Episode 47

Published on: 29th May 2024
The Art of Cyber Deception: How To Get Inside The Mind of A Hacker with Rob Black

In this episode of Razorwire, I sit down with Rob Black, a dynamic figure in the world of cybersecurity with a unique background in military strategy and defence. From the realms of computer game design to the high stakes world of defusing IEDs, Robert brings unparalleled insight into how we can revolutionise cybersecurity by understanding and manipulating the psychology of our adversaries. This episode is packed with outside-the-box strategies that will transform your approach to defending your network.

In our conversation, Robert and I explore the intersection of human psychology and cybersecurity, emphasising the impact of deception and misinformation on attackers. Robert shares parallels to military tactics and offers practical advice on psychological tools to gain an upper hand in infosec. We discuss real world studies and notable cyber incidents like Stuxnet to underscore the importance of strategic thinking beyond mere technological solutions. Tune in for an engaging discussion that could reshape your cybersecurity practices.

Key Talking Points:

1. Deception Tools and Strategy - Robert explains how to slow down attackers using deception technology, inspired by military tactics, causing them to mistrust their tools and make erratic decisions.

2. Psychological Influence on Threat Actors - Learn how to improve the effectiveness of your network defence by understanding and engaging with the decision making processes of threat actors.

3. Real World Case Studies - We discuss impactful examples, including the NSA's deception studies and the infamous Stuxnet attack, to illustrate how psychological and strategic insights can be applied to bolster cybersecurity efforts.

Join us on Razorwire and arm yourself with revolutionary tactics to stay ahead in the constantly evolving landscape of cybersecurity. 

Deception 2.0: Envisioning the Future of Cybersecurity

"So attackers believe the systems they're using because they've got no reason to believe the computer won't lie. So how do we make it, inside our manmade network, that they have to tread carefully because they don't know what to trust and what not to trust?" - Robert Black


Listen to this episode on your favourite podcasting platform: https://razorwire.captivate.fm/listen


In this episode, we covered the following topics:

- Psychological Defence in Cybersecurity: How we can use psychological tactics, such as inducing paranoia, in defending against cyber threats.

- Effectiveness of Deception: We discuss an NSA study which demonstrates how knowledge of deception impacts penetration testers' speed and decision making.

- Human Factors over Technology: We talk about the merits of using human behaviour analysis and psychology alongside technology for cybersecurity strategies.

- Corporate Espionage and Misinformation: How to use misinformation and disrupt attackers’ expectations as part of your defence strategy.

- A Multidisciplinary Approach to Cybersecurity: We discuss the merits of incorporating diverse perspectives, including arts and philosophy, into cybersecurity education and strategy.

- Vendor and CISO Relationships: Why vendors must understand and address the real problems faced by CISOs.

- Proactive Defence Strategies: Why we need to move beyond assurance to proactive measures in cybersecurity defence.

- Shift in Cybersecurity Mindset: How to progress the growing recognition of cybersecurity as a critical business threat and the importance of improved risk assessments.

- Influence of Deception Technology: How we can use fake networks and behavioural economics techniques to manipulate attackers' behaviour.




Guest Bios


Robert Black

Rob left the UK government in 2014 after over a decade supporting the development of capabilities for British and allied military and cyber operations. Since then, Rob has been a lecturer in Information Activities at Cranfield University, part of the UK Defence Academy, and teaches on the UK MoD's Cyberspace Operations MSc. From 2020 to 2024, Rob was the Director of the UK Cyber 9/12 Strategy Challenge, leading on the development of the next generation of cybersecurity leaders. He was also Deputy Director of the UK National Cyber Deception Laboratory from its inception in 2019 until 2022, where he encouraged the development of a proactive approach to cyber defence through the use of deception techniques and other novel measures to confuse and disrupt cyber attackers. He remains involved in shaping policy dialogue on issues such as national security, cyber and intelligence through his role as an Associate Programme Director at Wilton Park, part of the UK Foreign, Commonwealth and Development Office, and also acts as a senior adviser to the International Information Integrity Institute (i-4), owned by KPMG.






Resources Mentioned

- Pimlico Plumbers

- NSA's study on deception

- Stuxnet cyber attack

- LinkedIn (Robert Black's profile)

- Cyber Sentinels Handbook




Other episodes you'll enjoy


The Human Psychology Behind Cybersecurity With Bec McKeown https://www.razorthorn.com/the-human-psychology-behind-cybersecurity-with-bec-mckeown/


Criminal Minds: How the Cyber Crime World Works https://www.razorthorn.com/criminal-minds-how-the-cyber-crime-world-works/ 


Connect with your host James Rees


Hello, I am James Rees, the host of the Razorwire podcast. This podcast brings you insights from leading cyber security professionals who dedicate their careers to making a hacker’s life that much more difficult.


Our guests bring you experience and expertise from a range of disciplines and from different career stages. We give you various viewpoints for improving your cyber security – from seasoned professionals with years of experience, triumphs and lessons learned under their belt, to those in relatively early stages of their careers offering fresh eyes and new insights.

With new episodes every other Wednesday, Razorwire is a podcast for cyber security enthusiasts and professionals providing insights, news and fresh ideas on protecting your organisation from hackers.

For more information about us or if you have any questions you would like us to discuss email podcast@razorthorn.com.

If you need consultation, visit www.razorthorn.com. We give our clients a personalised, integrated approach to information security, driven by our belief in quality and discretion.


Linkedin: Razorthorn Security

Youtube: Razorthorn Security

Twitter: @RazorThornLTD

Website: www.razorthorn.com




All rights reserved. © Razorthorn Security LTD 2023



Transcript
Jim:

Hello and welcome to another edition of Razorwire with your host James Rees, myself. Now, today we're going to be continuing on with our interviewing of key members of the information security community, where we sit down and we talk about their views on Infosec, how they got in, what they like about it, what they dislike about it, pretty much everything related to Infosec, and what it's like to work in the world of Infosec. And today I am interviewing Robert Black. Welcome to the Razorwire podcast, where we discuss all things in the information security and cybersecurity world, from current events and trends through to commentary from experts in the field, providing vital advisory on what it is to work in the information security and cyber security space. Rob, welcome and thank you ever so much for joining us.

