Reverse Engineering the Wetware: Understanding Human Behavior to Improve Information Security
#retww

Alexandre Sieira (@AlexandreSieira), CTO @NiddelCorp, Principal @MLSecProject
Matt Hathaway (@TheWay99), Products Leader @Rapid7

Upload: alexandre-sieira

Post on 14-Feb-2017


TRANSCRIPT


Let's Start On A Very Serious Note

Because we are very serious people. Seriously.

People are not rational. More evidence is available at @awardsdarwin if you're still not convinced.

The People-Process-Technology Triad
People define and execute processes. People decide funding, implement, operate and/or monitor the technology. Your adversaries are people.

People are key.

Yes, people. Really.
A lot of humans are needed to keep any organization secure:
- Executive teams: funding (or lack thereof)
- Security teams: build the process, use the technology
- IT teams: implement controls, operate infrastructure
- Security vendors: ummm... perfect people, of course, right?
- The end users: your organization wouldn't exist without them

Blame game achieves nothing
"Executives don't get it."
"It's the shitty tech, not us."
"It's the shitty team, not the tech."
"I took that dumb training, but I want my bonus."

"I did my job" is not an effective approach.

LOVE "you can't patch stupid", but it's inaccurate.

Why do Humans Think Like They Do?
Wetware evolved to meet the survival requirements of a hunter-gatherer lifestyle and threat model:
- Low latency, near-real-time decisions;
- High aversion to loss;
- False positives have a much lower cost than false negatives;
- Social living in small communities where it is easy to keep track of reputations.

... so it is not really surprising to find that these heuristics don't work as well now.

Why do Humans Think Like They Do?
From "The Art of Thinking Security Clearly", RSAC USA 2015 presentation by @apbarros

System 1 operates automatically and quickly, with little or no effort, no sense of voluntary control and no self-awareness.

"System 1 runs the show, that's the one you want to move." (Daniel Kahneman)

System 2 allocates attention to the effortful mental activities that demand it, including complex computations. Its operations are often associated with the subjective experience of agency, choice, and concentration.

InfoSec, Know Thyself

No, not in the biblical sense. Wrong conference.

You Are Not Above Average At Everything
Ever heard of this town? Yeah, me neither.
"...all the women are strong, all the men are good-looking, and all the children are above average." (Garrison Keillor)

"I'm a better than average X."
"I am better than the sysadmin who got pwned at RSA."

If you think you're the best at everything, you're either horribly delusional or just not observant.

Lake Wobegon effect (illusory superiority)

Experts Who Are Actually Amateurs
Successful lawyers of [major law firm]: "I spend all day avoiding traps. No phishing email is going to work on me."

"Some silly finance team wired $1 million to help the CFO close a last-minute deal in China. How could they fall for that?"

Will never forget the discussion with the law firm's director of security.

Fake e-mail from the CEO at Magnolia Health Corporation just a week ago.

Experts Who Are Actually Amateurs

Experts Who Feel Like Amateurs
Can't get through all your email?
In awe of a colleague's knowledge?
Hungover and can't focus?
Feel underqualified and at risk of being exposed at any moment?

Recommended reading: @sroberts' "Imposter Syndrome in DFIR" blog post

Expert biases can certainly go the other way, too.

Expert Reality
If you don't think you can be outwitted, you probably already are.

If you don't ever feel like an imposter, you're not challenging yourself to get better.

This all means you probably have the wrong view of your own expertise, so you have to directly consider that.

Professional Certifications
Can be objectively useful as signals and filters in the professionals / organizations market (information asymmetry);

Getting a certificate causes you to overestimate your own expertise (H/T to @fsmontenegro);

Positive bias towards the vendor and/or other certificate holders: "If I went through the effort of certifying on that vendor's product and I consider myself a good person, then that vendor must be good too";
- Endowment effect;
- Might impact vendor selection and/or hiring processes.

Experiment:
- Allow people to cheat, and they do;
- Ask them to predict future performance, knowing that cheating will not be possible;
- People base their estimate on their cheating performance (75%), not their actual performance (50%);
- A monetary reward for a correct performance estimate made no difference.

More Tired == Less Rational
Tired people are less likely to make rational decisions:
- Less oversight from System 2;
- Less capacity to avoid and resist temptation.

Think IT maintenance windows and DFIR:
- Mandatory down time for the people involved?
- Follow-the-sun teams working on their own mornings?

References:
https://hbr.org/2016/02/dont-make-important-decisions-late-in-the-day
http://sloanreview.mit.edu/article/why-sleep-is-a-strategic-resource/

Ego depletion.

Judges reviewing parole cases: more paroles granted early in the morning and right after lunch.

Social engineering at the end of shifts?

You Will Be Judged Unfairly
Think the team was at fault for the Target/Neiman Marcus breaches?

February 2014: "Hackers Set Off 60,000 Alerts While Bagging Credit Card Data"

December 2014: Lawsuit not dismissed because of "disabling certain security features"

Public judgment with insufficient evidence.

Dan Ariely founded the Center for Advanced Hindsight at Duke University as a joke about this effect.

http://www.bloomberg.com/bw/articles/2014-02-21/neiman-marcus-hackers-set-off-60-000-alerts-while-bagging-credit-card-data

Your Heart Is Not Scientific
Always had a gut feeling about something you couldn't prove?

Know in your heart that every time you got sick, you waited too long?

Maybe you have a specific event which always seems to reveal the truth?

Going with your gut will only justify the quick-to-judge crowd.

Illusion of validity

We Search For Explanations In What We Have
Ever heard an educated person explain that their team only lost because they didn't stick to their ritual?

What if simply checking the hash against VirusTotal was enough to find malware the first time, so you kept doing it?

Illusory correlation

Have you prevented attacks by rebooting the firewall appliance regularly?

Test. Trick. Get Attention. Trigger System 2.
Still not considering phishing your employees? It might be the only way they'll ever think twice.

Incident response exercises seem cheesy? Consider using random data or fake incidents to go further.

To summarize: you need to question everything. Especially your first reaction.

Cheating and Morality

Stop shifting in your seats, not that kind of cheating.

Why do we care?
- How attackers think
- Why IT people bypass security measures

Why and When do Humans Cheat?
Rational humans would cheat when a cost-benefit analysis merited it:
- Personal gain from cheating;
- Chance of being caught;
- Penalty if caught.

Most actual humans cheat when:
- There's a gain for self or others;
- It's possible to justify or rationalize;
- Fudge factor model.

Dan Ariely - Dishonesty
Distance makes cheating easier to justify:
Moving the golf ball: hand