
The Seven Sins Of Attackers

BSides Lancashire, 31:22, published 2024-06
Style: Keynote

Transcript [en]

Yeah, so good morning everyone, I'm absolutely delighted to be with you all today. So my day job, in essence, is Chief Security Advisor at Microsoft. So what is one of those? My role, in essence, is to work with Microsoft's largest enterprise customers across Europe, so CISO, CIO, CTO, multi-sector, multi-country, really understanding what, in essence, is keeping them up at night. But I'm not here to talk about my day job, I'm not here to talk about Microsoft. What I am here to talk about, doing a little bit of a shameless plug, is my new book, Understand the Cyber Attacker Mindset, which was released at the beginning of March and has already gone number one Amazon bestseller in computer security.

I'm going to talk a little bit about one part of that book in particular, but first and foremost give you a little bit of why I decided to write this book in the first place and what the motivation is behind it. So, in essence, a lot of the time in cyber security we talk about the technology. That's really weird, someone from Microsoft sitting up here and we're talking about technology. Actually, what we don't necessarily talk about is the humans behind the cyber attacks, what they're doing and why they're doing it, in essence. And so this, in essence, is what my book is all around: it's actually thinking about those attackers, what they do, why they do it, and how do we counteract the human adversary in particular.

Now, as part of the book I have interviewed ex-criminals, academics, law enforcement. One of those people that I initially interviewed is Tony Sales. So Tony has been given the name by The Daily Mail, that reputable media outlet, of Britain's biggest fraudster. That was a title that he had for a very long time, but since then he's actually set up We Fight Fraud, and Dr Nicola, thank you, is actually senior there. So if you want to talk about We Fight Fraud and their role and what they do, Nicola is a great advocate.

But in essence, when I was talking to Tony a couple of things really stood out for me. He used to do his fraud in person, and he said, in essence, you have to have some confidence, let's be honest, some real balls, to do a fraud right in front of somebody, in front of their face. And what he said to me is: I'm trying to get you to do two things, I'm either trying to get you to love me or hate me, and they're either going to be blinded by love or paralysed by fear. And that really set me on this track to really understand our deepest emotions, and particularly, from an attacker's perspective, how they utilise them.

The reason why I've called it the seven sins of attackers is it's really emulating the cardinal sins, if you like, the deadly sins of the Roman Catholic church. And the theory is, if we go back hundreds of years, these are the deepest sins which lead you into temptation, and you're going to be damned, in essence, if you don't change your ways. But the opposite of the deadly sins were the heavenly virtues, so they were meant to act as a counterbalance, in essence. But actually what I'm going to talk about is the extremes of both of these, because actually, as an attacker or a victim, you can feel the same level of emotion, and you can utilise it with positivity or negativity depending on where you're coming from.

So I want to really start off initially... this is not working... there we go. So I really want to start with greed. There's a misconception in particular that most cyber attackers are financially motivated, and I think that is the case to begin with. This is even what Tony Sales was really talking about, for him and his background and really where he wanted to come to: he was motivated by money and making as much money as possible. He didn't really care, didn't really think about the victim in particular, it was all about how do I make as much money as possible. You can really think about, when we think about ransomware operators, business email compromise, a lot of those things are centred on that greed, in essence.

But the opposite of greed is charity, and in essence it's thinking about giving as much money away as possible. Now, the extreme level of charity is you just keep giving and giving and giving until you've got nothing left to give, and attackers also take advantage of this as well, in particular with regard to the fact that: I know that you're going to keep giving no matter what I ask for, no matter what I want you to do, even if you've got nothing left to give, I'm still going to do it, because this is how motivated I am. It's a really interesting area. One of the people in the book that I interviewed is our lead investigator at the Microsoft Digital Crimes Unit, and they really talk about the Nigerian prince: like, how do people fall for these things, it's just so ridiculous? But actually the whole point of the email is to weed out everyone but the most gullible. And the interesting thing, even when it says I promise you multi-billions of dollars, you're just giving me your bank account, you're just letting me do these things, these people actually are not motivated by the money. What they're motivated by is the theory that they're actually helping somebody. So they kind of ignore the money, they just turn to the actual story, the plea behind it, and they really believe that plea is genuine, and that's why they're willing to help and that's why they're willing to start small. But once they hook that person in they get them for more and more and more, and that in essence is one of the key theories behind it.