Robert Black:

Hi there, Jim. It's great to be here and looking forward to a fascinating conversation.

Jim:

Good, good, good. So tell us a bit about yourself. How did you get into Infosec? What was your journey like? I mean, did you get in quite early on, or were you working in another career? Say it. Or maybe even something else before you got in? What was your journey into infosec like?

Robert Black:

So I ended up in Infosec in a completely haphazard, fortuitous way, to be honest. I was an analyst in the Ministry of Defence, a strategy analyst. So I spent my time helping the MoD think through difficult problems and how best to approach them. And I had quite a varied career over 10-15 years, nearly, looking at everything from how we can improve the way we fight wars, looking at how we can change the decision making of our enemies, rather than necessarily just fight wars by going to a defeat level of force and destroying all their tanks. I spent time looking at how we would communicate deterrent effects. Both of those had a really interesting theme, that they were all focused on understanding and thinking about shaping the adversaries' understanding of the world in order that they would either be influenced or deceived into doing what we wanted them to do. So my career in the military, supporting the military as a civil servant, was focused primarily on looking at understanding how we can improve our understanding of others and do something about it. As a result, I did some other things as well.

Robert Black:

I ended up chasing pirates of Somalia. I was based in the Middle East, but the pirates of Somalia. So I can say I'm a pirate hunter, although it's not the kind of swashbuckling adventures you see in the Pirates of the Caribbean. I was in a windowless office in the Middle East, questioning why I was not outside in the sunshine, and then I did some work looking, if you remember, at the campaigns we fought in Iraq and Afghanistan, did some work looking at the roadside bombs and the IEDs and looking at how that threat was evolving so we could try and get ahead of the curve of the use of new technology so we could improve our research programs. So the kit we were given to our service personnel was sort of ready to deal with the future threat as it arrived in theatre, rather than being 6-18 months too late, as it were. So I did loads of interesting things in that field. And then the question coming back to Infosec, I ended up being asked if I would pull through some of the MoD's research on how to influence people, how to understand people, pulled through that into the community that was happening, looking at how we deal with cyber security, how do we deal with those people attacking us, and how we might use that as well in the kind of protecting UK's force to do cybersecurity as well. So that was my first entry.

Jim:

I mean, it's interesting because a lot of infosec people back in the day, I mean, I've been in this game for 25 years, so go back 20 odd years. A lot of them came in from IT. A lot of people kind of naturally progressed in from there. But you came in from a very different angle, very interesting angle, actually. How was it moving from the military mindset of how you handle threats, risks, intelligence, you know, all the stuff that you were dealing with, into the more commercial world of basically the same thing, or infosec as we, as cybersecurity is? The name keeps bloody changing, to be honest.

Robert Black:

So I think for me, it wasn't necessarily, and I haven't had a huge experience in the commercial world, working with CISOs, advising them on procurement decisions or strategy decisions around there, because most of my work at that time was very much focused on thinking about how we can work more effectively in teams and deal with the threats we were dealing with. And I guess I found that the two things I think are absolutely personal in the commercial world, from what I've seen and in the world that I was experiencing, was that we very easily delegated and deferred to the technical expertise. We saw it as a technology problem, and I think that still persists today. The CISO, until recently, was the techie who the board turned to and said, there's a techie problem, go and deal with it. And if you can talk to us in English and explain the techie problem in an easy way, we'd appreciate that too. But actually, we don't want to really understand it, we just want you to sort it. And that conversation is still changing as we talk today. So the first challenge was we saw everything in cyberspace as a techie problem.

Robert Black:

And I fundamentally disagree with that. And I think that pattern is changing gradually. If we look at how we see kind of the geopolitics of cybersecurity, we're seeing the ability to project force being about shaping opinions. The National Cyber Force, for example, has recently highlighted a new strategy of cognitive effect, which focuses on exactly that. And I think it's showing that we've got this transition, that people are becoming more aware that when we deal with cyber threats, we can't just deal with them as a technological threat. And then the other theme, I would say, is that repeatedly in the community, because I wasn't technology centric and I wasn't expert in technology, I felt, and I was seen to be, a bit of an imposter. And because I wasn't CISSP qualified, I didn't have the latest security credentials in this technological challenge. So I didn't do technical cyber.

Robert Black:

And in fact, I repeatedly had it reminded to me that what I was doing wasn't cyber. I think fundamentally, there's been a massive shift in that thinking, particularly as a result of the Russian activity that we've seen disrupting elections and in other misbehaviour around the world. We've started seeing that cyber activities, cyber threats, don't have to be super technical to be effective. And actually, that means we have to change our thinking about what technology is involved and what is actually reliant on, or what we're actually reliant on when we come to dealing with these threats.

Jim:

I fundamentally agree with you on this one. I mean, one of the key frustrations I had 15 years ago was we didn't really have many CISOs back then. You were usually some kind of security manager. You were normally lumped in with the IT teams responding to the CIO, the CTO, whoever it may well be. It was difficult because you were trying to communicate intrinsic risks to the business, which weren't, as you say, necessarily tech centric. There was a lot of psychology involved, a lot of intelligence as to why things were happening and so on and so forth. And it kind of gets lost when you filter it through IT.

Jim:

It kind of does end up being this, oh, that's about technology. I mean, if you look at things like PCI DSS, ISO 27001, even like NIST and HIPAA, and I could go on forever about the different sort of security frameworks and compliance requirements there are today. They are heavily moving away just from that tech world, and it's taken us ages and ages and ages to get to that. I learned very early on in my career that a lot of security is about psychology and mindset and thinking like the enemy, like the old Sun Tzu thing. You know, if you know your enemy and you know yourself, then you needn't fear the outcome of 100 battles. Obviously, you came in from the military, which is that kind of mindset, and trying to change that commercial world. That must have been a real tough one.

