Nick Allan, Partner
Interactive Entertainment Group
Mishcon de Reya
Hello everyone and welcome to the latest Digital Session in our Diligence 2030 series. We’re having something of a games industry takeover for this session and I am going to be host for today. My name is Nick Allan, I am a lawyer and a partner in the Interactive Entertainment Group at Mishcon de Reya. Most of my practice is in the global games industry representing developers, publishers, licensors, tech suppliers and others in the games eco-system. But this session is really all about cyber security in the games industry which has become an increasingly attractive target for cyber-attacks over recent years. As I am sure you will be aware if you read the news or you work at a games industry er, company yourself. And for those of you who may not work day-to-day in the industry, many contemporary games are really complex technological products that are both IP and data rich, users provide their personal data in order to enable their in-game purchases, link payment methods and track their progression across multiple platforms. And multiplayer games can be online worlds and the subject of major tournaments and often a daily hobby for many players that really do not want their experience to be interrupted. And monetisation systems are often complex especially with the now dominant free-to-play model where the virtual currency ecosystems in these AAA live service titles can be worth several billion dollars in and of themselves. And finally, let’s not forget the underlying source code and assets of the games that are invaluable, confidential trade secrets of the companies that develop them. So we’ve called this session Game Over because we’re a law firm and are required to include a pun in all webinar titles but really for most games companies a cyber-attack doesn’t have to be the end of the road. With good preparation, quick intervention, appropriate deployment of investigations, legal tools and technical recovery, the impact of these attacks can be mitigated.
I’ve been involved in helping games companies respond to a few cyber security incidents over the years but I am definitely not a cyber expert so I am therefore very pleased to be joined by two actual cyber experts who do this for a living; as such I’d love to introduce my colleagues, Mark Tibbs and Francisco Sanchez from the Mishcon Cyber Team. Mark, why don’t you go first and introduce yourself briefly?
Mark Tibbs, Partner
Cyber Team and Complex Investigations Team
Mishcon de Reya
Thanks Nick, yeah my name’s Mark Tibbs, I’m a partner in our Cyber Risk and Complex Investigations Team so I specialise in complex investigations. I’ve got over 15 years of experience in intelligence and investigations and I began my, my career in law enforcement where I was tracking down cyber criminals, I’ve got a passion for doing that and bringing them to justice and in my career I have worked on several incidents and investigations involving games companies, usually data theft or extortion and at Mishcon we try and combine the skills of the team, so people like Francisco on the technical side and then people like Nick and other lawyers to address cyber incidents.
Nick Allan, Partner
Interactive Entertainment Group
Mishcon de Reya
How about you Francisco?
Francisco Sanchez, Director
Cyber Risk
Mishcon de Reya
I’m Francisco Sanchez, I am the Cyber Risk Director and I lead incident response on cyber security investigations at Mishcon de Reya. While I’ve supported clients in the games industry from a professional perspective, helping them respond to incidents and improve their cyber resilience, my longest standing connection to the industry is actually as a player. I’ve been a gamer for years and I’m currently still wrapping up Hogwarts Legacy. So I come to this panel both as a security specialist and as a long-time fan of the work the games industry does.
Nick Allan, Partner
Interactive Entertainment Group
Mishcon de Reya
Thanks Francisco. So yeah at Mishcon we offer a multidisciplinary approach to cyber with both lawyers and non-lawyers on the team. Um so before we kick off properly just a little housekeeping, this is one of our flash webinars so it is only a 25-minute session. We’ll see if we have some time for Q&A at the end and there is a Q&A function on your Zoom window to submit a question if there is anything you want to ask and of course you can get in touch with us directly to discuss anything you like in more detail and you can find our contact details in the resources tab on your Zoom window. So we are going to do this as a bit of a panel session with me asking the questions and moderating around three main topics; so first what is the nature of threats faced by games companies in cyber? Two, what happens in the event of a cyber security incident and how do you respond? And three and finally, what can you do to prevent and prepare for these types of attack. I am also informed there will be a recording of the session available for everyone who has signed up. Thanks for joining us and let’s get started. Um, so topic 1, what is the nature of threats, Francisco maybe you can kick us off. What are the most common cyber threats in the games industry and what makes games companies targets?
