The emotions oscillate between high frustration and high jubilation as I observe cyber-attack teams’ hacking activities against an unnamed financial institution…
It’s the final day of the Symantec 2014 CyberWar Games Simulation taking place on Feb 20th in Symantec’s World Headquarters in Mountain View, California.
Almost two months ago, over 1100 Symantec employees representing 40 countries began exercises designed to train them how to think like a cyber-attacker and then act like one. Through the year’s exercises, they have been distilled down to the best they have.
The Games have been going for three years; led by Samir Kapuria, Vice President within the Information Security Services group. His vision was to create scenarios that were not contrived but taken from the headlines. Year 1 was based on scenarios from civil infrastructure. Attacking from the outside, branches of a fictitious government were infiltrated and data stolen. Year 2 attacked the oil and gas industry to control the collection, access, and distribution of the resources. The attacks were aimed at acquiring access to networks with SCADA (Supervisory Control And Data Acquisition) systems steal sensitive information and to gain control of and disable a model oil field. With the heightened attention on retail and banking institution breaches over the last year, 2014 was the year for finance.
Now I am standing quietly in a room inspired by real situation/war rooms used by emergency responders and forensic response teams. It is filled with computer hardware, network connections, a disassembled ATM, credit/debit card writers and skimmers, a bank vault with safety deposit boxes, score boards and giant TV screens and other features that elevate this competition beyond a video game creating a completely immersive experience. Adjacent to this war room is a Security Operations Center, with people working to monitor the teams and determine how they are progressing. The CyberWar Games really created a compelling environment to demonstrate how cybercriminals are working to exploit unwitting consumers and corporations.
Over the last three days, beginning on Feb 18th, 10 teams of 4 were given an attackers dreamscape, the opportunity to infiltrate a fully developed and hardened financial infrastructure to reap the rewards of successful hacking and fraudulent activities.
One of the key differences in the Symantec CyberWar Games from others I have seen is the scope. This is no mere sequential ‘capture the flag’ activity but a “choose your own adventure”, an open scenario, against a mock bank, “PVC” online banking, teller banking, Insurance division, physical facilities, HR and corporate IT infrastructure. Given a basic scenario, combatants utilize Symantec’s five stages of a cyber-attack: Reconnaissance, Incursion, Discovery, Capture and Exfiltration for each team to determine and execute on their own path to build their criminal financial empire and ultimately get physical access to the bank vault to have the opportunity to get access to the safety deposit boxes.
I had the opportunity to sit down with Mr. Kapuria for an overview of the current scenario and ask a few questions. He had some interesting answers:
- When asked why Symantec funds these exercises; what’s your goal for the games? He had some interesting comments. [Paraphrased]:
- Symantec uses the games to fuel innovation in our engineers and developers…
- He wants to help the Company’s people look at the problems out in the cyber-world from the perspective of the bad guys so they are better at identifying how the attackers do what they do.
- Help even the playing field for the good guys by educating them and increasing their passion for their work.
- Together these will help them to be better at their jobs and provide better security for Symantec’s customers and the industry as a whole.
- How you practice has a direct correlation on how effective you are. Just like law enforcement and military use as close to real-world training as they can, Symantec chooses to give the games as close to a real world feel as possible a real world activity performing these activities reinforces.
- You are spending a lot of company time and money on these games. Are you looking to monetize them directly in some way?
- Symantec is not looking to monetize the games. They have other business ventures and division to do that. This is to help drive Symantec Engineers to a higher level of thought. During the games the Symantec attackers actually devise more complex and effective attacks than have generally been seen in the wild including zero-day attacks.
- So what do you do with the findings?
- This is security research in action. Similar to other researchers, Symantec shares the findings with the manufacturers to help them improve their products against the attacks.
At the end of the day, they turn off the scoreboard with about an hour to go to maintain suspense until the awards dinner. Several teams were tied for first place and a couple were very close behind so it really was anyone’s guess on who won.
I watched the clock tick down the final 10 minutes. Not one team gave up. Some looked more intense than ever, trying to break one last control to make their last points. A true contest of wit and wills to the end. This was not trivial.
None of the teams were able to complete all of the challenges. Given the time and the sheer number of possible challenges, it would have been VERY surprising if a team had been able to do that much. We have to remember in the real world, attackers generally have all the time they want to complete their objectives while the event participants only had 3 pretty much sleepless days. None of the teams was able to complete the crowning objective which was to get enough inside information and access so they could physically access the vault. Though none was able to conquer the crown jewel, as it were, each finalist received one of the 40 custom made golden and silver coins as a memento for the event. They all gained an even more valuable insight into the minds of the people they are normally working against and honed their skills to improve Symantec’s security products and solutions.