Robert Black:

Actually, Rob, you know what? I don't think we've changed it. If I'm honest. I think we failed. Absolutely. And I think we're still on that fight. So I'm not sitting here feeling I've won the medals for it. Sure. I think if we think about the use of psychology in cybersecurity, and if we talk about human factors in cybersecurity, we automatically default to a consideration of the user, the average member of the organization, and whether they've done their spear phishing training, are they going to click on that link, and how do we help make them more resilient? And we think about the psychology there.

Robert Black:

Now, that is a completely legitimate and worthwhile initiative and effort, and there needs to be more of that. So you're not going to be getting me resistant to that in any way. But I would argue my focus, and the area that I think there's more value in focusing in now at the moment, because it is so untapped, because we focus on the threat being technology, is thinking about the threat actor as the user and thinking about their decision making and their psychology. And what's been really interesting, as we've seen with the development of ransomware groups and the ransomware as a service, is we've started seeing tensions in groups. We've started seeing their decision making being affected. There was a podcast, Charles van der Voort was talking about the work they were doing at Orange, looking at some of the ransomware actors and looking at how those ransomware actors are deciding on their victims based on their knowledge of their victims, and then was talking about what disruptions you can do against those actors based on what they're targeting and why they're targeting. And basically what we're saying is threats are humans, too.

Robert Black:

How simple a phrase is that? If we look at every threat actor, and this is where I think I'm a bit critical of the industry because I can understand why we're very keen not to attribute threat actors to certain nations, because that's a geopolitical issue, and I get that, and I understand that. But if you look at any threat reporting, we do two things. We talk about the technology. We do very little on their decision making, and then we caricaturize them. And you can get a fuzzy colored teddy bear or a pink fluffy elephant, and that would be the threat actor we're now talking about. Or we give them a generic name, and I can understand why, but we immediately dehumanize them. And it seems strange to talk about dehumanizing the attacker, but it means we're losing attack separators that we could be going after on these attackers. These attackers have to make decisions at every twist and turn.

Robert Black:

If we aren't building our networks thinking about how the attacker is approaching our networks and operating through our networks and the decisions they're having to make, we're missing windows that we can influence them and shape their thinking and shape their behaviour, and that is an opportunity cost that I do not think we can afford to take. So we should be engaging with our threats. Using the military terminology for threat, or often used by the Mediterranean, threat is capability by intent, and I think too much, in cybersecurity, we focus on threat as technical capability. How many might have TTPs do they map against? How many of this do they map against? What are their tools? But every single threat actor is like you and me. They have to make a decision several times just in every activity they do. And if we're not understanding how we can engage their decision making, fight them mentally, psychological combat, how we can do that, that's where we're missing the opportunity.

Jim:

You mentioned this a few times, actually, and it's a thing that I see quite a significant theme in this community and the discussions going on and some of the other people that I've interviewed and who have guested on the podcast, we are fighting this battle, and it is a war. It's been going on and raging for ages and ages and ages, but it's very silent in the background. And I think this is where a lot of the problems lie. From what we were just discussing, business people don't. They just want to kind of progress. They want to get the profit for the company. They want to make the shareholders happy, keep things running and all the rest of it. They don't understand what they're actually facing up against.

Jim:

And the capabilities of some of these people, I think the Conti tapes, or whatever they were called, the Conti sort of release, where they saw exactly what the malicious actors were talking about, how they operated, that they operated like cells within a company with different departments, even a bloody HR section checking people coming in, whole streams of analysts looking at the organisation and profiling, not just from a tech sense, obviously, but from a business sense and from a psychological employee sense, exactly who they would target next, who's most likely to pay, who's most likely to bend under pressure. I think in the early days of ransomware, you did see a little bit of a scattergun approach where they just kind of fired it out because they found something new that they could get paid for. But I think when they hit the pipeline and all of the bad press that came out of that, I think somebody, and I have had a few discussions with a few people over the years, somebody deep in the ransomware side said, we don't quite want that level of hate levelled on us. Can we just back off a second? Let's not target children's hospitals, that kind of thing. Let's go after the big business. And you do have to understand that mindset, and it's only when you've been in Infosec for a period of time, for a long period of time, do you kind of suddenly get it to tweak in your head, or at least that was what it was like historically.

Jim:

Are you seeing that change in mindset with infosec people as you are coming across to them? Obviously we've talked about the business people still not quite being there, but for actual infosec people that you meet, is that a thing that's changing?

Robert Black:

I think what we are seeing is that intrinsic risk to the business being articulated in a way that it is an existential threat. And more people are realising that. More people who are outside the CSO community are realising that if they don't get this right, it's not just a tech issue and a tech falling over, it's a fundamental threat to their business. And I think that mindset shift, it needs to happen more, but it is happening. And I think that then empowers better risk assessments against the impact on business, rather than just the service being down, the server being down, or the data not being available. And I think that realisation is quite a significant shift. And we're starting seeing people in the community, sort of, let's say CISO evangelists, talking about changing the language from evaluating products and looking at security decisions, but looking at them in the space of how is this helping the business? What is this doing to the business? And I think we are seeing that waveform coming through. I think where we're probably not necessarily seeing as much progress is that they're dealing with and having to fight against a mountain of assurance mindset. The easiest approach for your network is to make sure it meets all the assurance criteria you need and then keep your fingers crossed that the bad guys don't get in.

Robert Black:

And that assurance mindset, whilst it's important, and we need to make sure we meet a minimum standard here, there and everywhere. When you're up against competing budgetary requirements or competing asks for your budget, it's very easy to realize you need to hedge your bets. Do the minimum you can, that is, tick all the boxes, but not necessarily move to that next stage of how do we then do the proactive defend? We can secure everything, but how do we defend everything? And I think that's the shift that needs to happen now.

Jim:

100% agree with you. My producer always tells me we need a little bit more conflict in some of the podcasts and some of the interviews, but it's kind of hard to disagree with what you're saying. In fact, 100% totally agree. And I think it certainly is changing from what I've seen. It is very slow, though, in a commercial world. Obviously, when you start talking about security intelligence, immediately the vendors come out and they start saying, oh, buy our tools. Our tools will tell you everything you need to know. It'll give you all this and that and the other and the gunfire and so forth.

