~$ Going to Paris for the Wavegame cloud competition!
Tags:Information SecurityCloudDevOpsTravel
One of the random things I did this year was to undergo the qualifications for Wavestone's "Wavegame" competition (which is a thinly veiled recruitment strategy that focuses on university students only, led by a French consulting company).
Most of the teams were from French universities, and only a handful of us were joining in from Switzerland, with 2 of us (including myself) joining from the University of Geneva (UNIGE), and the 4 others joining from the Ecole Polytechnique Fédérale de Lausanne (EPFL), providing us with an overall heterogeneous group that had capabilities in Computer Science, Information Systems and Data Science.
Due to an array of circumstances, we ended up in the "Green Wavers" track, which focused on cloud environments, devops and security, as opposed to the "Blue Wavers" (Blue Teaming) and the "Yellow Wavers" (Policy). This was a bit of a rough ride, as most of us had only peripherally worked with platforms such as AWS and the like.
The competition took the shape of 3 prequalification rounds (each on the same task of a website for Paris' 2024 Olympics, but with iteratively more complex requirements):
- From a base monolithic architecture, convert it to a microservices architecture, add security groups and integrate an RDS (database) into the system;
- Configuring a CI/CD pipeline;
- Adding FinOps observations, IAM, Operations oversight, and handling resiliency.
By the end of it all, we were down to 4 team members, and had placed:
- 3rd (with 75 points)
- 1st (with 84 points)
- 2nd (with 86 points)
This enabled us to qualify to go to Paris for the finals, from the 11th to the 13th of May.
The first day was dedicated to getting from Geneva to Paris (by means of train), dropping our stuff off at the housing we had sorted, and exploring Paris a little.
On Thursday, we headed off to Wavestone's HQ in the district "de la Défense" of Paris, for the final challenge.
This is where things started to go... interestingly (to say the least).
The final challenge for us Green Wavers was to identify and patch a production system that was under attack, and "provide a report to the board".
Except, for reasons that escape me, our AWS account malfunctioned, leading the event organizers to have to reset our environments.
This was fine, as the event hadn't started yet due to the organizers wanting to make sure everyone could access the environments correctly.
What was not fine was that we ended up not having the same AWS resources, as those had also been reset. So, instead of having CloudTrail and logs we could grep through, we had graphs (except we had not figured out we were supposed to have CloudTrail).
From the graphs, I was able to figure out the attack scenario was hitting the login feature and enumerating the RDS database. We also then were able to derive that the system was being DOS'ed purposefully to limit remediation.
Whilst my colleagues were attempting to patch the systems (which is hard when you don't know what is broken), we were collating data about the attacks for the presentation.
The presentation went well, at least starting from the moment where we cleared up exactly what services we had access to and they figured out it was not a standard configuration.
Figuring that we had bungled the event, we went to the after party where we discussed and had a fun time on a dock on the Seine river, right below the Eiffel Tower.
Near the end of the event, all the participants were called to the galley, where the announcement of the rankings was to take place.
After the Blue and Yellow Wavers had their winners announced, came the time of the Green Wavers.
In 3rd place, the team 200 IQMULUS from Bordeaux's ynov campus was announced. By that time we had entirely lost any hope to landing on the podium.
In 2nd place, the team La Passoire from utc was announced.
Finally, in 1st place, to our great surprise, our team was announced.
In disbelief, we accepted the prize and were quite happy with ourselves.
As it turns out, the fact that we managed to keep cool without access to the needed resources and were still able to derive valuable information, as well as provide a cohesive presentation of the issues is what shifted the jury in our favor.
After rejoining our accommodations and sleeping off the night's events, I went for a small tour of Paris before heading back to Geneva.