So the next is gluttony, and this really is about greed in particular: we get the taste of the finer things in life. And there's another thing that Tony said as well: I wanted more, I wanted more money and I wanted the status that goes with it, and the more status I have the more power I have. The problem is, when you're so obsessed with that need to have material things and that need for power, you will do anything possible to get it. Now, one of the groups I talk about in the book is FIN7, and I'm not going to talk too much about that because our next speaker is actually going to talk about them in particular. But FIN7 are regarded as one of the most prolific organised crime gangs in history from a cyber perspective, having probably amassed about billions of dollars. So not only do they make money, they invest that money on the stock market as well, and they keep changing their aim, changing what they're doing. The problem is, when you have so much need, so much greed, so much gluttony, this is where they start to make mistakes in particular.

So the opposite of gluttony is temperance, and this in essence is having that level of self-control, even with the things that you want, to whatever degree. If we take that to the nth degree, it's really stopping your access to every single material thing, and you can think about the dangers of that and how much self-control you actually have. And if I know how to tweak the button and get you to do something the right way... a lot of the people that start with gluttony and end up in temperance end up with gambling debt; they go from one extreme to the other, and we probably have depression built into that as well, and again that is how the attackers take advantage of that.

Now the next area is really about pride. This is where we find a lot of the cyber attackers sitting: they want the kudos, they want the notoriety. So one of the groups I speak about in particular is Lapsus$, mostly British teenagers, in essence, who caused absolute havoc, absolute mayhem, and one of the cyber security researchers even went so far as calling them Rookie of the Year. And so the other person that I interviewed as well is an ex-member of Anonymous, and they said: I am not financially motivated, what I am motivated by is this need for social justice, and I'm willing to go as far as it takes. And I interviewed Lauri Love, who basically fought the US Department of Justice's call for extradition, and one of the things that he talks about in particular is he has this balance between extreme arrogance and extreme humility: I absolutely have the right to do this, I can go in, I can deface government departments, I can take them down, I can get access to data; I'm not selling the data, I will leak that data, I'll do everything I think I need to do in the name of justice, whoever I think I'm speaking up for.

The problem we have there is going too far, going too far to make that name and keep that name, which in particular takes you down a different path. So the opposite of that is humility: it's that real ability to hone it in and not feel the need to shout from the highest rooftop, look at me, look what I can do. The challenge of humility though, in particular, is if you have that social justice you're so fixated on a specific topic against all other topics, and you'll follow that to the nth degree, and you'll believe people, you want to follow them, and you really buy into this group. So we think about the level of disinformation and the level of propaganda that we're seeing right now; you can see that if you have that extreme level of humility, that absolute need to believe in good, you can see how someone else can take advantage of that. They take you on this path, once you're on the path you can't get off the path, and you're more and more absorbed into each of these issues in particular.

So the next one is about lust, which is not the same as love. This in essence is where you're trying to control somebody at a really deep level. Now one of the other people I interviewed for my book is Dr Elizabeth Carter; she's a criminologist and also a forensic linguist, and what she's done is actually taken the language, in essence, that's utilised in romance scams. She looks at the WhatsApp messages, the timing of those messages, the emails, the timing of those, and what she basically says is the way they coerce people, the way they get people drawn in, in essence, is akin to domestic abuse. Because people call it out: why are you giving that person your money, why are you allowing that person to do that? It's exactly the same thing from the domestic violence perspective: why don't you leave that person, why do you allow them to treat you like that? She made a really interesting point: if you knew you were being manipulated, you wouldn't have been manipulated. That's kind of the whole point, and they really try and drag you down, drag you in. What she also identified was the fact that the attackers don't just act as one, they act as a group. In particular, when we think about some of those romance scams, they have playbooks and they're operating in shifts. So while you're getting messaged at 3:00 a.m., 4:00 a.m., answer the message, do this, don't do that, don't go there, who are you talking to, after that it's just a change of shift over there, they're just going about their normal day. The problem is, as she identified, they actually pick up the playbook in the wrong place sometimes; they repeat the exact same message that that person's already received, and that's when it clicks for them that maybe something isn't quite right.