Jim:

I've spoken with a lot of the vendors. I've used some of the tools. Some of the tools are great at giving you ideas of what different groups' attack patterns are like, what they go for, the kind of vulnerabilities they tend to look for, be it sort of a phishing vulnerability, or be it a technical vulnerability or whatever. So if you are coming under attack, there are some good tools out there that can help you try and establish a little bit more, or maybe give you a bit of intel on what's going on on the dark web, whether someone's mentioning you and so on and so forth. You know, you need to have a tool set like a lot of these organisations have today. So what do you do when you're doing this? What's your process?

Robert Black:

I'm not sure if I'm going to answer it directly, but I just wanted to reflect on your point about the conversation between the vendor and the CISO or the procurement person in the organisation. And I think for me, this is a really important relationship. And again, this might seem as being critical of the community, and it might be unfounded of me because I haven't been in that space myself, but I think we've got some really interesting challenges where we've got a vendor market, I think, and we've got CISOs who are up against it and they need to get a solution quick and they need to get pressure off them because the board's putting weight down, and it makes it very healthy for the vendor market for them to pick between A and B based on pretty much the MITRE framework. Who ticks enough of the MITRE framework? Okay, I'll go with them. Let me compare product A, product B. I know I need this type of solution. Let me compare, is it four or five? Put them into an RFP, I will put them into a response. Okay, I'll pick the one that comes up best against cost, against MITRE, against a couple of other criteria, perhaps a good working relationship.

Robert Black:

And I think that's all for the benefit of the organisation. To the consumer, I think the best vendors, and again I say, hasten to add, I am not a vendor and I'm not a salesperson, but the best salespeople in the vendor community are those who have conversations with the CISOs and the team and listen to them and understand their problem and help them identify how their solution or how their kit will support them in the solution to the problem they need. Now that's stating the remarkably obvious, but again, that shifts the power slightly from the vendors all shouting I get nine out of ten here, I get eight and a half out of ten here, shifts the power back to the CISO or whoever it might be. As to here are my needs, how are you going to help me with my needs? And immediately at that point, we're shifting from it's against this MITRE fresh external assessment criteria. And I think where we need to go next with that conversation isn't just what are your needs, how our products help you with your needs. It's empowering the CISO once again to be a critical consumer of the vendor spec community, not based on external criteria, but based on what do I want to be able to do and what do I want to be able to achieve and what is my strategy for defending this network? And at the moment, with that strategy being assurance and a tick box exercise, quite bluntly, I need to tick the box. I've got this kit, the only criteria I've got are those external criteria and cost.

Robert Black:

How much money am I going to spend? Is it cheaper to buy this than the other one? What are the ticks in the boxes. It's gold standard against this assessment criteria, silver against that one, and this one's gold. And gold, I better go with that one. But actually that doesn't matter. It's what do I want to do with it? And not even what do I want to do? What do I want to be able to achieve in terms of the defense of my network? And how does doing that help me? And doing that, how is that supported by the kit and capabilities available by the vendors? And I think that shifts the conversation considerably into a strategy based approach of defenders. What do I want to set up rather than necessary? What do I need to have some of and make sure I've ticked the box.

Jim:

Fantastic. We're woefully underfunded in security. I mean, you know, I think every department says that at some point, don't they? You know, you always hear it, oh, we need more budget. We need more budget. But security people are really, really woefully underfunded compared to the remit that they're there to do. You know, when you have an organization with a revenue stream of, say, you know, 10 billion, 20 billion, that kind of thing, and they're spending the equivalent of five pounds and a pickled egg on their security, you're not going to get the level of security that you need. And I'm not just talking about the technical security, the tooling there, but just kind of like the management side of things as well, the intel feeds in, because a lot of Infosec people have grown up in that tech centric idea of Infosec, and it's been supported by the business. But I agree with you, it's interesting to see it is shifting now.

Jim:

We're seeing a lot more CISOs, a lot more Infosec people advising boards directly. Some of them are even becoming part of the boards. It's definitely a change. I think the most successful ones I've spoken to have said intelligence is the key thing here. You have to understand not only your organisation, but you also have to organise the component parts of it and what the enemy is looking at and what the enemy is doing. Is that something you agree with? Do you see that shift progressing where people are going to take security a little bit more seriously as an organisational aspect rather than, as you say, just a technical one?

Robert Black:

I think for me, you touched on sort of security intelligence and what might be available in the dark web, and you used that as an example earlier. And I think for me that highlights, if you take that organizational approach, you redefine the boundaries of your problem space, or you redefine the boundaries of what you're trying to defend, and immediately you start bringing into other aspects to play. So, for example, the dark web becomes a place that you could be actively engaged on, but wouldn't necessarily be feeling that that would be your traditional area of territory and responsibility as a CSO. But what could you be putting in the dark web that would shape and influence any threat actors who might be operating against you and thinking about targeting you? What could you be putting out in the public space to do that? There's a range of things you could do which probably aren't technical capabilities. That might be enough just to shape the thinking of the attacker, and that might be enough to dissuade them to go from you and go somewhere else, or it might be enough to go, oh, I better think about this twice. So there's a range of revision of boundaries that I think start happening when you take that organizational approach rather than just the tech centric, your IT footprint approach.

Jim:

Oh, you've just touched on a really good subject matter there. I'm a big fan of, you know, I always go back to Sun Tzu, you know, for a guy who lived quite a long time ago, his text certainly still rings through today. You know, the whole, all warfare is the art of deception. And you just touched upon a good point, and it's a good example I've made to people in the past where it's like, if you want to protect your house from, like, the average sort of group of miscreants coming down the road to potentially sort of rob you and looking for targets to rob, something simple like "smile, you're on CCTV" or "beware of the dog" signs go a long way for them to just bypass you. Exactly. Completely. Might not be true.

Jim:

You might not have any CCTV, or you might have a dummy camera, you might not have a dog, you might have something that barks, and when people get too close to the house, but it's surprisingly effective in making them pass on and go somewhere else.

Robert Black [:

But what does that look like in cyberspace?

Jim [:

Well, this is it.

