It’s hard to be prepared for a crisis. How will you react? Will your plans work? Will your strategy succeed?
One way to prepare for real security events is to simulate them through gamification. At conferences, security practitioners can compete in capture the flag (CTF) events that emulate the process of exploring a new environment and developing attack chains for it against the clock. During engagements, security consultancies can play emergency scenario card games to walk their clients through their incident response (IR) plans before a real attack.
Outside of those very literal security games, you can test your crisis management abilities and learn security lessons at home through tabletop gaming. Many board games in this post-Settlers of Catan renaissance can mimic high-pressure scenarios. Within their well-designed universes, they test player abilities in decision making, resource management, efficiency, engine building, and social deduction. (They are also a genuinely fun excuse to get around the table with friends and family. These are not Monopoly. Monopoly is a bad game and you deserve better.)
Hacker-themed board games certainly can’t replace IR scenarios or CTFs, but they’re immersive experiences, even when their dystopian cyberpunk settings aren’t realistic. Let’s talk about three very good security-themed board games and the security lessons you can learn from them.
Dan Petro and Kevin Sugihara preparing to play Magic: The Gathering during our 2018 Team Weekend
Note: I link to Board Game Geek a lot in this article because it’s basically IMDB for board games. I’ve also included a list of online gaming sites at the end so you can try playing some modern tabletop games remotely with friends. (And there are excellent tutorials and playthroughs online now so you don’t have to learn the rules on your own.)
This is the granddaddy of hacker-themed games. In it, you play as either the Corporation or the Runner (an attacker), which each have unique abilities and win conditions that clash and escalate as the game builds up. The Corporation player is trying to block the Runner’s access long enough for them to pass secret agendas through their system before the Runner can steal enough of their agendas to shut them down. Designed by the same guy who created Magic: The Gathering, do not be surprised by the intricate interplay between the cards in each deck, or the unique terms (ice, rez, data fortress, running) that populate this cyberpunk world.
The beginning of every game of Netrunner is a slow build for both sides, with the Runner building up their offensive and defensive arsenals for the next phase while avoiding the Corporation’s increasingly large tableau of potential traps. There’s never a perfect time to strike for either side. You need to watch and wait, look for holes in the other’s defense, and choose to attack when the context is right.
Security Lesson: Play to your own strengths and to your opponent’s weaknesses.
The most powerful tool you wield in any engagement is yourself, so take an inventory of your abilities and resources and know who you’re up against. The Corporation and the Runner each play from unique decks with asymmetric abilities that represent how encounters between massive corporations and individual attackers can play out: the small agile Runner can run and gun undefended areas of the Corporation’s tableau looking for agendas, but as time goes on, the Corporation’s arsenal becomes more and more difficult to overcome. Avid players of Netrunner say that alternating between playing each side gives them a better perspective and stronger overall strategy of how to win. Taking this lesson into the real world, developers can turn into excellent security researchers because having insight about the infrastructure and options that the other side is working with greatly informs which moves to choose that advance your goals without leaving you exposed.
More information on Android: Netrunner
Android: Netrunner is playable online, through unofficial sites like jinteki.net or very old websites like Magic Workstation, which was created back when the game was first released in 1997. (FYI: the 2017 edition of the game updated some rules, but the core game is in both versions.)
The best games are built from simple rules that support complex strategies — and Hack Trick is a great example of that. In it, you race against your opponent to place three blocks in a row. (Best two out of three rounds wins.) While this game sits on the basic concept of tic-tac-toe in the guise of hackers cracking a passcode, the mechanics of the game force you to make tough choices each turn. Each action determines how your next few turns will go and how much information your opponent learns about you. Every time you place cards, you open the door for your rival to take over a block you already claimed or force you to show your hand.
Security Lesson: Knowledge is power, even if it’s incomplete information.
