Lab RATs take 10th place at DEF CON Capture the Flag competition.

Calling themselves Lab RATs in a nod to remote access trojans, which are malware that attempt to hijack a computer's operations, members of Lincoln Laboratory's Cyber Security and Information Sciences Division and Information Services Department challenged the finals of the 2017 DEF CON Capture the Flag (CTF) hacking competition.

Thirty-eight Lab RATs, weary after 52 hours of hacking competitors' computer networks, posed for a team photograph at the DEF CON Capture the Flag competition held at Caesar's Palace in Las Vegas, Nevada. Photo: Wilson Wong
Thirty-eight Lab RATs, weary after 52 hours of hacking competitors' computer networks, posed for a team photograph at the DEF CON Capture the Flag competition held at Caesar's Palace in Las Vegas, Nevada. Photo: Wilson Wong

From 28 to 30 July, 25 Laboratory cyber researchers and analysts, joined by students from Rensselaer Polytechnic Institute and MIT, battled teams from around the world to breach each other's computers to capture "flags," actually code strings, embedded within the programming. Because DEF CON CTF is an attack and defend tournament, competitors not only had to infiltrate opponents' systems to steal flags and earn points but also accrued points by keeping their own services up and running against the onslaught of 14 attacking teams who came to DEF CON from Germany, Israel, Russia, China, Korea, and Hungary, as well as U.S. cities.

After the 52-hour contest was over, Lab RATs had earned 10th place among the 15 teams who had qualified for the finals of DEF CON CTF, the world's premier hacking competition. More than 4000 teams had competed in qualifying events to earn one of the coveted 15 slots in the CTF finals. The 2017 CTF was held for the 20th time in Las Vegas at the annual DEF CON hackers' convention, which attracts not only amateur codebreakers but also cybersecurity professionals from academia, governments, and businesses worldwide.

This was the first time Lab RATS qualified for the finals. The team, which meets and practices during out-of-office hours at the Beaver Works facility in Cambridge, Massachusetts, has been tackling DEF CON CTF qualifying rounds for three years, with membership fluctuating between 20 and 30 Laboratory employees and 6 to 8 MIT students. "Participation in DEF CON CTF is realistic cybersecurity training," said Lab RATs captain Andrew Fasano of the Laboratory's Cyber System Assessments Group. "You have to develop the tools and mindset to attack and defend computer systems in a high-pressure environment."

This year's DEF CON CTF competition was a humdinger, according to Fasano. The Legitimate Business Syndicate, organizer of the 2017 CTF and a previous competitor at DEF CON CTF finals, was on its last year of a multiyear stint to devise the year's game and was determined to make their swan song an extreme challenge. "Just 24 hours before the competition, we were given a 75-page book explaining the never-before-seen computer architecture that our system would be using," Fasano said.

Ironically named cLEMENCy, the architecture showed no mercy to the teams who were forced to scrap the cybersecurity techniques they knew to develop new software tools on the fly. "The architecture was specifically built so that it wouldn't work with tools that are made for a normal computer," said Lab RATs member Christine Fossaceca. "It had 9-bit bytes instead of 8-bit bytes, and it used an unusual middle-endian byte-storage scheme so the way numbers were parsed had to be completely modified. Every tool we had written in preparation for the competition had to be changed in that 24 hours beforehand to make it compatible with this weird structure."

Participation in DEF CON CTF is realistic cybersecurity training.

Andrew Fasano

This creative ability to respond to a new situation is just one of the skills tested in a CTF contest. Chris Connelly, assistant leader of the Cyber System Assessments Group, from which most of the Lab RATs hail, said the DEF CON CTF is "outstanding training for staff," who hack "a real-world problem in a safe environment." The chance to be cyber attackers provides researchers with insight into the methods of hackers attempting to exploit a computer network's vulnerabilities; the demand to rapidly craft cyber countermeasures sharpens analysts' ability to identify solutions.

It seems learning is what CTF participation is all about. "I always looked at good CTF players as the ultimate programmers. They are nimble developers who can spin up scripts to solve hard, unique problems in a very short period of time," said Fossaceca. "To me, CTF players were the best and smartest programmers, and I wanted to get to that level. I have already learned so much from my coworkers on the team in the past year that I’ve been at the Lab."

"Capture the Flag requires precisely the skill set of the people we want in the group," said Jeff McLamb, another Lab RAT from the Cyber System Assessments Group, noting that while DEF CON CTF itself is a "friendly" hacking competition, teams that make it to finals are using techniques that are widely employed in the real world.

While the team may never again use the tools they devised to work with the cLEMENCy architecture, they brought back organizational skills, according to Fasano. "We created teams within the team. We specialized a bit—analyzing traffic, or identifying exploits, or watching other teams."

Lab RATs also came back with bragging rights. According to Connelly, "In the cybersecurity arena, there are not a lot of established credentials yet. DEF CON is sort of the Olympics of Capture the Flag."