This past November, Mason Competitive Cyber (MCC) put their hacking skills to the test and participated in Hack the Building, a cybersecurity competition hosted by the U.S. Cyber Command, a division of the U.S. Department of Defense, Dreamport, and the Maryland Innovation and Security Institute.
Eight of MCC’s top members teamed up with fellow cyber competition enthusiasts at the University of Virginia to literally hack a building, but not just any building. This was a 150,000 square feet, two-story office building filled with smart devices, diesel generators, and business systems.
“This was unlike any competition we had participated in before,” says Caleb Yu, MCC’s vice president. “We encountered both traditional information technology networks and industrial control networks and hacked through both cyber and physical means.”
While most of MCC’s team hacked the building remotely from the safety of their homes, two members from each team were invited to also infiltrate the building on-site in Annapolis, Maryland. “Uniquely, this competition featured physical access control systems to attack and exploit, including badge readers, security cameras, and physical doors,” says MCC president Zaine Wilson. “This was the first time I'd ever been to a competition that has these challenges.”
Over the four-day competition, MCC’s team was given numerous scenarios in which they had to hack various components of the smart building. “Hack the Building had several challenges that required Red Team skills like lateral movement, privilege escalation, and password attacks,” says MCC competitions officer Andrew Oliveau. “We began in an IT network and hacked our way into a non-internet connected OT [industrial hardware] network.”
From there, the team reverse-engineered elevator controls, disabled heat exhaust fans, and manipulated electric power distribution units.
In one challenge the team disabled the building’s security cameras. “Some of the challenges seemed straight out of spy films,” says Yu. “It is exhilarating when we’re able to pull off a successful cyber-attack, but, at the same time, it is also frightening. Scenarios like these show how our network-connected world can be brought down by hackers.”
Facing stiff competition from security industry professionals around the country, George Mason University’s student team not only held its own but also found surprising success in many of the event’s challenges and exceeded expectations throughout the four days.
They even received a shoutout from competition officials in front of former Cybersecurity and Infrastructure Security Agency Director Chris Krebs on the Hack the Building livestream. Krebs oversaw much of the national strategy for defending critical infrastructure in cyberspace. It was a wonderful surprise to the team to be lauded in front of him.
Although Hack the Building does not formally declare a winner, team bragging rights come from getting “first blood” on various challenges, which means they were able to hack their way through the challenge before any of the other teams. Impressively, a moderator informed Mason Competitive Cyber’s team that they had the most first blood solves in the competition of any team, including the professional ones.
At the end of the four days, MCC members spoke highly of the competition and expressed eagerness to compete again in the following years. “This competition gave me experience in what it's actually like to run a full-scope penetration test, and I'm absolutely hooked,” says Wilson.
Hack the Building created the most realistic environment that the MCC team has encountered, says the team. Rather than solving isolated cybersecurity challenges, the competition’s style of scenario-based cyber-attack campaigns brought a sense of realism to the competition.
And as the U.S. Department of Defense works to raise the next generation of cyber warriors through competitions such as Hack the Building, MCC proved they are up for the challenge.
This story was written by members of the Mason Competitive Cyber club.