Francisco Sanchez, Director
Cyber Risk
Mishcon de Reya
Right, so from an incident responder’s point of view um I would say that some of the most common threats we see would be credential theft and account takeovers. So they typically target player databases, developer tools or internal administration portals. Attackers are, are often after sensitive in-game assets or any monetisation routes they can find out. Uh, another one would be ransomware and extortion attacks where not only is access to systems blocked but there is also a threat to leak source code, pre-release titles or internal communications that can damage reputation. We have for instance er, Capcom, which was hit by a ransomware group that resulted in a leak of personal data and internal development plans. Another common risk would be insider threats which can be either malicious or negligent. Think a disgruntled employee leaking builds or abusing administrative level access. You have a former employee of a games company using that access and exfiltrating confidential data files after termination uh that led to a legal case and industry attention on, on insider access controls. Then there is intellectual property theft and espionage, uh particularly from competitors or nation state groups interested in engine tech, proprietary code or any monetisation strategies. I still remember a famous CD Projekt case that suffered a breach where attackers claimed to have stolen, you know, source code for a very famous game Cyberpunk 2077 and The Witcher 3 which was later put up for auction on the dark web so that can be uh, the last one I would say distributed denial of service attacks especially around launches or esports events are now quite sensitive to that. They try to disrupt operations or sometimes as part of a bigger distraction campaign. In 2020 you had Blizzard’s Battle.net service suffer a sustained distributed denial of service attack and that caused major disruptions to games like World of Warcraft and Overwatch during peak hours. That, that’s quite uh damaging.
Quickly on why games companies and the games industry are targets, I would just list three main reasons. One of them is the valuable digital assets that they hold. So that comes from, as was previously stated, in-game economies to source code and user data. So there’s really real world money to be made out of this. The second one it’s, I would say, the high visibility reputation and the passionate user bases, uh attack, attackers know that if you leak at the right time you can cause an outrage that would draw headlines and user backlash that can be quite damaging to companies. And last but not least, is the characteristics of the, of the industry itself. It is a fast-paced, development heavy environment so companies often prioritise speed and innovation which can unintentionally expose weak spots in their security posture.
Nick Allan, Partner
Interactive Entertainment Group
Mishcon de Reya
Thanks Francisco. Yes certainly as a non-cyber expert, a lot of my games clients have focussed on ransomware and DDoS attacks over the years. Mark, was there anything you wanted to add to, to this point?
Mark Tibbs, Partner
Cyber Team and Complex Investigations Team
Mishcon de Reya
Yeah, the first slightly different slant on it I suppose I’m coming from looking at the attackers themselves and you know, from, from experience um, and um just from looking at the history of cyber-attacks, there’s a, there’s a spectrum of attackers and you can, you know like I say, the most serious attackers we see are organised criminal groups, so this is sort of ransomware attacks, perhaps organised data theft. This is a very organised way of achieving their aims and it may be that there are several groups involved. We see things like groups that are offering initial access, they are you know, they are actually just going in and exploiting systems and then selling that on to a third party who might do the infection or the um, encryption of devices and then you might get you know, a third party that might be doing the money side of things or the communications with clients. It’s a very professionalised and financially motivated group of attackers. That’s, that’s kind of a pernicious group. I mean you also have and Francisco um, sort of alluded to it, nation states as well. So we have sort of a, a difficult, what, you know, it’s never, it’s never clear in those circumstances who and why but sometimes um, threat intelligence um companies and threat intelligence and analysts will look at attacks and they’ll say, well those have got all the hallmarks of a, a you know, this country’s way of doing their attacks and you know, that might be the, there are a set of um, attackers that have gone rogue and they’re going, they’re becoming financially motivated or they might be you know, looking for, for sort of strategic advantage, economic espionage, things like that. So I’d say, um but then on the other side of things, that’s a very pernicious side of things. That’s the higher end of the spectrum.
On the other side of things you’ve got a group of people increasingly able to commit these kind of attacks because of the way that the um, cyber-criminal world has kind of evolved um you know, there’s a much lower barrier to entry. You don’t need to be a technical whiz kid to be able to do certain attacks, for example, you know DDoS attacks, you know, you don’t need to be running your own infrastructure to do that, you can hire someone to do that for you um, you give them some Bitcoin and away you go. It, it, it’s becoming a lot easier for those groups to do it. It is also, I would say, um you know, familiarity through some, uh, uh um users of game, games in particular with the, with the industry. So they are you know, perhaps more inclined to launch their attacks against the more familiar targets as well. Um and you know, sort of to add to that as well you’ve got a group of attackers. There’s a sort of asymmetric um, part of this equation which means that you’ve got people, individuals who are very young, they might be new into cybercrime, they might not even realise they are committing cybercrime. They are doing things for notoriety. They are social engineering conscripts, you know they’re using these kind of um not necessarily very technically sophisticated techniques to get into businesses, to get passwords, those kind of things. So we’re looking at it from, from that point of view and sometimes it’s, like I said, it’s asymmetric. So someone who is a lone wolf operating on their own, you know, can do a lot of damage um, and they’re not, they’re not the, the organised groups, they’re not the bank robbers who do this professionally, they are just kind of messing around. So there’s, there’s, there’s yeah, looking at the attackers, there’s that as well.
