Richard Moore makes his living literally building games.

Richard’s work as a security gamification engineer seems to be the stuff of legend, which is why he must often stress to people that it’s very much a real job. As he sees it, he’s not just playing games all day — he’s building engaging challenges to help teach the next generation of professionals about cybersecurity.

For Richard, one critical aspect of building these gamified scenarios is learning to think like a hacker. You may be picturing the Hollywood hacker stereotype, but the reality is that anyone can be a hacker in the real world. This is why understanding how threat actors work can be so intricate.

“A lot of people have this idea of a hacker in a basement in a hoodie, and it’s really dark — and they’re furiously typing away, coding,” Richard said. “That’s not quite how it happens, so being able to raise awareness through these scenarios helps people learn.”

Indeed, it’s Richard’s job to introduce this line of thinking to businesses and students at the IBM X-Force Command Center and Cyber Range in Cambridge, MA.

A Lifelong Passion for Technology

Having shown a knack for technology since childhood, Richard built his first computer at age 14 and learned a lot by continually losing data and having to start again from scratch. Those experiences taught him how to look at the whole system rather than at isolated pieces.

While he knew early on that technology was his passion, he wasn’t always sure about his focus. After briefly dabbling in web design, Richard finally found his calling when he discovered computer programming.

An opportunity at IBM arose when Richard was fresh out of college, and he seized it with open arms. He’s been at IBM ever since — getting into the minds of malicious actors and showing people how to build more robust systems through security gamification.

Unlocking the Competitive Spirit of Security

Richard wants to bring out the competitive streak in everyone and believes that competition is a “huge motivator” that adds an edge to learning.

“We’ve all seen presentations from people trying to teach us something about a subject, but there’s only so much you can consume through that method of delivery,” Richard said. “Challenging people to really think about the problem gains better results, and learning on your own does not yield as much as learning with other people.”

Richard’s seen it all at his capture the flag (CTF) challenges at IBM, where security teams compete by taking turns hacking and defending a network. During these competitions, he’s witnessed everything from competitors shouting across the room and hurling insults to name-calling — and even shushing and waving people away when they’re trying to help.

“It’s so interesting to see people who are in that mode,” he chuckled. “They are so deep into it.”

By taking on the role of a malicious actor in one of these scenarios, a security professional can gain valuable insights into the motivations and tactics of cybercriminals. In order to make the games and challenges as believable as possible, it’s Richard’s job to think of how a company would build a secure system — and how a cybercriminal would attack those systems.

“A developer might develop code and know to look out for things like Cross-Site Scripting (XSS), but they’ve never actually tried to trigger one of those exploits themselves,” Richard said. “Giving them that perspective is a really interesting way for them to learn — being able to execute the exploits, being able to see what a hacker sees when they’re hacking.”

If hacking is a battle of wits between humans and machines, Richard must outwit them all.

Security Gamification Shows That Anyone Can Be a Hacker

At the 2018 IBM Think conference in Las Vegas, Nevada, his team ran a booth that featured a two-minute hacking challenge. Visitors were tasked with breaking into an unpatched system, and many people were amazed at how easy it was to run and execute remote commands on the target network.

“One of the major problems right now is script kiddies,” Richard said. “These are people who just download open source tools that are meant for good, and they point them at whatever they want, press ‘Go,’ and it fires a suite of exploits at a system hoping one of them will work.”

Although 99 percent of these attempts fail, Richard emphasized, a script kiddie only needs to be right once.

“These people don’t fully understand what they’re doing — they have no awareness — but they want to boast on forums that they took down this website or managed to find an exploit in this website,” he added.

Script kiddies are just a nuisance, though. The biggest problem Richard sees these days is insider threats — the fact that anyone can easily become an unwitting accomplice to cybercrime.

“A company spends millions on defensive software to stop hacks coming in through the internet, but if one guy with a USB stick walks through the door and plugs in some malware, all those millions have been bypassed, and all that software is useless,” Richard said. “Now there’s a backdoor into the network while the security monitors the front door.”

Why Lack of Cyber Awareness Is the True Enemy

While most big companies are already working to remediate these risks, it’s the smaller businesses, charities and nonprofits that most worry Richard. These organizations don’t have money to throw at user education and are more likely to assign dual roles to one person. For example, the web designer might also be responsible for security simply because he or she is well-versed in technology.

“We need more people in security, there’s no doubt about that,” Richard said. “But on top of that, it’s ordinary people with lack of awareness. Security is not taught in schools unless you’re on a specific course, so the majority of people who get into jobs don’t know how easy it is to hack things and get at data, and how easy it is to manipulate people.”

Emphasizing that being manipulated by a hacker “is not about intelligence,” Richard noted that data could be harvested from anywhere — especially in an age when we share so many personal details online. Cybercriminals can use any of that data to trick unsuspecting users into opening the door to enterprise networks, and dedicated threat actors will persist until they hit the payload.

“It’s very much a human-versus-human battle: You can’t just write something and think ‘I’m now protected,’” Richard said. “You have to think of what they’re going to do to counteract what you’ve come up with. It’s a circle of counteracting the counteraction to your counteraction.”

And here we circle back to the theme of competitiveness driving an outcome: Whether it’s in a gamified scenario or the very real cyberthreat landscape, we need more security specialists like Richard to help us arm ourselves with a battle cry.
