For most of the year, employees of leading cyber-security firm Symantec work toward securing and managing their customers’ information.
This week, they took a break from that. They got to be the bad guys.
Four years ago, Symantec launched its annual CyberWar Games, an internal event that challenges employees to walk in the shoes of an attacker. The Games simulates an information security breach modelled after a high-profile incident reported in the media, and employees experience the attack from start to finish as the malicious party.
This year, more than 1,500 Symantec employees registered. On Wednesday, February 25, the best teams of four from around the world received all-expenses-paid trips to Symantec’s world headquarters in Mountain View, California, to compete in the final objective.
The scenario: A hospital is conducting a clinical trial of a new drug. The attacker does not want that drug to go to market. In order to thwart the drug’s success, the attacker must sabotage data being collected from patients in the trial so the FDA will not approve it.
The grand prize for hacking into the hospital’s databases and creating a diversionary campaign to throw off suspicion? Company bragging rights.
Symantec’s odd training approach isn’t unique. Many businesses and government-related organisations enlist ethical hackers, or experts who systematically penetrate a computer system or network on behalf of its owners in order to discover its vulnerabilities.
Michael Garvin, a senior manager of product management at Symantec, who organizes the event, says “it’s about developing that muscle memory” for when an attacker strikes.
Employees learn how an attacker can exploit networks, applications, products, and solutions, and why they might be motivated to do so. In this year’s simulation, maybe the attacker was a disgruntled employee of the pharmaceutical company conducting the clinical trial, or an employee of a rival company that would prefer its version of the drug go to market first.
This role-reversal changes the way employees think about emerging threats and cyber-criminal tactics.
“Most of the time, you don’t use these skills,” said contestant Antonio Forzieri, from Italy. He works in Symantec’s Cyber Security Practice department, covering clients in Europe, the Middle East, and Africa. Forzieri won the Games last year and placed second two years ago. He appreciates the chance to think like an offender and cultivate his “information security IQ.”
When asked what the most difficult part of the Games is this year, he answered: “Everything.”