At Defcon 31, I was chatting with my colleague Mickey about random stuff as he was running our CTF, and the topic of dedication and persistence came up when it came to effective hacking and solving our CTF challenges. Then Mickey said “it’s kinda like beating Dark Souls for the first time. It takes a lot of effort and some failure”. As a long time Souls fan myself, I was drawn to the comment. Dark Souls nerds like me love to talk about how different that game is and how everyone should try it.
Wait…what is Dark Souls?
For those unfamiliar, Dark Souls (as well as related titles like Demon’s Souls or Bloodborne) is a 3rd person action/RPG video game that has a reputation for difficulty. While many games give you heavy handed tutorials, easy beginning levels, short checkpoints, and other things to make the experience reasonably winnable for the average person, Dark Souls is less interested in helping the player (for better or worse).
There’s plenty more you can find if you want to look up the game. Despite its difficulty, it’s very popular and fans of the series are dedicated, so content about it is everywhere. Just check out YouTube or Twitch. But this brings me to the first way Dark Souls and Ethical Hacking are similar…
It’s not for everyone
I love Dark Souls. It’s one of my all-time favorites. It has many memorable qualities, like being carried by weird demon things to Anor Londo to get a magnificent view of a city, or when you happen to be walking in Undead Burg and a huge dragon lands in front of you and then flies off.
But lots of people drop the game very quickly. The idea of being killed instantly by one attack or being pushed off a ledge by a horde of enemies to your death suddenly, or having to go back and repeat a huge section of the game because you made one minor mistake can be heartbreaking for some. It certainly can be frustrating for me.
There is a flipside to this. To begin with, sometimes it’s just funny when you do something stupid and end up dying. There’s plenty of fun stories to share when you opened a chest to discover a mimic that ate you as large text pops on the screen that says “YOU DIED”. I think one of the reasons the game is so popular on Twitch is because people love failure.
But perhaps more meaningfully, overcoming the struggle of the game, like the multiple deaths to the same boss over and over again or discovering a shortcut that until now was unclear to you, can be intensely gratifying, especially the first time. It’s kind of like a high from a drug. he first time I fought the Gargoyles in Dark Souls at the same time, it was this enormous challenge. You mean they both attack me at the same time? They can shoot fire that I can’t block with my shield which worked against everyone else? And for me to fight them again I have to run all the way back from the bonfire and deal with a bunch of annoying enemies that I already fought? It kinda sucks, but you feel like a BAD ASS when you finally defeat them. It’s like the game knows you just had to put up with all of that stuff and knows exactly what kind of positive stimulus to feed you to make you feel like you achieved something.
This is what hackers do too. Hackers overcome obstacles that seem insurmountable. They break security on products that are supposed to be secure by looking for solutions that may not be obvious. It’s also why doing vulnerability scans alone won’t get the job done, because a persistent hacker will find security issues that scanners won’t, like chaining exploits together to beat the “boss” of defense.
An effective hacker must have the same mindset as a Souls player. The idea that a product or application can’t be hacked is wrong. If you crack at it long enough, you’ll find the vulnerability you need to break in. It requires persistence and the innate ability to push past the negative feelings associated with failure. And it’s quite satisfying once you discover that critical vulnerability that broke down the defenses in place. You defeated the boss.
Looking for unconventional solutions
Early in Dark Souls, a large door is in front of you. Once you walk in and proceed a few feet the Asylum Demon, a giant monster about 30 feet tall with a big weapon, drops into the room and starts attacking you. It can be surprising for first-time players and somewhat intimidating, particularly with the menacing music it plays. Many instinctively try to lock in and fight this boss with their weak weapon, lack of healing items, and no idea of how to even control the game…and fail.
But there is a solution to this early problem. If you look around the room, a small open door leads to another path. You can just run to the door, the gate closes behind you, and you move on. Ta-da! That wasn’t so tough after all!
I can’t think of too many other games where the solution to the first boss encounter is to…not fight the boss. But that’s what you are supposed to do. I guess you can probably just try to be perfect and fight off this boss, but it’s challenging. I’d consider myself experienced and I don’t do it.
How do you beat the Asylum Demon? After going through the rest of the dungeon, you find better items including a healing item called the Estus Flask, and eventually find another entrance into the room with a drop directly onto the boss for major damage, making the boss fight much easier.
