
over to Connor Strickley with "Harnessing Critical Thinking to Your Advantage". Thank [Music] you.

Thanks, everyone. Um, so, genuine thank you to everyone coming out. I know there's heaps of stuff to be doing at BSides, and coming to see my talk, um, means a lot. Um, it's probably the least technical talk of the conference, so hopefully I'm giving you a little break, um, minds aren't absolutely melted by all the wizards that are around. Um, that being said, I know I'm between everyone and food, so, um, let's get into
it. So I couldn't write, uh, this without Charlie from It's Always Sunny in Philadelphia being front and center. Um, that's the face of an analyst trying to understand and correlate what's going on. Um, on that note, if anyone has figured out who Carol or Pepe Silvia are, let me know.

Um, so imagine a world as a... the digital world is a complex ecosystem where defenders, attackers and everyone in between are navigating a constantly shifting landscape. To thrive in this environment you need more than just technical skills; you need the ability to think and adapt. It's like having a mental toolkit that empowers you to analyze situations from multiple perspectives, question assumptions and make informed decisions under pressure. Whether you're a blue
team defending against attacks, a red team simulating threats, or anywhere else in the cyber realm, critical thinking is your key to success. It allows you to anticipate vulnerabilities, uncover hidden patterns and develop strategies. So if you're ready to gain an advantage in the ever-evolving world of cyber security, stick around. I'll go through some concepts which demonstrate how critical thinking can elevate your skills.

So who am I? I'm dad, DIY, breaker of things, and I can't say good, uh, no to a good beer Al and so barbecue. I'd like to point out, though, although this has a psychological and neuroscience twang to it, um, I've got no business talking on their behalf. They're way smarter than me.
Uh, but what do I know? I started my infosec career in telecommunications in various roles, including doing tech support for a large ISP. Uh, I thought it was a good idea to join the Defense Force in 2015, where signals intelligence was supposed to be cyber. Um, was not, unfortunately. Um, but I then managed to move into DFIR, uh, threat hunting and CTI. Um, since then I've moved into the private industry, uh, but still have chice needs to defense and government. Done a bunch of formal training, um, but some of them are listed there. Um, feel free to hit me up on LinkedIn, more than happy to have a chat about anything, um, cyber much.

So why this talk? Um, everybody lies.
We lie to ourselves every day without knowing it. Well, I could have written a talk about my current field on DNS and its applicability to the wider threat landscape, um, I took a step back and I realized a lot of my experiences come to critical thinking. Um, the way I've always approached something is: how do I solve this problem? That comes from an inquisitive mindset, digging deeper into what is asked as a low-order question, understand what the real questions are. So critical thinking, problem solving and informed decision-making can be applicable to almost every industry at every level. This goes from candidates I've interviewed for roles up to directors. A common question to
understand the needs and have some awareness of the problem is "why", which is often followed up by a "what if". Perhaps you've got a boss that's a tad excitable, sorry Matt, um, they jumped straight to a conclusion without examining all the evidence. Um, in an effective team, open and transparent communication can really save you. Through some of the techniques I'll talk about, the path to problem solving is reduced by taking a purpose-driven path rather than exploring every avenue. I'm sure everyone has spent plenty of time going down unnecessary rabbit holes, to reduce, um, so let's try to reduce that time.

So, my take on critical thinking. Uh, critical thinking skills don't come overnight, and in my experience it's not
very well to what I've spoken about, a low-order question, previously. Uh, schooling and education is full of the sorts of questions. For example, if I would ask anyone in this room what is phishing, um, pretty sure most of you would have a very similar answer. Um, but applying that to something like "how can organizations effectively combat the rising sophistication of phishing attacks, particularly those leveraging social engineering and AI?", that would require most people to take a step back and have a think.

To highlight, um, how that critical thinking can be applied to most roles, here are a few examples straight out of my life. Um, this one's kind of more towards the students out there and
people that are trying to dive into the industry. Um, so, business. Uh, 19-year-old me was thrown in the deep end as a restaurant manager at KFC, and I was told to make the restaurant more profitable. I had no experience, I'm a 19-year-old, um, but understanding the root cause was pivotal to making that work. Um, so how do we make more money out of this delicious but disgusting but delicious fried chicken sales?

I moved into customer retention for a telecommunications provider, where the goal is to retain 75% of people who called through to me. Understanding that people wanted to cancel, or why people wanted to cancel, was super important. Sure, a lot of the time it was price, um,
but what happens if I could bundle their whole family internet and energy bills into one? This would save them time, money and simplify their lives. Same thing goes for a general tech support, like, so many people just call up and want to cancel their service because they didn't have enough coverage or something along those lines. Making them understand what the core problem was was a key moment to keeping as many people on board as we could.

