CSUF OSS Red Team, Fall 2021. Left to right: Chris Ly, Danny Tzoc, Josiah Peedikayil, Rian Luzio, Mathias Nguyen, and Yao Lin.
CSUF’s very own cybersecurity organization, the Offensive Security Society (OSS), often represents the university in competitions such as the Collegiate Pentesting Competition (CPTC). CPTC is the world’s premier cybersecurity competition designed for college students. The competition revolves around ethically hacking a simulated professional company, and it evaluates the red teams (hacking teams) on communication, hacking skills, and report writing. This year, the theme was food manufacturing and global retail in an industrial bakery, including all of its distribution channels. The competition presented a novel and impactful infrastructure that students would not see in a classroom, with the challenge described as "high-energy" yet "grueling" by faculty coach Mikhail Gofman.
This year, the competition began on November 13th, when the OSS Red Team competed against several other universities, such as Stanford, Cal Poly Pomona, UC (University of California) Riverside, and San Diego State, in the Western Region part of the competition.
The next day, competition officials announced the top three winners of the Western Region: Cal Poly Pomona in first, Stanford in second, and Cal State Fullerton in third. CPTC officials released more information a few weeks later, on November 30: CSUF will be moving on to compete in the global final alongside 14 other top universities from around the world this coming January.
CPTC announcement of the Western Regional winners.
After months of preparation, these talented individuals are going to be competing in CPTC Finals: Rian Luzio (Team Captain), Josiah Peedikayil, Danny Tzoc, Yao Lin, Mathias Nguyen, and Chris Ly.
When asked about their fantastic victory, Mr. Luzio attributed it all to the team’s hard work, saying the team “met every week over summer just to train.” The training was necessary, it seems: although their quick victory might lead you to believe that they are OSS veterans, you'd be mistaken. Half of the team is still new to red teaming and was carefully mentored, with Mr. Ly stating, "I think the history of the CPTC team led by Josiah as well as past contenders, Yao and Rian, gave us newer members (Danny, Mathias, and myself) the resources needed to succeed. They did a good job talking about their past experiences and what they believe would show up in this year’s competition. The numerous practices and research allowed us to be prepared for anything and face any obstacle that may appear."
Mr. Nguyen further explained, "We knew what each member was responsible for, and the experienced members helped guide newcomers like me if we were stuck on a task. The team communicated very well and made sure none of us fell behind." Mr. Tzoc added, "During the summer I was trained by another member of the OSS red team who had prior experience in competing in CPTC to teach me all there is need to know about Web Apps Exploitations."
This divide-and-conquer approach was another key reason they had such positive results, and was developed in-house by Mr. Peedikayil, who confessed, "I structured the team by assigning each person 'specialties'. These specialties covered niche areas such as compliance, Windows Active Directory, SCADA infrastructure, database expert, etc. The goal was for everyone to be well-rounded but also be an expert in their respective specialty. This is a strategy that I have been developing and fine-tuning over the years."
Mr. Luzio emphasized the importance of collaboration, saying, "Teamwork is a huge part of the competition. If you do not have cohesion and communication, then you end up with a mess." Mr. Lin added, "We also hack together offline to create team chemistry," and revealed that he'd be competing again in next year's CPTC and would continue to help train new team members as he did this year.
Faculty coach Hernan Manabat (who has also been coaching since 2019), when asked about the teamwork shown during the competition, remarked, "I believe they are determined to improve each time and to continue the progress built by previous teams... The team is so self-reliant that they host various club workshops and prepare on their own throughout the year. Some even take industry certifications and take part in bug bounty programs like Bugcrowd to see where their current skill sets stand." Gofman reflected, "There was great chemistry between the members and all were passionate about cybersecurity and the competition. They have worked tirelessly to prepare and compete. At the end of the day, it is the grit of the team and the refusal to give up in the face of difficulty and adversity that [made] things happen!"