From the title (which is total clickbait, sorry not sorry!) it might sound like the Auth team at Click Travel spent the day slacking off. I can assure you that is not the case and in fact we just participated in a ‘GameDay’. It has nothing to do with Playstations or Minecraft, in fact we used it as a tool to validate some of our platform’s existing security and to see if we had any new areas of risk.
First things first, who are the Auth team at Click Travel? We are a small product engineering group whose mission is to: “Enable the Product Engineering department to seamlessly authenticate and authorise users on the platform by providing robust access control services”.
About GameDays
They are used throughout the tech industry as a tool of chaos programing to help engineering teams confirm that they are delivering resilient software. It is essentially time that you set aside in order to consider areas of risk within your system and attempt to break them to see whether it is possible and if it is, then at what threshold.
For example, you could use a GameDay to test all the strategic actions that have been implemented from the last [x] incidents, to make sure those actions would have actually stopped the same incident from happening again under similar conditions.
We love this article on a GameDays from Gremlin, head over there if you want a little more info:
https://www.gremlin.com/community/tutorials/how-to-run-a-gameday/
Our approach to the day
The Auth team wanted to take a slightly different slant on the GameDay in order to keep it more valuable to our own goals. So with this in mind we decided to change the focus of the day from strictly resilience to more of a self hack/penetration test but with a totally white-box approach. This way we could use knowledge of our services in conjunction with the industry wide security standards, such as OWASP Top 10, to make sure our platform held up under very targeted attacks.
We broke the day down into two parts which we split over one week:
- Decision on chosen targets and deep analysis of those targets.
- The actual gaming and analysis of the findings
So we planned
We took an afternoon and all got together to discuss our ideas. We used Miro (a collaborative whiteboarding platform) extensively throughout these days in order to enable visual collaboration whilst being part of a remote team.
We all presented our ideas on what we thought would be a good area to test and used a mind map to dig deeper into the expected results and value. We tried hard to time box all actions and discussions over the allotted prep days so that we could keep to the time given to us for this task. We all agreed on what should be tested and divided the targets amongst ourselves.
And we gamed
Our targets were decided so we scheduled the second part of the GameDay later that week giving us soak time on how best to hack our chosen areas. As we work in an Agile way, we allowed thinking time for GameDay during the week’s focus to ensure we could maximise the value out of the actual gaming time, whilst still delivering on other weekly objectives.
I also created a test case document that we could use to collect the results uniformly. We jumped on a group call using Zoom, with all of us having a vague plan of our individual approaches, and set the timer for two hours to get it done.
Once again Miro was used as a collaboration space so that we could visualize what the others were doing. Being on a video call helped the team share something interesting or reach out for guidance if needed. The two hours went extremely fast but we all kept focused, determined to have valuable results at the end.
We analysed
The gaming was done and results had been captured. We spent another hour and a bit going over them, sharing what we had found and critiquing our own approaches to help with the evaluation of the day. This was a bit like an incident debrief — we talked through what we found and the actions generated were given a severity rating and sub-classed as immediate or strategic. The main point was to capture everything in one place, so we could refer back to it at any point and understand what decisions we made.
Evaluation of the day
We found that this GameDay complimented our existing penetration testing process nicely. The day itself brought the Auth team together on a fun and proactive project that enabled knowledge sharing and bolstered our mindsets as security professionals.
All of the collaboration aspects worked very well but we might change it to do the actual Gaming as more of a group activity so that we can all see what is going on as it happens.
Overall, we felt it was a successful exercise and we look forward to the next one!
Could you do one?
The benefit the team saw from this outweighed the time we put aside for carrying it out. Based on that I would urge any team that found hearing about this with interest to give it a go yourself.
Top comments (1)
Great, I've never heard of GameDay. But that sounds interesting.
Is it only security related? Is it a red teaming day (basically)? Or does it go further than that?
I don't know if I can go to that in my company but that sounds definitely interesting.