The Eight Iron Rules
Battle-tested principles that separate champions from competitors. These rules have been refined through years of competition and real-world enterprise security operations.
Eight Rules for Victory
Master these principles and you will transform from a reactive defender to a proactive security operator.
Service Priority is Public
Every team member knows which services are Tier 0 (never die), Tier 1 (protect), and Tier 2 (sacrifice if needed).
Why This Matters
Without clear prioritization, teams waste resources on low-value targets while critical services fail.
Implementation
- Create a visible priority board before competition starts
- Assign primary and backup owners to each Tier 0 service
- Review priorities with the entire team during kickoff
No Lone Wolf Changes
Any change affecting auth, network, AD, mail, or DB requires two-person confirmation. Most disasters are self-inflicted.
Why This Matters
Under pressure, individual mistakes become catastrophic. Dual verification prevents self-inflicted wounds.
Implementation
- Establish a change control board with the Captain as final approver
- Log all changes with timestamp, actor, and purpose
- Require verbal confirmation from a second person before critical changes
Identity Over Surface
With limited time, don't spend it making things look secure: control high-privilege accounts, unknown users, and management interfaces first.
Why This Matters
Red teams target identity first. Defending identity blocks the most damaging attack paths.
Implementation
- Change all default and shared credentials within the first 30 minutes
- Disable unknown accounts immediately
- Lock down administrative interfaces to known IPs
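The "disable unknown accounts" step, as an added example that is not code from the original page: a Python audit of /etc/passwd and /etc/shadow against the baseline the team agreed on at kickoff. The file contents, the baseline set and the shell list below are constructed for illustration; against a live host you would feed it the real files as root.

```python
"""Audit local Linux accounts against the team's known-good baseline.

Added example for the "Identity Over Surface" rule; it is not code from
the original page. It parses /etc/passwd and /etc/shadow in their
standard colon-separated formats, flags the account patterns a red team
typically plants or abuses, and prints the containment command for each.
The file contents and baseline below are constructed for illustration.
"""

# Constructed sample /etc/passwd (not real data).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
svc_backup:x:1001:1001::/home/svc_backup:/bin/bash
toor:x:0:0::/root:/bin/bash
"""

# Constructed sample /etc/shadow. Field 2 is a hash, '*' or '!' (locked),
# or empty (no password required at all).
SAMPLE_SHADOW = """\
root:$6$saltsalt$notarealhash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
www-data:*:19000:0:99999:7:::
alice:$6$saltsalt$notarealhash:19000:0:99999:7:::
svc_backup::19000:0:99999:7:::
toor:$6$saltsalt$notarealhash:19000:0:99999:7:::
"""

# Accounts the team agreed on at kickoff (assumed baseline).
BASELINE_USERS = {"root", "daemon", "www-data", "alice"}
INTERACTIVE_SHELLS = {"/bin/bash", "/bin/sh", "/bin/zsh", "/usr/bin/bash"}


def parse_passwd(text):
    """Map user name -> uid, gid, home, shell."""
    users = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, uid, gid, _gecos, home, shell = line.split(":")
        users[name] = {"uid": int(uid), "gid": int(gid), "home": home, "shell": shell}
    return users


def parse_shadow(text):
    """Map user name -> password field (hash, lock marker, or empty)."""
    hashes = {}
    for line in text.splitlines():
        if not line:
            continue
        name, pw = line.split(":")[:2]
        hashes[name] = pw
    return hashes


def audit_accounts(passwd_text, shadow_text, baseline):
    """Return (user, finding, remediation command) triples.

    Accounts are locked and given a nologin shell rather than deleted, so
    evidence (home directory, cron entries, shell history) survives for the
    IR report. The nologin shell also stops SSH key logins, which a password
    lock alone does not.
    """
    users = parse_passwd(passwd_text)
    hashes = parse_shadow(shadow_text)
    findings = []
    for name, u in sorted(users.items()):
        pw = hashes.get(name, "")
        if u["uid"] == 0 and name != "root":
            # A second UID 0 account is a classic red team backdoor.
            findings.append((name, "extra UID 0 account",
                             f"usermod -L -s /usr/sbin/nologin {name}"))
            continue
        if name not in baseline:
            findings.append((name, "not in baseline",
                             f"usermod -L -s /usr/sbin/nologin {name}"))
        if pw == "" and u["shell"] in INTERACTIVE_SHELLS:
            # Empty shadow field plus a login shell means passwordless login.
            findings.append((name, "empty password with login shell",
                             f"passwd -l {name}"))
    return findings


if __name__ == "__main__":
    # On a live host, run as root and pass open('/etc/passwd').read() and
    # open('/etc/shadow').read() instead of the sample strings.
    for user, finding, cmd in audit_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW, BASELINE_USERS):
        print(f"{user:<12} {finding:<34} -> {cmd}")
```

Each emitted command is a containment action, so it belongs in the change log with timestamp, actor and purpose before it is run; the two-person rule above still applies because it touches authentication.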
Logs Are Not Decoration
If you can't see it, it didn't happen. Centralize logs, protect them, and actually watch them.
Why This Matters
Without visibility, you're blind to attacks and unable to produce quality incident reports.
Implementation
- Centralize logs to a protected SIEM or log server
- Enable verbose logging on authentication systems
- Assign a dedicated log watcher role
Every Anomaly Gets a Ticket
No documentation = no incident. In CCDC, incident reports can reduce penalties. Record everything.
Why This Matters
Quality IR reports reduce red team penalties and demonstrate professional security operations.
Implementation
- Use standardized incident report templates
- Record timestamps, affected systems, and actions taken
- Submit reports promptly even if the investigation is ongoing
Contain First, Explain Later
Don't wait for complete analysis. Stop the bleeding, isolate the threat, then investigate.
Why This Matters
Speed of containment determines blast radius. Analysis can happen after the threat is isolated.
Implementation
- Disable compromised accounts immediately
- Isolate affected systems from lateral movement paths
- Document containment actions for the later IR report
No Scorched Earth
Blocking everything breaks scoring engines. Use surgical containment, not carpet bombing.
Why This Matters
Overly aggressive firewall rules kill scored services. Red team damage costs points, but so does service downtime; a block that takes a service off the scoreboard can cost more than the attack it stops.
Implementation
- Test firewall rules before deploying them
- Allowlist scoring engine IPs ahead of any drop rule
- Use allowlists over denylists where possible
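The three steps above carried through in one place, as an added example that is not code from the original page: a Python script that renders an allowlist-style nftables input chain in which the scoring engine is accepted before any drop, and evaluates sample packets against the same rule order so the team can see what would break before loading it. Every address and port is an assumption for illustration, and the first-match model covers new inbound connections only (loopback and established traffic are accepted unconditionally in the rendered ruleset).

```python
"""Generate a surgical nftables input policy and dry-run it before `nft -f`.

Added example for the "No Scorched Earth" rule; it is not code from the
original page. The same rule list is rendered to nftables syntax and
evaluated with a first-match model over sample packets, so the team can
see that the scoring engine still reaches every scored service and that
only the confirmed attacker source is blocked. Every address and port
below is an assumption for illustration.
"""
import ipaddress

SCORING_ENGINE = ["10.100.0.10", "10.100.0.11"]   # assumed scoring engine IPs
MGMT_HOSTS = ["10.0.0.5"]                          # assumed team jump host
KNOWN_BAD = ["10.0.0.99"]                          # assumed confirmed attacker source
SCORED_SERVICES = {"tcp": [80, 443], "udp": [53]}  # assumed scored services


def build_rules():
    """Ordered rules; the scoring engine is accepted before any drop."""
    rules = [
        {"comment": "scoring engine always reaches every service",
         "src": SCORING_ENGINE, "proto": None, "dports": None, "action": "accept"},
        {"comment": "team management only from the jump host",
         "src": MGMT_HOSTS, "proto": "tcp", "dports": [22], "action": "accept"},
        {"comment": "surgical block of a confirmed attacker source",
         "src": KNOWN_BAD, "proto": None, "dports": None, "action": "drop"},
    ]
    for proto, ports in SCORED_SERVICES.items():
        rules.append({"comment": f"scored {proto} services open to all clients",
                      "src": None, "proto": proto, "dports": ports, "action": "accept"})
    return rules


def render_nft(rules):
    """Render the rule list as an nftables file for `nft -c -f` then `nft -f`."""
    lines = [
        "table inet ccdc {",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        '    iifname "lo" accept',
        "    ct state established,related accept",
    ]
    for r in rules:
        parts = []
        if r["src"]:
            parts.append("ip saddr { " + ", ".join(r["src"]) + " }")
        if r["proto"] and r["dports"]:
            parts.append(f"{r['proto']} dport {{ {', '.join(map(str, r['dports']))} }}")
        parts.append(r["action"])
        lines.append("    " + " ".join(parts) + f"  # {r['comment']}")
    lines += ["  }", "}"]
    return "\n".join(lines)


def evaluate(rules, src, proto, dport):
    """First-match verdict for a new inbound packet; the chain policy is drop."""
    addr = ipaddress.ip_address(src)
    for r in rules:
        if r["src"] and not any(addr in ipaddress.ip_network(n) for n in r["src"]):
            continue
        if r["proto"] and proto != r["proto"]:
            continue
        if r["dports"] and dport not in r["dports"]:
            continue
        return r["action"]
    return "drop"


def dry_run(rules):
    """Cases that must hold before the ruleset is loaded on a scored host."""
    cases = [
        ("10.100.0.10", "tcp", 80, "accept"),   # scorer checks HTTP
        ("10.100.0.11", "tcp", 22, "accept"),   # scorer checks SSH
        ("10.0.0.5", "tcp", 22, "accept"),      # team administers over SSH
        ("10.0.0.50", "tcp", 22, "drop"),       # other hosts get no SSH
        ("10.0.0.50", "udp", 53, "accept"),     # any client resolves DNS
        ("10.0.0.99", "tcp", 80, "drop"),       # attacker is cut off
    ]
    return [(src, proto, port, evaluate(rules, src, proto, port) == want)
            for src, proto, port, want in cases]


if __name__ == "__main__":
    rules = build_rules()
    print(render_nft(rules))
    for src, proto, port, ok in dry_run(rules):
        print(f"{'PASS' if ok else 'FAIL'} {src} {proto}/{port}")
```

Because the scoring engine accept sits first, a mistyped denylist entry cannot take the scorer offline. Check the file with `nft -c -f` (syntax only) before `nft -f`, and keep a rollback such as `sleep 120 && nft delete table inet ccdc` queued in a second shell so a mistake cannot lock the team out of the host.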
Injects Are Not Side Quests
Business tasks are half your score. They're not optional—they're the main event alongside services.
Why This Matters
Teams that treat injects as interruptions lose half their potential points.
Implementation
- Assign a dedicated inject lead with writing skills
- Pre-build templates for common inject types
- Track inject deadlines as seriously as service status
Priority Model
When time is limited, focus on what matters most. The areas below are listed in descending priority; this model has proven effective across multiple championship teams.
- Identity Security (credential access defense): high-privilege accounts, default passwords, unknown users, authentication systems
- Boundary & Segmentation (lateral movement prevention): network segmentation, management interface lockdown, inter-VLAN controls
- Logging & Alerting (visibility): log centralization, time synchronization, anomaly detection, SIEM configuration
- Service Stability (business continuity): scored service health, backup configurations, quick recovery procedures
- Documentation & Reporting (IR quality): incident reports, change logs, inject responses, evidence preservation
MITRE ATT&CK Mapping
How red team tactics map to blue team detection priorities. Each entry pairs an ATT&CK tactic with the signal the log watcher should look for.
- Credential Access: abnormal logins, failed-authentication spikes
- Lateral Movement: changes in cross-host access patterns
- Remote Services (technique T1021, under Lateral Movement): anomalies on admin interfaces such as SSH, RDP, and WinRM
- Persistence: configuration changes, new accounts
- Exfiltration: unusual outbound traffic
- Impact: service disruption attempts
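The detection side of this mapping, as an added example that is not code from the original page: a Python detector that reads sshd and useradd lines from a centralized auth.log, flags three of the signals listed here (failed-auth spikes, successful logins from hosts that are not ours, new accounts), and writes each as a one-line ticket with timestamp, host, tactic and detail. It also serves the "Logs Are Not Decoration" and "Every Anomaly Gets a Ticket" rules above. The log lines, the admin source list and the year (syslog timestamps carry none) are constructed assumptions.

```python
"""Turn centralized auth logs into incident tickets tagged by ATT&CK tactic.

Added example for the "Logs Are Not Decoration" rule, the "Every Anomaly
Gets a Ticket" rule and the ATT&CK mapping section; it is not code from
the original page. It reads sshd and useradd lines in the syslog format
they normally use, detects failed-auth spikes, logins from unexpected
sources and new accounts, and emits one ticket line per finding. The log
lines, the admin source list and the year are constructed assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth.log (not real data).
SAMPLE_AUTH_LOG = """\
Jan 10 14:02:11 web01 sshd[2231]: Failed password for invalid user admin from 10.0.0.99 port 51234 ssh2
Jan 10 14:02:13 web01 sshd[2233]: Failed password for invalid user oracle from 10.0.0.99 port 51236 ssh2
Jan 10 14:02:14 web01 sshd[2235]: Failed password for root from 10.0.0.99 port 51238 ssh2
Jan 10 14:02:15 web01 sshd[2237]: Failed password for root from 10.0.0.99 port 51240 ssh2
Jan 10 14:02:16 web01 sshd[2239]: Failed password for root from 10.0.0.99 port 51242 ssh2
Jan 10 14:05:40 web01 sshd[2250]: Accepted password for alice from 10.0.0.5 port 50022 ssh2
Jan 10 14:09:02 web01 sshd[2261]: Accepted publickey for root from 10.0.0.99 port 51300 ssh2
Jan 10 14:09:30 web01 useradd[2300]: new user: name=svc_backup, UID=1002, GID=1002, home=/home/svc_backup, shell=/bin/bash
Jan 10 15:00:01 web01 sshd[2310]: Failed password for alice from 10.0.0.5 port 50100 ssh2
"""

ADMIN_SOURCES = {"10.0.0.5"}   # assumed: the team's jump host
FAIL_THRESHOLD = 5             # failures from one source ...
WINDOW_SECONDS = 60            # ... within this many seconds count as a spike
LOG_YEAR = 2025                # assumed: syslog timestamps carry no year

SYSLOG = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
                    r"(?P<prog>[\w-]+)\[\d+\]: (?P<msg>.*)$")
FAILED = re.compile(r"^Failed \w+ for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
ACCEPTED = re.compile(r"^Accepted \w+ for (?P<user>\S+) from (?P<src>\S+)")
NEWUSER = re.compile(r"^new user: name=(?P<user>[^,]+), UID=(?P<uid>\d+)")


def parse_ts(stamp):
    return datetime.strptime(f"{LOG_YEAR} {stamp}", "%Y %b %d %H:%M:%S")


def detect(log_text):
    """Return (timestamp, host, tactic, detail) tuples in log order."""
    tickets = []
    recent_failures = defaultdict(list)   # source -> timestamps inside the window
    already_ticketed = set()              # one spike ticket per source
    for line in log_text.splitlines():
        m = SYSLOG.match(line)
        if not m:
            continue
        ts, host, msg = parse_ts(m["ts"]), m["host"], m["msg"]

        f = FAILED.match(msg)
        if f:
            window = recent_failures[f["src"]]
            window.append(ts)
            window[:] = [t for t in window if (ts - t).total_seconds() <= WINDOW_SECONDS]
            if len(window) >= FAIL_THRESHOLD and f["src"] not in already_ticketed:
                already_ticketed.add(f["src"])
                tickets.append((ts, host, "Credential Access",
                                f"{len(window)} failed logins from {f['src']} within {WINDOW_SECONDS}s"))
            continue

        a = ACCEPTED.match(msg)
        if a and a["src"] not in ADMIN_SOURCES:
            # A successful login from a host that is not ours: treat as lateral movement.
            tickets.append((ts, host, "Lateral Movement",
                            f"login as {a['user']} from unexpected source {a['src']}"))
            continue

        n = NEWUSER.match(msg)
        if n:
            tickets.append((ts, host, "Persistence",
                            f"new account {n['user']} (uid {n['uid']})"))
    return tickets


def format_ticket(ticket):
    """One line per anomaly: when, where, which tactic, what was seen."""
    ts, host, tactic, detail = ticket
    return f"[{ts:%Y-%m-%d %H:%M:%S}] {host} | {tactic} | {detail}"


if __name__ == "__main__":
    for t in detect(SAMPLE_AUTH_LOG):
        print(format_ticket(t))
```

The single failed login from the jump host at 15:00 produces no ticket, which is the point of the threshold and window: the log watcher should be paged for a password spray, not for a teammate's typo. The last line in each ticket is the "what was seen" field the IR template needs; the "actions taken" field is filled in after containment.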
MITRE D3FEND Integration
Structured defensive techniques organized by objective.
Harden
- Application Hardening
- Credential Hardening
- Platform Hardening
Detect
- Network Traffic Analysis
- Process Analysis
- User Behavior Analysis
Isolate
- Network Isolation
- Execution Isolation
Deceive
- Honeypots
- Decoy Files
Evict
- Credential Revocation
- Process Termination
- File Removal