Open Source


System Integration


2016 Cyber Defense Exercise


The CDX is an annual competition sponsored by the Information Assurance Directorate of the US National Security Agency which challenges a number of undergraduate institutions to design, implement, and defend a computer network against attack. The NSA builds the backbone exercise network and scoring infrastructure, acts as the competition referee, and fields a red cell with the task of compromising the confidentiality, integrity, and availability of the competitors' networks.

Six documents describe the CDX:

The CDX took place during a one-week competition in April.

Availability scoring beganApril 11, 20161600
Attacks and confidentiality/integrity scoring beganApril 12, 20160900
Scoring endedApril 14, 20161600
All times are in Eastern Daylight Time (UTC−04:00).

The US Military Academy team network spanned 27 virtual machines, and it included servers, management workstations, and user workstations; four network devices; the CentOS, FreeBSD, Ubuntu, Windows 7, Windows 8, and Windows Server 2012 operating systems; and a range of software services.

Some of these files are rather large and thus take a long time to download. We can mail this data set to you for the cost of shipping plus a 300 GB drive.

Results: 2016-CDX-USMA data set

Here you will find data collected by the US Military Academy team during the 2016 CDX. We granted these data into the public domain. Please refer to this data set collectively as 2016-CDX-USMA and consider acknowledging the authors: W. Michael Petullo, Kyle Moses, Ben Klimkowski, Ryan Hand, and Karl Olson. We could not have collected these data without the efforts of the cadets of the US Military Academy team, our fellow competing teams, and the NSA CDX team.

Network diagram
Austin Herrling maintained our team's CDX network diagram. The first page of the diagram contains a summary of each of our team's subnets. Subsequent pages provide details such as IP addresses, gateway IP addresses, netmasks, and so on.
Packet captures (April 4, 2016–April 24, 2016); compressed size: 144 GB; MD5: 1aa52ff83f2d9940092783ff8058e0f7
This data set contains packet captures collected from three Security Onion sensors that the team installed during the CDX. The sensor on eth1 captured packets from outside of our core firewall (between the firewall and external network in the diagram above), the sensor on eth2 captured packets from each of the ports on our main switch (all internal subnets except for the subnet labeled gray), and the sensor on eth3 captured packets from our end-user subnet (gray subnet).
Consolidated event logs (April 8, 2016–April 14, 2016); compressed size: 253 MB; MD5: 90e03565aafe498b5b66bef1600a9f81
This data set contains all of the log data collected by the team's centralized log system. This includes Unix system logs; logs from applications such as lighttpd, squid, postfix, dovecot, and bind; Windows events; and NetFlow records. The data set contains 15,455,997 records and is formatted as comma-delimited text.
Recorded compromises
The NSA provided a time-stamped list of instances where a token agent detected token modification or the red cell reported a token back to the white cell. Much of these records are duplicate reports; nonetheless, these data should contribute to the understanding of our packet captures. We provide these records here as comma-delimited text.
DNS blacklist
We developed a heuristic during the CDX to determine which domains to blacklist in our DNS server. This list contains these domains.
Squid blacklist
We developed a heuristic during the CDX to determine which URLs to blacklist in our Squid proxy. This list contains these URLs as regular expressions.
Firewall blacklist
We developed a heuristic during the CDX to determine which URLs and IP addresses to blacklist at our firewall. This list contains these values.
Gray-cell disk images
These disk images contain malware, so you should analyze them with care. We distribute these images as QCOW2, a sparse disk image format. The qemu-img utility is one tool which can convert this format into others, such as VMDK or raw.
DescriptionPre-CDX link; compressed size; MD5Post-CDX link; compressed size; MD5
Alpha, the CentOS workstationPre-CDX; 6.9 GB; 724f0b458c89e11d8b306fea50a2a233Post-CDX; 6.2 GB; 61d048a1a48e3866d5c164317f95432a
Beta, the Ubuntu workstationPre-CDX; 2.2 GB; 2a04ba0615f1bef0a8d110f204a5ad3fPost-CDX; 2.9 GB; 280919958b3406c82ba15ca1fa708f6a
Delta, a Windows workstationPre-CDX; 8.8 GB; 61fbc91bd0286d1fcaa0cf845691af4aPost-CDX; 49 GB; ce7973e38eb42ddae9977f3df8c711ef
Gamma, a Windows workstationPre-CDX; 11 GB; d5faec313efb74cdbecdf52187bbfbcaPost-CDX; 53 GB; b19fe189ccfa6556cc8e809293fd42ef


Ryan Johnson, Jessie Lass, and W. Michael Petullo. Studying naïve users and the insider threat with SimpleFlow. In Proceedings of the 8th ACM CCS International Workshop on Managing Insider Security Threats, MIST '16, pages 35-46, New York, NY, USA, October 2016. ACM. [ bib | paper ]
W. Michael Petullo, Kyle Moses, Ben Klimkowski, Ryan Hand, and Karl Olson. The use of cyber-defense exercises in undergraduate computing education. In Proceedings of the 2016 USENIX Workshop on Advances in Security Education, ASE '16, Washington, DC, USA, August 2016. USENIX Association. [ bib | paper ]
Email: webpage@flyn.org — ✉ 315A South Moore Loop; West Point, New York 10996; USA