An Army “hacker con” goes big: The return of AvengerCon
COLUMBIA, Md.—In a business park that plays home to a number of tech and cybersecurity firms situated strategically between Washington, DC, and Baltimore, there’s a two-story building that looks externally like many other office buildings, remarkable this day only for the food trucks in the parking lot and the stream of people in camouflage swarming in and out. The building, called DreamPort, is a collaboration facility leased by US Cyber Command—and on October 18, it was the location of AvengerCon IV, the latest incarnation of a soldier-led cybersecurity training event that takes the shape of a community hacking conference.
The event also offered USCYBERCOM a chance to show off DreamPort—and a chance for me to meet with David Luber, the Executive Director of USCYBERCOM.
“AvengerCon is an event that is attracting the very best talent both from our DoD participants and also from some of the folks that are working with us outside of the DoD,” Luber said. “When you bring those very best cyber experts together, they get to learn, test out new ideas, and work in an environment that is hosted by and for DoD cyber operations community experts. They’re working in a community of peers—they get to learn together, they get to fail together. And what we’ve seen from previous activities with AvengerCon is that it’s an exhilarating, fun environment for them to work in, and they learn a ton while they’re here. And the private sector benefits because as AvengerCon shows, we’re all working on some of the same cyber challenges together.”
AvengerCon is an effort to bring the learning environment provided by security conferences such as DEFCON to a military and government community that wouldn’t otherwise be available because of cost and bureaucratic complexity. Originally a training event organized by the 781st Military Intelligence Battalion at Fort Meade involving about 100 soldiers, AvengerCon has grown to 600 attendees and has gained the backing of Army Cyber Command and USCYBERCOM.
“My job, in part, is trying to figure out how to properly train soldiers in a field that doesn’t have decades of standard operating procedures and clear paths for training to get to success,” Capt. Joseph Dooley, an organizer of AvengerCon, told Ars. He said that this type of event offered “a unique opportunity for soldiers to individually be in a more unstructured environment where they can set their own agenda”—where they can pick things that they’re interested in or feel they need training in without the usual constraints of formal Army training.
The event “complements efforts in regular unit training,” Dooley explained. “And it gives [attendees] the chance to collaborate with subject-matter experts [and] share and compare tradecraft, best practices, and ideas. This is a very good way to boost our other conventional training.”
Sgt. 1st Class Craig Seiler, another member of the AvengerCon organizing committee, said that bringing together people from across the cyber operations community in government provided a boost to the learning opportunities. “What we’ve found is mixing all these different types of people—developers, people doing operations—they all do great things separately, but when they get together later on, they say, ‘Hey, I really learned something from that analyst or that developer that I’ve picked up to bring to my current job.'”
I attended last year’s AvengerCon, held on Fort Meade, at the invitation of the unit organizing the event, the 780th Military Intelligence Brigade (Cyber). While AvengerCon III was clearly a success, this year’s expanded event puts AvengerCon on the scale of well-established regional security conferences. The keynote speaker was security researcher Daniel Cuthbert, who is Global Head of Cyber Security Research for Grupo Santander and co-author of the original Open Web Application Security Project (OWASP) Testing Guide and the OWASP Application Security Verification Standard. He spoke largely on the issues surrounding information-sharing and collaboration in the cybersecurity realm.
Beyond the base
-
Keynote speaker Daniel Cuthbert addresses attendees at AvengerCon IV.
-
The Day After: Cyber Policy Simulation was one of the exercises on day two of AvengerCon IV at the DreamPort facility in Columbia, Maryland, on October 18. Four college teams, representing the US Naval Academy, James Madison, UMBC, and American University, participated in the event, which simulated how different government agencies, the Department of Defense, and Department of State would respond to a large-scale cyberattack.780th Military Intelligence Brigade (Cyber
-
A workshop on WALKOFF, a community-driven open source automation platform, on day two of AvengerCon IV .
-
An AvengerCon workshop on using “fuzzing” tools to discover vulnerabilities in software.
-
AvengerCon’s Lockpick Village offered attendees a crack at some physical security problems.
-
A car-hacking display at AvengerCon brought in by the cybersecurity firm Grimm.
-
ICS Village cofounder Bryson Bort talks with AvengerCon attendees about industrial control system security issues.
-
Fernando Tomlinson delivers a presentation entitled “Gaining 20/20 Vision During an Incident with PowerShell” at AvengerCon.780th Military Intelligence Brigade V
-
In AvengerCons Voting Village, attendees got a walk-through of election-security issues and the opportunity to inspect election hardware.
-
Voting machines on display in AvengerCons Voting Village.
-
The “villages” at AvengerCon also included a soldier-led cryptography challenge and wireless capture-the-flag competition.
