
Hi everyone. My name is Chris Glanden. The title of this talk is Mind Game, and it's all about the psychology behind cyber: how perception gets shaped, how influence is used against us, and how we can flip those same techniques for defensive means.

Just a little bit about me real quick. Founder of Barcode Security. We're a firm that focuses primarily on cyber media production, and we also host some community live events as well. I've also been a consultant and adviser for about the past 10 years or so. I host the Barcode podcast and co-founded the Cyber Circus Network. Also part of the turn crew. Is the turn crew in the house? Where's the turn crew?

>> I see you. So the turn crew is a friend group that we developed at DEF CON this year, and so I printed these awesome massive 3D-printed medallions that we wear to our local events, in case you're wondering. I'm also an indie filmmaker. Hopefully you'll stick around after this session to see the I Am Machine screening. And there's my information on the right, but obviously I'm not really hard to find.

So what is mentalism? Mentalism is the art of understanding, predicting and influencing thought. It's often classified as a subcategory of magic, and yet it shifts away from traditional illusion by focusing not on the sleight of hand but on the sleight of mind. It reveals how easily perception can be shaped and how awareness can break the spell. Mentalism works by guiding attention, framing information and also steering assumptions. The techniques used are so seamless that they often bypass conscious awareness entirely. Although, once we do recognize those techniques, the influence factor disappears and the illusion loses its mystique once we are able to sense it. On stage it entertains; in cyber security it manipulates.

So if you think of an illusionist performing on stage, possibly revealing a word or a sentence or something that a volunteer from the audience is thinking of, or making an impossible prediction come true. On stage it may look supernatural, but it's purely psychological. And those same techniques used to pull those psychological levers, although used differently, are exactly what cyber attackers rely on, the main objective being to coerce people into actions that they never intended to take. If you think about phishing, social engineering, brand impersonation, all of these are mentalism in a digital form factor. And once we understand mentalism, we can start using its principles defensively.

The adversarial mindset. So now that we know what mentalism is, let's take a look at how it translates in cyber security and our realm. Every exploit begins in the human mind. Whether it's clicking on a phishing link that you think is real, or a coding misconfiguration, it's almost always triggered by perception, pressure, or persuasion. It's what we call the human attack surface. Attackers weaponize attention, bias, and trust. So in a way, attackers are themselves illusionists. They know how to capture your attention and alter or gain your trust before you ever notice. They understand how our brain is wired to fill in the voids that we notice, and also our need or our craving for speed. Those are naturally embedded attributes that we all have, so they aim to exploit it. If you think about those urgent emails or SMS messages that seem legit because they appear to validate some aspect of what you already know or expect, that's where they hook you.

Cognitive shortcuts shape decisions. There was a gentleman by the name of Daniel Kahneman who you may have heard of. He's a psychologist and Nobel Prize winner who's also known for his research on how people make decisions. This isn't in the slide deck, but I think it's important to mention. He introduced the idea of our brains using two separate systems, System 1 and System 2. System 1 is fast, it's instinctive, it's emotional, and it helps us react quickly, but it often relies on shortcuts, and that makes us easy to trick. System 2 is slower. It's more deliberate. It's more calculated and logical, and it's what we use when we stop and think about something carefully. So when we talk about cognitive shortcuts, we're referring to the moments when System 1 hijacks the decision before System 2 ever gets a chance to process it.

Here are some examples of cognitive shortcuts. Anchoring. Anchoring happens when the first piece of information that we see or hear becomes our reference point, even if it's irrelevant. So you get an email saying your invoice for $4,900 is overdue. Even if you weren't expecting an invoice, that number anchors your attention. Attackers know the first detail you see or hear often becomes truth by default in your own mind, and it's commonly seen in phishing or social engineering attacks or even scam-type websites.

Urgency, the scarcity effect. This is essentially acting quickly when time or resources feel limited, like you're up against the clock. "This special offer expires in 10 minutes" or "update your payment info immediately to avoid suspension." We've all seen that before.

Confirmation bias. Confirmation bias refers to our tendency to notice and trust information that matches what we already believe, not because it's accurate, but because it feels familiar. An example here would be you getting a security alert in an email that uses the same logo or the same verbiage that your company website uses or their social media page uses, but because it fits the pattern that you expect, you instinctively accept that it's real. And in moments like that, it's not only deception that gets us, it's also the need for validation and overconfidence.

Overconfidence bias makes us overestimate our ability to detect deception or control outcomes. "I'd never fall for a phishing email or a social engineering attack because I work in security." We've all heard that, and that type of mindset, that type of belief, often limits visibility or it causes blindness. So I think we're all susceptible in our own way. We all have that lever that, if pulled, we become a victim. If you have a moment, check out the research from IARPA's ReSCIND program, if you've heard of that. It's a program that determined that attackers themselves suffer from this too. They become overconfident once they think they've beaten the system, and that's a weakness I think defenders can certainly exploit.

Offensive mentalism: the attacker's playbook. Now that we know how biases shape decisions, let's take a look at how attackers weaponize those same principles and turn them into their own playbooks.

Reconnaissance. We've all heard this term before, and every illusion is somewhat the same, beginning with observation. Mentalists call it cold reading: watching posture, micro-reactions, how focused you appear to be, your tonality. And attackers do the same thing, using OSINT techniques, for example studying LinkedIn profiles, dissecting social media posts or sifting through dark web breach data. With that, they are able to essentially build psychological blueprints of their targets before the first strike occurs.

Pretexting. In other words, narrative control. It's the story that makes the impossible seem normal. Mentalists can frame a situation however they want, so the audience wants to comply. Attackers craft believable scripts or runbooks, such as a vendor audit, a travel invoice, an urgent help desk reset, a missed package delivery. So the trick here isn't based on technology at all. It's more around the storytelling itself, including trust, reciprocity, commitment and consistency, social proof, authority, liking, and scarcity. Robert Cialdini is the author of the 1984 book Influence: The Psychology of Persuasion, and he called these persuasion levers. Each lever bypasses logic by appealing to instinct. So when you hear the statement "your CFO needs this ASAP," 99% of the time that you hear that, it's purely just stage direction.

Bias triggers: anchoring, urgency, confirmation, overconfidence. Adversaries depend on the same shortcuts that we just discussed in the last slide, but for offensive mentalism.

I want to mention choice framing for a second. Choice framing is described as the art of shaping how decisions are presented so that a target's free choice predictably leans toward a specific outcome, all while they believe they acted independently. It's used everywhere: magic, marketing, sales, negotiation, and yes, social engineering as well. So for example, I'm going to play a video here. It's a demonstration of a concept called number forcing, using a trick called Toxic Force. What it does is it sort of alters the perception to make a decision feel free, although the answer is actually fixed. So let's see if this works.
>> Open up the phone, go to the calculator, and you're going to type in whatever numbers you want to force on somebody. So let's say one of your friends has got a birthday. Let's say it's the 25th of the 11th. Say it was 1995. Let's say that was their birthday, the 25th of the 11th, 1995. You're going to force this number on the subject. Can you see that clear enough? We're going to type it in, press the plus sign. Now you can shut down your phone. Turn the app off. At any point you can go back to the phone. Right. I'm just gonna... I want you to give me some random numbers. Some numbers so random you don't even know what the... So they give you any set of numbers. Let's say they give you a date. Say 2010, a memorable date. I'm going to press the times. How much money you got in your pocket? 25, times, 369. How much change? 73. How many digit number? Right. When you press equals, it will be the 25th of the 11th from 1995. The number that comes up. That's the way the app works. You just got to type in a number. Press the plus, 0, times, 0. There's your phone number. When you go back to it, no matter what sequence of numbers are put in, you press times each time. When you press equals it will always equal your predetermined number. That's how it works.

>> See, I can't play that trick tonight on anybody at the bar because now you know how it works. But obviously it's not magic at all. It's decision architecture, and it's constructing those choices so the target feels in control even when the outcome is predetermined. There was a comment on this video that said, "Okay, well, if I know how a calculator works, I'll start to see the sum after every button pressed." And there actually is a way to fix that by pulling down the scientific calculator and doing it that way, but that was just too long for this demo. Nonetheless, I thought it was very interesting.

All right. Defensive mentalism: read the intent. We've all heard or seen how easy it is to be influenced, but the same psychology that attackers use to manipulate can help defenders detect. And this is an area we don't typically talk about too much when we talk about mentalism or illusion; we're normally talking about the offensive side.

Apply perceptional awareness. Our brains are built for pattern recognition, which means the fastest way to spot deception is to look for pattern breaks. Maybe the sender's tone suddenly changes or their usual sign-off is missing, or they're texting or calling you at 10 a.m. or 10 p.m. when they never do, or 10 a.m. when they know you're sleeping, whatever. Those micro-anomalies are early indicators of manipulation.

Influence auditing. This is more like a self-check. When a message hits your inbox, don't ask, "Is this legitimate?" Instead, ask yourself, "What is this trying to make me feel?" Authority, urgency, curiosity, and fear: these are the four primary persuasion levers that attackers use. If you can identify the lever, then you can neutralize the pull. There's a very well-known behavioral expert named Chase Hughes. If you're on TikTok late at night doomscrolling, you've probably seen him. Check him out when you can. Some people believe him, some people don't, but he basically calls this building self-influence immunity. He points out that awareness of your own psychological triggers is the first defense against manipulation, because whatever you're unaware of tends to control you.

Pattern recognition. In security, intuition gets dismissed as gut feeling, but it's really just pattern recognition in disguise. The more familiar you become with how social engineering looks and feels, the faster your brain is trained to flag those patterns subconsciously. That's why crisis exercises, tabletop exercises, phishing simulations, if they're properly administered, work; they're designed to sort of train that instinct, or at least that's what the goal is.

Pause before responding. Pulling off an illusion of any type relies heavily on speed, and attackers rely on automatic System 1 type reactions. A deliberate pause of even two seconds shifts control to logical thinking. Use that pause to verify the source, check for anchors or inconsistencies, and ask a simple clarifying question or call the sender directly. So make it procedural: pause, verify, respond. And that tiny habit is your cognitive circuit breaker. It breaks the illusion and buys you more time to act correctly.

So we've all seen manipulation techniques used across countless attack vectors, and now deepfakes are pushing that manipulation even further, increasing our overall susceptibility, and it also makes detection mechanisms much more difficult to design as well. But take a quick listen to this example, which is, let's just say, something that you may receive via a voicemail.
>> Unfortunately, we're short on cash and payroll is... move exactly $11,750 to vendor 5421 now using the transfer link I just... due to the nature of the vendor relat... As you know, they are a high priority partner and we don't want to sacrifice that in any way. So if you run into any issues, call me on my cell right away.

>> So yes, that definitely sounds robotic to us. But the point of this was, using ElevenLabs. If you haven't used ElevenLabs, check it out. You only need about 30 seconds of someone's voice to make it somewhat believable to someone that isn't knowing what's coming. I still think it's free too, if you want to try it. But the point is, the tech is scalable and affordable at this point in time, and anyone can really put together a synthetic voice deepfake when needed.

But after hearing that, and now understanding the influential triggers, we all have to kind of identify what our own vulnerabilities are. So mine is time pressure. For others it could be authority. It could be ego. So the attackers probe at those weak spots with urgency or flattery. So when you think about it, recognizing your own bias is like finding open ports before someone else does.
Sorry, we're going to skip through this one. Oppositional human factors. This concept is focused on designing environments that exploit an attacker's psychology, and it's a concept validated with IARPA and IEEE research.

Create intentional friction. So instead of making systems smoother for users, we make them slightly rougher for the attackers. Imagine extra verification steps, misleading file names, decoy data trails. Friction forces an adversary to stop and think, and when they think, they slow down.

Exploit attacker biases. Attackers are human too. Well, most of them are. They suffer from curiosity bias, overconfidence, impatience, everything that we do as well. They'll chase shiny targets or skip checks when they should, which leads to assuming victory too early. And we can use those biases to our advantage and make traps irresistible for them.

Psychological chutes. This is interesting. So think of psychological chutes as funhouse mirrors. The attacker sees progress as it's continuing to move about, but everything is an illusion. So you have false endpoints that look valuable. Honeypots, deception techniques, they all lead to some sort of intel telemetry. Planting fake APIs that just waste recon time. Each one of those techniques drains attacker momentum while also allowing you to trace their movement.

Adversary-centered design. So this isn't just my theory. IARPA's research noted within their recent program, which I mentioned earlier, that cognitive friction measurably alters an attacker's behavior. It's adversary-centered design, meaning that if you understand how attackers think, you can then design against it.

Lastly, smoke and mirrors done right. So this is essentially deploying those psychological chutes that I mentioned as defensive deception. Use deception as a tool. When implemented right, it's invisible to end users but magnetic to adversaries. Decoys blend into real environments. The illusion draws attackers in and the system learns from their behavior. We touched on this in the last slide when we spoke about honeypots. And the goal is to exploit illusions in order to protect reality.

Defensive deception patterns. So let's just break down a few patterns. One is phantom file shares: decoy data that triggers an alert when probed or accessed. Backstage pass: planted fake credentials that trigger red flags when used. Identity doppelganger: lookalike accounts that only malicious actors enumerate. Hall of mirrors: false infrastructure that reflects an attacker's recon attempts. And breadcrumb trails, which are tempting links or file paths that lead intruders straight into telemetry traps. These are just a few techniques, I think, but if you look at it, they're all pretty much a controlled illusion or a psychological tripwire, if you will.

So in conclusion, I think the real takeaway here is just recognizing that our own minds are endlessly exploitable.
In fact, I think the human mind is probably the most exploitable system on the planet, and I think attackers know that as well. So understand the illusion, master perception, defend reality. Again, we're all susceptible. We all have our mental levers that can be pulled, but strengthening our awareness weakens our vulnerability. Remember that attackers don't have to breach your network. They only have to reroute your thinking. And that's all I got. Thank you.
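The deception patterns the talk lists (phantom file shares, backstage-pass credentials, hall-of-mirrors infrastructure) all reduce to one detection rule: a planted decoy has no legitimate use, so any sighting of it in telemetry is a high-fidelity alert. The following is an added example written for this transcript, not code from the speaker or from any program he cites; the decoy names, the log format and the sample log lines are all constructed for the illustration.

```python
"""Honeytoken sighting detector for the deception patterns described above.

Every decoy identifier and every log line here is constructed for this
example; nothing comes from the talk or from a real environment.
"""
import re
from dataclasses import dataclass

# Planted decoys. Each exists only to be touched, so legitimate use is zero.
DECOY_ACCOUNTS = {"svc_backup_legacy", "finance-admin2"}        # "backstage pass"
DECOY_PATHS = {r"\\fs01\Finance_Archive\payroll_2019.xlsx"}      # "phantom file share"
DECOY_HOSTS = {"vault-api.corp.example"}                         # "hall of mirrors" / fake API

# Constructed log format: "<timestamp> <source> <event> key=value key2="quoted value" ..."
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<event>\S+) (?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


@dataclass(frozen=True)
class Alert:
    ts: str
    pattern: str    # which deception pattern fired
    indicator: str  # the decoy that was touched
    actor: str      # source IP if present, otherwise the account


def parse_kv(rest: str) -> dict:
    """Split 'k=v k2="v with spaces"' into a dict of string values."""
    out = {}
    for m in KV_RE.finditer(rest):
        out[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return out


def detect(lines):
    """Return one Alert per decoy touched, in log order. Real assets never match."""
    alerts = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than guess
        kv = parse_kv(m.group("rest"))
        actor = kv.get("src_ip") or kv.get("user", "unknown")
        if kv.get("user") in DECOY_ACCOUNTS:
            alerts.append(Alert(m.group("ts"), "backstage pass", kv["user"], actor))
        if kv.get("path") in DECOY_PATHS:
            alerts.append(Alert(m.group("ts"), "phantom file share", kv["path"], actor))
        if kv.get("host") in DECOY_HOSTS:
            alerts.append(Alert(m.group("ts"), "hall of mirrors", kv["host"], actor))
    return alerts


# Constructed sample: two lines of ordinary activity, then three decoy touches.
SAMPLE_LOGS = [
    r'2024-05-01T09:12:03Z dc01 logon user=jsmith src_ip=10.0.4.21 result=success',
    r'2024-05-01T09:13:44Z fs01 file_read user=jsmith path="\\fs01\Finance\q1_report.xlsx"',
    r'2024-05-01T22:41:09Z dc01 logon user=svc_backup_legacy src_ip=10.0.9.77 result=success',
    r'2024-05-01T22:42:30Z fs01 file_read user=svc_backup_legacy path="\\fs01\Finance_Archive\payroll_2019.xlsx"',
    r'2024-05-01T22:45:12Z proxy dns_query user=svc_backup_legacy host=vault-api.corp.example src_ip=10.0.9.77',
]

if __name__ == "__main__":
    for a in detect(SAMPLE_LOGS):
        print(f"{a.ts} [{a.pattern}] {a.indicator} touched by {a.actor}")
```

Because the decoy account is itself a honeytoken, every action it takes re-fires the backstage-pass alert, which is what gives the defender the movement trail the talk describes.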
Here's all the references, too. I couldn't get them on each slide, but if you want to take a snapshot of that, or I can send it to you. There's some really cool research that I found throughout this. So I know I finished early, so if anybody has any questions... If not... Yes.

>> So you talked about psychology, a lot of thinking. I guess my question is, is it time as an industry that we start considering things like mental health, mindfulness, fatigue that affect our decision-making process, and how being those two steps to be aware of our perceptions, be aware of our own biases... time starting into our industry as part of a solution to this?

>> Yes. How you go about that, I think that's the challenge, is trying to integrate that into, number one, corporate America, and number two, like... But I mean, if us as an industry and community-based events like this keep pushing that forward, I think that's a great place to start. But I completely agree with you.

>> Yeah. I started thinking about, like, how I would encourage corporate... explain...

>> Agreed.

>> I think it depends on the culture of the environment as well, whether they're accepting to discuss that. So...

>> Yes. Two things. I think one of the ways you could try to encourage that, at a minimum, is to encourage your executives to not communicate in a "right now."

>> It sounds...

>> Immediately.

>> Stop, stop the enabler from...

>> Yeah. My other question, oddly related: so I know that research is based on external attackers, so infiltrators to the network and how they operate within the network. Do you think the biases are any different for an insider? If so, how would it change?

>> I don't think... Yeah, I don't... I can't see it changing that much, because I think it's just a different attack vector. I think that it's the same mindset. I can't speak for everything. I think with insider threat there's different motives involved, but I think you definitely as an insider have an advantage for detection, I mean for not being detected. But I think the motive would be the same.

>> So they could still be susceptible to overconfidence.

>> Oh yes. Yep. I believe so.

>> Yep.

>> Yep.

>> Yeah. So you mentioned... how would you help defend your own mind against people who are trying to social engineer you or use psychology against you?

>> Can you repeat that again? Sorry.

>> So how would you defend against people who are using psychology against you?

>> So, I'm in security, so I would never get social engineered. Again, I think we all have our personal lever on what makes us susceptible. You're saying if I'm able to detect...

>> Like, how would anyone be able to strengthen their defenses?

>> I got you. So I think awareness is key, and just trying to be aware of those triggers. And I don't have the answer on how you embed that into a workforce. I wish I did. Through training, through education. But I think awareness is probably the first, and then again having that procedural, you know, stop, respond, think, and then move forward, and try to embed that into the workflows that you have. And then that along with, you know, technology. Obviously you got to follow that up with some sort of technology that could protect you.

>> Oh, ElevenLabs.

>> ElevenLabs.

>> Yeah, you got it. Well, thanks everyone. I appreciate it. Hope you enjoyed it.