CCDC Training Environments

This article will detail the kinds of team training environments we build for our competitive cyber team, part of the Clemson Cyber club. I’ve detailed how our lab environment is set up in this article.

The CCDC Training Environments we build are designed to recreate the experience teams have at competitions. They’re given a complex, inter-dependent network with vulnerabilities baked in and zero knowledge beforehand. During competition, the team must learn what their network is doing and how, while also stopping live cyber attacks from a very active red team. For our team, we host tryouts in the late spring semester to assess members’ skills and select the team members. Later on, we’d arrange scrimmages with our chosen team members to hone their abilities.

When Isaac Fletcher and I first began building environments, we did it all manually. We’d decide how many machines we’d have, what OS they’d be running (Debian, Server 2020, Ubuntu, Server 2016), and what services they’d have (HTTP, AD, DB, etc.). We’d also choose backdoors to add, but these would mostly be the same across all machines. From there, he would build out the Windows machines, and I would build the Linux machines. This involved a significant amount of manual labor and repetitive tasks, especially for tryouts, where we’d create one network and clone it several times, allowing multiple separate groups to run simultaneously. There were numerous bugs due to the need to manually change IP addresses for the cloned networks. Nonetheless, this worked.

I was introduced to Ansible through my job, which is an amazing IaC tool. What you can do with Ansible is only limited by your skill level. I began building out roles with Ansible to deploy VMs through Proxmox’s API, and then target those VMs with Ansible to provision them automatically. This was way faster and solved so many of the problems we encountered when manually deploying. We started small, writing roles as we needed for things like setting up Netcat listeners, deploying a WordPress server, setting up and linking an AD, and adding tons of users.

Building out a collection of roles lets us instantly 10x the work we put into building one role, as we can now use it against as many VMs as we want. This allowed us to build larger and more complex networks, which provided the team with a proper challenge. It made creating duplicate networks a breeze, as we could specify multiple networks with similar inventory files and have many identical networks nearly instantly.

Our Ansible repo is large and growing, and now, a year later, we have many more skilled people working on it to build and deploy networks easily. Isaac has graduated and left, but the work he put in is still helping us. Aaron Sprouce and Dylan Harvey are now our main network architects. It’s very personally rewarding to see them improve and expand the platform I’ve built.