So the opposite of lust is chastity, and this is abstaining from everything, and you see the danger of this as well. So imagine that you've been scammed, someone has treated you badly: that's it, I'm not going into any more relationships at all, I no longer trust women, I no longer trust men, and I no longer want a relationship. And again this can be utilised by attackers as well, but also for that person in particular, because they have such a negative experience, this could actually lead them down a certain path as well. Maybe they're looking for revenge, maybe they're looking at how do I take this out on somebody else, and so this is an important thing to think about with regard to these emotions and how they can swing from one side to the other, and how easy it is to counterbalance some of these things.

Now envy, in particular, is an acute level of jealousy, and this is very interesting when we think about the fact of how many Westerners are actually victims of some of these attacks. Now you may have heard about pig butchering, a very unfortunate term, which is actually derived from China, which basically infers, in essence, that we are fat greedy pigs, and in essence what they're trying to do is fatten us up for slaughter, because you're so greedy you are ripe for investment scams in particular. Now we've probably all seen the things: invest a little bit of money, cryptocurrency, Bitcoin, a little bit more, and by the end of the week you've doubled or tripled your money. So as far as they're concerned, you deserve this because you're a fat greedy pig. It's terrible, but this in essence is how they see some of those people from the Western world: you've got so much money, I'll have a little bit of that, thank you very much.

So the opposite of envy is gratitude, which is really being thankful for what you have and the level of what you have, and you end up giving a little bit away here and there. This is very akin to charity, in essence, where you're grateful for what you have, I don't need any more, which also means you have a surplus as well. So you don't want that money, you don't need all those material things, but I certainly do, so if you're willing to give me some then I can take advantage of you as well. So you keep giving to me, and I keep pulling on you to give me more and more and more of the things you don't want but I certainly do. And again you can see how people can get taken advantage of as a result of just the fact that you show this little bit of gratitude, this little bit of I have enough myself, I'll just give you a little bit of that.

Now the next thing is wrath, in particular, and you can think about "hell hath no fury like a woman scorned", for example. This is taking it to the nth degree where you actually really hate somebody, or hate a group, just for the mere fact that they belong to that group; it's got nothing to do with that individual or what they stand for. And so one of the key areas that I look at in particular is nation state actors and strategic culture. So I actually interviewed somebody who's a wing commander in the military, and one of the things they talked about, again, is we see things from our Western lens. So we think about what Russia is doing in Ukraine, or we think about North Korea or some of those other big threat actors: does it make sense to us what they do and why they do it? Actually, if we flip the script, we understand their culture, we understand their background, and we understand why in particular they might just be gunning for the US or various other countries, it kind of makes sense. I think this is something to be very mindful about as well: when we see it from a different perspective, what they're doing, why they're doing it, and the way that they choose to do it, maybe we don't agree with it, but from their perspective it really does make sense. So I looked at the strategic culture of Russia and the strategic culture of North Korea. If you've read The Lazarus Heist by Geoff White, I actually interviewed him as well, so I wanted to get an insider view of North Korea in particular: extremely regimented, routine. And the interesting thing he talks about is cyber slaves, in essence, and these people that work in the North Korean military don't necessarily have a choice about what they're doing or why they're doing it. Part of the mentality is actually, if you work for the military, if you work for the cyber element of that, you're at the top of the pecking order. The challenge is that a lot of people in North Korea cannot use the internet, so if I'm going to start attacking all these different nations, how am I going to do that? They actually get sent to China, where they learn the internet in the free world, so to speak. So now you think: if you're getting sent to China and it's that bad in your country, just leave, why don't you just defect? And the North Korean government is wise to this, because: I'm keeping your family as a hostage just to make sure that you do come back, but if you do come back you're going to get a very good pat on the back for being a very good military citizen. So for the most part they actually do exactly what they're told, when they're told, and when they come back as well.

