The video game market has grown to $116 billion worldwide, and that makes it a big target for cyber criminals.
Sony felt the sting of cyberattacks in 2011 when hacktivist group Anonymous took down its PlayStation Network. That forced Sony’s CEO to apologize to all of the company’s game customers. But that was hardly the only attack. Video game publishers lose up to 40 percent of their in-game revenue and microtransactions to fraud each year, and ransomware has taken off as well. In 2016, Valve disclosed that Steam Stealer malware was compromising 77,000 accounts a month. That resulted in a huge loss of revenues and players as well.
I recently joined a webinar with a couple of security experts at game companies about this problem. The panelists included Ryan Safarian, vice president of engineering at Lucktastic publisher JumpRamp Games, and Arash Haghighi, manager of infrastructure at Smilegate West, publisher of online games such as Crossfire, one of the largest first-person shooter titles in the world.
Here’s an edited transcript of our interview, including questions from our audience. The session was sponsored by Akamai. (Here’s an audio version of the session).
GamesBeat: How do we detect a cyber attack, and what are the first steps in dealing with it?
Ryan Safarian: There are a lot of healthy steps that any business can take toward threat detection. The first recommendation would be getting your baselines on a couple of the following topics. The first thing I would recommend is your ingress and your egress. You want to get a solid understanding of what your activity cycle looks like over a set period of time, whatever that ends up being. How is that time frame defined by your business? Whether it be a session a day, a week, a month. But just getting an understanding of your peaks, your valleys, what things look like during the day.
Another healthy step — you can do very primitive stuff. Status calls. Just get a solid understanding, simply put — how many 200s, 4xxes, 5xxes are popping up in that similar activity cycle? Whether it be programmatically or something like that. You can build some kind of logic, or not even get that far advanced. You can start having some predictions around what activity is going to look like. If you do a burst campaign, or a special promotion, you’ll be able to identify what looks normal and what doesn’t.
What kind of preventative code do you have? For all the engineers out there specifically, follow through the UML. Go through every single use case. Try to understand that preventative code and the nature — the notifications you can build around the most sensitive and critical parts of your system. Not everything needs a notification. Whether you’re doing PagerDuty or a Slack notification or email, you’ll drive yourself crazy. You’ll end up essentially desensitizing yourself to a lot of information. You just want to focus on the most critical systems first and start working around that.
You don’t know what you don’t know. The more detail that you have around the transactions that are going in and out of your system, the more educated and more prepared you’re going to be to detect these attacks. When you’re in the middle of an attack, you want to isolate that attack surface area. Is your application modular enough where you can temporarily disable the service, or could you try to quickly get a sense of the effect on the application as a whole? Is this bringing you down completely? Is this a game that has completely hampered all of your end users?
You want to quickly get an assessment of that. The engineer needs to report all of this information for your dev ops team. They need to bubble this information up. Your CTO, CFO, CEO are going to need this information to make those critical decisions and pull the proper levers. You guys are on the front line. You need to quickly understand what kind of hurdles you can throw up to dissuade the attackers.
Attackers are going to keep coming. You need to treat it like triage. There will be times where some really ugly code needs to make its way into the system. There have been times where, at four in the morning, I threw in some stuff I’m not proud of. But you can always refactor that and put in something a bit more elegant. You just need to stop the bleeding.
GamesBeat: Arash, do you also have an answer on this?
Arash Haghighi: To detect any attack, you’ll need different kinds of sources and tools. We can recommend to any organization, any company developing games, you need to use different kinds of monitoring tools to make sure what’s going into your network, into your servers, your throughput and bandwidth. You have to come with the tools and make sure there’s no unauthorized activity in your network and your servers. Going through the event log checking, going through servers, using IPS and IDS and different kinds of firewalls.
Regarding human behaviors and the tools, you have to monitor things like pop-ups, or any weird emails. Any weird password activities. Network bandwidth monitoring. Any kind of drive usage. Any kind of abnormal CPU or memory usage. Check the transactions, check the events. You have to have a team, or strategy and plans to always monitor your competitors. Always find out, at firms everywhere, how people are talking about your game or service. That kind of information will help you predict or detect an attack.
You have to come up with schedule change policies. You have to be careful not to share too much information. If you’re going to have a guideline of some kind for your players, you have to make sure not to put in too much info that’s related to support activities. If you have strategy plans, initial plans, you can deal with any kind of detections.
GamesBeat: What are the main risks to the business when a cyberattack occurs?
Haghighi: It depends on the service, or the region, or even the business goals involved. If you’re under attack or under threat from hackers, you have to think about what kind of risk that represents for your business. Of course you’ll have players and customers complaining in forums, even your own game forum, and that can be dangerous for your business. You have to make sure you satisfy everyone, and that’s hard.
On the other hand, if you get attacked, the company ranking may be hit, and then you have to make sure of your place in the market. Game revenue as well can be impacted by any attack. So it depends on what you can figure out about the mitigation of an attack. If it comes from competitors, maybe users will go to them. You have to make sure you keep your users as much as you can. If you’re losing IDs, passwords, account information, that’s very hard to do. You have to be able to show improvement or have compensation plans to recover lost market.
You have to make sure you can save your critical information against any leaks. Of course that kind of leak can be a disaster. Hackers might even be able to open a case against you to get more information. It’s important to be able to keep your business safe as much as you can.
Safarian: To Arash’s point, the revenue impact is going to be the biggest risk to any business, but there are other impacts to your core user base. If you start looking into your retention and your user experience, we all get an understanding of the cost-effectiveness of retaining rather than acquiring new users. If your hardcore players, application users, the ones that are dedicated, the ones whose trust you’ve earned, who are constantly coming back to your application and being a touch point — you really want to make sure that their session and their flow is completely unmolested. You want them to have a very steady and consistent experience.
The third part of that, after revenue and retention, is going to be new user acquisition. You’re going to have to constantly pull in new users. Not everyone has that viral app that’s widespread. You have to purchase new users, acquire new users through different pipelines. Think about the revenue impact as far as that’s concerned.
If there is any issue on your game, you have to do one of two things. Either completely stop the new user acquisition funnel you have, which is going to throw off all the third-party analytics and data that they’re doing, if you’re acquiring from Google or Facebook or something like that — they have algorithms around these things. If for whatever reason your application is at a standstill, now you’re triggering a series of events that will take a long time to recover from. Google will all of a sudden see the conversion rates dip, which will put you down lower on the charts, and now you have to fight an uphill battle to get back to the numbers you had originally.
You might have a healthy user acquisition funnel, but for whatever reason, if that comes to a halt, now you’re relying on your business executives to pull a bunch of levers to get out of the rut. You’re spinning your wheels in mud at that point.
Those are the three most important components as far as how it relates to the end user, but there are also deeper business impacts as far as third-party relationships. At JumpRamp we have relationships with Hasbro and MLBPA. There are efforts that we need to secure around personally identifiable information, around data storage, all that needs to be considered, because if there’s any kind of misstep, all of a sudden that relationship dissolves and it’s a major detriment to that contract. Or any kind of promotion we’re giving out within the application. We need to be considerate of that. There’s going to be an end-user impact that will directly relate to the deeper business impact.