This is one example of how Dark Souls wants you to look for solutions that are not typical. You don’t win unless you are creative. With hacking, if you want to find the most impactful vulnerabilities, creativity is essential. Would someone be a good hacker if they went to a website, clicked the log-in link, then tried a few credentials they guessed, failed, and then assumed things weren’t breakable? Of course not. SQL injection, cross-site scripting, and other attacks that go around visible defenses are far more unconventional and show the true value of a skilled hacker. Those are the kinds of hackers you need to make sure your products are truly secure.
You don't want to use conventional solutions to fight this thing.
Time and effort
There’s one problem with the Souls games. Now that I’ve been playing them for a while, it’s harder to shock and surprise me with their challenges. While it is a RPG where you “level up”, the thing that really leveled up wasn’t some statistic in the game, but my skill as a player.
Good hacking is similar. The first time you do it, you really need to experiment. You’re going to fail a lot. You’ll run into things you just don’t understand or haven’t seen before. But eventually you see the patterns. Your depth becomes greater. You’ll approach problems with the successes and failures of the past in your memory. The “new boss” gets easier.
Another thing to remember is that even the best hackers and Souls players will run up against new challenges, including things that might seem impossible at first. Elden Ring, another game in the spirit of Dark Souls, features a boss named Malenia. She’s an optional boss that is very difficult. She has multiple phases and can even heal herself while attacking. When Elden Ring came out, seasoned Souls players were spending hours trying to defeat her.
But it just took effort. Malenia wasn’t impossible to beat and neither is a hack. Maybe it seems tough. Perhaps you’re going to fail a lot. But with time and dedication, you can get it done. This goes for the bad guys as well. If they want to hack you and are willing to put in the resources, they will do it. From a defensive standpoint, you need to make it unappealing to put in the effort.
At ISE, we put in the effort we think is appropriate for the target and its assets. A sensitive asset is worth putting in the extra effort to protect, so we can’t assess the target in a limited way simply because that effort won’t get the results we are need. We must assume that the unethical hacker is willing to spend the effort to get to the asset, because it’s worth it. On the other hand, we probably wouldn’t make the same intense effort into hacking a website that is informational with limited impact from an incident. The payoff isn’t worth it.
Dark Souls doesn’t really tell you much about what the goals of the game are. One of the first people you talk to says you should ring two bells, one above and one below. That’s what you get when you arrive at Firelink Shrine. By the time you find them, you realize that this was just one step to the actual point of the game. The thing that drives the player in Dark Souls is the unknown. Some of the best content in the game is not related to the main story and often is hidden behind fake walls that will only be found by people who are dedicated enough.
Hacking is about being curious. You need to operate with the assumption that there are things that you shouldn’t take at face value. Some technology can be completely incomprehensible, and you don’t understand why it is even part of a system. A curious hacker wants the answers and more importantly wants to understand how they can exploit that answer to their benefit.
Hopefully if you are reading this and aspire to be either an Ethical Hacker or a Dark Souls expert, I didn’t turn you off by bringing up the challenges. Rather, you should look at the challenges as an opportunity for achievement and satisfaction. Working with people like Mickey, I guess I shouldn’t be surprised that I work with a bunch of hackers who like these games. It scratches the same itch.
Before I conclude, I want to say that effective hacking and security testing shouldn’t be easy. The efforts you put into any of your security controls, whether it is testing or creating policy or using tools should be significant if they are to be effective. Is someone telling you that your penetration test will be super easy, cheap and take no time at all? Maybe you should be skeptical. If security testing is so easy for them, are they really all that curious to look for unconventional attack surfaces, or use different techniques, or put in the time and effort it should take to find the most critical vulnerabilities? Probably not.
Here's what you should do next:
- Make sure the external security testing you do is performed by a real person who will care enough to push your systems to discover true vulnerabilities.
- Consider potential attack scenarios that are unconventional. Your assessments and security must be ready to deal with it by being layered and robust.
- Identify and value your assets appropriately. Once you do, you will know what kind of investment of resources and effort is appropriate for testing and security tools.
- Be curious enough to consistently re-evaluate your entire security posture. What worked in the past may not work in the future.
Bonus: Play a Souls game and tell me about it! Email me at firstname.lastname@example.org. I hope you don’t hate me for this…
Thanks for reading! If you want to learn more about the right way to do security assessments, or maybe you just want to chat with me about difficult video games, be sure to reach out! I’d love to talk with you!