Security, Bookmarked

Gaming

Episode Summary

When a team of video game developers notice that their files have been moved, they find themselves in a race against time to save the company from ransomware.

Episode Notes

When a team of video game developers notice that their files have been moved, they find themselves in a race against time to save the company from ransomware. Adam Marrè, CISO at Arctic Wolf, explains how this cyberattack traced back to a single phishing email and unpacks the ramifications for gaming companies. Then David Adrian from Chrome lays out how leaders can use unphishable authentication methods to protect their teams.

Episode Transcription

Adam Marré: Really, it started relatively innocently; you have an engineer, who's looking at the server and looking at files on the server.

Kate Fazzini: This is a story about a cyber attack on a video game studio.

As a software engineer was hard at work on the company’s next big game, he saw one of his files had been moved… by an imposter in their network.

Adam Marré: So he immediately reaches out to the head of IT – the main IT guy – and says, "Who is this? Who owns this account?"

Kate Fazzini: This main IT guy was the super admin. So he knew right away that something was wrong, and this wasn’t a normal account.

Adam Marré: So actually what he did, just shut down all the accounts. Killed all sessions, locked everybody out, required a password change while he could dig into this because he immediately was pretty freaked out about what was happening.

What they realized was someone had come in and made a number of accounts as super admin and had been poking around and looking at everything and even exfiltrating information.

Kate Fazzini: They had no idea how long this had been going on, how much data had been extracted or what else was lurking in their network.

Adam Marré: They started digging into it and they found locker software, so ransomware software that would encrypt. And it was on the server, and it was ready to be deployed... 

But it hadn't been deployed.

Kate Fazzini: Catching the ransomware didn’t mean the company was safe.

They still had to investigate all of their files and their accounts, searching for any other signs of attack… and worst of all?

They had to stop working on the new game.

Adam Marré: Those minutes count. And those days count.

So every day you can't have your employees behind keyboard are days that are going to be delayed. This is making it even worse.

And this IT guy kind of becomes a hero of the story because it was a really courageous call that he made to do this, knowing what it was going to cost the company. 

They probably would have had to pay a huge ransom. 

Kate Fazzini: From Bloomberg Media Studios and Chrome Enterprise — this is “Security, Bookmarked.”

I’m your host, Kate Fazzini. I’ve been a cybersecurity professional and journalist for more than 20 years. And on this podcast I’m talking with leaders in gaming, finance and manufacturing, about what security looks like… in a workplace that’s moved to the cloud.

The video game industry is a massive business, bringing in over three hundred billion dollars per year. That’s nearly ten times the size of Hollywood’s global box office revenue.

But as the gaming business keeps growing — more and more teams are accessing key systems and data, so they can do their jobs… and that means we’ve seen a rise in account takeovers.

So today I’m speaking with Adam Marrè.

Adam Marré: I am the chief information security officer at Arctic Wolf.

We are a managed detection and response company, SOC as a service, in a concierge model so that we make sure that we're not only providing them security today, but also make sure that we take them on a security journey to improve their security over time.

Kate Fazzini: I’m going to unpack Adam’s story, about helping a game studio survive a ransomware attack — to understand the account security risks that all companies need to get control of.

Then I’ll chat with David Adrian, Security Product Manager for Chrome, about why phishing attacks are so difficult to stop, and why this doesn’t have to be the case.

In 2023, ransomware attacks in the gaming industry were up more than 30%, year over year.

And they can freeze a game studio’s entire operation, causing major delays.

In this story from Adam, the game studio caught the ransomware threat early…

But then they realized the attacker had also stolen their intellectual property, including details about new releases, videos and images that they weren’t ready to share with the world.

Adam Marré: We call it double extortion where I've sealed up your code, right? And then not only am I saying, pay me the ransom where you don't have access to it. I'm saying, “I will release this to the world unless you pay me.”

So I would say video game companies are likely to be targeted by these ransomware groups mainly because… 

Video games are likely to pay the ransom if you're able to successfully lock up their code and get their backups, and lock up their backups as well.

Kate Fazzini: And then finally, once they put out all the fires, they could figure out: How did this attacker get access in the first place?

Adam Marré: It was actually a phishing message, as it, you know, very often is, it was a phishing message to this I.T. individual. To this person.

Kate Fazzini: The very person who had caught the intruder and pulled the alarm.

Adam Marré: And, you know, he clicked on the link, had it take him to a web page, then a login prompt had come up, he put in his credentials.

They did NOT have MFA. So the attacker was able to get those credentials, then log in and quickly make other accounts and get off of that IT person's account, so they wouldn't notice.

Social engineering works, and it works really well, and it's why attackers use it so often.

There are lots of other protections they could have had in place, but yeah, that was how the attackers got in, and they were using the other accounts to worm their way through all of the servers and the whole environment.

Kate Fazzini: Later in the episode, I’ll share my conversation with David Adrian at Chrome about how leaders can defend their companies against phishing.

But first Adam and I are going to unpack what this one breach shows about the cyber security risks that gaming companies face, and what they can do to be more resilient to attacks.

