
Thank you very much, and welcome to BSides London. Welcome to my talk, "Think about the Box". Um, so many people tell us to think outside the box, and I thought it would be interesting to think about the box itself and what the box is. In short: how are we thinking about stuff, and how could we change that to our advantage? Before I actually start, I'd like to ask a question to the audience to ponder while I'm talking: what would you do if there was a highly configurable, very hackable system just within your reach, and once hacked you could make way better decisions, and you would have a lot more to think about, and you would have a lot more
options? And no worries, all the other questions I'm going to ask during the talk, um, I'm going to answer myself. Like: why exactly this topic now? Within our industry, I think that behavioral patterns, knee-jerk reactions and ego are actually more damaging than the next zero-day or the next dump, uh, by the Shadow Brokers, or malware in general. So I thought it would be interesting to talk about that. And some of you will have maybe seen that slide, uh, "Your brain is lying to you". And when I say your brain is lying to you, I'm usually overexaggerating. What I mean is, your brain is not telling you all of the truth all of the time.
The reason for that is very simple: uh, all our senses can pick up way more information than our brains can handle. So bandwidth is limited, or, you could put it that way, reality is just DDoSing our brains. And the interesting question is what comes through, what makes it through to our conscious mind. So Dr. Leonard Orr in the '70s had this theory that whatever the Thinker thinks, the Prover proves. He has seen the brain as having two distinct halves, not the biological ones, but, um, one part of the brain that thinks about stuff and the other that tries to prove stuff. So the Thinker can think about really anything. Thinker can think itself sick, can think itself well, can think
we're living on a spherical planet, a flat Earth, inside a hollow planet, that this planet is circling around the Sun, that the Sun is circling around the planet. It literally can think about anything. And the Prover's job is so much simpler: it just tries to prove what the Thinker thinks. The problem with that is that we are getting very fixed in our thinking positions, because we constantly get reaffirmed, right? All the stuff that makes it into our conscious mind seems to reaffirm what we already know. So imagine this scene, uh, just to demonstrate it: if you were an ignorant Westerner like myself and needed to go to the loo very badly, then in this scene probably your brain would send a strong
visual signal of that sign saying "tourists and souvenir", or maybe if there was a restaurant nearby, that could be somewhere where I could pick up, um, where I could go to the loo as well. If I was hungry, my nose would pick up more smells, or it would seem like that, because that's the data that gets forwarded. So even the suspicious-looking sausages from the vendor, uh, at the corner might look tasty at that moment. And there's something that always takes precedence, and that is if we perceive danger. This is a very deep biological imprint. So whenever we think there's something threatening us, everything else we're just thinking about at the moment goes to the
background. So we could say that brains are filters with dynamic rules, which I think is pretty awesome. Um, our brains are juggling between what our body needs at the moment, what we're thinking about at the moment, and everything else. So it's really cool. The only thing is, if I want to know why I reacted to a certain situation in a certain way and do something about that, I would love to have an audit trail. So it might be, um, something like Splunk for the brain, but we don't have that yet. Uh, could be a good thing, I don't know. But on the other hand, we also don't have log files or anything for that, um, fixure
Splunk. So the question is, how do we get to the point where we actually can see why we reacted in a way, um, that really doesn't fit us, or why we thought certain things? And the answer to that is: you have to observe yourself at all times. So if you're hacking stuff, uh, you would do a black-box approach. You would just try to figure out what you're doing at the moment and just observe it. Observe your reactions, analyze them maybe, but don't judge them. And that is the only way where I can get a feeling for, uh, that dynamic firewall and whatever it did at that moment. But you are observing yourself, using yourself as a tool, in order to change
yourself, so there's a lot of recursion involved. And a pro tip: don't dive into madness, that makes it worse. And so the next thing, of course, is: now that we know that we want to change things, or that we just want to broaden our thinking, how do we do it? We need to disable a few of our defenses, and defend, um, disabling defenses is not as easy as we might think. So there's only a few people in the room, but I'd like to keep an open, you to keep an open mind, that you keep an open mind, actually, because I'm going to show you a picture of a guy with a giant [ __ ], and judging by your reaction, this
is not really what your brain prepared you for at that moment. But if I said something like Darth Vader, you wouldn't expect that. Although your mind and your preconceptions were preparing you for nudity just a slide ago, you probably didn't think about that Darth Vader from another sexy universe. So there's a lot of defense going on, and a lot of stuff going on, which enables us to actually act quickly when something happens. And I'd like to take an excursion into cyber security defense mechanisms and how modern cyber security tends to work. And this slide is just: we've got some programs, packets, whatever you name the BL guys in the left-hand corner, and they
