Call it a whodunnit for the cyber age.
A distributed denial of service (DDoS) attack severely disrupts operations at the United Nations, including email and communications. Investigation of this event turns up additional evidence of a sophisticated targeted attack against UN infrastructure. Is a nation-state APT group behind this campaign? A hacktivist? Perhaps a hacker-for-hire enterprise? If so, who?
Here’s the good news: While the UN in the past has been the target of real-life cyberattacks, this was not one of them.
Rather, this was a fictional scenario conjured up by the Cyber Stability Simulation Game, a new capacity-building exercise devised by Kaspersky that’s designed to help cyber diplomats, policy researchers and infosec professionals who lack technical backgrounds understand the complex and sensitive challenges around attack attribution. Typically, cyber diplomats are charged with the responsibility of building relationships among countries to gain a global consensus on cyber norms and responses to shared cyber threats.
In advance of the upcoming launch of this new Kaspersky Interactive Protection Simulation (KIPS) exercise, Kaspersky test-piloted the gameplay with actual cyber diplomats as well as legal and policy experts during the Kaspersky Analyst Summit. “We got really good feedback. And we also made some amendments to the game” since then, said Anastasiya Kazakova, senior public affairs manager at Kaspersky.
Separately, the cyber firm also gave this SC Media reporter the opportunity to try out the exercise and see if I could solve the mystery of who compromised the UN’s systems.
“The goal of [the] simulation is to ensure… cyber stability through avoiding conflict and by enhancing cooperation and exchange,” said Kazakova. “It teaches all the players to build a cyber defense strategy by making choices among the best proactive and reactive controls available.”
Here’s a spoiler-free recap of my experience:
For the purposes of the game, Kaspersky’s fictional construct of UN members looks more like a Game of Thrones map than real life. Here, the UN consists of 13 countries spread across a chain of islands – from Cabia, Republic of Costa and Republia in the far west to the isolated double-island of Vulcania in the east. Among this baker’s dozen of countries, several nation-states will emerge as potential suspects.
Players (or teams of players) assume the role of a cyber diplomat or delegate serving on the United Nations General Assembly First Committee, which handles international security and disarmament matters.
“The goal of today's simulation is to ensure international stability and peace,” said Kazakova before we began.
The game starts with a DDoS incident, but over the course of this five-round exercise, players will also encounter additional malicious activity, including an APT malware infection and a phishing campaign that might lead to a ransomware infection.
While the game’s primary focus is attribution, participants are also scored for their ability to conduct appropriate incident response and intelligence sharing as these complications unfold.
At the beginning of each turn, players receive news alerts detailing the latest developments related to the various attacks. Based on this information, players must then respond by selecting one or more action cards, which include options like convening an emergency meeting with UN diplomats, requesting national IT support or hiring a firm to conduct a forensics investigation.
Each action card costs a specific amount of budget and time. Players are allowed to expend only 100 time units per turn and cannot exceed their $75,000 budget over the course of the entire game. Different choices produce varying consequences (some good, some bad), which in turn unlock new action cards and affect your final score.
For instance, some of the players I competed against experienced the aforementioned ransomware attack and had to decide whether or not to pay the ransom. But I did not experience such an attack because, after being informed of certain phishing and malware indicators, I took the necessary preemptive actions to prevent a full-fledged incident. “At the beginning of the game (turn 1 and turn 2) there [are] at least two ways to prevent the ransomware attack,” Kazakova told SC Media in a follow-up interview. (We won’t reveal them here to preserve the secrets of the gameplay.)
But not every action card I chose was the right one. Indeed, I lost points for deciding to hold a press conference too soon after the DDoS incident, before I had enough meaningful information to share with the public.
“All the action cards have been... split into two groups. We call them effective actions and ‘You Better [Not],’” said Kazakova. The effective actions “actually help you… gather more information for the technical attribution,” while the bad-decision cards “make your situation worse… As a result of playing those cards at a particular turn, you will probably get less information about the incident, and therefore there [is] higher risk for further escalation.”
“You also probably noticed that we designed several cards that promote sharing and information exchange,” Kazakova added. If you play these cards right, “you have more resources and higher chances to learn and get more technical information.”
As for the attacker, I ultimately managed to collect enough clues to correctly identify the guilty party, but my evidence wasn’t as airtight as it could have been had I made the optimal choices. For that reason, my decision to publicly name and shame the culprit was controversial, and the accused entity issued an indignant denial.
Final scores among players can be compared for competitive purposes, and there are different endings of varying success depending on how well you played. But there is no official passing or failing score, and everyone receives a congratulatory certificate upon completion – “because the goal of the training is to encourage learning through failing and making security mistakes at the game and cooperation between players,” explained Kazakova. “The score has been designed as a motivating instrument, but not the end goal of the capacity-building exercise.”
Among the key takeaways for participants: “technical attribution is complex,” with “many different factors that should be taken into account,” said Kazakova, including the potential motivation of attackers, incident severity and geopolitical concerns. Moreover, she added, it is integral that cyber diplomats emphasize “cooperation with other states, international organizations and private sector.”