Adam Marré: Video games is a large industry, and so there are all kinds of companies involved, and depending on the size and the type of game, you'll have very different levels of security, and that security will be leveraged at these different problems at different levels.

Let me give you an example. With the rise of online gaming, so massive multiplayer online games, there is a huge incentive for these companies to prevent cheating.

So you have these video game companies and they're spending millions of dollars and using the latest cutting edge technology, AI, to detect and defeat cheating on their games, on their online games.

They're leveraging all of this great technology to do that... and then on their corporate side, they don't have MFA to protect their, you know, main accounts.

It is understandable that they focus on the anti-cheating because that directly goes to their bottom line.

Because if there's cheating, then players are going to go elsewhere. And there are other game companies that would love for that to happen.

So it makes sense why they do this, but you have to understand you could have a breach that costs you millions, tens of millions of dollars.

Kate Fazzini: You've said that companies shouldn't treat data breaches or ransomware attacks as, as part of the cost of doing business. Tell me a little bit more about that.

Adam Marré: I mean, I guess if you're a business, everything is the cost of doing business, right? Like everything is, is going to your bottom line, but what I mean is, there are things you can do today that will greatly lower the likelihood that you will have a breach.

And, you know, my whole job is to prevent breaches. So I think they're terrible. We should, we should all leverage security against them.

But it might be seen as, you know, a risk worth taking or a cost of doing business or, “Maybe we won't get hit with an attack.”

And, you know, “maybe I want to spend money on making my render look that much better, and the graphics look that much better. And I just don't want to see how security is hitting that.”

It's the similar thing many companies do and then when they get breached they really regret it. Because if you've been developing a game for three years, an attacker comes in and they're able to deny you access to all of your information, your source code, your art assets, all of that and get your backups?

You are in a world of hurt. That is a very bad position to be in. And the likelihood that you're going to pay the ransom is very high. I don't recommend that, obviously my stance is not to pay ransoms, but...

Kate Fazzini: Yeah, it’s almost, I can't imagine not paying it in that because if you... your whole entire company is at stake. It's the entire lifeblood of your company, the reason for its existence, basically.

Adam Marré: Exactly, it is literally your entire business. And so then you, you're going to want to start thinking as an organization, and you try to say, where are attackers being successful?

Kate Fazzini: So when you think of enterprise security for game studios, what are the most critical threats that you're watching out for?

Adam Marré: You know, there are many threat or attack reports that come out or data breach reports that come out each year. Arctic Wolf has one as well. And if you look at these, you'll see that primarily attackers are successful in doing basically one of two things: either attacking accounts, so you can think username, password, MFA, attacking that and getting access through that...

...or attacking vulnerabilities. So looking at the code, looking at the configuration of cloud software, SaaS software, whatever it is and being able to exploit those vulnerabilities and get in.

So if you can really look at this and say, how do I protect identities at my company? And how do I make sure that we're patching and updating and not introducing vulnerabilities and misconfigurations...

If you can do those things to the right level, you're going to protect your company and you certainly won't be the low hanging fruit where attackers will try to attack you.

Kate Fazzini: What are some other ways that the companies can be resilient?

Adam Marré: If you want to get really technical, we can talk about "shift left." In other words, you want to, like, create games and systems that are secure, so you want to make sure you're baking security in from the very beginning, so when you're still like whiteboarding the design of what you're trying to do in the game, add a threat model to that process.

From the very beginning, thinking about, "How could somebody take advantage of this? How could it go wrong?"

And by the way, you can also add anti-cheat in there at the beginning, too, and help solve that problem at the very beginning, so you're not trying to tack it on at the end.

And then when you have your detection and prevention methodologies out there, they're going to be much more effective because the underlying system itself is resistant to attack and resistant to cheating.

Kate Fazzini: Game developers are obviously digital-first... when you think about the day-to-day work, and collaboration that goes on behind the scenes at the enterprise level, I'm interested in, how do workers collaborate?

You're in an industry where you're working with people who are specialists and extraordinarily talented, but maybe like at one thing... and that guy lives in Aspen, and then, you know, the other guy lives in the forests of Oregon, and you've got to like connect all of these teams in different areas... how do you handle collaboration across environments like that?

Adam Marré: Yeah. So it's an interesting question.

In security, we've been doing this for a long time. Collaborating across time zones, using various tools... Different SaaS apps or other applications to collaborate and communicate. And that means a lot of very sensitive information is being passed through these suites of software.

And so if you can think of one thing like the browser, so much work happens right in the browser and many companies just don't think of the security of that particular piece of software.

If we dig into that a little bit...

You know, are you hardening that, uh, piece of software? Are you making sure that everyone's using the same browser so you can have the same type of security across the entire organization?

Are you making sure they're not syncing personal accounts that can bring in different extensions that they're using at home that do backups or copy, and now you have information going places you weren't thinking of?

So really making sure that each one of those pieces of software is secured, especially the browser, is a really important consideration, especially if we're talking about companies that are collaborating, you know, with lots of remote employees and using software to do that.

