Written by Kevin Gosschalk, CEO, Arkose Labs
Gamers are very determined to beat a game,
defeat an enemy and be the best at what they do. This is the same mindset
hackers have when attempting to compromise a company's attack surface. In 2004,
the US gaming industry was worth $10.3 billion and online multiplayer gaming
was in its early stages, led by the release of the massively multiplayer online
role playing game (MMORPG) World of
Warcraft.
At the time of its release, World of Warcraft had 1.5 million
subscribers and in October 2010 the game peaked at 12 million subscribers.
Growing up, I was guiding a team of 40 players through intense virtual battles
as a member of one of the best guilds. Leading a guild at the world stage with
a team of completely remote players is very difficult and I learned valuable
lessons that prepared me to be the founder and CEO of a cybersecurity firm
fighting against real-world enemies.
Surprisingly, many of them today are targeting
the gaming industry.
In 2016, there were more than 2.5 billion gamers in the world and by 2021 the global
gaming market is expected to reach $174 billion. More people are joining the
gaming community daily - including hackers - and online games are now
threatened by sophisticated attacks. Examples of attacks the industry sees
today include account takeover and game hacking through Single Requests Attacks
(a family of protocols that attackers use to synthetically manipulate each
request they make for the explicit purpose of avoiding detection at scale).
As the CEO of Arkose Labs,
an online fraud prevention company, I leveraged my experience and passion for
video games to develop a gamified challenge-response mechanism that humans are
able to quickly solve - but bots and automated agents cannot. This technology
is now being used against real-world enemies to protect the companies who
developed the games I grew up playing. And while the enemies may have changed,
there are three skills I learned from gaming that have helped shape my career as
a cybersecurity CEO.
Understanding the mindset of an attacker
Once a hacker succeeds in breaking into a
company to extract value, they'll continue to do so. This is especially true
when there is a monetary incentive involved - until the economic viability of
the attacks is broken. Companies today are playing a hacker's game and they
are losing, as exemplified by the 437 data breaches reported
in 2019. Our approach to beating a hacker is to force them to play by our rules
by authenticating their request with our gamified security mechanism. In doing
so, hackers must play a quick game that requires them to solve challenges they
can't complete with automation tools. The challenges we present are seamless
for humans, but demand large investments in computer vision technology from
attackers seeking to exploit them. Hackers ultimately can't afford to automate
the challenge-response mechanism at scale because the cost is higher than the
possible reward that can be extracted by way of the attack.
By making an attack more expensive, hackers
are no longer motivated to attack a game and eventually become frustrated and
move on. When this happens, it means we've succeeded in thwarting the attack in
the long-term.
Leading separate departments to achieve a common goal
World of
Warcraft requires teams to work together toward the
goal of defeating a common enemy. Each enemy has its own unique abilities and a
different team strategy is needed to defeat them - requiring players of the
game to fill different roles and work together to be successful.
The same applies today in my role leading a
cybersecurity company in the fight against cyber criminals. Protecting
companies against hackers requires different teams within our company to
constantly communicate to be successful. For example, the data science team
continuously monitors traffic coming into our system and is watching for spikes
in suspicious traffic. The product team is working to develop proprietary
challenges that authentic traffic can solve, but inauthentic (i.e. enemy)
traffic cannot. And finally, the engineering team incorporates all of these
insights to ensure our product is better prepared for the next attack.
Leading teams of players in different roles
within a video game has prepared me to lead employees across different departments
- and regions - to make sure we are all working together to make an attack more
expensive than the value extracted.
Collaboration across a remote workforce
Companies must be aware that hackers are
everywhere and technology has allowed hackers many channels to break through a
company's attack surface, which can happen at any time. Gamers grow up playing
with other players they've never met, who are located all over the world, and
effective communication is a necessity. Leading one of the top World of
Warcraft guilds has helped me -
especially as our company continues to expand - when leading teams spread
across different countries and 17 time zones.
The rise of eSports facilitated rapid growth
in the gaming industry. Companies are now tasked with protecting players from
other players who cheat in games by using bots and scripts to enhance their
performance - resulting in a poor player experience. Companies must also
simultaneously protect their ecosystem from hackers breaking into player
accounts to commit fraud for their own real-world monetary gain. I founded
Arkose Labs by combining my two passions - gaming and cybersecurity - to solve
multimillion-dollar fraud problems by protecting companies against online fraud
and automated abuse with gamification techniques. The years I spent playing
games are helping Arkose Labs stay one step ahead of cyber criminals, and it's a
unique approach in the industry for stopping hackers in their tracks.
## About the Author
Kevin Gosschalk is
the CEO and Founder of Arkose Labs, where he leads a team of people focused on
telling computers and humans apart on the Internet. Before Arkose Labs, Kevin
worked on gaming hardware for the intellectually disabled at the Endeavour Foundation
and built a unique device incorporating Microsoft's Kinect Camera technology.
Noted for his involvement in interactive development and machine vision, Kevin
then turned his expertise to automated abuse and human verification - often
regarded as the Internet's impossible problem. Today, Arkose Labs has
transformed the irritating chore of comprehension into an SLA-guaranteed
technology that prevents automated abuse for brands like Electronic Arts,
Singapore Airlines, and Roblox.