” he says. “This is an annual competition, UAH competed in 2018 and 2019, but did not in 2020 because 2020’s competition was individual, not team-based.”

During the CyberForce competition, teams were given a virtual network filled with vulnerabilities and misconfigurations and had to fix and secure the entire network.

“In this year’s scenario, we were acting as the blue team of a hydropower company, tasked with hardening and securing our systems against cyberattacks – including the industrial control system controlling a dam facility – all while maintaining our required services,” Green says. “In the week leading up to the competition, we had to create security documentation which included all of the changes that we made, a network diagram and the reasons for the new mitigations we put into place.”

Teams also had to submit a video to a C-Suite Panel, presenting what would be done in a fictional merger scenario to secure the network from incoming machines and networks, says Hasty, who is the president of the UAH Cyber Club.

“On competition day, we had to make sure our network was completely secure while a red team attacked and tried to exploit known or new vulnerabilities,” Hasty says. “If the red team found a vulnerability and was able to gain access to one of our machines, we had to then mitigate that vulnerability.”

The competition’s CTF element was composed of challenges released on competition day for teams to solve while they dealt with keeping their networks secure from the red team.

“Points were awarded based on keeping up critical services, usability of those services, solving anomalies, mitigating the red team's exploited vulnerabilities, securing our network beforehand, our security documentation and our C-Suite Panel video,” Hasty says.

The future for HuntsvilleTechSupport includes more competitions.

“As far as defense-based competitions go, we plan on competing in the National Collegiate Cyber Defense Competition next year,” Hasty says. “There are fewer cyber defense competitions than there are normal Jeopardy-style CTF competitions. We normally compete in a CTF every weekend, which is a good way to practice while earning our team points on the global leaderboard.”