Nick Allan, Partner
Interactive Entertainment Group
Mishcon de Reya
Thanks Mark. Yes um so it’s uh, games companies are very much targets and it’s becoming easier and easier to do it with things like DDoS. I certainly had a games client a few years ago who was the victim of repeated targeted DDoS attacks that turned out to be a, a 19 year old living with his parents in the UK that was behind it all so.
Mark Tibbs, Partner
Cyber Team and Complex Investigations Team
Mishcon de Reya
I think, I think probably, sorry just, just to add as well, that then we, we, I think Francisco alluded to that. I mean, I think you know, the big, the big attacks are very well covered by the media because they’re interesting and, and you know, obviously we’ve seen, uh supermarkets recently being, being uh, targeted. But probably less well covered by the media are things like high volume, but low, low impact attacks you know, account and, and Francisco mentioned it sort of, account takeovers en masse, you know, automated kind of attacks that are um, fuelled and kind of in-game fraud. So there, there’s those things as well which I, I, I dare say are more difficult to actually deal with as a company.
Nick Allan, Partner
Interactive Entertainment Group
Mishcon de Reya
Yes, thank you Mark. Um, so in the interest of time, let’s move on to our second topic which is about the actual response. So Francisco do you want to talk to us about this first. Um, how do you go about conducting technical investigations following a cyber-attack on a games studio? And maybe tell us a bit about the key challenges you might face during one of those investigations?
Francisco Sanchez, Director
Cyber Risk
Mishcon de Reya
Well just to kind of pick up from the previous question so just a reminder that like traditional or more traditional industries, the value here isn’t always in data. Uh, it’s very many often in reputation, pre-release content and, and interim access to the users. Now when a game studio suffers a cyber-attack our first priority in investigation is containment, isolating the breach to stop any ongoing damage. Then we move into the forensic analysis to understand what happened, how it happened and what was affected. Now technically we look at log data from servers, endpoints, cloud environments and sometimes even source code platforms like uh, GitHub. We trace the attackers’ movements. We look for signs of data exfiltration and assess whether any internal accounts or developer tools were compromised. Some of the key particular challenges in this I would say for instance, speed versus preservation. You know, like I mentioned before, game studios move fast, especially during development cycles but investigations need evidence preserved carefully, and we often have to ask teams to pause activities to avoid overwriting logs or volatile data. So a balance needs to be struck between the need to investigate and the need of the studio to continue to operate. You also have very complex and sprawling environments. They might have hybrid setups, cloud platforms, third party tools, version control systems, development environments, the, the works. So all of these generate data in different formats that could be relevant to the investigation and so a challenge to figure out which ones are relevant and, and to go through all of that. Then you might have limited visibility. Sometimes you know, the key logging, alerting, monitoring isn’t in place, especially for internally developed tools or proprietary systems when used in those environments.
Um, and then you have the, the sensitive intellectual property that could be at stake so you know, leaks of unreleased content or source code can be devastating so communication and legal coordination become just as important as the technical work. I think that’s something that Mishcon really specialises in, is the ability to bring all of these different areas to really support clients instead of having to deal with multiple parties. Now, ultimately our job is not just to find the hacker, the threat actor, but to help the studio to understand the scope, protect their assets you know, guide them through total recovery, while supporting any legal and regulatory obligations they might be under.
Nick Allan, Partner
Interactive Entertainment Group
Mishcon de Reya
Thank, thanks. Go, go ahead sorry Francisco.
Francisco Sanchez, Director
Cyber Risk
Mishcon de Reya
I was just going to say that Mark’s team typically always supports us with attribution if he wants to bring a bit, uh talk a bit about that.
