Symantec's third Cyber WarGames aimed to help employees think like criminals--in order to help the security software company stay one step ahead of the bad guys.

Given the spate of breaches the financial services industry has endured, it was fitting the employees-turned-hackers were attacking a fictitious institution named PVC Bank (short for Public Vulneraville Charter Bank).

The Cyber WarGames began in January. 1,100 employees from 33 countries competed to solve puzzles; the top ten teams traveled to Mountain View to compete in the finals this week.

"In every other high-risk environment--be it race car drivers or doctors--people have a practice space to hone in on their skills and innovate," says Symantec vice president of product management Samir Kapuria, left. "In our domain, where you have active adversaries trying to steal money or intellectual property or hacktivists, there's no place for us to learn and innovate in a safe environment. That was the inspiration for this."

In order to replicate a bank environment, the competition featured set equipment, a functioning ATM that spits out money, and a video crew.

The ATM dispenses the same fake money that is used to train patrol dogs; it weighs, feels, and smells like cash.

The goal was to steal the most money. One team targeted and emptied out an ATM.

Props included a teller stand and deposit slips.

Participants manipulated PVC Bank's interest rates.

That seems like a good mortgage rate.

A bank vault at the back of Symantec HQ's repurposed cafe required an access card, PIN, and two keys--one of which was held by a security guard.

To get inside the vault, a hacker needed to convince the security guard holding the second bank vault key that he was an employee (this would have required breaking into the human resources system).

Kapuria entering his PIN. None of the teams were able to breach the vault.

The loot.

Team M0nk3yI$l@nd won the competition.

Last year's Cyber WarGames winner, Bazinga, came in second this year.

Not Your Typical Hackathon: Symantec's Cyberwar Simulation Transforms Employees Into Criminals

To help them get inside the minds of malevolent hackers, Symantec employees got a taste of the dark side during the company's third annual Cyber WarGames.

For years, tech companies have turned to hackathons to rapidly build new products, foster team bonding, spur innovation--and squeeze out extra man hours from employees. But at Symantec's Mountain View, Calif., headquarters last week, the security software company hosted a different kind of hackathon: Employees were tasked with breaking into a fictitious bank.

Symantec's Cyber WarGames actually began back in January, with 1,100 employees from 33 countries. Ahead of RSA's security conference this week, 40 finalists from nine countries descended upon Symantec's campus for the three-day-long finals. The games forced the employees to think like criminals to help the security software company stay one step ahead of the bad guys.

Symantec has hosted the Cyber WarGames for three years, each with a different theme. Given the recent spate of breaches in the financial services industry, it's fitting this year's employees-turned-hackers were attacking a fictitious institution named PVC Bank, short for Public Vulneraville Charter Bank.

"In every other high-risk environment--be it race car drivers or doctors--people have a practice space to hone in on their skills and innovate," Symantec vice president of product management Samir Kapuria told Fast Company. "In our domain, where you have active adversaries trying to steal money or intellectual property, or hacktivists, there's no place for us to learn and innovate in a safe environment. That was the inspiration for this."

Symantec's hackers manipulated interest rates at the fictitious PVC Bank. Image: Alice Truong/Fast Company

The bank and the town Vulneraville weren't real--"I don't name these things," said Kapuria--but much of the simulation reflected real-world security protocol. Actors and set equipment were installed in the hackathon space--Symantec's company cafe--to make the room feel like a real bank, including electronic bank signs and a functioning ATM that spat out fake money that weighed, felt, and smelled like cash (the same fake money that is used to train patrol dogs).

The ultimate goal was to steal the most money, but there were many ways to accomplish this. Contestants could steal user identities, or try to steal the bank's intellectual property. Groups also manipulated interest rates, according to the electronic bank signs stationed in the hackathon space. Though the hackers were encouraged to be sneaky--a little underhanded, even--targeting the leaderboard didn't work (organizers learned that lesson last year). The holy grail was a bank vault at the end of the room.

As with real cyber criminals, the hackers employed social engineering techniques to manipulate others into helping them achieve their goals. For example, an attacker pretended to be a customer requesting a password reset. Getting into the bank vault also required social engineering. The only way in was with an access card, PIN, and two keys, one of which was held by a security guard. Coordinating all the pieces of the puzzle proved to be difficult (so much so that no one actually achieved this). A hacker needed to not only clone an access card, learn the PIN number, and somehow obtain a key, but also break into the human resource department's system to make it appear as if he were a bank employee--all this to enlist the security guard's help without raising suspicion.

Candid Wüest, left, of team Bazinga. Image: Alice Truong/Fast Company

In their real occupations, Symantec employees are often chasing down the bad guys. Now that they've been given a taste of the dark side, are they tempted to cross the line from protector to criminal?

"You could earn five times or 10 times more [as a hacker]," said Candid Wüest, Symantec's principal threat researcher with security response. But he can't imagine ever crossing over. "I couldn't put that on my conscience. In the end, it's wrong as we all know."

That conscience stopped Wüest's team and last year's winner, Bazinga, from emailing puzzles to distract fellow competitors after the event ended each night. But they did try another tactic to psych out their rivals.

"In the last three hours, you can very easily demoralize other teams," explained Wüest, who traveled from Switzerland for the competition. "If you go there and say, 'Yes, yes!' everyone thinks you've solved a problem and that puts them off track."

Antonio Forzieri, left, of team M0nk3yI$l@nd. Image: Alice Truong/Fast Company

Kapuria said he was impressed some of the hackers spent their nights learning new programming languages. Antonio Forzieri, cybersecurity and information security services lead for Europe, the Middle East, and Africa, said his team and last year's runner-up, M0nk3yI$l@nd, brushed up on languages and frameworks not used in their day-to-day work to stay on top of the competition. "When the jet lag kicks in at 5 a.m., you wake up your laptop and study for three hours," said Forzieri, who is from Italy.

Though the games are over, the hope is that they helped build a better Symantec. Many of the participants were visibly exhausted immediately afterward, but some couldn't help exchanging notes with colleagues on problems that stumped them.

It wasn't until the awards dinner held on campus that evening that they found out who won. For M0nk3yI$l@nd, the prize wasn't particularly flashy: their names were engraved on a plaque that will sit in a conference room in Mountain View. That and pride, said Kapuria.

[Photos by Alice Truong]
