In my recent posting on Cyberpunk, Commentariat(tm) Agent LykeX decided to call my bluff [stderr] regarding the question of gamifying hacking/cyberwar in a semi-realistic manner. So, in order to better explain the topic, I have arranged for the federal government to horribly face-plant its entire security strategy by suffering a devastating transitive trust attack. Seriously, the timing is remarkable.
Seriously, though, how would you? Assuming it still has to work as a proper game mechanic, not requiring any technical computer background for people to play, and still “encapsulate the challenge”?
Not being a hacker or even that computer savvy, I’m not sure how you’d go about it. I’ve just tried to think about it a bit and I’m not getting anywhere.
I think that there are a number of hard problems in representing hacking well. First and foremost, it’s not very interesting. It’s always seemed to me to be an exercise in book-keeping and patience more than anything else. A game element that is based on patience is really a tough sell.
First, let’s talk (briefly) about how the US government and a huge chunk of the private sector just discovered that they were waddling around with their pants down around their ankles. [crn] What happened was my biggest nightmare, back when I was the CSO at Tenable (my official day-job for the last 13 years of my career): a security system that distributed active software components was subverted to distribute active malware along with its updates. In other words, the security command/control management plane became the attacker’s tool.
The U.S. government late Sunday night called on all federal civilian agencies to power down SolarWinds Orion products immediately because they are being used as part of an active security exploit.
An emergency directive issued by the Cybersecurity and Infrastructure Security Agency (CISA) comes “in response to a known compromise involving SolarWinds Orion products that are currently being exploited by malicious actors,” according to the notice. “This Emergency Directive calls on all federal civilian agencies to review their networks for indicators of compromise and disconnect or power down SolarWinds Orion products immediately.”
This is a standard nightmare for a security products company. Imagine that you’re a company that offers antivirus software that includes a self-updating agent that runs on hundreds of thousands of customers’ machines. Because it’s an antivirus agent, it does its work at a system level – privileged access required. If an attacker is able to put their own logic in the distribution stream for the agent, they have just “hacked” hundreds of thousands of systems instantly and irrevocably. The holy grail/ultimate hack would be to get inside of Microsoft’s patch update system and roll some malware into a patch release, thereby controlling a significant percentage of all the systems on the planet. At that point, the hacker’s challenge would be trying to figure out what useful things they could do with all of that stuff. Imagine you had access to all the computers – that’s basically what just happened with SolarWinds: Orion is a centralized management platform, and everyone who is using it now has centralized malware. Oops. That included vendors, security vendors among them.
Transitive trust attacks are when A trusts B and B trusts C: you attack C, in order to gain access to A. The state of computer security is so bad that most organizations do not defend effectively against transitive trust attacks. Most of the famous breaches you’ll hear about are transitive trust attacks or insider attacks (really just another form of transitive trust attack if you think about it). Burning Microsoft’s patch update would be the big kahuna of hacks, but it’s sort of like using nuclear weapons: people would notice. Then, there would be the fascinating question, “what do we do about it?” to which the answer is: nothing. In order to make the current software economy work, it has been necessary (and convenient for Microsoft) to have everyone trust Microsoft patch update and, besides, no organization is capable of patching Microsoft’s code for them. Such an attack is such massive overkill that it’d make everyone step back for a moment and re-assess things, until they realized that there is no alternative, so “whatever!” That is what will happen with the FireEye / SolarWinds breach: they’ll say “we fixed it!” and everyone will shrug.
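The A-trusts-B-trusts-C relationship above is a directed graph, and the useful questions (who can I be reached through? who inherits it when one node falls?) are graph walks. The following is an added example, not code from the original post; the node names are hypothetical, and the graph is constructed to have the same shape as the SolarWinds case: a vendor’s build pipeline feeding an update channel that many customers trust.

```python
"""Transitive-trust path analysis (added example; hypothetical node names)."""
from collections import deque

# Edge X -> Y means "X trusts Y": code or credentials coming from Y run with
# X's privileges, so whoever controls Y controls X. Constructed sample data:
# two customers trust a management server whose update channel is fed by a
# vendor build system, which in turn trusts its CI runner.
TRUST = {
    "agency-net":          ["mgmt-server", "av-console"],
    "bank-net":            ["mgmt-server"],
    "mgmt-server":         ["mgmt-update-channel"],
    "av-console":          ["av-update-channel"],
    "mgmt-update-channel": ["mgmt-vendor-build"],
    "av-update-channel":   ["av-vendor-build"],
    "mgmt-vendor-build":   ["mgmt-vendor-ci"],
    "av-vendor-build":     [],
    "mgmt-vendor-ci":      [],
}


def attack_surface(trust, target):
    """Every node whose compromise transitively yields `target`: walk the
    trust edges outward from the target (A -> B -> C -> ...)."""
    seen = {target}
    queue = deque([target])
    while queue:
        node = queue.popleft()
        for trusted in trust.get(node, ()):
            if trusted not in seen:
                seen.add(trusted)
                queue.append(trusted)
    seen.discard(target)
    return seen


def trust_paths(trust, target, entry):
    """All simple chains target -> ... -> entry. Each one is a route an
    attacker sitting at `entry` can walk back up into `target`."""
    paths = []

    def walk(node, path):
        if node == entry:
            paths.append(path)
            return
        for trusted in trust.get(node, ()):
            if trusted not in path:          # no cycles
                walk(trusted, path + [trusted])

    walk(target, [target])
    return paths


def blast_radius(trust, compromised):
    """Every node that transitively trusts `compromised`, i.e. everyone who
    inherits the compromise. Same walk, edges reversed."""
    reverse = {}
    for truster, trusted_list in trust.items():
        for trusted in trusted_list:
            reverse.setdefault(trusted, []).append(truster)
    seen = set()
    queue = deque([compromised])
    while queue:
        node = queue.popleft()
        for truster in reverse.get(node, ()):
            if truster not in seen:
                seen.add(truster)
                queue.append(truster)
    return seen


def highest_leverage(trust):
    """Nodes ranked by how many others fall with them. The top of this list
    is what a supply-chain attacker goes after, and what a defender should
    be threat-modelling instead of the perimeter."""
    return sorted(trust, key=lambda n: len(blast_radius(trust, n)), reverse=True)


if __name__ == "__main__":
    print(sorted(attack_surface(TRUST, "agency-net")))
    for p in trust_paths(TRUST, "agency-net", "mgmt-vendor-ci"):
        print(" -> ".join(p))
    print(sorted(blast_radius(TRUST, "mgmt-vendor-ci")))
    print(highest_leverage(TRUST)[:3])
```

The point the numbers make: the vendor’s CI runner, a machine neither customer has ever heard of, has a larger blast radius than anything inside either customer’s own network. That is the node most organizations do not defend against, because it is not theirs to defend.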
So, what would a hacking game look like? I’m assuming it’d be part of some larger game, because otherwise there’s no point to it. There has to be a goal. There would be a couple of different types of goal:
- Collect information about a thing
- Collect information at random (“this looks interesting…”)
- Gain control over a thing
- Damage a thing (a subset of “gain control”)
- Alter information about a thing (an overlap of “collect information” and “gain control”)
What are the tools available? Information. That’s it. So, the hacking mini-game is about using information to manipulate other information. In terms of the SolarWinds attack, the hackers had to understand SolarWinds’ corporate systems, gain control over the code update process and inject their own code, then they shifted to exploiting attacks against targets that depended on SolarWinds.
In the context of CD Projekt Red games, The Witcher 3 includes an in-game card game called “Gwent” in which you collect Gwent cards and you can play against NPCs that are controlled by AIs. It’s pretty clever game design because the AI doesn’t have to be brilliant – it can be variously challenging based on the cards that the game scenario gives the NPC; they can be overpoweringly good and a player can’t beat them until they have enough powerful cards or are brilliant or lucky Gwent players themselves. The in-game hacking mini-game would look sort of like that except the game would play out asynchronously.
The hacker picks a target and schedules “recon”. Some of the cards the hacker has represent recon tools (I’ll borrow Gibson’s “Ice” for all of these cards, attack and defense; strictly, in Gibson ICE is the defender’s intrusion countermeasures and the attack programs are “icebreakers”) – the recon tool might take a certain amount of time, and would return:
- Fail – your tool is burned (if it was not off-the-shelf malware) and you lose that card from your deck permanently. There would be various cards that give a fail result: “Firewall” just fails your recon; “Active Defense Level XX” might fail your recon and also cost you time. I imagine there’d be a variety of defense cards, and a variety of offense recon cards.
- Bad Fail – your tool is burned and your target backtracked you; there will be a knock on your door in 5 minutes, and a sleepy-eyed guy in a raincoat would very much like to talk to you about your hacking career, which just ended. I am imagining that the Bad Fail scenario is the result of attacking someone who has a seriously more powerful card in their deck, or who has a “Backtrack” Ice card that they play on you, which gives away your meat-space location. Note that the player might also have “Backtrack” Ice that they can play if they are under attack.
Then you’d have “Vulnerability” cards – if your recon against the target finds a possible point of attack, you get a vulnerability card you can play against them, which gives you an exploit. Or, if they have an active defense, your vulnerability may be a trap and you just got suckered into a bad fail and they’ve played a backtrack card you didn’t know about. Worse, maybe they recon you back, get a vulnerability card they can play against you, backtrack you and scramble your deck, i.e.: you just lost a few of your cards.
I must note that I am stealing some of these mechanics from Gwent, but Gwent stole from Magic The Gathering, etc. The great thing about card-powered mini-games is that you can expand them easily, and you can also have unexpected powers appear in scripted scenarios, or at random. So our in-game hacker could decide to just do a run against the porn shop down the street, which has middling defenses that they burn through with a vulnerability. When you burn through a target’s defenses you may learn something (you get a card from the loser’s deck) or you may steal some of their data or you may get something mysterious that you have to spend time researching to figure out what it is. I.e.: you downloaded a block of encrypted data and you need to let your Ice chew on it for a while, but they’re looking for you and have your home address – time to relocate ricky-tick while the Ice chews away – then you discover you just found the specs for some valuable new tech and a) you have a huge bounty on you now and b) you can sell the specs for credits. You can use the credits on the black market to buy and sell Ice – i.e.: game cards – or data, which is basically convertible back and forth with credit. In this mini-game you might do an automated attack against porn stores every so often when you’re not doing anything else, and you collect data you can sell but it’s not really important stuff and your reputation gets bad in some sectors, good in the black market, and if you ever go after the wrong target and they burn you, your bad reputation results in a large army of sleepy-eyed guys in raincoats who have come to collect on you.
I imagine that a fun aspect of the game would be managing a work-queue; you’d be playing several games at once against the various targets you are exploiting, reconning, or defending against. You’d also be buying exploits on the black market and researching your own, once you had enough skills to develop your own attacks (basically, the game would randomize a card for you, at an appropriate level, with occasional rare drops). You might be researching an exploit against the porn store’s Ice and stumble over an exploit that would burn through the firewalls of a bank; oh, the fun! Oh, the mob of sleepy-eyed guys who now want to discuss that with you in person! Oh, the fun!
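To make the recon/fail/bad-fail/vulnerability mechanic and the work-queue concrete, here is an added example (not code from the original post) that resolves several scheduled recon runs against different targets in the order they finish. The post only fixes the three outcomes, that a burned bespoke tool leaves your deck, that Backtrack reveals your location, and that runs resolve asynchronously; the card levels, the durations, the resolution rule (compare recon level against the defender’s strongest defense and Backtrack cards, no dice) and the scenario are assumptions made for illustration. Keeping it deterministic gives the Gwent property: an overpowered target stays unbeatable until you hold a stronger card.

```python
"""Asynchronous recon resolution for a card-driven hacking mini-game.
Added example; the levels, durations and resolution rule are assumptions."""
import heapq
from dataclasses import dataclass


@dataclass(frozen=True)
class Card:
    name: str
    kind: str            # "recon", "defense", "backtrack" or "vulnerability"
    level: int
    off_the_shelf: bool = False   # off-the-shelf tools are not lost when burned


@dataclass
class Player:
    name: str
    deck: list
    located: bool = False   # set once a Backtrack has found their meat-space address


def burn(player, card):
    """A burned bespoke tool leaves the deck permanently; off-the-shelf survives."""
    if not card.off_the_shelf and card in player.deck:
        player.deck.remove(card)


def resolve_recon(attacker, defender, recon):
    """Assumed rule: a Backtrack card at or above the recon level gives Bad Fail,
    else a defense card at or above the recon level gives Fail, else the
    attacker gains a Vulnerability card against this target."""
    if any(c.kind == "backtrack" and c.level >= recon.level for c in defender.deck):
        burn(attacker, recon)
        attacker.located = True
        return "bad_fail"
    if any(c.kind == "defense" and c.level >= recon.level for c in defender.deck):
        burn(attacker, recon)
        return "fail"
    attacker.deck.append(Card(f"vuln:{defender.name}", "vulnerability", recon.level))
    return "vulnerability"


def duration(card):
    # Assumption: stronger recon tools take longer to run.
    return 2 * card.level


def run_queue(scheduled):
    """scheduled: (start_tick, attacker, defender, recon_card) tuples.
    Results come back in finish order, not start order; that is what the
    player is juggling when several runs are in flight at once."""
    heap = []
    for seq, (start, attacker, defender, card) in enumerate(scheduled):
        heapq.heappush(heap, (start + duration(card), seq, attacker, defender, card))
    log = []
    while heap:
        tick, _, attacker, defender, card = heapq.heappop(heap)
        log.append((tick, attacker.name, defender.name,
                    resolve_recon(attacker, defender, card)))
    return log


def demo():
    """Constructed scenario: a cheap scan and a mid-level probe at the porn
    shop, and the hacker's best bespoke tool thrown at a bank that can
    backtrack it. Returns (log, hacker) so the outcome can be inspected."""
    port_scan = Card("port_scan", "recon", 1, off_the_shelf=True)
    deep_probe = Card("deep_probe", "recon", 2)
    custom_probe = Card("custom_probe", "recon", 3)
    hacker = Player("hacker", [port_scan, deep_probe, custom_probe])
    porn_shop = Player("porn_shop", [Card("firewall", "defense", 1)])
    bank = Player("bank", [Card("firewall", "defense", 4),
                           Card("backtrack", "backtrack", 3)])
    log = run_queue([
        (0, hacker, porn_shop, deep_probe),     # finishes at tick 4
        (0, hacker, bank, custom_probe),        # finishes at tick 6
        (1, hacker, porn_shop, port_scan),      # finishes at tick 3
    ])
    return log, hacker


if __name__ == "__main__":
    log, hacker = demo()
    for tick, who, target, outcome in log:
        print(f"t={tick}: {who} vs {target}: {outcome}")
    print("located:", hacker.located, "deck:", [c.name for c in hacker.deck])
```

Run it and the off-the-shelf port scan fails harmlessly at tick 3, the deep probe turns the porn shop into a vulnerability card at tick 4, and at tick 6 the bank’s Backtrack burns the bespoke tool and the sleepy-eyed guys have an address.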
Or perhaps there are special cards which allow vulnerable decks to be taken over and feedback blasted through the users’ procto-prod(tm) interface. Boom! There goes your brain, or your anus, or whatever.
And, of course the mini-game would have mission profiles:
- Attack something and get whatever you can
- Defend something, usually yourself but sometimes a client
- Find something, successfully attack a target that gives you another target to attack, etc., until you get the thing you were looking for and thoroughly piss off the trail of targets you attacked (if you were not subtle)
- Destroy something or someone by taking control of specific targets to get access to real world elements (e.g.: you just took control over Badger’s bluetooth-controlled propane forge. Now you can murder Badger and everyone else in their immediate vicinity)
- Watch someone by taking control of their cameras or phones and maintaining that control (“escort mission” in most games) without getting detected or blocked
I think that’s about it. By chaining mini-game quests you could build entire plot-lines involving targeting attacks, or players could just go smash and grab to get cash. In gaming terms, I’m describing a crafting system attached to a mini game where you can buy/sell/craft cards that you use to drive the mini game forward. The whole system would be asynchronous with the other events in the game and you could be engaged in a bunch of battles at once; make it a reward/punishment system for the player depending on how well they micro-manage their resources and schedule their assets.
The last part would be a mapping function where the card-game ties to your targets so that you would be able to see the relationship between your target and your attack surface. Think how exciting that might be! You exploit a vulnerability in the porn site and discover that there’s something on that network that you can’t scan effectively and maybe there’s a link to a big conglomerate that …. uh, oh, that’s Chechen mafia, I think. Is it worth trying? So the mapping function would build a dynamic picture of the relationships between the things you know anything about, and what attacks and defenses (Ice cards) you have currently in play against them. You might open the map and suddenly that porn site you were scanning has mysteriously turned purple and you’ve never seen anything like that before, uh oh. Holy shit, that’s an AI! What is an AI doing there!? “Wintermute”? Sounds harmless enough.
OK, I think that’s probably enough. It’d take a bunch of serious design sessions and some idea-stealing but a pretty damn cool hacking game could be developed. I’ve basically described a mix of Steve Jackson’s old Illuminati game, Magic The Gathering, and Gwent. Hell, you could do like Blizzard did with Hearthstone and have a multi-player battle element where you could asynchronously battle other players to try to steal their best cards or hire sleepy eyed guys in raincoats. And, yes, Molly Kolodny would be a card that you could play, if you happened to get it, and she would seriously devastate whatever you played it against.
Above is the much-derided hacking mini-game from Cyberpunk. You have a limited amount of time (“breach time remaining”) to find the required patterns in the grid and mouse them into your “buffer” which then counts as executing a successful attack. What this has to do with hacking, I do not know. It measures how quickly you can work the janky d-pad controls and that is about it.
A high five to any of you who recognized the procto-prod reference.
Now, I have to comment on the first image that I included in this posting – the one with the hacker in the ubiquitous hoodie pointing at the map. That’s a fairly typical illustration that media dumbasses use to illustrate hacking and it shows a profound non-understanding of hacking in the sense that I’ve described it as a problem of transitive trust. Geography is irrelevant. That’s the point of computer networks! What is relevant is the topology of the network – the interconnections between nodes, and which of them trust which. You don’t care if your target is in New Jersey or in low Earth orbit! You do care if the sleepy-eyed guys in raincoats know your location, and that’s about it. In my career I used to run into this all the time: security people who ought to know better, saying “the attack appears to be coming from China” or whatever. Sure, and for $30/month I can make my packets appear to be coming from someplace else, too, using a VPN service. Geo-location only matters to the sleepy-eyed guys or the guys with stealth drones loaded with knife missiles.
Hackers do wear hoodies, though. That is true. So do lots of people. The best hacker I ever met wore bespoke suits that were nicer than mine, which shocked the living shit out of me because my suits were really nice. But I used to wear custom Rocky Carroll cowboy boots instead of Converse All Stars (the other broad cultural stereotype I resent) so I outdid him in the footwear department. One of the other great hackers I knew wore boating shoes everywhere, even in snow and ice, and a Helly Hansen jacket. Safety green is mighty subtle.
Last point: if you’re picking a lock and you put so much pressure on your torsion bar that it breaks, you’re really doing it wrong. The torsion bar must be very gently taken up, and you use your pick in the keyway. Not a flippin’ screwdriver. If you want to see someone lose their shit about lockpicking mini-games in computer games, ask Deviant Ollam what he thinks about the mini-games and broken torsion bars. I’m kidding, don’t troll him, he’s a good guy.