Researchers at the St. Petersburg Federal Research Center of the Russian Academy of Sciences (SPC RAS) have developed a prototype of a computer game that invites the user to play the role of a malefactor and steal valuable information from a company's office using common techniques employed by real cybercriminals. The goal of the game is to raise the personal and corporate literacy of company employees in handling classified information, and to teach users to resist various types of socio-engineering attacks.
Socio-engineering attacks are one type of information attack. Whereas an ordinary hacker attack penetrates an information system by exploiting its software and technical vulnerabilities, a socio-engineering attack is carried out through interaction between the attacker and a user, in order to gain access to the intended victim's information system or to the information stored in it. Socio-engineering attacks come in a great variety: from intruders entering an office to steal important company documents, obtain passwords to work computers, or find out information useful for an attack, to telephone scammers who try to mislead the person on the other end of the line and take possession of their credit card data. A large number of crimes currently result from socio-engineering attacks; often they occur because people do not notice them or attach no importance to signs that a crime is already being committed.
"Today, many large companies, for instance banks, run training on protecting users against socio-engineering attacks. However, it is often delivered as video or oral lectures, in the form of talks about protection methods. These events are not always of interest, and upon completion of the lectures the employees pass tests that can be written off without delving into the core of the problem. This is why we arrived at the idea of developing a computer game in which employees of companies or individual users can take the place of a criminal and independently launch an attack against the company's office, i.e. the game can be a sort of simulator to form the correct conscious behavior of an employee, the necessary patterns that cannot be developed via briefings and training lectures," says Maxim Abramov, Head of the Laboratory of Theoretical and Interdisciplinary Problems of Computer Science (TiMPI) of the St. Petersburg Institute for Informatics and Automation of the Russian Academy of Sciences (a structural division of SPC RAS).
The game is played from a first-person perspective. According to the plot, the user enters the company's office, where he is asked to complete a number of quests to obtain corporate information. For example, he can eavesdrop on a conversation between colleagues, break into the boss's office and try to find passwords to the work computer, or contact employees while pretending to be technical support. On successfully completing tasks, the player receives virtual money to buy useful bonuses: for instance, turning on a fire alarm in the building to force employees to leave the office.
"We have plans to develop assessments of users' security against socio-engineering attacks based on the results of their passing the game, so that everyone has their own personal profile, in particular one accounting for individual psychological characteristics. We hope that through the game we will manage to get people familiarized with various types of socio-engineering attacks, so that they look at what vulnerabilities were created by their behavior, of which, perhaps, no notice was taken," says Alexander Tulupyev, Chief Researcher of the TiMPI laboratory.
The idea of creating such a game was prompted by the growing interest of large companies and government departments in protecting their data against socio-engineering attacks, so the SPC RAS scientists are ready to offer their product to industry and adapt it to the specifics of each individual company. The developers are now focused on refining the interface and on introducing new scenarios of socio-engineering attacks aimed not only at large organizations but also at individual citizens.
Scientific publications on the topic:
[Azarov A.A., Tulupyeva T.V., Suvorova A.V., Tulupyev A.L., Abramov M.V., Yusupov R.M. Socio-Engineering Attacks: Problems of Analysis. St. Petersburg: Nauka, 2016. 352 p. ISBN 978-5-02-039592-3]
[Krylov B., Abramov M., Khlobystova A. Automated player activity analysis for a serious game about social engineering // Recent Research in Control Engineering and Decision Making. ICIT 2020. Studies in Systems, Decision and Control, 2020. Vol. 2. P. 587-599.]
[Krylov B.S., Abramov M.V. Automatic Hierarchical Task Network Planning System for the Unity Engine // CEUR Workshop Proceedings, 2020. Vol. 2648. P. 122-133.]
[Abramov M.V., Tulupyeva T.V., Tulupyev A.L. Socio-Engineering Attacks: Social Networks and User Security Assessments. St. Petersburg: GUAP, 2018. 266 p. ISBN 978-5-8088-1377-5]
The R&D work is carried out in collaboration with St. Petersburg State University.