Gamification of Cyber Security

McAfee released a report on the Gamification of Cyber Security for the next generation of security specialists, which you can read here.

If you read the report and say “Gamers!! Lazy, good-for-nothing teenagers with long hair, listening to that god-awful screech they call music, on my network protecting my company!!!???!!!” then you’re probably missing the point.

Gamers, as this writer can attest, are a hardcore bunch of problem solvers. It doesn’t matter which platform they use; the main thrust is how gamers approach a problem and solve it.

Think of it this way… and please bear with me, as this goes into some gaming mechanics that are common across many games.

I recently purchased Far Cry 5 after a few days of deliberating such things as “Do I have the time anymore?” and “Have I gotten bored with PlayerUnknown’s Battlegrounds?” as well as “Do I want to divide up my already limited time in the evenings between training/revision, research, family life and gaming?”, not forgetting “Am I too old to play games now?” (I’m hopelessly addicted to Pokémon Go, but that’s a different issue.)

Then I thought: yeah, I like the graphics, I need a new challenge and, hell, I’ve been good recently, so I want to treat myself.

So, 5 hours into the game I’m using tricks and tactics I already know to defeat and to avoid the AI; sometimes they work, other times they don’t. One thing they share in common, however, is that once you know how the game handles pathing and AI-driven NPCs around obstacles, you can reuse the trick time and again until you beat the bad guys. And I learn new things about the environment and about the subtle shifts in AI behaviour through trial and error. I was being chased by an alpha NPC: he was tougher, stronger, better armed. I couldn’t go toe-to-toe, I couldn’t snipe from a distance, so I had to use guile and a healthy dose of know-how to lure the NPC onto a proximity mine. I won, I crowed, I jeered and then carried on with my mission.

Another trick is that if the AI can’t see you, it will often stay where it is, as AIs usually have a limited area to roam in; once they hit a boundary they go back to their spawn area and resume their patrol/stance/position. So the trick is to get close enough to bounce a few grenades off a roof or wall so they detonate near enough to the NPC to take it out, but without triggering its chase response. Even if you do trigger the response, you just have to lead it to its boundary and it will reset itself. Very few NPCs will chase you over miles of landscape in nearly any game, so it’s a handy trick to know.

So how do these two mechanics help a cyber security specialist? They need to rely on LUK:

  1. Learning the limitations of the code arrayed against you is very important. Understanding the pattern a piece of malware uses as it evades detection is one thing; understanding how it works and what its end-game results are can help in detecting the early stages of an infection.
  2. Understanding how the bad guys want the victim to trigger their attack helps to defeat them. Nearly every attack has to, in some way, shape or form, communicate with a C2 service outside of the victim’s network, which means you already know what IOC to look for and can stop them cold in their tracks.
  3. Knowing the limitations and scope of the attacker’s software that has been deployed can work against them. Sandboxing technologies have come a long way, and their effective use is now almost a must-have in terms of detection and response.

This is the sort of trait we need in cyber security. Nearly every security specialist I know is or was a gamer and uses their game-related problem-solving skills in their daily lives. And it’s this sort of out-of-the-box thinking that McAfee is hinting at.

Having an IT specialist cross-trained into cyber security is great, but it’s better if that same person actively thrives on a challenge and loves hunting for more. I mean, to their very core, they feel it in their bones. They love the challenge, they go for the kill and move on to the next one hoping for a bigger and better score. Each.And.Every.Time.

This is not your 9-to-5 situation. Cyber security does not sleep, and neither do the bad guys, so what does the balance of capabilities look like?

On the Bad guys side:

  • The Bad guys treat it as a game, as a thrill to seek, as a challenge to conquer, with a monetary outcome that drives them ever onwards, and they have every advantage the good guys don’t.
  • The Bad guys can trespass on systems without worrying about breaking laws. The good guys can’t trespass, even on systems they know have been compromised, unless asked to by the owner, and then only within some very tight conditions.
  • The Bad guys’ chief weapon is anonymity. They hide and often use cut-outs to conceal their locations and identities, using compromised servers and systems to deliver the payloads. Their methods are many, but they all operate on largely the same concept: no direct attack will succeed, so they use subterfuge and obfuscation to hide their trails as best they can.
  • The Bad guys can use multiple systems to shift and hide their tracks, often hiding behind legitimate cloud services like CloudFlare, AWS and Azure, which makes it harder to track and trace them.
  • The Bad guys can use the good guys’ intel to monitor their own activities. This is not a new situation, but it is fast becoming a game of cat and mouse, as threat intel providers are now leaning towards screening their clients more and more.

On the Good guys side:

  • The Good guys have one very important advantage, however: time. Time is subjective in the cyber security world, measured in seconds, minutes, hours, days, months, years; the vast amount of data collection that is going on and being shared often leads to startling revelations months after the fact.
  • The Good guys often have a lot more resources to call upon. The community is strong, the community is often united, and the good guys really have a vested interest in stopping the bad guys wherever they can (think about the many private individuals who scam-bait at the lower end, and also those who bug hunt).
  • The Good guys have large corporate vendor backing. Sophos, Cisco, Symantec, McAfee and F-Secure, to name but a few, are on the leading edge of the detection threshold. As always, when a new threat appears they are usually a few steps behind, but their responses are fast becoming a royal pain for the bad guys.
  • The Good guys are always looking for actions that leave too many clues, which can be used to pattern-match the bad guys, either through their code or because their OpSec isn’t secure enough. Many times they just make simple mistakes: reusing domains or email addresses, using the same attack patterns or the same code, which leaves an evidence trail the good guys can use.
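A toy version of points 2 and 3 of LUK (known C2 infrastructure is the IOC you watch for) and of the reused-domain evidence trail in the last bullet above, written as an added example that is not from the McAfee report or the original post. The threat-intel records and proxy log lines are constructed, using placeholder `.example` domains rather than real indicators.

```python
"""Constructed example: flag proxy log lines that contact known C2 domains
and pivot on infrastructure an actor reused across campaigns."""
from collections import defaultdict

# Constructed threat-intel records (placeholder .example domains, not real IOCs).
INTEL = {
    "campaign-A": {"domains": {"update-check.example", "cdn-assets.example"},
                   "emails": {"billing@invoice-mail.example"}},
    "campaign-B": {"domains": {"cdn-assets.example"},
                   "emails": {"billing@invoice-mail.example"}},
    "campaign-C": {"domains": {"telemetry-sync.example"},
                   "emails": {"hr@careers-portal.example"}},
}

# Constructed proxy log: timestamp, source host, destination host, bytes sent.
PROXY_LOG = """\
2024-05-01T09:00:01 ws-17 www.example.org 5120
2024-05-01T09:00:07 ws-17 cdn-assets.example 312
2024-05-01T09:01:07 ws-17 cdn-assets.example 310
2024-05-01T09:02:07 ws-17 cdn-assets.example 311
2024-05-01T09:03:00 ws-22 telemetry-sync.example 2048
"""

def domain_index(intel):
    """Invert the intel so each C2 domain maps to every campaign that used it."""
    idx = defaultdict(set)
    for campaign, iocs in intel.items():
        for domain in iocs["domains"]:
            idx[domain].add(campaign)
    return idx

def match_log(log_text, intel):
    """Return (source host, destination, campaigns) for each line hitting a C2 domain."""
    idx = domain_index(intel)
    hits = []
    for line in log_text.splitlines():
        _ts, src, dst, _size = line.split()
        if dst in idx:
            hits.append((src, dst, sorted(idx[dst])))
    return hits

def shared_infrastructure(intel):
    """Group campaigns that reused a domain or sender address: the evidence trail."""
    by_ioc = defaultdict(set)
    for campaign, iocs in intel.items():
        for kind in ("domains", "emails"):
            for value in iocs[kind]:
                by_ioc[(kind, value)].add(campaign)
    return {k: sorted(v) for k, v in by_ioc.items() if len(v) > 1}
```

The repeated small requests from ws-17 to the same matched domain at one-minute intervals are the sort of beaconing pattern a real detection would alert on; the shared-infrastructure output is what lets an analyst tie campaign-A and campaign-B to the same actor.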

So whilst it appears the Bad guys have every advantage, they also have some handicaps that work against them: once they use a specific method, it’s out there, it’s captured, analysed and forever looked for, which forces the bad guys to constantly evolve.

If I were to play devil’s advocate here, I’d say that the Good guys are getting free R&D from the Bad guys 😉