are hitting some kind of anti-DDoS solution that we have, in order that our services are not brought down and only that, um, more or less legitimate packets make it in. Then we have some automized reaction, like an IDS, antivirus, that's looking for specific patterns, reacts to those. We might have some kind of anomaly engine running that just looks for anything suspicious in user behavior or something that hasn't been seen before. There will be sandboxes where we test out programs and run them in order to see what kind of DLLs they want to run and what the outcome should be. There are firewalls everywhere, and at least a few packets or programs make it to our
core. I use the crown jewels as the core because I thought maybe a few of you wanted to play [ __ ] Bingo. Um, and of course we as humans are fundamentally different, so I put together a different slide for us. Um, it looks like that: we've got new ideas and new thoughts coming in all the time, and then we hit the bandwidth limit, so a lot of it gets dropped. The next thing that happens is, in order to get on a fast track, our brain will form behavioral patterns, and if anything matches that, we will react more or less automatically without even thinking about it. That's quite like, uh, pattern matching in antivirus. As
humans, we are really good at spotting anomalies, so we've got that going for us. And of course our way of, uh, sandboxing stuff is daydreaming. So I could think about what would happen if I kissed her, if I punched him, things like that, and it would be all within the safe space of my mind. Well, my mind is not a safe space, but you know what I mean. And after that we have the problem that the Prover only approves of the stuff that we think we already know, and only a few new thoughts and ideas make it actually to our brain. So is that a problem? Are we all robots? Um, and robots meaning not the
cool kind of robots that fight aliens or something, but, uh, just in our behavior. The thing is, I don't think so. Uh, we are not as robotic as these slides, um, might show. I think we're just staying robots if we know that we are acting in a way that really doesn't fit us and don't want to try to change that. But it sounds like a lot of work, and of course there's the question: why would you do it? What, how does it benefit your cyers, and why put a lot of work into observing yourself in order to get to learn about you? Is there any benefit? And yes, there is, I
think so. The first benefit is you are having more options. If you were around for the first talk, uh, this morning, we talked about IT and women in IT and how you can't really break into the market. Now imagine you are a recruiter and you have a certain picture in mind how somebody in your team should look like: they should have this and that certifications, be of a certain age maybe, and bring this and that skill set. Now, maybe you've seen Lord of the Rings. If you've seen Lord of the Rings, you will notice that Nicolas Cage didn't play every role, but this could be your IT team if you just have that fixed position in your mind how an IT guy
should look like. And let's be honest, with Lord of the Rings, nobody in a sane mind would have hired the hobbits in the first place. They just kind of tagged along and saved the day. So if you broaden your horizon with that, as a recruiter for example, then you will have a lot more diversity in your team, and it will benefit you in the end, I think. And that's the whole thing about understanding yourself better. The president of the United States, um, Donald Trump, it's the new one, allegedly said last year, before he was elected, that he doesn't like to look too deep into his own psyche because he just doesn't like what he
sees. And my advice is, and that is a general advice: just don't be like Trump. You can't go wrong with that. And understanding yourself better is obviously something where you start maybe with a crude picture what you think you are, or what you think you are like, um, but if you try to fill out the picture with many iterations, you will find out that it might not be true. There might be things you never knew existed within yourself, and it's a fun thing. So, and one of the last points is you doing things differently. If you went over to Infosecurity and bought every box from every vendor, put it in your network, then you would do what nearly
everybody else does, which is cool, which gives you protection. But in order to do things really differently, you have to be creative, and that's where not only protection comes in but deception, detection, and new ways of thinking about how you do security. This is a picture from an inflatable tank that the US Americans used in World War II to distract the Germans, to bind resources, and to confuse the hell out of us, basically. And if you can bind resources with your attacker by being creative and doing det-, uh, deception things and stuff like that, you will have an edge. You will get the advantage back. So just thinking slightly differently, and thinking about thinking, really gives you a freedom of
choice instead of the freedom from choice, and so I think it's really worth it. I started with a question: what would you do if you had a hackable device, um, that you had access to? Well, um, of course I was referring to our brains, your brain, and I think now that you're quite aware of that, how could you not try to hack yourself? I mean, that's obvious, isn't it? So I'd like to thank my mentor Nick dra and BSides London for having me, and thank you for being here. Thank you much. Any questions? Thank you.