There is one third aspect to this. And it's actually illustrated by the story I told. And that is, you've got to have a good security culture.

You've got to train your people to be wary of social engineering attacks like phishing, and be resistant to those.

And you know, you can have technologies to protect against it, but there's a reason why so many attackers use social engineering; it’s because it's very, very successful. Because it's pretty easy to trick human beings.

Kate Fazzini: If you’re leading a gaming company your entire product is software, and that product is constantly being accessed, tested and updated by your teams.

The same goes for your IP. Designs, assets, code, marketing trailers showing new characters, new content…

And it all lives online. So how do you keep your own accounts from being used against you?

David Adrian: So, if I'm a CISO or I'm in charge of securing an organization, the number one thing that I would be focusing on is deploying strong, unphishable authentication to all of my employees.

Kate Fazzini: That’s David Adrian, a Security Product Manager for Chrome.

David Adrian: I focus mostly on network security, but I help everything up and down the stack to make sure that we're building Chrome to be as secure as possible from the application to the network to the cloud.

Kate Fazzini: When I brought up ransomware attacks in gaming, he picked up on account security.

And how important it is to plan for what happens when an employee account is compromised.

David Adrian: Game assets or designs are, I think, the crown jewels that gaming companies are trying to protect.

And so I feel for them in this situation and that they need to figure out, like, "How do we make this run fast? How do we get access to everyone that needs it? But also how do we, you know, make sure that if someone bad gets in they don't get everything?"

When things go wrong, they go wrong bad. And you risk all of your, your game assets getting encrypted and ransomware'd.

And in many industries, the high-value accounts are sort of the administrators of the organization who might have access to create new users.

In the gaming industry, there might be a broader set of targets because any developer who can build the game likely has access to all of the assets for the game.

And so if they're able to get in and they get access, let's say as anybody who has access to the underlying game assets. There might not even need to be a lot of escalation of privileges.

Sure, if they get an administrator, they could create their own account, but if they get a game developer, they might just be able to walk away with all of the assets for the game by default because the developers already have access to it.

Kate Fazzini: And so we zeroed in on the moment when an attacker breaks into a company account through a phishing link.

David Adrian: The most common sort of attack vector is still phishing.

It's not too hard to find who's working for some company and then try and figure out what their email is. And once you know their email, you can try and start phishing them.

Kate Fazzini: I think I had somebody tell me once that teaching people to not get phished is like teaching them not to fall in love, it's never going to happen.

David Adrian: (Chuckles) I would, I would flip it around a little bit, and say that trying to solve phishing with like phishing training, fake phishing emails, that type of thing, even if it works 99.99% of the time, the .01% that it doesn't is enough for everything to go wrong, right?

We've seen one phishing attempt succeed, have impacts on everything ranging from gaming companies to elections.

And so, sure, you can try and like, get your employees to hide their emails, you can append random digits to their emails, but at the end of the day, eventually something's going to leak, and someone's going to get phished.

Kate Fazzini: So let's talk about phishing protection. Obviously these people are going to get spear phished. It will happen, so what are some of the protections available to them?

David Adrian: So, the good news is that we have effective solutions against phishing. I think if I were a CISO or a CIO, like the number one thing that I would be doing is deploying strong, unphishable authentication.

And while that seems kind of straightforward, like, "Let's just authenticate the people that work for me and make sure they work for me"... that is probably most of the challenge, um, for a lot of security engineering teams, is making sure that that can happen.

The easiest context to deploy them is web browsers for enterprise users. Where you have this source of truth, where you can say, "Hey, I know what all my employees are. I'm going to ship them all some sort of token to plug into their computers.” Making sure that every work application that every employee goes through has to use one of these authentication methods, and does it from a managed browser.

And so if you can deploy those authentication methods, and you can make all logins only go through a web browser, and only use those authentication methods, you've solved phishing.

With Chrome Enterprise Premium, organizations can access a centralized enforcement point for all of their endpoint security and controls. This allows for endpoint visibility across their entire enterprise network. IT and security teams can deploy advanced security capabilities, like advanced DLP, like context-aware access controls, and then you can get in-depth reporting for all of those features.

And so, deploying stronger authentication… that can actually be more user friendly when done right, in the sense that it lets people act how they would naturally and not have to try to treat every email adversarially, like it might be a phishing email.

Because with the right authentication, they’ll actually be protected by default. So if you send them a phishing link, and they get tricked by it, it doesn’t matter and the login won't work for the attacker.

Kate Fazzini: To learn more about how the most trusted enterprise browser can help protect your organization, visit chrome enterprise dot google.

Next time on Security, Bookmarked: I’ll talk strategy with JF Legault, Deputy Chief Information Security Officer at J.P. Morgan Chase.

J.F. Legault: So it's really, how do you think through the awareness for people with the most common types of attacks. But also how do you turn your entire workforce into early detection sensors?

Kate Fazzini: Security, Bookmarked is a podcast from Bloomberg Media Studios and Chrome Enterprise.

Subscribe in your podcast app, so you don’t miss our newest episode.

I’m Kate Fazzini. Thanks for listening.