Holding a “con” on a military post (and at Fort Meade in particular) can pose some logistical challenges—such as getting people cleared and onto the base itself, and limited space to stage the event. Fortunately, the success of AvengerCon drew the attention of US Cyber Command, and the organizers were offered the use of DreamPort for the event’s next iteration.
AvengerCon fits neatly into DreamPort’s mission to foster collaboration between US Cyber Command, the rest of the Department of Defense and intelligence community, and industry.
“We opened the facility here in Columbia, Maryland, back in the fall of 2018,” Luber said, “created under a partnership intermediary agreement between US Cyber Command and the Maryland Innovation and Security Institute [MISI]. We’ve hosted over 14,000 visitors in this 40,000-square-foot facility, and in June of 2019, MISI signed an expansion lease to double the size of DreamPort by the end of 2020. So, we’re really happy about the partnership that we’ve had so far.”
Companies and individuals can come into the unclassified facility to demonstrate capabilities during “challenges” and events hosted by the facility looking at specific cybersecurity issues. These include critical infrastructure security events simulated in “Dream Valley,” a scale model village connected to actual industrial control systems and other operational technology.
Off base
DreamPort’s planned expansion is probably a good thing, considering how AvengerCon has grown. In the past, the event was limited to Army personnel, but now it includes attendees from across the Department of Defense and other government agencies tied to cyber operations, as well as students and representatives of industry.
“We felt we needed to branch out and start making sure that we are supporting the community better each year as we expand,” said Seiler. “The growth is great, but it also brings in other woes and requirements.” The logistics of getting people onto Fort Meade was one of them, Seiler explained—while it provided a natural level of security around the event, using the base made drawing on outside resources difficult and limited who could be brought in to attend.
“We found it works better if it’s off base,” he said.
Using DreamPort opened up the opportunity to add resources provided by outside organizations that “connect to our mission,” Seiler said. Those included the “villages” at the event brought in by security community organizations—including ICS Village’s industrial control systems “capture the flag” competition (in which attendees looked for ways to compromise simulated plant hardware) and the Voting Village’s collection of voting-machine hardware and exploration of election security.
“The election thing was nice to have,” said Seiler. “I don’t know if it was our big thing, but lots of people are talking about it… it sparks conversation, which was the intent of accepting something like that. That’s the intent of all the villages—to build the conversations.”
The additional space allowed for the expansion of AvengerCon’s training workshops, which included day-long classes in reverse-engineering and software “fuzzing.” Additionally, the event hosted a simulation called “The Day After”—in which teams from the US Naval Academy, James Madison University, American University, and the University of Maryland, Baltimore County, simulated strategies for government agencies to respond to a large-scale cyberattack on the United States.
More, better cyber
The success of AvengerCon has prompted plans to replicate it in some form for the military and intelligence cyber community at Fort Gordon in Georgia. But the organizers also want to make sure that AvengerCon itself doesn’t outgrow its grassroots, community feel. They also want it to stay focused on its mission. That fits into the overall USCYBERCOM strategy for DreamPort, which has an ongoing calendar of highly focused events surrounding the command’s “Persistent Innovation” strategy.
“You know that cyberspace is under constant change,” said Luber. “It requires us to constantly innovate, and innovation just doesn’t happen in government. It’s also happening in industry, academia. We need a place to work, we need a place to meet, and we need a place to innovate, and DreamPort provides that combination for us.”
In addition to providing an environment for academic outreach to high schools and universities, Luber said DreamPort is “a mission accelerator, an incubator for US Cyber Command where projects are conducted with the goal of completing those projects within 90 days. So think of that innovation process where you’ve got an idea, you’ve got a concept, you want to run it quickly, and if you fail, you fail fast. And if you succeed, you’ve moved to the next step where you try and get it to operational capabilities.”
Conducting those projects in an unclassified environment, Luber said, encourages the sharing of ideas and speeds up the creation of new solutions to cyber security issues.
Rapid prototyping
Some of those projects include rapid-prototyping events in which “we bring industry partners in from all different sizes, small businesses, large businesses, and then have them work the problem,” Luber explained. “We’ve had six rapid-prototyping events over the course of the past year. We’ve seen even one-person companies outperform some of the bigger prime contractors that you might think that we’re dealing with on a regular basis.”
One of DreamPort’s recent rapid-prototyping events was run by USCYBERCOM in partnership with the Office of the Secretary of Defense for Small Business and Manufacturing. It focused on protecting the security of small businesses within the Defense Industrial Base (DIB) with the application of “zero trust” network security, which is an architectural approach to handling application and information security that would help protect their security regardless of the overall security of the network environment.
The project looked at ways to apply zero-trust architecture, not just to the DIB, but to Department of Defense information systems and networks as well. “By bringing together talent from DISA, NSA, USCYBERCOM, and industry, we were able to really work on some interesting prototyping activities, and it’s going to help us drive the future for the Department,” Luber said.