So the opposite of that, if you like, is patience. So you think about the fact that you're so laid back, nothing ever comes near me, I don't need to worry about anything, I'm cool, I have this right demeanour behind me, apart from when something actually is a crisis and I actually need you to do something, and you're just sat there going no, this doesn't worry me, I don't need to think about these things. And you can see you get more and more laid back, in essence, and this takes me to sloth.

Now people think sloth is laziness, and I'm going back to the original seven cardinal sins from Catholic days, and it did kind of imply a little bit of that, but actually what it really means in a modern era is such a level of apathy: I don't care anymore. So you think about the insider threat in particular, and you think about how many of those people have been downtrodden: I'm worried about my job, I've got all of these other things going on in my life, the company doesn't care about me, so why do I care about you? And so the insider threat is growing, and it's where the sloth actually means the apathy.

And the opposite of that in particular is diligence, where I go to the nth degree, where I'm so super focused on everything I'm doing and I follow the process, I do it to the letter. But you keep doing this time and time and time again, to the point where you just can't take it anymore. This is where you get to the point of: I told you so many times this process doesn't work, I'm trying to follow the right path but you're not listening, you're not doing all the things. And this is where you get the whistleblower, and this is where you get the super malicious user in particular, because that person absolutely understands all your processes; they might even work in IT, they might even work in security. Now one of the other stories I talk about in the book is Jack Teixeira, if you're aware of him, the disgraced US airman who basically took to Discord and various other social media, 21 years old, with full unfettered access to the deepest levels of US military intelligence. It's not just looking at what's going on in Ukraine, what's going on in China, all these things. He not only had complete apathy, but he was also a cyber expert, he was also an IT technician, and he was able to utilise that. He wanted all of these things almost combined, apart from the financial element, to basically show off in front of his friends: look what I've got, look what I can do, in essence. So it's something we have to be very mindful of in particular.

So where do we go from this? It's really about understanding the extreme levels of those emotions and being cognisant of how those emotions in particular can lead to a change in behaviour. So I really wanted to think about, whether you're an attacker or a victim, we're in this yin and yang, if you like, so any one of us at any point in time can feel some of these emotions. You're going through a stressful time, you get married, you get divorced, you have children, whatever the case, stuff's going on in your life at different points that can make you vulnerable, irrespective of who you are. What you choose to do next is up to you, whether you choose something positive or something negative, and then how do you actually show those emotions to the world in particular.

Actually, let me go back here, sorry, the clicker. Now the problem that we also find on the inside is when something goes wrong we look for someone to blame, a convenient scapegoat, in essence, and this tends to be someone who can't defend themselves very well. So the scapegoat is never anyone in power, never anyone with a lot of money, and never anyone in leadership, and there's a real reason for that, because the scapegoat in essence becomes the sacrificial lamb. And this is the kind of thing: well, we've dealt with the issue, we've dealt with the reason behind why we had the cyber attack, yeah, it was that person that clicked on the link, it was the intern, blame the SOC. So we blame everyone else apart from looking at ourselves and what we did wrong, and what the attacker did right. The problem is the scapegoat actually didn't change anything. So yes, we blame this person, we discipline them, we sue them, maybe we even try to convict them of a crime or something like that: did it actually make any difference whatsoever to the organisation? No. So actually we have to be very careful of scapegoating, victim blaming and various different things where we push it on to the other person in particular. The other thing is then really thinking... oh god, I went way too quick then, this thing is not my friend.

