Auburn University Ethical Hacking Club participates in simultaneous cyber competitions
Published: Dec 4, 2024 10:30 AM
By Joe McAdory
How can cybersecurity professionals best mitigate threats and protect critical networks for a utility company? What are the best methods to acquire information necessary to exploit real-world cyber systems, then alert organizations to their weaknesses?
Eleven Auburn Engineering students and one business student — members of the Auburn University Ethical Hacking Club (EHC) — turned hypothetical, real-life scenarios into learning opportunities at two national cyber competitions, CyberForce, Nov. 8-9 in St. Charles, Illinois, and in the National Cyber League, a remote event held Nov. 8-10.
Matthew Pepe (computer science), Hemant Sherawat (cybersecurity engineering master’s program), Marshall Nelson (computer science with an undergraduate certificate in cyber defense), Jonathan Story (electrical engineering), Walker McGilvary (computer engineering) and Luke Robinson (computer science with an undergraduate certificate in cyber defense) represented Auburn at CyberForce, a U.S. Department of Energy program where the team stormed to a 15th place finish (improving from 41st in 2023) out of 94 entries.
Brad Bulson (computer science with an undergraduate certificate in cyber defense), Cooper Jackson (software engineering with an undergraduate certificate in cyber defense), David Foweather (information systems management), Bo Stokes (computer science), Matthew Rogers (computer science) and Eris He (computer science with an undergraduate certificate in cyber defense) competed remotely in the National Cyber League and finished 12th out of 4,894 teams.
'Real-life' experience
“Competitions like this provide real-world experience with common computer operating systems and their applications commonly used in the private and government sectors,” said Nelson, vice president of the EHC and assistant lab manager at the Auburn Cyber Research Center. “They also help students determine what fields of cybersecurity they are potentially interested in to pursue a career.”
Bulson, the EHC webmaster, said competitions such as these “see fruits of our training as we apply tools and techniques we might not have known previously.”
“As students, we only stand to gain,” he said. “If you are new to the field, applying yourself in competitions like these is a great way to see if it’s right for you. It’s one thing to know tools and techniques, but to apply them in scenarios that do not always conform to your expectations is an invaluable experience.”
Each competition presented separate challenges.
CyberForce put participants into the cyber arena after a fictitious energy company experienced an ongoing problem with its cybersecurity infrastructure.
“Malicious actors had negatively impacted its power production, preventing them from effectively providing customer services,” Nelson said. “These cyberattacks were impacting community trust in the company and the company's bottom line. We were the team assigned to resolve the ongoing cybersecurity issues and protect the network from ongoing threats.”
This competition consisted of a month's work, with submissions, before the competition weekend.
“First, teams were responsible for explaining risk, possible mitigations and cost to a C-suite consisting of non-technical business administration,” Nelson said. “We had to create, record and submit a presentation before interacting with the competition network.”
After submitting C-suite presentations, teams were given access to the competition network. Teams had to thoroughly evaluate the network and document security issues.
“With limited knowledge, we had to determine how the network was interconnected, what the critical function of the network was and suggest mitigations for the vulnerabilities found,” Nelson said. “This simulates a real-world scenario where an outside cybersecurity firm would be tasked to review a company's network.”
Teams were provided with six virtual machines – three considered ‘assume breach’ and three were not.
“It was our job to make sure that these virtual machines were protected from any threats before the competition day to ensure that our attackers cannot make the damage worse to our systems,” said Sherawat, the team captain.
Competition weekend objectives involved:
- Protecting critical services from a separate ‘red’ team, which actively worked as adversaries
- Develop a web site according to company standards and protect it from the red team
- Monitor the network’s interaction with wind turbine devices to ensure adequate power was produced
- Investigate network incidents in real time, then report them
- Solve a variety of puzzles, including software reverse engineering, obfuscated code analysis, open-source intelligence, password cracking and network forensics.
“I cannot emphasize the amount of real-world experience I gained while preparing for the competition, during the competition and even after it,” Sherawat, an EHC technical advisor, said. “As much as technical skills are valued in the industry, we also need the soft skills to succeed. Tasks like these, where we presented our work... one day you will have to report your work to your manager. Competitions like CyberForce force you to come out of your shell and communicate with your team.”
Sherawat stressed the importance of understanding fundamentals taught in classrooms and that Auburn Engineering professors ensure “we can use that knowledge as tools when a situation arrives.”
