For years, tech companies have turned to hackathons to rapidly build new products, foster team bonding, spur innovation—and squeeze out extra man hours from employees. But at Symantec's Mountain View, Calif., headquarters last week, the security software company hosted a different kind of hackathon: Employees were tasked with breaking into a fictitious bank.
Symantec's Cyber WarGames actually began back in January, with 1,100 employees from 33 countries. Ahead of RSA's security conference this week, 40 finalists from nine countries descended upon Symantec's campus for the three-day-long finals. The games forced the employees to think like criminals to help the security software company stay one step ahead of the bad guys.
Symantec has hosted the Cyber WarGames for three years, each with a different theme. Given the recent spate of breaches in the financial services industry, it's fitting this year's employees-turned-hackers were attacking a fictitious institution named PVC Bank, short for Public Vulneraville Charter Bank.
"In every other high-risk environment—be it race car drivers or doctors—people have a practice space to hone in on their skills and innovate," Symantec vice president of product management Samir Kapuria told Fast Company. "In our domain, where you have active adversaries trying to steal money or intellectual property, or hactivists, there's no place for us to learn and innovate in a safe environment. That was the inspiration for this."
The bank and the town Vulneraville weren't real—"I don't name these things," said Kapuria—but much of the simulation reflected real-world security protocol. Actors and set equipment were installed in the hackathon space—Symantec's company cafe—to make the room feel like a real bank, including electronic bank signs and a functioning ATM that spat out fake money that weighed, felt, and smelled like cash (the same fake money that is used to train patrol dogs).
The ultimate goal was to steal the most money, but there were many ways to accomplish this. Contestants could steal user identities, or try to steal the bank's intellectual property. Groups also manipulated interest rates, according to the electronic bank signs stationed in the hackathon space. Though the hackers were encouraged to be sneaky—a little underhanded, even—targeting the leaderboard didn't work (organizers learned that lesson last year). The holy grail was a bank vault at the end of the room.
As with real cyber criminals, the hackers employed social engineering techniques to manipulate others into helping them achieve their goals. For example, an attacker pretended to be a customer requesting a password reset. Getting into the bank vault also required social engineering. The only way in was with an access card, PIN, and two keys, one of which was held by a security guard. Coordinating all the pieces of the puzzle proved to be difficult (so much so that no one actually achieved this). A hacker needed to not only clone an access card, learn the PIN number, and somehow obtain a key, but also break into the human resource department's system to make it appear as if he were a bank employee—all this to enlist the security guard's help without raising suspicion.
In their real occupations, Symantec employees are often chasing down the bad guys. Now that they've been given a taste of the dark side, are they tempted to cross the line from protector to criminal?
"You could earn five times or 10 times more [as a hacker]," said Candid Wüest, Symantec's principal threat researcher with security response. But he can't imagine ever crossing over. "I couldn't put that on my conscience. In the end, it's wrong as we all know."
That conscience stopped Wüest's team and last year's winner, Bazinga, from emailing puzzles to distract fellow competitors after the event ended each night. But they did try another tactic to psyche out their rivals.
"In the last three hours, you can very easily demoralize other teams," explained Wüest, who traveled from Switzerland for the competition. "If you go there and say, 'Yes, yes!' everyone thinks you've solved a problem and that puts them off track."
Kapuria said he was impressed some of the hackers spent their nights learning new programming languages. Antonio Forzieri, cybersecurity and information security services lead for Europe, the Middle East, and Africa, said his team and last year's runner-up, M0nk3yI$l@nd, brushed up on languages and frameworks not used in their day-to-day work to stay on top of the competition. "When the jet lag kicks in at 5 a.m., you wake up your laptop and study for three hours," said Forzieri, who is from Italy.
Though the games are over, the hope is that it helped build a better Symantec. Many of the participants were visibly exhausted immediately afterward, but some couldn't help exchanging notes with colleagues on problems that stumped them.
It wasn't until the awards dinner held on campus that evening that they find out who won. For M0nk3yI$l@nd, the prize wasn't particularly flashy: their names were engraved on a plaque that will sit in a conference room in Mountain View. That and pride, said Kapuria.