Game Theory And Training

“You’ve done what you could to get as many lords of the council on your side as possible. They have now gathered in the throne room, and there’s nothing you can do about them. Because you can’t be sure how many councilmen the other rebel forces were able to sway, it’s time to turn your attention to gathering a fighting force. The seven greatest warriors in the land are each imprisoned in separate cells. You need to release them so that they can fight on your side to arm your forces. The strongest warriors that you’ve assembled each have a special weapon hidden somewhere in the palace. Each weapon is unique to each warrior, and the warriors can only be successful when they battle with their own weapon. Complete each task to collect your arsenal piece by piece. The quicker you collect each warrior’s weapon, the quicker you can move on to gather more. Once you have amassed a full array of weapons, you’re ready to take on the council and the other rebel forces with your army. If you get stuck, ask the palace oracle for a hint.”

This is not an excerpt from a pamphlet at the Renaissance Fair; it is the “Ultimate Lab” backstory from the McAfee/Foundstone Ultimate Hacking: Human course, a lab called “Shmoozapalooza”. The Ultimate Hacking: Human course was developed as a primer for organizations on how to identify, prevent, and secure themselves against the human element of hacking.

During the development of this course, we made the decision to include lab settings that would diverge from normal training scenarios. With that in mind, this lab was developed with a medieval theme to engage the students as they learn how to work together in more of a “game theory” environment. The lab itself takes about two hours to complete and involves students picking various locks, eliciting information from strangers in public and breaking into various workstations to gather flags for points.

To prepare students for the lab, we spend two intense days covering all forms of social engineering, from phone and email to removable media and physical approaches. We also cover the latest Internet-based reconnaissance tools and techniques. The module that makes this class unique is the Program Management module, where we discuss how to incorporate the techniques learned in the class into a new or existing security awareness program and, most importantly, how to sell this new process within the organization.

We developed this class with the idea that if a company could afford to bring in professional social engineers once per month, then over time their employees would get used to being tested and would end up on the lookout for social engineering techniques. Then, when a real attack came along, the employees would assume it was another test and react in the same, appropriate way: not falling for the ruse and reporting it to the proper area. It really doesn’t matter whether the employee knows (or thinks) it’s a test, as long as they respond the same way. The end result is the same: a safer environment and more prepared employees.

While the students will not likely leave this class as expert social engineers, they will leave armed not only with a complete arsenal for performing social engineering exercises internally, but also with tips on how to sell an internal social engineering testing program within their organization. And, after completing Shmoozapalooza, they should also have some great stories for the water cooler.

The McAfee/Foundstone Ultimate Hacking: Human course is currently being featured at the following upcoming conferences:

McAfee FOCUS 2013 – (link: )

SkyDogCon 2013 – (link: )

DerbyCon 2013 – (link: )