The goal of the game is to get three in a row, but the path there is really about knowing what cards your opponent has in their hand and what they might do with them. The game uses a deck of 18 cards made of three copies of each number from 0 to 5, so if you have all three 3s, you can deduce that they must not have any. At the beginning of each round, both players must tell each other the sum of their four starting cards. Based on that number and the first card they play, you can narrow down the composition of their hand and the kinds of moves they’re likely to make that you can block, or what cards to avoid putting down that would help them.
Even when we perform white-box assessments for clients, our consultants are always working with imperfect information about a network or application. Still, there’s a lot they can deduce from the platforms in use, the layout of their physical office, and the tidbits they can learn about a company and its employees from their presence on social media. Every piece of information sets you up for better-informed moves in the future.
More information on Hack Trick
Unfortunately, this one is difficult to buy at the moment, but through BGG or board game flea markets, you may find this deceptively small box of wonder. Other great two-player tug-of-war games are Jaipur, Onitama, and Baseball Highlights: 2045.
ESCAPE TALES: LOW MEMORY
This “escape room in a box” is full of heavy themes, unreliable narrators, and dangerous technology. (In the tutorial, you’re locked in your husband’s office and the security system is about to kill you). Set in a Minority Report/Black Mirror dystopia, the first third of this game involves you moving through your own house, solving puzzles and searching for clues with a limited amount of movement tokens that quickly run out if you’re not careful.
The player count for the game is limitless since you’re cooperatively playing as one character to solve puzzles and avoid death. The game is meant to be played in three separate sessions that each take about two hours, or longer if you like to take your time making choices and solving puzzles.
Security Lesson: Keeping good records always pays off.
In Escape Tales: Low Memory, you play as a woman who is searching for answers in her own house, unsure of what her own motivations are. Whether it's monitoring system logs, writing documentation, or just taking notes during a client meeting, keeping records of what you and the system have done come in handy when urgent situations come up or inspiration strikes.
If your system logs are empty, how do you know there was a breach at all? If you take over a project for a teammate, how do you know you’re not just exploring the same dead ends they did? Just relying on your memory is not a great plan. The benefits that you gain by “losing momentum” to slow down and document your work far outweigh the time “lost” by documenting as you go. When playing through escape room board games, using scratch paper helps you work on the puzzles, avoid red herrings, and keep track of useful plot information.
Bonus Lesson: Respect the power of an attack chain.
Treat each new piece of information as a potential new foothold, no matter how insignificant it may seem. Escape rooms tell us that starting out with just a flashlight or key code can quickly snowball into a whole inventory that you can use to move through an environment. Respect the first domino in the domino effect. (For a real-world example, a casino’s internal network was accessed by attackers in 2018 through an insecure IoT thermometer in one of its aquariums.)
More information on Escape Tales: Low Memory
There are a lot of good escape rooms in board game form these days. Like real escape rooms, they can really only be played through once since the puzzles won’t change, but each one is a unique mystery (and you can pay them forward to a friend after you complete them). Base your escape room purchases on the themes that excite you (horror, dinosaurs, ancient Egypt). Each system has its own quirks, but I’ve liked Exit, and Unlock! boxes the most. T.I.M.E. Stories is not an escape room, but I’ll mention it here because it uses the same tokens-as-time mechanic that forces you to prioritize your finite exploring choices.
SO WHAT CAN SECURITY LEARN FROM BOARD GAMES?
Although these lessons are not revolutionary, playing through simulations in these games lets you feel the consequences of ignoring or following them. That means when the real crisis scenarios pop up, you’ll remember how it felt to adapt your strategies as you worked through tricky situations. To summarize:
- Play to your own strengths and to the weaknesses of your opponents.
- Knowledge is power, even if it’s imperfect information.
- Keeping good records always pays off.
- Respect the power of an attack chain.
Now go pick up some fun games at your local gaming shop! If you want to play even sooner, here’s where to play board games online:
Subscribe to Bishop Fox's Security Blog
Be first to learn about latest tools, advisories, and findings.
Thank You! You have been subscribed.