The gaming industry is one of the fastest entertainment industries globally. But that also makes the gaming industry a big target for hackers -- especially in the last few years. We sat down with Eden Amitai, Cyber Security Evangelist, Radware, to discuss how gaming has evolved to become a target for DDoS attacks, specific security industry challenges, and the security threats of games moving to the cloud.
What pressures are gaming companies under when it comes to cybersecurity?
Gaming companies are a lucrative target for hackers and botters alike. It's a multi-billion-dollar industry and as such, attracts malicious activity like bees to honey. Gaming companies make huge investments in providing the best user gaming experience with high network performance. As these goals require much computing, network power and human resources, often gaming companies find themselves understaffed, underbudgeted and with no skilled manpower to fight cyber-attacks. They must protect the integrity of their games against botters and also protect the game itself from different application and DDoS attacks, which is not an easy skill to master. Gaming companies are on a continuous journey to have a great brand name, yet they shouldn't neglect their security posture to protect their hard work and brand reputation.
What security challenges are specific to the gaming sector?
First and foremost, they are looking to provide an uninterrupted streaming experience, which can be very hard to maintain as even the smallest unmitigated DDoS attack can cause severe service degradation. People often think that a DDoS attack can cause only a server to crash, but that is just a simple case. It does more insidious damage by slowing down the network - which can have ripple effects throughout the game without ringing any alarm bells.
Second, gaming vendors need to verify the game authenticity, as botters and hackers can disguise their work and manipulate the online game, which will lead to unfair gaming advantage and frustration of other players. Botters use bots or tools to manipulate the game in their favor and it is the most unacceptable action in the gamers' community. No company wants its name in the headlines because of a tournament that got compromised and to be known as the game title where the winner was using illegitimate tools and bots.
Last, as with other industries, they need to protect their customers against account takeovers, password cracking and other ways to steal players' credentials and in-game purchases.
When moving games to the public cloud, what should game companies keep in mind about security?
Although the popular conception is that public cloud vendors provide all-around DDoS protection, this is not true. Public cloud vendors will first protect their own infrastructure and only then will protect their customers. Radware has seen several cases where public cloud vendors dropped their customer traffic without even notifying them just to protect their own infrastructure. Also, layer 7 DDoS, session-based, and east-west attacks are left overlooked and cannot be mitigated using the vendor's protections, exposing the game to different kinds of attack vectors.
Public cloud vendors also lack the security expertise required to protect against sophisticated attacks and they do not provide deep analysis and forensics of the network performance when it comes to cyber-attacks.
Lastly, and a very important hazard to bear in mind: unlike other services and applications that run on the public cloud, online games cannot auto-scale due to their unique multi-dimensional architecture, so they do not have the privilege of absorbing attacks and compensating for them with more computing power.
With the holidays approaching and the release of some big titles, what should we expect?
Since the onset of the pandemic, the DDoS landscape has exploded. Hackers and cybercriminals know what's at stake and are willing to invest more to cause real damage, or at least to use fear tactics so that companies pay the ransom. One can imagine what will happen if a title is soon to be released and the CISO gets a ransom email the day before. As the US claims, “we do not negotiate with terrorists.” The same should be applied with ransom emails. In most cases, they will just try to scare the security team with no real repercussions, and in the other cases where they can launch a massive attack, paying the ransom won't mean avoiding the threat, just postponing it (and losing some money on the way). The best advice is to consult with leading security firms immediately when these types of emails arrive so they will advise on the next steps and how to mitigate the potential threat.
How can game companies protect their online operations and players from sophisticated DDoS cyberattacks?
First, each gaming company needs to map their security posture in order to discover all possible access points. Unused ports and access points should be disabled at all times. Some of Radware’s gaming customers had not known they were attacked from unused access points, which led to slower remediation and a great waste of time.
Second, gaming companies need to understand and calculate their needed expected bandwidth so they will know what size of protection tools they need to put in place. There is no need for protections that are larger than the actual network bandwidth and it is better to have the most suitable protection in order to have the budget for other security solutions.
Lastly, companies need to have their own risk assessment to understand how much capital they should invest in protection solutions. Companies with successful titles should go above and beyond to protect them as they don't want to impact their brand name and risk a potential loss of income because of an attack. Only then should gaming companies start looking for DDoS protections.
When gaming companies are on the hunt for those gaming protections, Radware suggests considering DDoS protection that can detect attacks and mitigate them while allowing legitimate users access to their desired resources, and not just settling for rate-limiting technologies. This of course is tested best in labs through POCs. Companies need to choose the proper solution that guarantees the lowest false positive rate possible – it will give their customers the gaming experience they are looking for, even when under DDoS attack. DDoS protection solutions shouldn’t mitigate only volumetric layer 3/4 attacks but also encrypted and layer 7 attacks that in many scenarios can cause major damage.
What is unique about Radware's multi-dimensional DDoS detection and protection offering?
Radware knows how to mitigate attacks specific to each of the title's architecture dimensions, whether the game server & infrastructure, the lobby, or in the game itself. Our behavioral technology can accurately identify attack traffic and mitigate it without impacting legitimate users, the game performance and the gaming experience. Radware’s recent gaming-focused protections were a result of a long R&D process with the biggest gaming companies in the world, so we have a wide understanding of their pain points and vulnerabilities. Therefore, we know how to protect them and how hackers think. We are happy to extend our gaming protections both for public cloud and legacy data centers so every type of customer can enjoy DDoS peace of mind.