Robert Black [:

And the problem is there are so many things that we can do in cyberspace, but we're not doing them. You get an equivalent, you get a response that you're looking at an inappropriate web, not inappropriate. You get the web pages down, you get a generic response. This webpage doesn't exist. Why not put a web page response, a search response, so that when they ping you or something like that, they get a response saying, we know you're there, we know you're looking at us, we know you're doing something naughty immediately. That changes things. Look at some of the nudge techniques and the behavioral economics. If you put a bowl of fruit out and a bowl of sweets out and let people go up and freely choose what they want to have to eat, they'll choose the sweets.

Robert Black [:

If you put a mirror behind the fruit and the sweets so they can see themselves as they go to choose the. Guess what? Not as many choose the sweets and a lot more choose the fruit. Funny, that. So what is the equivalent in cyberspace? And it might not be choosing the fruit and sweets, but it's the same kind of thing. There's a series of studies that have looked at the presence of CCTV. The CCTV has a deterrent effect, not just because it captures the recording, but because people see the cameras and think, oh, I'm going to be recorded. And so they don't do it there. And even more so, they've done studies where they put pairs of eyes up on the wall, just pretend pairs of eyes, to make it look like someone is looking at someone, and that has had a deterrent effect and move the behavior away from those areas.

Robert Black [:

So what is the equivalent in cyberspace? How do we make our networks more resilient using these type of techniques? And you know what's really funny about all of that? The digital, the cyber domain is the only virtual man made domain there is; land, sea, air and space aren't man made. So we actually own this environment. We can tell them that the sky is green inside our networks and they have no way of checking whether it is or not, because it's man made and virtual. So why are we not playing with that and using that to our advantage? Why are we getting them to use their tools and trusting what their tools are saying to them? One of the most famous cyber attacks in the world is the Stuxnet attack. I don't know if everyone remembers it, but it was the attack on the Iranian nuclear enrichment in Natanz in quite.

Jim [:

A few years ago.

Robert Black [:

Now, allegedly an Israeli-US joint operation. Brilliant piece of technical coding to jump over the air gap and target the programmable logic controllers. And I sound really technical talking about it. But one of the most exciting bits of that attack was as the centrifuges were spinning at the wrong speeds and causing damage to themselves as a result of the virus. The information being relayed to the scientists looking at the centrifuges on their dashboard was that everything's running fine. And as a result, the scientists didn't stop the centrifuges because they saw everything was fine and they didn't understand when they started breaking why they were breaking. So the scientists believed the systems they were using because we all believe the systems we're using because we haven't had that trust broken. So attackers believe the systems they're using because they've got no reason to believe the computer won't lie.

Robert Black [:

So how do we make it inside our man made network that they have to tread carefully because they don't know what to trust and what not to trust? It can't be that difficult. The problem is, it involves a little bit more clever thinking than just buying an off the shelf solution.

Jim [:

Yeah, I mean, do you see a situation in the near future where intelligence consultancies spring up that provide misinformation and various different kind of activities that could help defend organizations? Or am I. Am I talking crazy talk? Let's look at the Vulkan files. A good example. The big country with the red flag that may or may not be doing special operations in various parts of the world. When the Vulkan files came out, I mean, there was a lot of tech stuff in there. Obviously, they were technically an information security company. But there was a surprising amount of what you're talking about in there as well. And making it plausible deniability for certain government groups.

Jim [:

You know what I mean? It's crazy. And it's interesting to see how things are changing on that national scale. But we're still kind of stuck in this commercial area.

Robert Black [:

You know what? I think if we took it out of tech, you would see more evidence of corporate espionage activities being conducted almost routinely.

Jim [:

Yeah, I agree with that.

Robert Black [:

Trying to get one up over a competitor is legitimately seen as a business activity. I'm going to put away my ethical opinion on it and so on like that. But I think we could point to examples of that happening quite regularly. Scandal based influence activities to disrupt. I don't know whether it be disrupt a key decision. We can all think of examples where there's been some bad tactics or nasty tactics. Whether it be political campaigning, whether it be product launches. Where we've had competitors undermine confidence in particular products, for example, or undermining confidence in another competitor.

Robert Black [:

We've had examples of manipulation of ticket sales. We've had examples of manipulation of reviews on Tripadvisor, Amazon. So that one person's product gets purchased over another person's product. It doesn't feel that that's too far away in that space. But I think probably because we default to cybersecurity as tech, we haven't necessarily appreciated that there's this space here, too. Now, I'm not going out to encourage that in any way whatsoever, but I think it's interesting that we're seeing this space going, what's going on? Why wouldn't we sow seeds of doubt into our attackers as they're approaching our networks? There is a range of different things that our attackers are going to be thinking about. Why are we not making them question them a bit more? To me, it would be a legitimate defense activity.

Jim [:

Well, this is it. I mean, back in the day, we did have a little bit of that. I mean, it seems to have fallen by the wayside a hell of a lot. But we used to have honey pots in a technical sense, and they just basically sit there. They look like the network. They aren't really the network. They're just a very carefully constructed honey trap, really. I mean, I love the history behind the original kind of honey traps and how they were used.

Jim [:

And then it was kind of translated into the technical sense of, oh, look, this is a beautiful looking network I've got here. Let's have a little poke around. And they were completely unaware that there were a couple of security and techie people going, ha ha. I see what you're trying to do here. Good luck getting in.

Robert Black [:

You know, I think this is what's really interesting. I think that deception tech and I can think of some great examples of that at the moment, but that deception tech is being used for intelligence gathering. So we trap them in a fake bit of our network. Yes. They're not in our network, and we can control and make sure, but we're doing that to understand them, and we'll sit there and watch them and go, aha, we know what you're doing. We're going to learn your TTPs, and then we're going to build our defenses up so we can stop you coming in. That's a legitimate and worthwhile activity. But there the deception is about using the deception to stay secret.