Mark Tibbs, Partner
Cyber Team and Complex Investigations Team
Mishcon de Reya
Sure, yeah. So I mean like Francisco said, the challenges we see are the ability to quickly gain the right logs, you know, finding the right data sources and, and now there’s a sort of a, you know, for, for the lay people on the call, um there’s, there’s never a complete uh, visibility of security around a network, it’s just like a building you know, you might have CCTV on a doorway or on a, a window but you might not have it covered everywhere. So having you know, that ability to identify logs and you know, because those are the sources of, of information intelligence that help us and then when I’m working with, um teams, forensics teams like Francisco’s team, they’ll be doing things, they’ll be looking at the logs, they’ll be looking to see you know, have there been any unusual IP addresses? What are the, what are the tools that have potentially been uploaded? Are there any fingerprints that we can get? Because it’s those things that, that are key to sort of being able to attribute and what, what I mean by that is working out who it is that’s done it and then we can potentially understand why they’ve done it. And, and the reason for that, reason why that’s important, is it, because it helps us prioritise the next level of investigation. You know, if we can see that this group has the motif that um, er you know, or a sort of a fingerprint that corresponds to a known group, we can then look at that known group, see how they typically do things or how they’ve done things in the past and potentially predict what they are going to do next. So that’s that kind of profiling of the threat actor as we call them um and, and it’s, and it’s those forensic artefacts in, in the, in the logs in the network that are often really key to unlocking that, um that next level of investigation.
But, but, but there can be you know, talk about challenges of that, there can be layers of complexity in, in that attribution, um, because you might be looking at an attacker and think, oh this is a ransomware attacker, but we’ve seen cases in the past where actually you know, there’s false flags that are laid. There’s, there’s sort of um, not misinformation, but sort of tracks have been um, deleted you know, so there’s a level of sort of operational security awareness when they’re in, in the network to try and hide their tracks and make it more difficult for the investigators to understand who they are and what they’re doing.
Nick Allan, Partner
Interactive Entertainment Group
Mishcon de Reya
So, so Mark, just staying with you on the investigation side. Can you tell us a little more about the external sources um and external investigations that are helpful in a cyber-attack?
Mark Tibbs, Partner
Cyber Team and Complex Investigations Team
Mishcon de Reya
Sure.
Nick Allan, Partner
Interactive Entertainment Group
Mishcon de Reya
Particularly in a games industry context.
Mark Tibbs, Partner
Cyber Team and Complex Investigations Team
Mishcon de Reya
As, as I was kind of, I was kind of, sort of saying around the sort of internal things that um, we can look at on the logs and on the, on the internal network, once we’ve got those, we can, we can enrich them. So that’s what we’re looking to do. We are looking to use those as pivot points to say, well what else do we know about this? And that can be, um as simple as you know, I mean sometimes it’s very straightforward. You get a ransom note that says uh, we are this group and here’s our Bitcoin address, or here’s our Ethereum address and here’s our, our way of communicating with us and here’s our leak site on the dark web. So, so uh you know, there’s, there’s ability, teams that are investigating this need to have the ability to (a) look at those sources you know, sometimes companies won’t be set up to view dark websites on their, on their network you know, they’ll be blocked and they won’t be able to look at Telegram channels, etcetera, and, and just sort of stepping away from that, um incident kind of scenario where we’re in the middle of it, there’s also a value in um, these kind of investigation teams like ours, doing some proactive searching, doing proactive referencing beforehand so, so that’s another sort of preparatory step that, that companies could take is having a team that are looking for you know, before it, before it kicks off um, looking for signs, early warning signs of, of malicious activity um, and, and in terms of sort of external things that we’re looking at which is, which is um you know, we might be doing things like social media monitoring. We might be monitoring Telegram uh, channels. We might be looking for things outside of the business that can help us understand who the potential attackers are and actually if we’re in the middle of an incident, who the actual attackers are. So yeah, those are the kinds of things we’ll be looking at. I mean, threat actors you know, they operate in different ways depending on who they are.
You’re not going to necessarily find many state actors in a, in a criminal forum. Although you might find one or two. Uh but you, you will find criminals uh, coalescing in certain places, private and public you know, they do, they, they often have uh, both, uh and sometimes you know, depending on who you’re dealing with, you might have a threat actor that isn’t particularly sophisticated in covering their tracks and their operational security online. So they might be great at doing their, their actual attack. They might be very technically sophisticated, but offline they’re sloppy you know, we see that so many times and that’s what gives us that kind of, uh you know, that not the upper hand, but slight strategic advantages when you’ve got that um, threat, threat actor that either isn’t concerned about their operational security or not very aware of it.
