Richard Moore makes his living literally building games.

Richard’s work as a security gamification engineer seems to be the stuff of legend, which is why he must often stress to people that it’s very much a real job. As he sees it, he’s not just playing games all day — he’s building engaging challenges to help teach the next generation of professionals about cybersecurity.

For Richard, one critical aspect of building these gamified scenarios is learning to think like a hacker. You may be picturing the Hollywood hacker stereotype, but in the real world anyone can be a hacker. That is why understanding how threat actors work is such a nuanced task.

“A lot of people have this idea of a hacker in a basement in a hoodie, and it’s really dark — and they’re furiously typing away, coding,” Richard said. “That’s not quite how it happens, so being able to raise awareness through these scenarios helps people learn.”

Indeed, it’s Richard’s job to introduce this line of thinking to businesses and students at the IBM X-Force Command Center and Cyber Range in Cambridge, MA.

A Lifelong Passion for Technology

Having shown a knack for technology since childhood, Richard built his first computer at age 14 and learned a lot by continually losing data and having to start again from scratch. Those experiences taught him how to look at the whole system rather than at isolated pieces.

While he knew early on that technology was his passion, he wasn’t always sure about his focus. After briefly dabbling in web design, Richard finally found his calling when he discovered computer programming.

An opportunity at IBM arose when Richard was fresh out of college, and he seized it with open arms. He’s been at IBM ever since — getting into the minds of malicious actors and showing people how to build more robust systems through security gamification.

Unlocking the Competitive Spirit of Security

Richard wants to bring out the competitive streak in everyone and believes that competition is a “huge motivator” that adds an edge to learning.

“We’ve all seen presentations from people trying to teach us something about a subject, but there’s only so much you can consume through that method of delivery,” Richard said. “Challenging people to really think about the problem gains better results, and learning on your own does not yield as much as learning with other people.”

Richard has seen it all at his capture the flag (CTF) challenges at IBM, where security teams compete by taking turns attacking and defending a network. During these competitions, he has witnessed everything from competitors shouting across the room and hurling insults to shushing and waving away people who are trying to help.

“It’s so interesting to see people who are in that mode,” he chuckled. “They are so deep into it.”

By taking on the role of a malicious actor in one of these scenarios, a security professional can gain valuable insights into the motivations and tactics of cybercriminals. In order to make the games and challenges as believable as possible, it’s Richard’s job to think of how a company would build a secure system — and how a cybercriminal would attack those systems.

“A developer might develop code and know to look out for things like Cross-Site Scripting (XSS), but they’ve never actually tried to trigger one of those exploits themselves,” Richard said. “Giving them that perspective is a really interesting way for them to learn — being able to execute the exploits, being able to see what a hacker sees when they’re hacking.”

If hacking is a battle of wits between humans and machines, Richard must outwit them all.

Security Gamification Shows That Anyone Can Be a Hacker

At the 2018 IBM Think conference in Las Vegas, Nevada, his team ran a booth that featured a two-minute hacking challenge. Visitors were tasked with breaking into an unpatched system, and many people were amazed at how easy it was to run and execute remote commands on the target network.

“One of the major problems right now is script kiddies,” Richard said. “These are people who just download open source tools that are meant for good, and they point them at whatever they want, press ‘Go,’ and it fires a suite of exploits at a system hoping one of them will work.”

Although 99 percent of these attempts fail, Richard emphasized, a script kiddie only needs to be right once.

“These people don’t fully understand what they’re doing — they have no awareness — but they want to boast on forums that they took down this website or managed to find an exploit in this website,” he added.

Script kiddies are just a nuisance, though. The biggest problem Richard sees these days is insider threats — the fact that anyone can easily become an unwitting accomplice to cybercrime.

“A company spends millions on defensive software to stop hacks coming in through the internet, but if one guy with a USB stick walks through the door and plugs in some malware, all those millions have been bypassed, and all that software is useless,” Richard said. “Now there’s a backdoor into the network while the security monitors the front door.”

Why Lack of Cyber Awareness Is the True Enemy

While most big companies are already working to remediate these risks, it’s the smaller businesses, charities and nonprofits that most worry Richard. These organizations don’t have money to throw at user education and are more likely to assign dual roles to one person. For example, the web designer might also be responsible for security simply because he or she is well-versed in technology.

“We need more people in security, there’s no doubt about that,” Richard said. “But on top of that, it’s ordinary people with lack of awareness. Security is not taught in schools unless you’re on a specific course, so the majority of people who get into jobs don’t know how easy it is to hack things and get at data, and how easy it is to manipulate people.”

Emphasizing that being manipulated by a hacker “is not about intelligence,” Richard noted that data could be harvested from anywhere — especially in an age when we share so many personal details online. Cybercriminals can use any of that data to trick unsuspecting users into opening the door to enterprise networks, and dedicated threat actors will persist until they hit the payload.

“It’s very much a human-versus-human battle: You can’t just write something and think ‘I’m now protected,’” Richard said. “You have to think of what they’re going to do to counteract what you’ve come up with. It’s a circle of counteracting the counteraction to your counteraction.”

And here we circle back to the theme of competitiveness driving an outcome: Whether it’s in a gamified scenario or the very real cyberthreat landscape, we need more security specialists like Richard to help us arm ourselves with a battle cry.