Robert Black [:

They don't need, the bad guys don't need to know that you're not real, basically, and you're a fake honeypot. I think the really exciting space is, I would say deception 2.0, if I can use that, if that doesn't sound too cheesy, is moving away from the use of deception to stay secret into the use of deception to get the attacker to behave differently because they've made sense of the world in the wrong way based on our deception, and therefore they're acting differently as a result. So they do not believe the reality that is true. They believe a created reality, as it were, and then they're acting on that false reality in a way that is beneficial to us rather than them. And I think there is so much we can do in that space, and it's really exciting. Again, I don't think we're beyond the bounds of plausibility, because if we think about Hollywood films, Hollywood films are 2D films. And yet each one of us in this podcast, whoever's listening out there, has had moments where they've laughed, probably moments where they've cried, although they might not admit it to their partner. Moments they've been scared and things like that, and that has been an interaction from a 2D thing.

Robert Black [:

I'll hold my hands up. I was petrified as a kid because I watched ET and it scared the hell out of me. And what was it? It was a reenactment of some actors somewhere in America at some point in time. Really bad video if you look at it now, because technology's changed so much, being played to me on a TV screen, and I thought it was happening for real. Likewise, there were some really good examples of computer games that have been. I remember the time, I remember a particular computer game called Alone in the Dark. And this was in the early nineties. Yeah.

Robert Black [:

And the reviews came out saying it was, you're walking around a haunted house, and the reviews came out saying it was so terrifying. It was spine tingling. Real. The music was eerie. It made us feel like we're in it. And they met, you know, they had the music that got more tense as you walked up the stairs and things like that. You look at the graphics today and they are shockingly poor compared to Alone in the Dark today. But at the time, I remember being freaked out.

Robert Black [:

I remember thinking there was someone upstairs, and that was from a 2D computer game interaction. So if we've got that ability and we're playing with that for commercial entertainment pursuits, why not bring that in to our defense? And that sounds absolutely crazy. I can hear a CISO going, what the hell? I'm going to invest in from movie makers. But no, let's invest in thinking about the experience of the attacker in our network. Look at the recent horrific data breach, the PSNI data being released online on the FOI request. Yeah, serious stuff. People who don't want their identities revealed potentially have had their identities revealed to malicious actors who might be interested in going after them. I would not want to be a serving police officer in Northern Ireland at the moment.

Robert Black [:

That's real. Yeah. And look at that in terms of our network. Yeah. So if we've got attackers in our network who have got a dwell time, and sometimes they can be in our network, what, 90 days, 200 days? And we've had examples of Internet security companies researching them using open source and identifying where they're based, taking photos of them in their office or capturing photos of them from social media sites and identifying pretty much who they are. Putting aside the GDPR issues for one moment, because I don't think that's the big issue at this point. Wouldn't it be nice to remind those attackers that we know who they are whilst they're wandering around our network? And at that moment, you're in a Liam Neeson Taken moment and you've got that attacker thinking quite differently about what they're going to do next. And if they're anything like the PSNI serving personnel in Northern Ireland, they are questioning the fact that they don't want bad guys coming after them and they are questioning whether or not they're safe or their family is safe.

Robert Black [:

It happens, if you think about it. The Shadow Brokers stole a load of capabilities from the NSA and they publicly declared that they had them and they were putting them up for auction. And then they started calling up members of the community, the very community that we're engaging with now, and said, we know you were involved in these in the past. Those individuals were then nervous about traveling to other parts of the world. They weren't nervous about traveling to other parts of the world because someone might be coming out to hit them with a cyber attack. They were nervous about coming to other parts of the world because they didn't know who the Shadow Brokers were affiliated to and which nations might have extradition treaties with those different nations they might be traveling to to give infosec training. They chose to stay at home because they feared for a legal consequence to what they were being associated to in the US. The same is true over here.

Robert Black [:

The same is true for our attackers. If our attackers feel there is a severity of punishment or a probability of getting caught, they will act very differently to the space at the moment where they know they can pretty much get away with anything. Because all we're worried about is meeting the tick box to say, yes, we've done the level of assurance we need. Not that we're going to defend and defend aggressively or practically. And I think that just shifts the mindset quite considerably. Could you imagine putting a nice shiny honey token inside our network that didn't have a beacon when they took it back and opened it on some third party infrastructure, but instead had all of the data we collected on them and said, we know where you live, we know what you do, we know you've got these issues. We know what you're doing with that money. You're screwing away from your employer.

Robert Black [:

Look at what happened with the Conti leaks. You've already highlighted them, the tensions there. We could play on that inside the network. And if we are really bothered by the GDPR issues and we're revealing sensitive data about the attacker, a who's going to report us to the ICO? The attacker isn't, I'm pretty sure, and that would be interesting if they did. But let's not worry about that one. And secondly, if that is a key driving concern, then that shows we haven't got this right collectively across society. We need to address these issues. And finally, if it is a case where we're really worried about GDPR and we don't think we can do it legally, let's use some cold reading techniques.

Robert Black [:

Let's use the reading techniques, those clever techniques that those tarot card readers and those fortune tellers tell us on the end of the pier in Brighton or wherever you might be in this country. Some fortune tellers, I don't want to get sued. Some fortune tellers, I am sure, do tell your futures and do have abilities, but some of them might be a little bit of a scam artist. And those scam artists use cold reading techniques, which use a series of linguistic tools to make it sound like they're saying things that can only be relevant to you and that are definitely to do with your future and your dead relative, when in fact it's just clever phrases and clever statements. Why don't we use those techniques inside the documents that we put in our network, telling them that we know who they are and we know what we're going to do about them. At that point, you've got them thinking differently. You've got them thinking, oh, shit, or you've got them thinking, oh, I'd better just go and check on things, and they're not focusing on their job. Or then thinking, perhaps it's easier for me to go next door because I'm not going to get hunted by these guys.

Robert Black [:

I'm getting hunted by this network.

Jim [:

Yeah, I don't like. Yeah, because I mean, ultimately, whatever kind of criminal activity a criminal is engaging in, be it car theft or whatever, none of them want to get caught. None of them want their details put up.

Robert Black [:

And in cybersecurity with hackers, doxing is a well known thing of exposing the identity of someone. So we know it's an issue for people. So why not design our defenses where the threat of doxing might well shape their decision making? But actually, we don't even need to go that far. That's just one example. The NSA have done some brilliant work looking at the effect of telling someone deception is in their network. So not about doxing them, nothing else. They had a network set up and they had two sets of pen testers. One set of pen testers weren't told anything about the network, and the other set of pen testers were told deception has been deployed on that network.

