CyberNEXS™ Frequently Asked Questions (FAQs)

Training:
  1. Are there any training materials available for Windows and UNIX security?
Distributed Game Components:
  1. What is a virtual machine?
Preparing for the Game:
  1. How do I get started?
  2. How do I prepare my computer for the competition? How do I download an image?
  3. Can we register more than one copy of an image?
  4. May I use my own tools to compete on the images?
  5. Should we take notes as we progress?
  6. It seems as though the download of the VM image is taking too long; should I start over?
  7. I have tried unzipping the VM image without success. What am I doing wrong?
  8. Does the CyberNEXS client require IPv6 access?
  9. What ports does my Firewall require for communications with the CyberNEXS™ server?

Participating in the Game:

  1. How do we register the Team’s image?
  2. I have participated in Practice Rounds. Do I still need to register for the Qualification Round?
  3. Once I register, how do I log into the VM image?
  4. Once the Team’s Image is registered, how do I start scoring?
  5. Why do I need to maintain Critical Services?
  6. Can I start to harden the VM image prior to registration?
  7. How do we know when our time is up?
  8. The competition has multiple VM images to manage. Do all the VMs need to be run on the same host machine?
  9. Are there any special instructions for before logging off and shutting down the image once our team is done?
  10. We have achieved 100% score; do we need to keep the image running for the entire exercise period?

Troubleshooting:

  1. What are the key files that I need to avoid so that I don’t break my communications with CyberNEXS™ Server?
  2. Are there Time Limits to the Exercise?
  3. My VM image lost connectivity and shortly thereafter, regained connectivity. What might cause this?
  4. What happens when we completely corrupt a system?
  5. We are managing two different images. Both appear to be running with the same IP address; is that normal?
  6. What do we do when we accidentally disable a critical service and then can’t re-enable it because of something that we have done?
  7. We accidentally changed the CyberNEXSAdmin base password; how do we fix that?
  8. I can’t reboot my VM image; what should I do?
  9. What is the purpose of the C:\SAIC\CyberNEXS\client.status file?
  10. We are having problems connecting with the "Get_My_Status.html" file. It shows "Your last health update was received more than 1 hour ago!"
  11. I can’t tell if the virtual image is connected to the CyberNEXS™ server?

Scoring:

  1. How do I find out how well I am scoring?
  2. What is “Get_My_Status” page?
  3. We were not able to communicate with the CyberNEXS Scoring Server for a period of time, either due to our error or the CyberNEXS server being down. How do we confirm that our Scores are being recorded correctly?

General Guidance:

  1. Can you provide advice on which access controls I should permit, or other aids in finding vulnerabilities?
  2. How much are we able to patch a UNIX VM image?
  3. Will you tell us what the specific vulnerabilities were in the recent exercise we completed?

Game Types Available:

  1. Where do I find general information on the CND game?
  2. Where do I find general information on the CND Lite game?
  3. Where do I find general information on the Forensics game?
  4. Where do I find general information on the Penetration Testing Game?
  5. Where do I find general information on the Capture-the-Flag (CTF) Game?

Game Modes Available:

  1. What do you mean by “Distributed Game” and what are the minimum computing requirements?
  2. What do you mean by “Centralized Game” and what are the minimum computing requirements?

1. Q: Are there any training materials available for Windows and UNIX security?

    A: Yes, SAIC provides two Security Tips videos at: www.saic.com/cybernexs/#media-downloads.

2. Q: What is a virtual machine?

    A: A virtual machine (run under virtualization software such as VMware®) acts as a complete operating system with services (such as printing, serving web pages, sending email, etc.) that runs inside a physical machine, such as your laptop or desktop computer. In fact, each physical machine can be capable of running multiple separate virtual machines. For clarity, we refer to the physical machine as the “host” machine and the virtual machines as the “images” or “targets”. When working with images, you should be aware of whether you are taking action within the host or the image; note that only changes made within the virtual machine will be recognized by the scoring server.


3. Q: How do I get started?

    A: As early as possible before the competition begins, please visit http://cybernexs.saic.com/cndx/downloads.html to download the Windows and/or Linux system images to your team's computer, as well as a competition instructional guide. Please read this guide completely, as it contains important information about the qualifying round and competition environment.

4. Q: How do I prepare my computer for the competition? How do I download an image?

    A: The complete process of preparing your computer, downloading images, verifying each image against its MD5 checksum, unlocking the images, and troubleshooting is covered in the following six steps:

        http://www.saic.com/cybernexs/pdfs/step1.pdf
        http://www.saic.com/cybernexs/pdfs/step2.pdf
        http://www.saic.com/cybernexs/pdfs/step3.pdf
        http://www.saic.com/cybernexs/pdfs/step4.pdf
        http://www.saic.com/cybernexs/pdfs/step5.pdf
        http://www.saic.com/cybernexs/pdfs/step6.pdf

5. Q: Can we register more than one copy of an image?

    A: Only one system image per team is allowed to be registered / connected into the challenge environment. Although you may download multiple images for local offline use by multiple team members on which to practice and/or investigate, only one image for each OS is allowed to connect (register) into the exercise environment as the "team" system for scoring purposes. Those not registered will not be scored. Multiple connections of the same system by a team are prohibited.

6. Q: May I use my own tools to compete on the images?

    A: You may use any tool that is public, free, and legally obtainable on the Internet to assist you in hardening your systems.


7. Q: Should we take notes as we progress?

    A: It is highly advantageous to record the actions that you take and the apparent consequence of each action. When you make a successful change, the scoring system may not reflect it for a couple of minutes, so be patient as you apply different actions. If you believe you may have corrupted your image during the competition, whether by locking yourself out of the system or by losing communication with the server, first try the Troubleshooting Techniques at: http://www.saic.com/cybernexs/pdfs/step6.pdf. If those don’t work, you may want to start fresh with a new image (see “What happens when we completely corrupt a system?” below).


8. Q: It seems as though the download of the VM image is taking too long; should I start over?

    A: Your download time depends on your connection speed, which in turn depends on the time of day. For instance, if you try downloading at home in the early evening, the networks may be in heavy use and therefore everyone’s speed on your network is slower. Also, you might try using one of the free Download Managers available on the Internet. They will sometimes work faster and will stabilize downloads, even when there are momentary network outages.


9. Q: I have tried unzipping the VM image without success. What am I doing wrong?

    A: You must use the free utility 7-Zip, which can be downloaded at: http://www.7-zip.org/download.html. For additional troubleshooting tips on this topic, see: http://www.saic.com/cybernexs/pdfs/step2.pdf.


10. Q: Does the CyberNEXS client require IPv6 access?

    A: The CyberNEXS client uses IP version 4 to connect back to the central servers.

11. Q: What ports does my Firewall require for communications with the CyberNEXS™ server?

    A: Outbound TCP ports 80 and 443 are the only ports required.

12. Q: How do we register the Team’s image?

    A: In your approved browser, enter the URL: http://www.cybernexs.saic.com/CNDX. Once on the CyberNEXS™ Blue Team Menu, select the red “Login Registration” button.

13. Q: I have participated in Practice Rounds. Do I still need to register for the Qualification Round?

    A: Even if you have registered a Target in past rounds, when it comes time for competition day you MUST register that Target at the beginning of each new round or you won’t be scored and are NOT part of the game.

14. Q: Once I register, how do I log into the VM image?

    A: UserID: <Administrator login name that was distributed for this round>
       Password: <the password that was distributed for this round>

15. Q: Once the Team’s Image is registered, how does CyberNEXS start scoring?

    A: When a new Windows Target image is started up for the first time, the guest operating system will load several startup programs, including the registration program. It may take several seconds, but you will eventually see a registration window that takes up the entire screen. This is the only way you should register your team. Attempting to register by any other means may prevent your Target from being properly registered, and as a result you may not be scored.

    (Figure: full-screen registration window)

    At this point, the following “Defender Registration Page” window will appear.

    (Figure: Defender Registration Page)

    Type in your name, choose a password, location, and team name, and click on “Register Defender”.

16. Q: Why do I need to maintain Critical Services?

    A: Each Target will have a set of “Critical Services” associated with it. These services are representative of real-life critical services you may find on production servers. For example, a web server must always run an HTTP or HTTPS service to serve web content to users. A mail server must run an SMTP service to deliver mail. Existing vulnerabilities in your system may inhibit Critical Services; therefore you need to ensure that the Critical Services remain operational. Also, there is a default set of network services on all Windows machines that allow the image to communicate; these must not be disabled:

  • TCP/IP NetBIOS Helper (LmHosts)
  • Terminal Services (TermService)
  • DNS Client (Dnscache)

17. Q: Can I start to harden the VM image prior to registration?

    A: Technically you can; however, once you register, the Scoring system will tell us that someone manipulated the image prior to registration, which is grounds for disqualification.

18. Q: How do we know when our time is up?

    A: Your time is up 6 hours after you started. Look at your Get My Status page: it shows the time you registered, and it also shows the current time of the server. If the current time is 6+ hours past the registration time, then the server freezes your score and your time is up.

19. Q: The competition has multiple VM images to manage. Do all the VMs need to be run on the same host machine?

    A: There is no requirement for them to be on the same machine.

20. Q: Are there any special instructions for before logging off and shutting down the image once our team is done?

    A: No, you can just shut down the image and then delete the VM when you are finished.

21. Q: We have achieved 100% score; do we need to keep the image running for the entire exercise period?

    A: When you are satisfied that you have done everything that you want to the image, shut it down and you will be scored on the last score listed on the “Get My Status” page. If, in shutting down, you accidentally cause a vulnerability to reoccur, your score will end up being less than what you saw at shutdown. So, once you have achieved your highest score, simply shut down the image and discontinue play.

22. Q: What are the key files that I need to avoid so that I don’t break my communications with CyberNEXS™ Server?

    A:
  1. CyberNEXSClient - The CyberNEXSClient program runs as a service that constantly evaluates your system health and configuration.
  2. C:\Get_My_Status.html - This file appears after successful registration and contains a link personalized to your registered Target. This link redirects you to your team’s status page. If you are in a shell-only environment, you will need to install a browser such as lynx to view the file.
  3. CNGCLIENT_CONFIG_HOME - This environment variable is used within the CyberNEXSClient program.
  4. C:\SAIC\CyberNEXS (Windows targets) or /usr/local/SAIC/CyberNEXS (Linux targets) - Do not remove or modify any of the files in this directory. These are necessary for the CyberNEXSClient and CyberNEXSRegistration to run.
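A read-only pre-shutdown check for a Windows target that ties together the services listed under “Why do I need to maintain Critical Services?” and the files listed above. This is an added example, not part of the FAQ or of SAIC's client software; it assumes the scoring agent's Windows service is named CyberNEXSClient (the FAQ only names the program) and that CNGCLIENT_CONFIG_HOME is a machine-level environment variable.

```powershell
# Added example (not SAIC's code): verify that the services the FAQ says must
# stay running are running, that the client files it says not to touch are still
# present, and show the tail of client.status. Run inside the VM in an elevated
# PowerShell session; nothing is modified.

# Services named in the FAQ. "CyberNEXSClient" as a *service name* is an assumption.
$requiredServices = @(
    @{ Name = 'LmHosts';         Label = 'TCP/IP NetBIOS Helper' },
    @{ Name = 'TermService';     Label = 'Terminal Services' },
    @{ Name = 'Dnscache';        Label = 'DNS Client' },
    @{ Name = 'CyberNEXSClient'; Label = 'CyberNEXS health/scoring agent (assumed service name)' }
)

# Files and directories the FAQ says must not be removed or modified.
$requiredPaths = @(
    'C:\SAIC\CyberNEXS',
    'C:\SAIC\CyberNEXS\client.status',
    'C:\Get_My_Status.html'
)

$problems = New-Object System.Collections.Generic.List[string]

foreach ($entry in $requiredServices) {
    # Win32_Service exposes both the live State and the configured StartMode, so a
    # service that is up now but Disabled for the next boot is reported as well.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$($entry.Name)'"
    if ($null -eq $svc) {
        $problems.Add("service $($entry.Name) ($($entry.Label)) not found")
        continue
    }
    if ($svc.State -ne 'Running') {
        $problems.Add("service $($entry.Name) ($($entry.Label)) is $($svc.State)")
    }
    if ($svc.StartMode -eq 'Disabled') {
        $problems.Add("service $($entry.Name) is set to Disabled and will not start after a reboot")
    }
}

foreach ($path in $requiredPaths) {
    if (-not (Test-Path -LiteralPath $path)) {
        $problems.Add("missing: $path")
    }
}

# The FAQ says CNGCLIENT_CONFIG_HOME is used by the client. A service sees the
# machine-level environment at start-up, so that scope is checked (assumption).
$cfgHome = [Environment]::GetEnvironmentVariable('CNGCLIENT_CONFIG_HOME', 'Machine')
if ([string]::IsNullOrEmpty($cfgHome)) {
    $problems.Add('CNGCLIENT_CONFIG_HOME is not set at machine scope (it may be set only for the service account)')
}

# client.status is rewritten on each boot as the client reconnects to the
# Scorebot, so its last lines are the quickest place to spot a connection error.
$statusFile = 'C:\SAIC\CyberNEXS\client.status'
if (Test-Path -LiteralPath $statusFile) {
    Write-Host '--- last 5 lines of client.status ---'
    Get-Content -LiteralPath $statusFile -Tail 5
}

if ($problems.Count -eq 0) {
    Write-Host 'OK: required services running, client files present.'
} else {
    Write-Host "Found $($problems.Count) problem(s):"
    $problems | ForEach-Object { Write-Host "  - $_" }
}
```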

23. Q: Are there Time Limits to the Exercise?

    A: If a time limit is stated in your Competition User’s guidance, then that time limit will apply from the moment that you register your image. Once you connect your system into the challenge environment, you will have XX *contiguous* hours to complete work on that particular system, so plan your availability accordingly! Logging off will not stop your competition clock.

24. Q: My VM image lost connectivity and shortly thereafter regained connectivity. What might cause this?

    A: There is now a scheduled, time-based job in place that periodically resets services; this can cause the brief disconnect you saw, and we will keep an eye on it as well.

25. Q: What happens when we completely corrupt a system?

    A: You might want to start fresh and delete the current virtual machine.

  1. First unpack a new copy from the 7-Zip archive.
  2. Register this new image with a modified system name (similar to the original, but with a “1” at the end), and be sure to include your unique id if one was provided as part of the competition guidance.

    The new image will not include any changes you made to the original, so check your notes and make the successful changes to the new image.

26. Q: We are managing two different images. Both appear to be running with the same IP address; is that normal?

    A: It is all right if they are being managed on separate hosts (physical machines) and both of their network adapters are set to NAT.

27. Q: What do we do when we accidentally disable a critical service and then can’t re-enable it because of something that we have done?

    A: If you still maintain communications with the CyberNEXS™ server, you have three choices:

  1. Find an ISO of that operating system somewhere on the internet, and fix your installation;
  2. Take the points hit for having the down service, but continue to harden; and/or,
  3. Unpack another image and start over.

28. Q: We accidentally changed the CyberNEXSAdmin base password; how do we fix that?

    A: If you changed the password for that user, open the Services console and update the log-on credentials for that user in the CyberNEXSClient service. Then stop and restart the service.


29. Q: I can’t reboot my VM image; what should I do?

    A: If you can’t reboot your VM, you can try to stop and start the CyberNEXSClient service on the VM. This will re-initiate a connection to the scorebot. See the instructions at: http://www.saic.com/cybernexs/pdfs/step6.pdf

30. Q: What is the purpose of the C:\SAIC\CyberNEXS\client.status file?

    A: The client.status file allows you to view the status of your registration process. It is displayed on the CyberNEXS Registration screen while you are in the process of registration. Each time you boot your system, this file is updated as the client attempts to re-establish its connection to the CyberNEXS Scorebot. If you experience any network problems and think you may be disconnected, check this file and look for any error messages.


31. Q: We are having problems connecting with the "Get_My_Status.html" file. It shows "Your last health update was received more than 1 hour ago!"

    A: Restart your virtual machine to re-establish the connection, wait a few minutes, and load this page again.

32. Q: I can’t tell if the virtual image is connected to the CyberNEXS™ server?

    A: To verify Internet connectivity, press Ctrl+Alt+Del and select Task Manager. Kill the CyberNEXSRegistration process. This will close the registration window and allow you to access the machine. Then try to diagnose your network settings inside the VM. This document may help you: http://www.saic.com/cybernexs/pdfs/step6.pdf

33. Q: How do I find out how well I am scoring?

    A: After you register the target, you will see a Get_My_Status.html link in the root of the virtual machine’s file system: C:\Get_My_Status.html (Windows) or /Get_My_Status.html (Linux). That file will redirect you to your scoring page.

34. Q: What is “Get_My_Status” page?

    A: The Get_My_Status page is a web page file that is placed in the root directory of your virtual machine (C:\ or /) once you have successfully registered your VM image. It provides scoring progress information as well as health status messages. If the “Your last health update was” time is more than 30 minutes behind the current “Scorebot time” shown on the Get My Status page, then you may have disabled or broken the connectivity between the CyberNEXSClient in the Target and the ScoreBot server.


35. Q: We were not able to communicate with the CyberNEXS Scoring Server for a period of time, either due to our error or the CyberNEXS server being down. We are concerned that our Score was not properly recorded.

    A: As long as your client connects to the Scorebot before you shut the system down, then your score is automatically collected and updated. You can verify this on the “Get_My_Status” page.


36. Q: Can you provide advice on which access controls I should permit, or other aids in finding vulnerabilities?

    A: Unfortunately not; this is a competition and we cannot provide an unfair advantage to any one team. There are some things to consider, however, such as looking at the shared folder and asking yourself these questions. Is there anything in there that is sensitive and would require authentication so anonymous users can't access it? Or are the contents of no interest to a malicious user, so that authentication isn't a concern?

37. Q: How much are we able to patch a UNIX VM image?

    A: You can patch as much as you want to, including dist-upgrades.

38. Q: Will you tell us what the specific vulnerabilities there were in the recent exercise we completed?

    A: Many people ask if we will tell them which vulnerabilities they missed when the round concludes. We do not do this for one important reason: it would condition you into thinking that a given vulnerability can only "look" like one you missed, and thus confine your thinking to that particular set-up in the future. We want you to always be cognizant of the "big picture" and know that vulnerabilities come in all shapes and sizes. In fact, the ones that do not conform to a cookie-cutter template are the ones that tend to cause the most damage in reality.


39. Q: CyberNEXS™-CND (Computer Network Defense-Centralized)

A: Description: CyberNEXS™-CND is a realistic cyber defense exercise in which the participants are tasked with defending a network while being attacked by a live Red Team. The participants are required to maintain their critical services and secure the hosts they are tasked to manage. They are also tasked with detecting and mitigating Red Team hacker activity and other misuse, while communicating their findings to the White Team.

Objective of game:
The goal for CyberNEXS™-CND exercise is to train the participants in Cyber Defense skills, while measuring their ability to effectively communicate their findings.

Scoring:
Each host is configured with a pre-determined set of vulnerabilities that represent the different skills of Cyber Defense. As the participants fix these vulnerabilities, their score increases. If, however, the Red Team is successful in attacking the hosts, then the respective scores for those hosts decrease. If the participants succeed in identifying the intrusion, resolving the vulnerability, and removing the actions taken by the Red Team, they can regain the points lost.

40. Q: CyberNEXS™-CND Lite (Computer Network Defense-Distributed)

A: Description: CyberNEXS™-CND Lite is a more limited version of CND from the standpoint that the participants are only required to maintain their critical services and secure the hosts. Its benefit is that it can scale to thousands of simultaneous participants. Large numbers of people can download misconfigured virtual machines (targets), which, when they begin their session, will connect to the central training system.

Objective of game: The goal of the CyberNEXS™-CND Lite exercise is to train the participants in Cyber Defense skills; it is used for routine practice of cyber defense techniques and for competition qualification rounds.

Scoring: Each host is configured with a pre-determined set of vulnerabilities that represent the different skills for Cyber Defense. As the participant fixes these vulnerabilities, and maintains critical services, their score increases and is reported to them directly.

41. Q: CyberNEXS™-Forensics

A:
Description: CyberNEXS™-Forensics is a trainer in which a series of cyber forensics challenges are presented to the participants. These challenges include finding evidence of intrusions, discovery of malware, analysis of payloads, log analysis, network analysis, and tracking of attackers across multiple systems. The participants are tasked with discovering the artifacts of these events and communicating their findings to the White Team. The White Team will then adjust the automated score of their tickets based on explanations and expositions in the tickets from the participants.

Objective of game: The goal of the CyberNEXS™-Forensics exercise is to train the participants in Cyber Forensics skills while measuring their effectiveness in discovery and analysis of their findings.

Scoring: Each artifact in the exercise has an associated value that corresponds to the level of knowledge or capability. For example, finding the file name of a piece of malware on a suspect system is worth 500 points, but finding the IP address to which the malware is exfiltrating the data is worth 2,500 points. Based on the discovery of these artifacts, the participants are then graded on their analysis and reporting of their findings.

42. Q: CyberNEXS™-Computer Network Attack (CNA) (aka Penetration Testing)

A:
Description: CyberNEXS™-CNA is a trainer in which the participants are permitted to use whatever network assessment tools are available to them to analyze and report their findings. There are artifacts that are seeded for the participants to find, which include system administration details, credit card information, trust relationships, along with system and application misconfigurations, as well as patching issues.

Objective of game: The goal for the CyberNEXS™-CNA exercise is to train the participants to assess a network of computers for vulnerabilities, discover improperly protected valuable data, and successfully exploit the vulnerabilities to gain user-level or administrative control of the computers themselves.

Scoring: Each artifact in the exercise has an associated value that corresponds to the level of knowledge or capability required to successfully discover that information. For example, finding the name of the system administrator in the SNMP information is worth 50 points, but compromising the server via an exploit and gaining administrative control is worth 2,000 points.

43. Q: CyberNEXS™-CTF (Capture the Flag)

A:
Description: CyberNEXS™-CTF is an exercise in which the participants are permitted to use whatever network assessment tools are available to them to be able to compromise and control a series of target hosts. Once a host is controlled, that participant is now required to defend that host against other participants. That is, the participants are required to protect the targets they control, while maintaining their critical services.

Objective of game: The goal for CyberNEXS™-CTF exercise is to offer a fun, exciting head-to-head challenge for Cyber Offensive and Defensive players.

Scoring: The only scoring opportunity in this exercise is to plant or remove a flag. When a flag is planted, that participant is granted points for that action. For as long as the participant maintains control of that host, they accrue additional points at each scoring cycle. When their flag is removed by another participant, the participant who lost control is penalized, while the new controlling participant is awarded points; they will also accrue additional points at each scoring cycle until their flag is stolen.

44. Q: What do you mean by “Distributed Game”?

A: The first mode is called the Distributed Game, which is used for routine practice and qualification purposes. Large numbers of people can download misconfigured virtual machines (targets), which, when they begin their session, will connect to the central training system. As students make correct actions to maintain critical services and remove vulnerabilities, the central server is notified of the changes and sends the revised score to the connected user(s). Through this mode, hundreds of students can simultaneously rehearse or compete without significant intervention by the central training system and therefore train at any hour of the day. In CP III, we are starting with a field of 500 teams.

(Figure: Distributed Game)

What are the MINIMUM computing requirements for the Distributed Game?

Distributed Game:
Hardware Requirements are as follows:
1 GHz Intel-compatible processor (AMD processors have had issues with VMware and are not recommended);
2 GB RAM;
10 GB of free disk space;
Keyboard & Mouse;
1024x768 or higher display;
(Optional) A projector or large display to share the screen output with the rest of the team is recommended, but not required; and,
Network connection from computer(s) to the Internet.
 
Software Requirements are as follows:
Operating System (Windows 2000 or newer, recent VMware supported Linux, or Macintosh 10.4.11 or later);
Web Browser;
SSH Client;
VPN Client; and,
VMware Player.

Internet Connectivity Requirements are as follows:

Minimum of 256 kbps uplink/downlink; and,
Network firewalls and/or Web Proxies should permit unfiltered HTTPS (TCP/443) outbound from your network, from each of the computer(s) involved in the competition, to the SAIC CyberNEXS server, cybernexs.saic.com.

We recommend that you use a Windows PC to compete, as there is no VMware Player available for the Mac operating system at this time. However, if you will be competing using a Macintosh computer, you will need to purchase your own copy of “VMware Fusion” to run Windows inside Mac OS.

45. Q: What do you mean by “Centralized Game”?

A: The second mode is called the Centralized Game, which provides user(s) with their own complete live, networked cyber defense environment, including Windows and UNIX operating systems, switches and routers, firewalls, and intrusion detection devices. It is during this exercise that the game introduces the two key skills of thwarting attacks and communication. This game requires additional staff, in the form of White Team (support and scoring support) and Red Team (hackers) interactions. This mode is reserved for small numbers of user(s) and is normally conducted during normal working hours.

(Figure: Centralized Game)

What are the MINIMUM computing requirements for the Centralized Game?

Centralized Game:
Hardware Requirements are as follows:
Windows/Macintosh/Linux computer that is supported by the SSL VPN server;
1 GHz or higher processor;
1 GB RAM minimum;
Keyboard & Mouse;
1024x768 or higher display; and,
Network connection from computer(s) to Internet. (As specified below)

Software Requirements are as follows:
Web Browser (JavaScript capable);
SSH Client;
VPN Client;
Telnet;
RDC (Remote Desktop Connection); and,
VNC (Virtual Network Computing).

Network Requirements are as follows:
Each user needs a network connection with a minimum of 256 kbps Internet connectivity (uplink and downlink) and under 150 ms response time to the SAIC VPN; and,
Network firewalls and/or Web Proxies should permit outbound SSL VPN connections to cybernexs-vpn.saic.com.

Copyright 2012 EC-Council