Richard Moore makes his living literally building games.

Richard’s work as a security gamification engineer seems to be the stuff of legend, which is why he must often stress to people that it’s very much a real job. As he sees it, he’s not just playing games all day — he’s building engaging challenges to help teach the next generation of professionals about cybersecurity.

For Richard, one critical aspect of building these gamified scenarios is learning to think like a hacker. You may be picturing the Hollywood hacker stereotype, but the reality is that anyone can be a hacker in the real world. This is why understanding how threat actors work can be so intricate.

“A lot of people have this idea of a hacker in a basement in a hoodie, and it’s really dark — and they’re furiously typing away, coding,” Richard said. “That’s not quite how it happens, so being able to raise awareness through these scenarios helps people learn.”

Indeed, it’s Richard’s job to introduce this line of thinking to businesses and students at the IBM X-Force Command Center and Cyber Range in Cambridge, MA.

A Lifelong Passion for Technology

Having shown a knack for technology since childhood, Richard built his first computer at age 14 and learned a lot by continually losing data and having to start again from scratch. Those experiences taught him how to look at the whole system rather than at isolated pieces.

While he knew early on that technology was his passion, he wasn’t always sure about his focus. After briefly dabbling in web design, Richard finally found his calling when he discovered computer programming.

An opportunity at IBM arose when Richard was fresh out of college, and he seized it with open arms. He’s been at IBM ever since — getting into the minds of malicious actors and showing people how to build more robust systems through security gamification.

Unlocking the Competitive Spirit of Security

Richard wants to bring out the competitive streak in everyone and believes that competition is a “huge motivator” that adds an edge to learning.

“We’ve all seen presentations from people trying to teach us something about a subject, but there’s only so much you can consume through that method of delivery,” Richard said. “Challenging people to really think about the problem gains better results, and learning on your own does not yield as much as learning with other people.”

Richard’s seen it all at his capture the flag (CTF) challenges at IBM, where security teams compete by taking turns hacking and defending a network. During these competitions, he’s witnessed everything from competitors shouting across the room and hurling insults to name-calling — and even shushing and waving people away when they’re trying to help.

“It’s so interesting to see people who are in that mode,” he chuckled. “They are so deep into it.”

By taking on the role of a malicious actor in one of these scenarios, a security professional can gain valuable insights into the motivations and tactics of cybercriminals. In order to make the games and challenges as believable as possible, it’s Richard’s job to think of how a company would build a secure system — and how a cybercriminal would attack those systems.

“A developer might develop code and know to look out for things like Cross-Site Scripting (XSS), but they’ve never actually tried to trigger one of those exploits themselves,” Richard said. “Giving them that perspective is a really interesting way for them to learn — being able to execute the exploits, being able to see what a hacker sees when they’re hacking.”

If hacking is a battle of wits between humans and machines, Richard must outwit them all.

Security Gamification Shows That Anyone Can Be a Hacker

At the 2018 IBM Think conference in Las Vegas, Nevada, his team ran a booth that featured a two-minute hacking challenge. Visitors were tasked with breaking into an unpatched system, and many people were amazed at how easy it was to run and execute remote commands on the target network.

“One of the major problems right now is script kiddies,” Richard said. “These are people who just download open source tools that are meant for good, and they point them at whatever they want, press ‘Go,’ and it fires a suite of exploits at a system hoping one of them will work.”

Although 99 percent of these attempts fail, Richard emphasized, a script kiddie only needs to be right once.

“These people don’t fully understand what they’re doing — they have no awareness — but they want to boast on forums that they took down this website or managed to find an exploit in this website,” he added.

Script kiddies are just a nuisance, though. The biggest problem Richard sees these days is insider threats — the fact that anyone can easily become an unwitting accomplice to cybercrime.

“A company spends millions on defensive software to stop hacks coming in through the internet, but if one guy with a USB stick walks through the door and plugs in some malware, all those millions have been bypassed, and all that software is useless,” Richard said. “Now there’s a backdoor into the network while the security monitors the front door.”

Why Lack of Cyber Awareness Is the True Enemy

While most big companies are already working to remediate these risks, it’s the smaller businesses, charities and nonprofits that most worry Richard. These organizations don’t have money to throw at user education and are more likely to assign dual roles to one person. For example, the web designer might also be responsible for security simply because he or she is well-versed in technology.

“We need more people in security, there’s no doubt about that,” Richard said. “But on top of that, it’s ordinary people with lack of awareness. Security is not taught in schools unless you’re on a specific course, so the majority of people who get into jobs don’t know how easy it is to hack things and get at data, and how easy it is to manipulate people.”

Emphasizing that being manipulated by a hacker “is not about intelligence,” Richard noted that data could be harvested from anywhere — especially in an age when we share so many personal details online. Cybercriminals can use any of that data to trick unsuspecting users into opening the door to enterprise networks, and dedicated threat actors will persist until they hit the payload.

“It’s very much a human-versus-human battle: You can’t just write something and think ‘I’m now protected,’” Richard said. “You have to think of what they’re going to do to counteract what you’ve come up with. It’s a circle of counteracting the counteraction to your counteraction.”

And here we circle back to the theme of competitiveness driving an outcome: Whether it’s in a gamified scenario or the very real cyberthreat landscape, we need more security specialists like Richard to help us arm ourselves with a battle cry.