Robert Black [:

And you know what? People who had got told nothing about the network progressed through the network more quickly and achieved their objectives more quickly. Those who were told deception was deployed on network moved through the network more slowly. They questioned their tools when it didn't work. They questioned the principal that they found the principal that looked a bit suspicious. They questioned why that port was open because it shouldn't be open. Perhaps that was the deception. Perhaps that was deliberate. No, it was just a poorly designed network.

Robert Black [:

But in their heads, they were already questioning everything because they had to, because they knew deception was being deployed. Telling them that deception was being deployed is not a technical capability, it's a press release.

Jim [:

No.

Robert Black [:

Yeah, but it's a simple and effective tool.

Jim [:

It plays upon their own paranoia as well. You know why? Let's not bother with this bunch. Let's go and hit these other guys. Because these other guys have said nothing.

Robert Black [:

And it comes back to realizing that a threat actor is their capability and their decision making, their intent. And if we're not thinking about the attack surfaces that presents to us, we're missing the trick because we're being caught up in focusing on the technological fight and not the human sciences fight, the human factors fight in defending our networks.

Jim [:

I like this. I think this is really good. This is the kind of information that I think we as security people rarely consider or we may have considered in the periphery at some points, but because we have significant amounts of people shouting us to get this done, get that done, meet this particular requirement, there's compliance requirement, tick boxing side of things. We rarely ever get a chance to really consider this, but I'm with you on this one. I think this is an aspect we need to address. Misinformation is great, creating paranoia is great, you know, subverting expectations of those malicious actors.

Robert Black [:

There was a documentary on British TV, for those of you not in the UK, a few years ago. I don't know if anyone in the UK remembers it. It was about Pimlico Plumbers and it was a documentary about the boss of Pimlico Plumbers, who is quite a high profile character. They run a big plumbing business, primarily in London. I believe one of the episodes on this was the boss had decided to declare everyone's salary to everyone in the organization. So they were taking away the last taboo in British society, which is, how much do you earn? And you know what? It was quite a disruptive event inside the organization, because you had colleagues who'd been working with each other for 10-15 years, realizing all of a sudden that the person next to them, who they thought was rubbish, was earning 10-15k more than them. It was quite a disruptive and leveling activity.

Robert Black [:

Why wouldn't we just use that as a disruptive tool? Look at the Conti leaks. That's what they were arguing over. Who was getting paid, who's getting this, who's getting that. We don't even have to be that clever, I'll be honest. We just have to look at the things that disrupt us and then we have to think about, how would that apply to our attackers? But all the time we see our attackers as just technical attackers. We don't even think about those dimensions.

Jim [:

That's brilliant. I've really enjoyed this conversation, Robin. I could talk about this for hours, but I have a special question for you. I promised you before that we would ask this.

Robert Black [:

There we go. But look at that as an example. You threatened me with this question and I've now spent the entire session thinking about what this question could be and how am I going to respond? Am I not going to make a fool out of myself? So it's already influenced my decision making. And all you did was mention, as a question, that's a great example of feeding and shaping an individual's experience of whatever they're doing. Why are we not doing that with our attackers? Sorry I interrupted, but I think as a.

Jim [:

Now you go for it. Psychology, folks. Right? So, Rob, there you are, you've just come out the military. I'm going to frame it for you. Been out of it for, say, a week, maybe you're sort of like looking into what your. Your next role is, you know, and which was sort of where you went. Let's say you're in a bar having a beer, waiting for the phone call. The phone call comes in and you find out you've got that phone, first job in the commercial world, and then all of a sudden, you, as you are now, sits next to you as you were then, in a timey wimey, time travel kind of way.

Jim [:

If you could offer yourself a bit of advice to your young self when you were first getting into this space, what would you advise yourself? Doesn't have to be one point. It could be two, it could be three. What would you say to yourself?

Robert Black [:

Okay, great question. There's a couple of thoughts that are coming to mind, so I'll share them, if I may. One is, don't worry about being an imposter. You're working in the land of the blind where the one eyed man is king. So don't be frightened if you don't know enough. Just be confident that you're asking the stupid questions to get that understanding right. And you're asking the difficult questions to get that understanding right. Because if you don't understand it, there's definitely other people in that space who won't understand it.

Robert Black [:

There. That's. That'd be my first one. The second one is make sure you're having fun. In fact, I was having a conversation with someone just yesterday evening about their rules for life, and it was, have fun. Make sure you're having fun. Make sure you're smiling and make sure you're putting your head above the parapet and saying yes to things. And I think that's a really good approach.

Robert Black [:

Don't be frightened if you're the imposter, ask those challenging questions or feeling like you're an imposter. And then the other piece of advice which a colleague gave to me, which is about working with others, and it's probably about appreciating that everyone, and I think, interestingly, this is me practicing what I preach about understanding attackers better, is that actually understand that everyone else has their own world that they were living and working in, and they might have other pressures and other priorities. That means they might be slightly different to you. So don't kick the horse every day or kick the donkey every day. Give them a kick if you need to. Give your team a kick or whatever it might be, and then allow them time to adjust, develop, come back to you rather than kick them again the next day, because that will make you frustrated and it will make them frustrated. And actually, we're all here, whether we're doing it because we need to put food on the table or whether we're doing it for the love of what we're doing, we're all here to try and make things better. And actually, just by creating that negative environment, that more toxic environment, it doesn't help anyone.

Robert Black [:

So sometimes you do need to give them a little bit of a kick in the proverbial sense rather than a physical sense. You actually realize that there are other competing priorities on people's times, on the decisions, on their worries and concerns, and you might not fully understand that. And I think actually the pandemic was a good leveller for that. Remember those first few weeks of the pandemic when everyone didn't know which way was up and what the hell we were doing? Everyone opened up their Zoom call or their Teams meeting and they genuinely asked how the other person was, are you okay? And we've quite quickly forgotten that. But actually that was a real eye opener to me, that there were people in different positions at home, differently. They might be juggling several kids at home, homeschooling whilst trying to work. They might be juggling with a relative who was ill with COVID. And we actually just paid attention for that first five minutes of every call to make sure we checked in and made sure we're okay. And actually, you didn't need a good kicking at that time.

