PacketWars: A cyber security sport for a cyber age
In this day and (cyber)age, hacking contests are sprouting like mushrooms after the rain – and it’s a good thing they do. For what better venue is there for exercising the offensive and defensive cyber skills of future “cyber warriors” than events such as these, where their talent can get noticed and appreciated, and inspire others?
But PacketWars differs somewhat from that formula. Its developers started it with an ambitious goal in mind – to educate people while having fun and to institute Internet’s first cyber sport that is also spectator-friendly and offers a fertile ground for establishing local and global leagues.
How the story began
“This is what we need,” thought Bryan Fite (aka Angus Blitter), the developer of PacketWars, as he witnessed Ghetto Hackers’ projection of a “geisha girl” commenting the gameplay at DefCon’s Capture the Flag contest.
“In the mid-to-late 80’s late me and my hacker crew HackSecKlan were attending any and all hacker conferences we could get to, and one of our favorite things about them was the various ‘capture the flag’ style games. We loved them,” reminisces Fite. “But, as we saw it, there were downsides to having these contests during the conference.”
He soon realized that anyone engaged in these contests would typically have to give up much of their social interaction time and missed presentations, and that most people who ran the games got burned out – whether it was because of the cost of organization or simply because it was a lot less fun to organize such events than participating in them.
Watching a variety of CTF events, he noticed that most hackers tried to attack the game platform instead of actually mastering the objectives. He realized that the game platforms should have two main characteristics: mobility and a design that couldn’t or wouldn’t be “hacked”. But, the real turning point was the “geisha girl”. “She was commenting on the game play. I was fascinated. It was so engaging. It sucked people in,” he says. “In short – it was the key to making these events ‘spectator friendly'”.
And that became the last piece of the puzzle. In order to address all of the negative aspect of this contests, he decided that the answer was to turn CTF into a proper sport. “We needed a sustainable structure, that was fun to play, easy to execute and would hold the interest of those who weren’t playing. And, with PacketWars, we think that we have accomplished this.”
PacketWars events consist of a series of “battles” that pit individual players or teams against each other in a race against time to complete a number of defined objectives. “Two of my favorite battles are “What’s My Name?” and “King of the Hill”, says Fite.
The first one is a straight up reconnaissance assignment – individuals or teams have a limited amount of time, normally 30 to 60 minutes, to “visit” numerous targets in a specified address space. They must record as many attributes about them as they can: OS, running services, versions, known vulnerabilities, etc. Whoever identifies the most accurate attributes in the shortest period of time wins the battle.
“‘King of the Hill’ is pure carnage!” recounts Fite. “Battles normally last 2 to 4 hours and create a ‘Battle Space’ within a specified address space (kill zone). The external attack surface is usually based on difficulty level of the battle and experience and skill level of the combatants. However, once the outer layer of security has been breached, combatants can leverage compromised assets inside of the Battle Space to attack internal assets or even other combatants – just like in the real world.”
Apart from being the developer, Fite is also “The Packet Master”. He facilitates the battles and serves as a commentator by explaining the attacks to the spectators. “It’s a throw back to old RPGs, when I played the role of Dungeon Master,” he says with a smile.
To participate in a public PacketWars battle all you need is a computer of your own. The organizers sanction players and teams at their discretion, but there are currently no extra fees to pay other than admission to the hosting event – typically hacker and security conventions. Event sponsors pay for the operational costs of the battles and provide prizes.
Battles can be played by individuals and teams. It is assumed all players are law-abiding citizens, and illegal activity of any kind is not tolerated. “That mainly refers to physical attacks on others or on their equipment,” he says. “In the real world, physical attacks are certainly an option, but in our simulations they are prohibited. Other than that, the battle unfolds on an isolated network, so pretty much everything else goes.”
Typical PacketWars players are security and IT professionals, students, hobbyists, and the occasional hacker. “This is a very accessible sport for beginners. In the past I would say you had to have much more experience. When it comes to organizing teams, we suggest the players to think about covering a varied skill-set,” explains Fite.
“TCP/IP and basic networking is probably the only real technological requirement. But you won’t get far without good application and OS skills,” he says. “We have introduced a player rating system. The more you play – earning league points – the better we are at rating your skill levels. Registered players can accumulate league status and be eligible for special Battle opportunities, including invitational events not open to the public.”
The basic idea is to get as many players possible involved, so that a lot of games can be played. Sometimes qualifying events are run or participation is limited due to physical constraints based on the battle venues, but other than that – everyone who intends to follow the rules is welcome.
“We try to hit as many events as possible,” Fite explains. “However, we are constrained by time and budget. In order to get more coverage, we sanction some CTF games and run remote games. In addition, we have started building regional franchises. This builds local and global teams for league play – expanding the sport in a cost effective and sustainable way.”
Private battles are also organized. The PacketWars platform is often used for training, team-building or QA/product testing sessions. It is a great environment for honing offensive and defensive computing skills and capabilities. Fite is of the opinion that PacketWars could create more and better “cyber warriors” in a shorter period of time than the current practices.
“We have players who work in government or law enforcement roles,” he says. “I know of several people who have referenced their involvement with PacketWars on their CV’s and still got hired. I like to think it is viewed as a positive indication of a candidates experience.” In this day and age when various government agencies around the world are trying to attract knowledgeable individuals that could defend the country’s cyberspace if the need arises, I must say that I think he’s right.
And PacketWars has the potential of being not only a fun and educational experience for the players, but also to inspire in spectators a wish to learn more about the techniques used and about cyber security in general. All Battles are recorded – audio, video and complete telemetry – and this content is presented to the public under a Creative Commons license.
“We are trying to expand the appeal outside of the current demographic. We want people to care about the players. So, we have experimented with different formats. Some at live events. Others post production,” Fite explains their future plans. “We think the key to taking it to the next level is attracted a non-technical audience. After all, you don’t have to drive fast to enjoy FormulaOne.”