So this is really about the case, in essence, for human-centric security. It's about turning to people: how much do we talk about the technology, how much do we talk about the process? It's really about the people, because we really have to have a good hard look at ourselves and why we do something. If we're not doing it for people, what in essence is the point of this? So we need to think about the most critical and the most vulnerable people in our organisation. From the attacker's perspective, as the technology gets better and better at identifying anomalies, blocking things, doing all of these things, the attacker's perspective is: I'll just try a different method. Does it matter to me? This malware, phishing, ransomware, whatever exploit it is, as long as I can meet my objective I don't care. And so actually I'm going to go to the people, I'm going to socially manipulate them, I'm going to utilise them in particular, and that in essence is where we really need to put our effort in particular. The challenge I really get people to think about is: how well do you know your business, how well do you know your people? A good indicator is how many shadow processes there are. Now, you think about shadow IT, the fact that people can just nearly download stuff off the internet: I don't care about processes, I don't care about sanctioned technology, I have a need to do something and I'm going to do it. That in essence is what we're saying to people, and so the shadow process is the fact that most people are just trying to do their job, they're just trying to do it the best way they know how, but if I can find a workaround then so can an attacker, in essence, and that's the point that we need to think about. They're looking for the point of least resistance, and again, if I'm a super malicious user I know exactly what the process is and I know exactly how to get around it, I know how you're monitoring, I know what you're not monitoring, to the point, in particular, where we need to have a very, very good hard look at ourselves.

And how do we counteract the adversary, the human behind it? Well, the reality is you might never know who, you might never know why. What you can do is really think about those different types of attackers and why they might be motivated. So it doesn't matter: an opportunist, an activist, organised crime, a nation state actor, an insider, a lone wolf, they're all motivated in some way. But if I can get access to that data, dependent on who I am, what can I do with it? And so actually, as I think about all of those different things combined, I think about: what if? What if someone could get access, what could they do with it? So from that we then start prioritising what it is we need to do and how we're going to do it, and really thinking about that process in particular.

And the other thing we have to be really cognisant about as well is the people on the board. So again we have this impression that the most senior person knows everything, they're going to make the decision, they're going to make it right. Funny thing: they're human too, they feel exactly the same emotions. Attackers know this, so when we're in the middle of a ransomware case, they want it to be as public as possible, they want to put as much pressure on as possible, they might even give you a time window: if you don't answer me, don't do this, don't do that in 30 minutes, I'm going to start leaking data, I'm going to start doing various different things. And the problem is those people have not experienced a cyber attack, they've not experienced a major crisis, they are panicking, they feel the emotions, they feel the stress of all of these things combined in particular. So what we need to be able to do is help them visualise the worst case scenario. I'll give you a hint: I've never ever seen anybody go anywhere near the worst case scenario. Normally we do exercises; it's very nice, half a day, cup of tea, ransomware, we're fine, yeah, we've got backups, we'll put the backups back and we'll be back up tomorrow morning. But that is not the case at all whatsoever. So those people have never actually experienced the deep level of emotion that's going to hit them, and hit them hard, so this is where we really need to go to that level in particular. As a military term, if you like: train like you fight, fight like you train. And that is really understanding the most difficult decisions you're going to have to make, and the emotion that sits behind those decisions, how you're going to make decisions, and do we have enough information to make effective decisions? And then when you've gone through all of those, you stop second-guessing yourself, because if you've actually got the confidence, you've got all those things in place and you can actually do what's needed in particular.

So part of this is that transformational leadership: you can't just will it to be so. I want a better culture, we're going to do the right thing by our people, I'm just going to assume it's going to happen? No, we need to cascade it down, in essence, and really think about leading with empathy, and really have that level of psychological safety that comes with: I made a mistake, I really messed up, whatever the case may be, I'm really scared, I'm really worried about the consequences. So then you have to think about how you are helping them to overcome some of those emotions in particular. And where I really wanted to end is that reality: ultimately we are all humans, whether you're an attacker or a victim, but we are all accountable for our own feelings and our own emotions and how that manifests. So can we make that a positive experience or a negative experience? And ultimately people will make mistakes, and just because people do bad things doesn't mean they're fundamentally bad, and they can change. That's one of the things I wanted to reflect on in particular. Now I hope you found that interesting, apart from this thing not really working properly; who am I going to blame, who's the scapegoat? Only joking. So if you'd like a copy of my book, I am doing some book signings in the interactive village, which is just through the opposite side of the auditorium area, or whatever you call it out there. And so thank you very much and enjoy the rest of your day. I'll hand back.