Netrunner: what infosec might look like in the future

Netrunner

Android: Netrunner is a two-player card game that can teach you a great deal about cyber security. It’s fun to play too.

Bad news first: although initially intended as a ‘living card game’ with constantly evolving gameplay, this game has now been discontinued, so no expansions will be published, limiting the community interest, ongoing deckbuilding and tournaments.

Now to the good news, which is pretty much the rest of this blog. None of the above can stop you from enjoying this great game. You can still acquire the initial core set which contains all you need for casual play.

The premise of this game is simple: mega corporations control all aspects of our lives and hackers (known as runners) oppose them. I know it was supposed to be set in the dystopian cyberpunk future, but some of the elements of it are coming to life sooner than expected since the original game release in 1996.

Runners

The runners vary in their abilities that closely align to their motivation: money, intellectual curiosity, disdain for corporations. Corporations have their core competencies too. Again, just like in real life. The core set I mentioned earlier consists of seven pre-built, and balanced by creators, decks: three for runners and four for corporations with their unique play styles.

The game is asymmetrical with different win conditions: runners are trying to hack into corporations’ networks to steal sensitive information (known as agendas in the game) and corporations are aiming to defend their assets to achieve their objectives (advance agendas). This masterfully highlights the red team versus blue team tension commonplace in today’s infosec community.

Troubleshooter

A corporation has to adapt to evolving threats posed by hackers installing protective devices and conducting defensive operations all the while generating revenue to fund these projects and reach their targets to win the game. It’s not only about defence for the corporation either. Today’s “hacking back” debate got apparently settled in the future, with corporations being able to trap, tag and trace hackers to inflict real damage, as an alternative win condition.

Cyberfeeder

Runners differ vastly in methods to penetrate corporation’s defences and have to take care of an economy of their own: all these cutting edge hacking consoles cost money and memory units. Example cards in runner’s toolbox sometimes closely resemble modern methods (e.g. siphoning off corp’s accounts) and sometimes gaze far into the future with brain-machine interfaces to speed up the process.

Basic rules are simple but there are plenty of intricate details that make players think about strategy and tactics. It’s a game of bluff, risk and careful calculation. There’s also an element of chance in it, which teaches you to be able to make the best use of resources you currently have and adapt accordingly.

It’s not an educational game but you can learn some interesting security concepts while playing, as you are forced to think like a hacker taking chances and exploiting weaknesses or a defender trying to protect your secrets. All you need is the deck of cards and someone to play with.


Gamification for security

Oxford dictionary defines gamification as the application of typical elements of game playing (e.g. point scoring, competition with others, rules of play) to other areas of activity to encourage engagement with a product or service:

Bringing an element of fun helps to achieve lasting change in human behaviour, as demonstrated by The Fun Theory project. Here are some videos to get an idea how gamification can drive behavioural change to address social and business challenges:

Gamification can also be a powerful learning tool when applied to information security.

For example, CyberCIEGE enhances information assurance and cyber security education and training through the use of computer gaming techniques such as those employed in SimCity™. In the CyberCIEGE virtual world, users spend virtual money to operate and defend their networks, and can watch the consequences of their choices, while under attack.

In its interactive environment, CyberCIEGE covers  significant aspects of computer and network security and defense. Players of this video game purchase and configure workstations, servers, operating systems, applications, and network devices. They make trade offs as they struggle to maintain a balance between budget, productivity, and security. In its longer scenarios, users advance through a series of stages and must protect increasingly valuable corporate assets against escalating attacks.

CyberCIEGE includes configurable firewalls, VPNs, link encryptors and access control mechanisms.  It includes identity management components such as biometric scanners and authentication servers.   Attack types include corrupt insiders, trap doors, Trojan horses, viruses, denial of service, and exploitation of weakly configured systems.   Attacker motives to compromise assets differ by asset and scenario, thereby supporting scenarios ranging from e-mail attachment awareness to cyber warfare.

More information along with introduction and demonstration movies are also available on the official website.

Cybersecure: Your Medical Practice is another example of using gamification to educate people but not in the context of the HIPAA regulation compliance.

hipaa

This web-based security training module uses a game format that requires users to respond to privacy and security challenges often faced in a typical small medical practice.  Users choosing the right response earn points and see their virtual medical practices flourish.  But users making the wrong security decisions can hurt their virtual practices.  In this version, the wrong decisions lead to floods, server outages, fire damage and other poor outcomes related to a lack of contingency planning.

Gamification can also be applied in user awareness training to change the behaviour of users in the organisation. One instance of this might be helping to recognize phishing links.

Anti-Phishing Phil is an interactive game that teaches users how to identify phishing URLs, where to look for cues in web browsers, and how to use search engines to find legitimate sites.

phil

User studies have found that user education can help prevent people from falling for phishing attacks. However, it is hard to get users to read security tutorials, and many of the available online training materials make users aware of the phishing threat but do not provide them with enough information to protect themselves. Studies demonstrate that Anti-Phishing Phil is an effective approach to user education.

Apozy and Wombat Security Technologies also focus on gamification in raising awareness about security risks.

There is a free online course on gamification available. This course will teach you the mechanisms of gamification, why it has such tremendous potential, and how to use it effectively.