Teaching Strategy

…This page is work in progress…

The following page describes the teaching strategy educators can use to align the game to the course curriculum to get the best out of the game in terms of education….
If instructors want to use their own curriculum they need to adjust the teaching strategy provided here according to their course needs.

….An empirical approach, where multiple field tests are performed, seems like a good approach to accomplish this task…

The strategies currently being developed and evaluated are the following:

Strategy 1: Intrusion Attempt as part of the lectures

Once the first proof of concept is ready, the most important game cards will be incorporated into the course material (i.e. the course presentations) in the form of references or easter eggs, in such a way that it aligns with the topic being covered. This will give the instructor the opportunity to reference from within the lectures itself to the game cards.

Strategy 2: a knowledge base of well known malicious campaign and ATPs in the game app

A Dictionary of well known campaigns and APT’s is being added to the Intrussion Attempt game app. Students can use that knowledge to simulate real live attacks when playing the game.

Strategy 3: a guided gameplay

Game setup

When used in an educative setup, the game can be best played in teams of two (i.e. multiplayer cooperative mode), with a recommended maximum of two (2) students per team and under the direction of a game master.
Note that even though other gaming modes are available, they have not been tested yet in an educative environment, hence we will ignored them for now.

The game master’s role

When utilizing the game for educative purposes, a proficient student assistant or lecturer can take the role of game master. The responsibility of the game master is to guide/assist students throughout the game and help it move forward at a pace that is appropriate for the students currently playing. To accomplish this task, the game master should be able to pause the game at any given time and guide the students into profitable discussions about the different topics featured in the game.

Since with great power comes great responsibility, it is important for the game master to be an impartial/neutral party that knows the course content well, is familiar with the game and the game app and has no favoritism towards any of the teams.

Role masters are required to:

  • Help student setup/get started with the game
  • Help students navigate through the game app
  • Explain cybercrime related terminology and refer to real life examples
  • Help students who are playing the role of the corporation select appropriate defenses to counter the hacker attacking attempts
  • Help students who are playing the role of attackers select appropriate attacks to accomplish their objectives
  • Start and guide conversations about the different defense and offense strategies that can be used to achieve a specif goal. The game master can pause/stop the game at any given time to engage the students into conversations about the benefits and disadvantages of potential attacks and mitigation’s given a specific situation
  • Refer to the security frameworks (e.g. Mitre ATT&CK) that are the foundation of the game and that are part of the course content. E.g. The game master should try to engage the students into a discussion about the Mitre ATT&C classification, its advantages/disadvantages as well as its operationability and complementary projects such as the CALDERA and the ATT&CK Navigator
  • Challenge the student’s knowledge about the different vulnerabilities covered in the course and how the CVSS framework can help pentesters/red teamers

Phishing example

…This example is still work in progress… Image goes here!!!!!

In this particular example, the students playing the role of the corporation have managed to implement the necessary security controls to build a well defended network, making initial access into the corporation‘s network difficult for the students playing the role of attackers. In order to move the game forward for the attackers, the game master decides to help them deploy a more resilient phishing infrastructure (commonly used in targeted red team campaigns) as a means to get initial access into the network.

….work in progress….

The following image is OBSOLETE (gameplay has changed), replace it!!!!!!!!!!!!!!!!!

The game master can use this opportunity to touch upon the following topics:

  • The advantage of segregating assets/services in red team operations
  • The difference between Phishing and Spearphishing
  • The different types of phishing attacks according to Mitre’s ATT&CK classification
  • Let the students know that while this is a typical approach for a red teaming phishing infrastructure, it is not the only way to accomplish this goal. The game master should encourage students to find other solutions to a phishing infrastructure available in the game
  • Let the students know that it is better to send an email to a few targets (i.e. targeted attack) than to multiple targets.
  • The tradecraft behind successful phishing campaigns.
    As the game move forward and the corporation start tightening the security in an attempt to protect their workers from phishing attacks by playing cards such as Security Awareness and DMARC, the game master
    and the challenges attackers and red teamers face
    Domain age matters: if the domain is a few days or even a few months old, the mail will get penalize in terms of trustworthiness
  • If you have your own phishing domain, use DKIM, SPF and DMARC for the domain as this will give the email infrastructure more credibility!
  • Do not get filtered
  • Do not attach obvious executable files (exe, java jar, dll, hta depending on the configuration of the target email infrastructure)..Know that some attachments will get automatically more scrutiny than others
  • Be aware that most infrastructures have now a days a mail av gateway to look at attachments and identify known bads according to their scanning engine

Vulnerability example

…This example is still work in progress… Image goes here!!!!!

The following situation can lead to a discussion about CVSS, in particular, the User Interaction (UI) metric in CVSS vulnerabilities and some of the most common defense evasion techniques used by attackers to avoid defense detection.

  1. As the student playing the role of attacker is about to run an matching exploit on a vulnerability that requires user interaction, he has to perform what is called the “User Interaction Test”. This user interaction test is perform to determine whether user interaction has been successful or not, that is, whether the victim has perform the actions that will trigger the exploit to execute successfully against the vulnerability. If the exploit executes successfully, the payload will run. The game master can use this opportunity to talk about different types of user interactions (open malicious file, click specially crafted link, perform a certain action…) and the different factors that can increase user interaction.