They call themselves Lab RATs, in a nod to remote access trojans, which are malware that attempt to hijack a computer's operations. Battling teams from around the world, a team of staff members from MIT Lincoln Laboratory's Cyber Security and Information Sciences Division and Information Services Department made it all the way to the finals of this year's DEF CON Capture the Flag (CTF) hacking competition.
The laboratory's cyber researchers and analysts, joined by students from Rensselaer Polytechnic Institute and MIT, were pitted against other elite teams trying to breach each other's computers and capture "flags" — which are actually code strings — embedded within the programming. Because DEF CON CTF is an attack-and-defend tournament, competitors not only had to infiltrate opponents' systems to steal flags and earn points, they also accrued points by keeping their own services up and running against the onslaught of 14 other teams who came to DEF CON from Germany, Israel, Russia, China, Korea, and Hungary, as well as elsewhere in the U.S.
After the 52-hour contest was over, the Lab RATs had earned 10th place among the 15 teams that had qualified for the finals of DEF CON CTF, the world's premier hacking competition. Teams chosen for the coveted finals slots emerged from more than 4,000 entrants who competed in qualifying events.
This year's CTF was held in Las Vegas, and was part of the annual DEF CON hackers' convention, which attracts not only amateur codebreakers but also cybersecurity professionals from academia, governments, and businesses worldwide.
This was the first year the Lab RATs qualified for the finals of the competition, which they have entered for the past three years. The team meets and practices during non-work hours at the Beaver Works facility in Cambridge, Massachusetts, and membership fluctuates between 20 and 30 laboratory employees and six to eight MIT students.
"Participation in DEF CON CTF is realistic cybersecurity training," says Lab RATs captain Andrew Fasano of the laboratory's Cyber System Assessments Group. "You have to develop the tools and mindset to attack and defend computer systems in a high-pressure environment."
This year's DEF CON CTF competition was a humdinger, Fasano says. The Legitimate Business Syndicate, organizer of the 2017 CTF and a previous competitor at DEF CON CTF finals, was in the last year of a multiyear contract to devise the game and was determined to make its swan song an extreme challenge.
"Just 24 hours before the competition, we were given a 75-page book explaining the never-before-seen computer architecture that our system would be using," Fasano says.
Ironically named cLEMENCy, the architecture showed no mercy to the finalist teams, who were forced to scrap the cybersecurity techniques they knew to develop new software tools on the fly.
"The architecture was specifically built so that it wouldn't work with tools that are made for a normal computer," said Lab RATs member Christine Fossaceca. "It had 9-bit bytes instead of 8-bit bytes, and it used an unusual middle-endian byte-storage scheme so the way numbers were parsed had to be completely modified. Every tool we had written in preparation for the competition had to be changed in that 24 hours beforehand to make it compatible with this weird structure."
The creative ability to respond to a new situation is just one of the skills tested in a CTF contest. Chris Connelly, assistant leader of the Cyber System Assessments Group from which most of the Lab RATs hail, said the DEF CON CTF is "outstanding training for staff," who hack "a real-world problem in a safe environment." The chance to be cyber attackers provides researchers with insight into the methods hackers use to exploit a computer network's vulnerabilities, while the demand to rapidly craft cyber countermeasures sharpens analysts' ability to identify solutions.
Learning, it seems, is what CTF participation is all about. "I always looked at good CTF players as the ultimate programmers. They are nimble developers who can spin up scripts to solve hard, unique problems in a very short period of time," Fossaceca says. "To me, CTF players were the best and smartest programmers, and I wanted to get to that level. I have already learned so much from my coworkers on the team in the past year that I’ve been at the lab."
Jeff McLamb, another Lab RAT from the Cyber System Assessments Group, notes that while DEF CON CTF itself is a "friendly" hacking competition, teams that make it to finals are using techniques that are widely employed in the real world. "Capture the Flag requires precisely the skill set of the people we want in the group," McLamb says.
While the team may never again use the tools they devised to work with the cLEMENCy architecture, they also brought back enhanced organizational skills, Fasano believes. "We created teams within the team," he says. "We specialized a bit — analyzing traffic, or identifying exploits, or watching other teams."
Lab RATs also came back with bragging rights.
"In the cybersecurity arena, there are not a lot of established credentials yet," Connelly says. "DEF CON is sort of the Olympics of Capture the Flag."