Robert Black [:

You just needed to understand them a bit better. And when you understand them a bit better, you can work with them more effectively and you can get the better results. I think that's what I'm saying. With the bad guys too. If we can understand them better or think about their decision points, we can have better results by exploiting them and shaping that. And I think that's true with our own teams as well. So I guess I'm being consistent in practicing what I preach, in encouraging that. But that would be what I'd say is those tips.

Robert Black [:

Don't be frightened to give things a go. Stick your head above the parapet, get stuck in. Don't be worried about asking those difficult questions or silly questions, because if you don't understand it, no one else does. And in the land of the blind, the one eyed man is king. You just need to be ahead of that curve a little bit more.

Jim [:

Really wise words, mate. I've really enjoyed this conversation and I'm hoping I can nab you once or twice in the future to come on some of the other Razor Wire podcast stuff, because I think you've got some great info and you've got some great advice for all of you out there watching. You can find Rob on LinkedIn and various other different places. Rob, where can they find you if they wanted to get in touch with you or they want to learn a little bit more about kind of some of the stuff that you're involved with. Is there anything you want to put out there?

Robert Black [:

I'd probably reach out on LinkedIn. I'm happy to respond, just say, mention the podcast. So I know it's a friendly request, rather than someone who might be in the newspapers at the moment reaching out to me and yeah, reach out on LinkedIn. I also run a great initiative here in the UK, but also around the world, encouraging a multidisciplinary approach to cybersecurity and developing cybersecurity leaders of the future who are thinking strategy, policy and technology, and bring in other disciplines to cyber security who might not necessarily see that potentially they've got a really valuable contribution to make from an arts background, a philosophy background and so on. So I'm passionate about that and I'm quite involved in that. So if you wanted to get involved in that, we'd always welcome volunteer people from the industry who want to help encourage new people entering in the industry, get them to learn about the industry, get them to think about their role, understand their role. And obviously, if you wanted to get involved at a corporate level, we'd be very keen to have some sponsors. We've got a great set of sponsors and supporters and it really is a great initiative shaping, I think, a really exciting generation of future cybersecurity leaders who are going to be dealing with these complex challenges we're facing on a daily basis.

Robert Black [:

And we need to empower them with the critical thinking skills, the strategic thinking skills, and the awareness that it's not just about a technical solution, it's about understanding stakeholders, analyzing the key policy options available and taking the right steps. And I think for me, again, it's a real drive that we're trying to shape and we're seeing some great students come through for being proactive and then moving on into the cybersecurity industry as a result of meeting mentors and inspirational people in the industry who are coming along to our events and initiatives and encourage them to join up and do it. So perhaps, I hope you don't mind me being cheeky and giving a shout out to that, because I think it's a great little thing and everyone's talking about the cyber skills drive that we've got to do. This is about bringing in those complementary skills as much as those technical skills, and bringing in a wealth of exciting, new, diverse talent that is going to help shape how we fight the wars in the future in cyberspace.

Jim [:

Fantastic. Well, Rob, our time is done, but I will be trying to convince you to come back from time to time. So thank you ever so much for giving some insight into what you do, the industry, your background, and then the importance. And I think it's a really, really important message that we've given over today. And thank you for listening. The latest edition of Razor Wire. It's always good to get feedback. Please feel free to reach out to us.

Jim [:

You can reach out to us via LinkedIn or through our website, www.rosathorne.com. If you feel that there's something that we should cover, maybe a little bit more in depth, a new topic or something of interest to you or the community at large. Got any recommendations or you want us to interview people, we'll reach out to those individuals. So it'd be great to see what your feedback is. In addition, I do have a book recently come out, the Cyber Sentinels Handbook, a primer for information security professionals. Now, this book is very much geared up towards professionals at all levels of their career, be they starters, be they newcomers, be they people who've been in it for a little while and maybe looking for a little bit more direction, albeit the older ones looking to maybe reground themselves in some of the more important aspects of the trade that maybe they've forgotten over time. I've had lots of good feedback from a lot of different readers of Lodz and different levels, so please feel free to get yourselves a copy. We've got the e copy.

Jim [:

We've also got the paperback copy. And if you don't want to spend any money, you can go on Kindle Unlimited and read the book for free there as well. Thank you ever so much again. Look after yourselves and we'll be seeing you again soon.

About the Podcast

Razorwire Cyber Security
The Podcast For Cyber Security Professionals
Welcome to the Razorwire podcast where we share information, best practices and up to date news in cyber security and infosec.

Our mission is to help you become a better cyber security professional and support our vision of creating an agile community of cyber professionals who are stronger than ever before.

This show is first and foremost about sharing knowledge and benefiting from collaboration. We bring you the advice and wisdom of both your host, James Rees, and his guests to build on the strength and depth of your own knowledge and experience.

Your host James Rees is an information security veteran with over 25 years of industry experience and is the founder of Razorthorn Security, delivering expert security consultancy and testing services on a day to day basis to some of the largest and most influential organisations in the world, including many in the Fortune 500.

The Razorwire podcast is for cyber security professionals looking for new ideas and the drive to improve their response to cyber security events. Through collaboration, we can strengthen our defences.

For more information about us or if you have any questions you would like us to discuss on the podcast email podcast@razorthorn.com or head to www.razorthorn.com

About your host

Matt Cheney

Matt is a podcast & content creation coach with over 17 years of professional experience. He has delivered content for global media platforms, brands, broadcasters, and apps, producing EMMY award-winning music features, BAFTA nominated animations, and iTunes chart-topping podcasts, among other projects. He has edited & mixed over 650 hrs of TV, recorded 10,000 hrs of narration and podcasts, and produced 10,000's of media assets for brands such as BBC, SKY, Nike, O2, Audi, RCA, Amazon, Google.
As the former Head of Audio for Vice Media UK and Rapid Pictures Post Production in London, Matt is well-versed in media and technology, as well as in leading and training creative teams.