Then I talk about ISP tech support. Um, condolences to those who have been through this. Um, but every call of every day was solving some kind of problem. It's a great learning experience to identify a root cause of a problem
based on an initial hypothesis. How do I get this less-than-tech-savvy 70-year-old to give me the information I need to prove a fault? How can I do this with the least amount of disruption to them and their lives? While some people were happy running through the pre-baked scripts that we would give, um, I thought a real understanding of the core problem could drive efficiency, rather than going through a list of "have you turned it off and on again" style questions.

Then I moved on to intelligence. This is where I had some informal in formal training and it was an interesting experience. Ways of thinking in defense, um, is very much indoctrinated with a left and right of
arc. One day you would have a few hours to come up with, to a decision, um, other times you'd have a few minutes. So how do you make an assessment on multiple sources of intelligence to give an overarching strategic brief on any particular threat?

Then moving on into cyber. Moving on from the intelligence world into the cyber realm is very similar. Um, overwhelming amounts of information can be given. How do you know that alert that you just flagged as a false positive wasn't a true positive? Is the assessment you've made about a particular threat actor, or is it another threat actor using the same techniques to masquerade their actions? Or are there multiple threat actors, um, trying to achieve
different end goals?

So let's get into the system theory. Apologies, it's kind of dry, but I promise it will be at least somewhat relevant to some aspect of your life. So cognitive bias is what makes our lives easy day to day. It's about our life experiences and how we form rapid assessments on any particular situation. By making these assessments we're drawing on past experience in an attempt to predict the future. Unfortunately, in the infosec domain this is an automated process which our brain wants to take that can lead us to making an error in judgment. I personally believe that cognitive bias is one of the biggest hurdles to overcoming critical thinking. Without being aware of our bias we make
assumptions which may lead to errors in our judgment. This is, uh, for those working in a similar role, um, to ISPs, um, trying to break into the industry. But honestly it can be a bit of a drag, but the more you engage yourself the more you, uh, have a solid foot forward.

Um, so example straight out of, uh, it always fun, uh, let's imagine 80-year-old Henry, who calls up the support line. His internet is not working. All of the cables are plugged into his router and he's been sitting in his chair all morning, so he hasn't tampered with the device at all. There's no lights on the device and he just wants to play bingos with his friend on the iPad. We
want to help Henry as quickly as possible, so we have to come up with a few beliefs based on our assumptions. So we confirm in the background that we can't see any network traffic, uh, billing is all up to date, the account's active. No lights leads me to a hardware failure pretty much straight away, so let's just ship him out a new router and be done with it. Wrong. Um, while we have followed the standard operating procedure, we haven't identified the root cause. In this scenario there was a power outage in the suburb. He didn't know it would affect the internet on his iPad, he just wants to play bingo. Sure, most of us know that no power
would mean no internet, but perhaps we've uncovered a lacking question, uh, in a fault identification check, and now we can update this SOP. Um, from a career perspective this is really going to, uh, proactively put you above you [Music] pe

Uh, so let's dig a little bit deeper into the cognitive bias. Um, we would be here for hours or days if I listed out every individual bias, but they're broadly aligned into two categories. You've got your unconscious bias, um, uh, where am I up to, yeah, conscious bias, sorry. Conscious bias is the types of bias that we can be made aware of and that can be accessed and easy to change. Uh, unconscious bias on the other
hand can be difficult to be made aware of, making it much harder to change. I'll give some examples of both shortly. Um, of course some mitigations can be put in place. I think one of the easiest ones is just educating yourself on your own blind spots or potential bias, especially when, uh, which is included in your day-to-day role. Did you just get that alert in your SIEM because Carol typed a password in too many times again, or has a threat actor tried logging in using previous compromised credentials? Did you even look to notice that the IP address that was used was from a less-than-reputable ASN? What about the following log on from an AWS range
rather than Dodo internet, which is typical for this user?

And I spoke before about transparent dialogue, it's another really good one. Um, if people are feeling blamed or berated over their incorrect assessments, they're not going to speak up. As a manager of my team I try to keep discussions open where it's appropriate, and my team has pointed out flaws in my own thinking multiple times. Regardless of the outcome remains the same, having the perspective of someone else can make you say, "hey, yeah, fair point, I haven't thought of it that way". And this leads into seeking diverse perspectives. Each member of your team or any other of your peers will have a different, uh, perspective to you.
Allowing that transparent dialogue would give them confidence to speak freely. And lastly, um, structured decision-making frameworks. It's a tricky one. Uh, the concept of a decision-making framework such as the OODA loop or F3EAD can be helpful in many situations, but it's important to remain flexible to allow innovation. In the same way, a playbook or an SOP should be dynamic. Just because it worked in your last engagement doesn't mean it's going to work in your next one.