Nick Allan, Partner
Interactive Entertainment Group
Mishcon de Reya
Thanks Mark. Um, shall we move on to our final topic which is about prevention and preparedness? Um so, Francisco, let’s go back over to you. What are the key things from your perspective that games companies should think about and implement in order to prevent and be prepared for cyber incidents?
Francisco Sanchez, Director
Cyber Risk
Mishcon de Reya
Right so as we typically say, prevention and readiness are two sides of the same coin when it comes to cyber threats in, in the games industry and others. But from my perspective uh, I think one of the things definitely is that you need to protect what’s valuable. That means you need to know what is, what is the data to protect. You need to identify crown jewels, be it source code and unreleased content, player data, developer tools, and ensure they’re protected with tighter access controls and monitoring than the rest of your environment. Another one would be you need to secure the development environment. Now, DevOps and source control tools are frequent targets. You need to enforce you know, multifactor authentication, control who can push or pull code and monitor any unusual activity on those platforms. You should prepare for incidents, not just try to prevent them. This means you need to have an incident response plan and you need to test it. Reaction times are critical in incidents like that. Do you know who to call when something happens? Do you know who to ring? Do you have the teams and knowledge in place or the agreements with the partners that you can pull in to get the right support? Because you need to get the most um, practical intelligent advice you can get from the, from uh, the first moment so that you can guide your actions and the reaction not only internal but external. Uh you know, you, you need to know who does what and when something goes wrong, including you know, legal communications, top execs, regulators if applicable, not just IT. Uh, two others, log and monitor strategically, you cannot and you don’t need to log everything, but you do need enough visibility to be able to you know, detect and investigate suspicious behaviour. You need to find that balance that includes endpoints, cloud uh, internal tools and last but not least, I would say training for staff.
You know, many attacks still start with social engineering, so staff, especially developers and community managers, they need to know how to spot phishing and what do they do if they click the wrong thing. So all in all, in short, I would say treat security not as a blocker, but as a business enabler. Um, something that protects the creative process, your intellectual property and your player community.
Nick Allan, Partner
Interactive Entertainment Group
Mishcon de Reya
Thanks Francisco and Mark, is there anything you want to add to that in terms of key takeaways for preparedness before we have to close the session?
Mark Tibbs, Partner
Cyber Team and Complex Investigations Team
Mishcon de Reya
Yeah, yeah I mean around the employee training aspect of things you know, I, I think, and there’s been a recent wave of attacks and it’s increasingly familiar to see um, IT help desks and, and sort of customer service being targeted. So I, you know, if, if I was doing employee training I might be also trying to bring in those groups and make sure that they are as well-equipped as the rest of the, as the rest of the business because often they are sort of, encouraged to help and that’s why they’re, the attackers are, are trying to target them. So, so there’s this balance of like trying to help the customer, but also being aware that some people don’t have your best interests at heart. So there’s, there’s that and then I’d say in, in terms of um, having an incident response plan you know, having your clearly defined set playbooks for the most likely scenarios. So for, for a games industry you know, like we said, ransomware, DDoS attacks uh, data theft, those are the ones that you want to drill and you want to drill them not just with your technical security team, but you want to drill them with key decision makers in the business and also key other functions so cross function, you, you will definitely want to bring in your comms advisers because they’re going to be such a big part of, of the, of the incident response escalation. You’re going to want to get legal assistance in there as well, and you want to get, you want to get the IT security as well. So, so rehearsing and actually sort of doing this, like actually getting them, getting the playbooks out, dusting them off a, and doing it, it just makes the, the heat of the moment ten times easier because you are removing all the unnecessary, or like, you don’t have to do any research, you don’t have to, so what’s the next step? Because it’s there in, in front of you and obviously it’s going to be a very dynamic environment.
The idea is to remove as many of the unnecessary decisions as possible so that you can protect the business you know um, and I’d say just, just one, one other thing. So yeah, so, so education, definitely uh, planning uh, planning your incident response and making sure it’s multidisciplinary. And then also you know, uh, this would be very familiar to I’m sure, to lots of the um, games companies uh, on the call and making sure you have a, a plan for DDoS attacks as well. So, so partnering with a cloud based DDoS protection provider um, and, and just building in your, in your playbook decisions about when to redirect traffic etcetera, what you’re going to do in the incident with the DDoS. So yeah, and, and just making sure after all of that, that you know, the people that are the escalation points do actually know the escalation points, because if their phone is switched off in the heat of the moment, again that’s the thing that can really just frustrate and, and, and just, and just cause unnecessary friction in, in dealing with an incident.
I think we’re up against the clock now so thanks, thanks very much everybody.