Writing Strategy Guides to Defeating Cyber Security

By Red Siege | December 5, 2022

by Senior Security Consultant Douglas Berdeaux


The Almighty Strategy Guide to the Rescue! 

With the end of the year approaching, I took some time to reflect on what the hell happened. This year, just like the previous two, I wrote dozens of game strategy guides. Each guide averaged about 60 pages, was protected by a non-disclosure agreement (NDA), and spelled out how to defeat (or my best effort to defeat) the game designer’s networks or applications. Yup, you read that right. The “games” I was playing were actually engagements, the dungeons were networks and applications, and that’s how I will refer to them throughout this post. My job isn’t quite that cool, but this is how I like to think about it.

Be Kind. Rewind. 

When I was young, I loved video games just as much as I do today. I have always been inspired by the artwork, music, and stories that I could seemingly disappear into without a trace. I wasn’t blessed with a lot of opportunities to own games myself, but I cherished those I did and spent many nights at friends’ houses, staying up until dawn handing a controller back and forth. “Death by death,” we called it. That’s how we took turns. SNATCHER, Flashback, Chrono Trigger, Final Fantasy, LUNAR, Friday the 13th, and Phantasy Star IV are still, to this day, at the top of my list of favorites.

Some of the games were a bit too complex for our collective adolescent imagination, so my friends and I would sometimes consult strategy guides. Knowledge wasn’t as open and free back then as it is now, so, yeah, we had actual books, if we were lucky. These guides spelled out the best routes to the end of each game, or tricks to exploit glitches and become godlike in the game. Even if they were purchased for the (sometimes unreleased) artwork alone, thousands of people all over the world were grateful for the authors’ hard work.

Today, almost 30 years later, I find myself gaming alone (minus the bunny hopping around on the floor by my feet). I sit at my desk in front of a computer monitor instead of on a carpeted floor in front of a warm, glowing CRT television. I stare at a black-and-white terminal instead of pretty pixelated graphics. The game designers have become clients, and the games have become engagements with dungeons of networks and applications. There is no fighting an evil force to obtain crystals or rescue the lazy king’s daughter. There are no gold coins or gems in the loot boxes, just sensitive data in network shares and on systems. There’s just a red team of penetration testers and a blue team of dungeon masters. The biggest difference is that I am now tasked with writing the strategy guide for each game I play. These strategy guides are penetration test reports and, unfortunately, they are not appreciated as much as those written in the 80s and 90s.

Tool Assisted Play.

I was once asked what the difference is between vulnerability scanning and penetration testing, and it really got me thinking: “Why is this even a question?” Let’s face it, no matter how we look at penetration testing as consultants, we are QA testers whose goal is to become experts in whatever game we are dropped into as quickly as we can. We beat the game and write about it so that others can follow in our steps and clients can remediate the glitches. A scanner only lists the glitches; we chain them together and show where they lead. We discover accidental bugs that lend us small or even godlike abilities and we run with them like Super Mario after grabbing a blinking star. We take these discoveries and give risk ratings actual meaning by laying out the strategy guide in a manner that shows real impact. Not only that, but we do all of this while speedrunning through a tight budget or engagement time window.

We are authors, system administrators, programmers, locksmiths, radio hackers, social engineers, and researchers rolled into a single introverted, black-hoodie-wearing basement dweller who spends every day grinding away at the game’s dungeons looking for the best strategy to get domain admin or access to sensitive data. Also, as consultants, we are dropped into brand new games with new challenges every two days to a month (depending on the game’s size) without breaks in between. It becomes who we are and consumes us. To put it bluntly, it’s f***ing hard work 💪

Strategy Guides for the Compliant.

You may have heard about this. What penetration testers do is something that clients often loathe. But without us, the game’s only red team players are actual threat actors. And rather than the outcome being a single strategy guide (which also provides remediation advice, mind you) and a meeting or two, it’s devastating.

We tell clients that their precious game can be glitched to give the player god mode (or domain admin), or we present a report full of low-severity findings that seem merely annoying. We discuss defense in depth until we get Nintendo thumb. Sometimes, clients are forced into letting us do our jobs by compliance requirements over which they have no control. Then here we come to tell them, in the nicest way possible, that their precious baby has flaws or is straight up ugly.

Objectively, the contempt is unwarranted. Let me explain why. If the network or application is even the smallest, least significant piece of the service that the client provides to their customers, then it is part of the product and requires QA testing, period. Without us, the client’s products could have “All Your Base Are Belong to Us” written all over their cyber security and nobody would realize it. I mean, come on, we’re working toward the same goal here, kupo!

You and Your Friends are Dead. Game Over. 

Even without the charm of a wholesome backstory and epic music, the games are still a rush, for sure. Every dungeon is effectively randomly generated and offers new power-ups, loot, and wild challenges. We can’t deny that some of the challenges presented to the red team are Nintendo hard. When the red team loses, and it definitely does, it’s hard on us UUOC neckbeards. Sometimes we lose access to systems and must start over from the beginning, like a rogue-lite. We can lose the game in the first few levels, such as falling in battle to endpoint detection and response (EDR) traps, and have to attend meetings with clients to ask for hints or power-ups, as in assumed breach engagements. In some scenarios, we lose so hard that we blow the cover of the entire engagement and must reveal ourselves to a blue team that was not even aware of it; red team engagements are stealth games, and getting caught ends the run.

Then there are times when the red team adventurers absolutely cannot beat the game, and the blue team rests easy knowing their dungeon layout poses a real challenge to threat actors. Our strategy guides end up bottom heavy, with meticulously laid out paths that we took in our weary travels. These engagements are bittersweet: they present amazing challenges that we sadly cannot defeat, but they also instill a sense of safety for the client’s customers, which often includes us!

End Credits 

There’s some good reasoning behind applying the game / strategy guide analogy here. Game theory models both computers and humans as rational decision makers, and a lot of cyber security processes and controls are automated and employ artificial intelligence, not unlike video games. So, challenging and analyzing these decisions (or the lack of them) helps to optimize (or create) them, which ultimately benefits the maturity of cyber security in an environment. Also, the obvious: red team vs. blue team. The list could go on, but the one thing to take away from this is to play nice with each other. We actually have the same goal when playing, and that is to make the client’s environments safer for everyone to use. We are the lawful good, brave, white-capped knights, rogues, and mages protecting the townsfolk from the chaotic evil, black-capped, rogue monster threat actors.

About Douglas Berdeaux, Senior Security Consultant:

Douglas managed a Red Team for a consulting company and has performed penetration testing for clients with high security maturity on internal networks, internal and externally facing web applications, and desktop applications. Douglas was a full-stack enterprise-class web developer for close to a decade, building, securing, and testing the security of business-critical web and mobile applications. He has taught cybersecurity as an adjunct professor at Duquesne University and has published multiple books and articles about penetration testing, hardware hacking, and programming.

Certifications:

OSWP, OSCP