So, confirmation bias. In essence, confirmation bias is our tendency to favor information that confirms our existing beliefs or hypotheses while ignoring or discounting evidence that contradicts them. We all like to be right, and this bias can lead us to selectively
interpret information in a way that reinforces our own preconceptions. So how does that apply to cyber security? Imagine you're a security analyst investigating a potential breach. You might have a hunch about the source of the attack, and confirmation bias could lead you to focus on evidence that supports your while overlooking other possibilities. This could result in delayed or incomplete responses, allowing the attacker to further exploit the system. Similarly, uh, confirmation bias can affect how we evaluate security products or solutions. Might be more likely to trust a vendor whose marketing, uh, aligns more with our existing views, even if their product has flaws. Well, maybe we, uh, dismiss a new technology because it challenges our established
processes. Again, to confirm, uh, combat confirmation bias we need to cultivate a mindset of open-mindedness and critical thinking. We should actively seek out diverse perspectives, challenge our own assumptions and be willing to change our minds in the face of new evidence. Remember, in cyber security the stakes are high. We can't afford to let our own blind biases blind us to the truth.

Uh, anchoring bias. In simple terms, anchoring bias is our tendency to rely on the first piece of information that we receive. Uh, this initial information acts as an anchor, influencing subsequent judgments even if it's irrelevant or inaccurate. This bias can manifest in various ways. For example, if a security team's initial assessment of a new
threat that is low risk, they might be anchored to that perception even as new evidence suggests that it's a higher level of threat. This can lead to delayed or inadequate responses, leaving, uh, systems vulnerable. Similarly, during incident response an initial estimate of the damage caused by a breach could serve as an anchor, potentially underestimating the true extent of the compromise. And lastly, how many times have you found while doing a pen test that the first open service outside of the norm is definitely the, the right way in? I mean, that can take hours off of your time trying to get into something. Um, to mitigate this bias, again, um, it's vital to cultivate critical thinking and
challenge those initial assumptions. Every now and then take a step back and ask yourself why you're trying to do this, what is the end goal. Um, and again, encourage diverse perspectives within your team and actively search, uh, seek out alternative viewpoints. Remember, the first piece of information isn't always the most accurate. Remaining flexible and open to the new data is, uh, crucial for effective defense.

Uh, so in essence, availability bias is our tendency to overestimate the likelihood of events that are easily recalled or readily available in our memory. It's like judging the frequency of shark attacks based on recent news headlines even though they're quite rare, especially in CRA. In this industry this bias can lead
us to focus on threats that have been recently published or experienced while neglecting other potentially more dangerous risks. For example, a company recently suffered a breach by a publicly exposed web app become hyperfocused on preventing that in future while overlooking other vulnerabilities in other areas. Availability bias can influence our perception of solutions. We might be drawn to products that promise protection on high-profile threats even if they don't address our needs or vulnerabilities. Marketing could be really manipulating. To combat availability bias we need to cultivate a data-driven approach: regularly review threat intelligence, conduct risk assessments and prioritize security measures based on objective data rather than gut feelings or recent headlines. Remember, the most memorable threats
aren't always the most likely.

Um, reasoning. So reasoning uses logic and, uh, information and evidence to form conclusions or judgments. Two main types of reasoning, being inductive reasoning, which is a bottom-up approach, so it starts with specific observations like patterns in log files and then uses them to form general hypothesis or theories about the potential threat. Pattern recognition: identifying similarities between attacks, allowing us to categorize threats and develop proactive, uh, defenses. Then in threat hunting we're using past attack data and current trends to predict future attack methods and discover new vulnerabilities. Um, examples: um, heuristic-based detection uses rules and patterns to identify suspicious behavior even if it's not a known threat, and then we've
got machine learning, uh, which learns from large data sets, identifying anomalous and potential attacks without relying on predefined rules.

Uh, this is different to deductive reasoning, which is a top-down approach. Uh, it starts with a general principle or established knowledge, like a known attack vector or security framework, and applies them to specific situations to identify threats. We're talking more like signature-based detection, matching known, uh, attack signatures, and, uh, to detect and block specific threats. Then vulnerability assessment uses known vulnerabilities to identify weaknesses in a system and prioritize remediation. Um, examples of these, kind of antivirus software, firewall rules kind of thing.