“Then it's our responsibility as students where we use and apply these tools,” he said. “Being able to go out of Auburn and compete gives us a chance to test our cyber skills against other universities and help us get better by pitching ourselves against other universities all over the U.S. It also provides us with networking opportunities with national labs and learn more about the work that labs do and get more face time with them to understand their work and future career opportunities as the public sector needs cyber professionals. These labs go out of their way to attend these competitions to give us a chance to learn from them.”
National Cyber League
Unlike CyberForce, where hundreds of competitors gathered in a large convention hall (Q Center), the National Cyber League competition was remote – meaning Auburn students involved operated on familiar ground – Auburn University.
Though still focused on all things cyber, the objective was somewhat different. The event was structured as a stereotypical cyber capture the flag competition (CTF), where competitors solve context-specific puzzles to acquire “flags” (i.e. hidden files or missing information in a target environment) and move forward in the competition.
Competition categories included open-source intelligence, log analysis, forensics, web application exploitation, enumeration and exploitation, cryptography, scanning and reconnaissance, network traffic analysis and password cracking.
“The nature of the competition was less oriented around ‘blue teaming’ where you defend a system and more oriented towards ‘red teaming’ where the goal is to acquire information necessary to exploit a system,” Bulson said. “CTF competitions are popular among pen-testers in the cyber security industry whose job is to break into real-world systems and alert organizations to their weaknesses.”
In other words, ethical hackers.
“In this sense, we acted like cyber security specialists by taking in benign, encrypted, or obfuscated information and extracting security critical information from it,” Bulson said.
“The professors who assist with competitions and with the Ethical Hacking Club are resources that should not be understated. Being student-led, EHC is an organization that can lack the experience that some of the great professors in the department have, so any assistance they give in the form of coaching or speaking at our weekly sessions prepares us in ways that self-training cannot. The undergraduate certificate in cyber defense is another great resource that the college provides students interested in cyber security. It lays out a roadmap of courses that guide us students towards a better understanding of the problems seen in competitions like these.”
Equipping students for careers in cyber security
“Our cybersecurity curriculum is carefully designed to equip students with critical skills required for participation in cyber competitions,” said Farah Kandah, associate professor in computer science and software engineering (CSSE) and chair of the department’s cyber programs committee. “Emphasizing hands-on experience in areas such as network security, cryptography, digital forensics, vulnerabilities and countermeasures, the curriculum ensures that students develop both foundational knowledge and advanced technical abilities. Additionally, these courses combine problem-solving, critical thinking and teamwork exercises aligning with the dynamic and collaborative challenges typically presented in cyber competitions.”
Nelson agreed that the students’ Auburn Engineering education is best preparing them for careers in the cyber industry.
“The Auburn Cyber Research Center is a major supporter of the Ethical Hacking Club,” Nelson said. “The ACRC provides access to lab space, professors computing resources, guest lecturers and funding for club events and training that align with its mission.
“Additionally, the theory we are taught in our classes provides a great starting point for approaching cybersecurity problems. For example … how can you verify that data is transported securely if you don't know how a network works? How can you extract hidden files if you don't know what files look like to computers? How can you step through a program to retrieve a flag if you don't know how debuggers work? This knowledge is offered in classes here at Auburn. Your college education only goes as far as you take it, and competitions like this are a great way to develop theory into workplace skills.”
“EHC having separate teams simultaneously compete in national cyber competitions, and perform near the top of the nation, is a great testament to our cyber students tirelessly pursuing experiential learning opportunities to complement their class learning,” said Daniel Tauritz, CSSE associate professor, ACRC interim director and chief artificial intelligence strategist, and director for national laboratory relationships at Auburn University. “EHC’s improvement from 41st in 2023 to 15th this year in the Department of Energy (DOE) CyberForce competition is particularly impressive. Our students are increasingly competing in cyber competitions put on by DOE national laboratories and seeking internships and full-time careers at the national laboratories where they contribute to national security.”
Up next for the Ethical Hacking Club is the Southeastern Collegiate Cyber Defense Competition’s (SECCDC) qualifying round, a remote event held Feb. 8. If the team qualifies, members will compete in-person at the SECCDC regionals March 21-23 at the Florida Institute of Technology in Melbourne, Florida.
Media Contact: , jem0040@auburn.edu, 334.844.3447
Students competing at CyberForce included, from left, Marshall Nelson, Jonathan Story, Hemant Sherawat, Matthew Pepe, Luke Robinson and Walker McGilvary.
