In this age of the customer, there is nothing more important than the effective and safe operation of our financial system. Trillions of dollars move around the world because of a well-oiled financial services system. Most consumers take our financial services system for granted. They get paid, have the money direct deposited into their account, pay bills, use their ATM card to get cash, and put family valuables in the safety deposit box. The consumer’s assumption is that their cash, investments and valuables are safe.
Symantec’s 2014 CyberWar Games set out to test how correct these assumptions are. Symantec’s cyberwar event is the brainchild of Samir Kapuria, a Symantec vice president within the Information Security Group. Symantec structures the event as a series of playoff events. Teams form and compete, earning points for creating and discovering exploits. Out of this process, the ten best teams travel to Symantec’s Mountain View, California headquarters to compete in the finals.
Not Just Hackers Need Apply
Over 1,100 Symantec employees participated in the competition, including developers, accounting, legal, sales, and technical staff. While many different departments tried their hand at the online games, most of the finalists were engineers, developers, and sales engineers. The goal is to build cross-functional teams that understand current attacks and the threat landscape, including an industry’s underlying systems and processes. Employees who may or may not understand branch operations, ATM networks, payment processing, capital markets, and currency exchange, as well as the technology that drives them, all had a role to play in this year’s games. The intent is to develop defenses against attacks not only on technology but also on business processes. Participants consider all attack surfaces, both logical and physical, to determine the best way to compromise the organization.
Schooling for the Defense
The intent of the games, Samir explained, is to teach defenders how to think like attackers, so they can be better defenders. Symantec wants to change the way defenders think about defense and in many ways redefine the defense problem. The exercise also provides Symantec with valuable information on how to build better products and services and advise technology vendors and clients on hardening their businesses against attacks. The effort takes months to plan, and requires participation from bank technology vendors as well as subject matter experts both inside and outside the company. The outcome is a working bank, open for “business,” with customers, and a representative line of financial services - including checking, savings, mortgage, and investment products.
Over the last three years, Symantec has recreated real industry scenarios, using actual vendor systems, for other industries. Last year Symantec focused on the oil and gas industry, and the year before on nation-state warfare. Unlike well-scripted capture-the-flag events, these war games are completely unscripted and teams are free to be as creative and craven as they need to be to win.
Real World Scenarios
Symantec structures the games so there are multiple predetermined solutions to the problems. The game sponsors provide very few instructions. They point the teams to the bank and say “Have fun.” Teams are free to attack any system in the bank, including the credit card systems, ATM networks, interest rates, and even the bank’s physical bank vault - looting safety deposit boxes as part of a physical attack. For example, Symantec actually has a bank vault on site for the games. Customer box keys are “stolen” using social engineering, and guards are co-opted and bribed to provide access.
The intent is to make the process as real as possible. Team members clone stolen credit and debit card numbers, acquire PINs, and money mules clean out customer accounts using PVC ATMs. The list of possible exploits developed by the teams during the competition is very long.
What It Means
In sponsoring the games, Symantec certainly intends to spotlight the company’s thought leadership in the information security market. This was an impressive event from a technical perspective. The scale of the event was impressive, and the effort employed to build a bank using real-world systems was significant. Symantec staff social engineered and zero-dayed their way into real bank technology and in many cases did so with ease.
The practical learning derived from the event will certainly help Symantec employees be better at what they do, but will also help financial services companies understand their weaknesses as well. However, it should also give the broader industry pause. These are the good guys, and this was an exercise. Had this been an actual emergency….
Posted by Edward Ferrara