Um, five whys. Um, I've said the word "why" a lot, so let's dive into, uh, the five
whys analysis. It's an iterative interrogative technique used to explore the cause-and-effect relationship of underlying particular problems. The five kind of derives its name from an anecdotal observation of the number of iterations needed to, uh, resolve the problem or understand the root cause. Um, though it might be more, it might be less, it really depends how deep you want to go. The primary goal of the technique is to determine that root cause, and just continuously asking why. Each question forms a basis of the next question. Yeah, this is pretty small, I thought it would be. Um, so I'll go through this word by word. Um, but a data breach, for example. Um, so why did the
data breach occur? Um, the initial answer would be an attacker exploited a vulnerability in our web app. Why was the vulnerability exploitable? It wasn't patched. Why was the vulnerability not patched? The patch was not applied due to a misconfiguration in our patch management system. Why was there a misconfiguration in the patch management system? The IT team responsible for patch management lacked sufficient training on the system. Why did they lack sufficient training? There's no formal training program in place for new technologies. So that's the five. I mean, you can go down to six and go say, hey, um, why wasn't there a formal training program? Um, perhaps it's budgetary, or perhaps it's just time limitation.

So, in summary, we made it, it's
nearly lunchtime. Um, the image you're seeing on the screen is my brain a lot of the time. Um, everyone has bias, so how are you going to identify these and combat them? The way our brains are wired manipulates how we think. Some of this we have control over, others we really need to work on and seek diverse perspectives. Often building our teams with diverse minds can attribute to these efficiencies. Your tools are going to lie to you. If you don't understand how they work, it's going to be really hard to justify your actions. Continue learning. Don't believe your tools, they're there to supplement your knowledge, they're not supposed to be the base. And human thought and critical thinking is
becoming more and more important, especially with rapid development of AI platforms. Asking "is this true?" or "why is this the right answer?" is essential to utilizing these platforms effectively. If any playing around with these and seven times out of 10 they're okay, but remember, you shouldn't be a direct consumer of these platforms. I'd need too many hands to count how often they've been wrong. For those applying for roles, uh, if you are using AI, please understand the output. It's super obvious when a hiring manager asks you an operational question and you can't answer it, you're just reciting whatever OpenAI has told you.

That's the end of my talk. Um, are any questions at all?
[Music] [Applause] [Music]
Sorry, just what you were touching on with the inductive and deductive reasoning, of the two options, which do you think is more computationally expensive?

Was that computationally expensive?

Human computation, like thinking-wise.

Yeah, um, let's say inductive reasoning, um, because then you're going to have to, like, consider your bias all the time as well. So if we're going through a bunch of logs, right, um, your previous experience is always going to, um, kind of point you in the direction of going down that specific path. Um, whereas deductive reasoning, um, it is what it is, essentially.

Has false positives though, right?

Sorry, yeah. Any other [Music]
questions?

Question, yeah. So was in teams, how do you remediate the cognitive bias and identify it?

Um, I guess it's about being open, right? If your teams aren't, um, aren't in a safe space, I suppose they're not going to speak up. Um, my boss over here, he's always, um, been really supportive of just saying what you think. Um, more people learn from it, right? And also you're not always going to be the smartest person in the room, um, and you're going to have your own flaws, so someone else pointing that out for you in that safe space is super important.
Just to build on that last question, if you've got someone who's resistant to identifying their own biases and clings to them, how do you resolve that?

That's a really good question. Um, it all comes down to the person, so, um, I guess that's more of a behavioral thing that you're going to have to address. Um, certain people are going to be super competitive when you say, hey, you're wrong, this is the right answer. Um, so it's about being around the bush and trying to let them understand what the correct answer is rather than pointing it out directly. Um, again, you can ask them a question back and say, hey, why do you think that's correct, have you considered
it this way, rather than just saying you're wrong, this is a correct answer. And again, you learn from
it.

Not a question: if you use the de Bono technique of six thinking hats, where each person is empowered to be, you know, um, for, against, there's different colored hats, black hats, red hats, that sort of thing, uh, that sort of makes, sets up a social setting where people are empowered to, um, be devil's advocate, that sort of thing. So if you want to learn about it just look it up on the web.

Thank you, thanks, appreciate that.

All right, well, thank you very much for that, and, uh, as a gift from BSides for making the conference what it is, um, here you go. Thank you very much you