
Cultivating the Investigative Mindset: Improving Critical Thinking Skills

BSides Boston · 2020 · 26:33 · 207 views · Published 2020-11
About this talk
Ursula Cowan draws on her background as a police detective and cybersecurity professional to explore how an investigative mindset and critical thinking skills form the foundation for success in cybersecurity careers. The talk covers practical techniques for developing observational skills, gathering and evaluating evidence, and making sound decisions—skills applicable whether entering the field or advancing to specialized roles like red teaming or incident response.
Original YouTube description

The cybersecurity field is booming, with demand for cybersecurity professionals far outpacing supply. This talent shortage has created an industry where pay is high and the options for job seekers are plentiful. However, while job opportunities abound, employers have set a high bar for applicants. In this ever-changing world of cybersecurity, where the threat actors and threat vectors are constantly changing, as are the threats themselves, the ability to look at each event objectively and not just ask "how" but understand the "why" will get to the root of the cause; this is the game-changing skill for cybersecurity experts. Ursula Cowan, Senior Threat Research Analyst at Verodin (a FireEye Company), will explore the concept of an investigative mindset and explain why this is the key factor in starting and growing a career in cybersecurity. Ursula's background as a cybersecurity professional and former police detective investigating cybercrime, child death, and online exploitation, coupled with a degree in Applied Psychology and a Master's degree in Digital Forensics, gives her a unique perspective into the science of how the brain works. Ursula used this insight to develop practical and actionable ways to increase critical thinking that apply specifically to cybersecurity careers. In this session, attendees will learn how to exercise their brains just like they would a muscle to grow and improve their efficacy in a career in cybersecurity. Additionally, attendees will walk away with specific techniques to train their brain to think critically and outside the box, and to use these critical thinking skills to further their capability to solve increasingly complex problems in the world of cybersecurity.
Transcript [en]

Good morning everyone. I hope that everybody's doing great this morning. I am super, super excited to talk to everybody about this topic. So yeah, welcome everybody. My presentation is called Cultivating the Investigative Mindset, and we're going to talk about improving our critical thinking skills to start or further a career in cybersecurity. This is something that's super near and dear to my heart. I have a weird, crazy background that I'm going to discuss a little bit, and that just kind of helped me to, you know, become somebody that can actually talk about critical thinking.

So first and foremost, who am I? I'm a mom. I have two boys, 20 and two, and that is not a typo or a misspeak: I have a 20-year-old and a two-year-old. You can see my two-year-old here. He is definitely my little critical thinker; in my house we call him Bubs. So other than Bubs, what qualifies me to talk about this? Well, I have kind of a hodgepodge of training and experience. I started off as a police officer and police detective. I have degrees in applied psychology and a master's in forensics. I started as a police officer, I became a detective, and I did that for 11 years. I investigated special victims crimes, and I did a dual role of being a regular investigator as well as a computer forensics investigator. So the types of crimes that I investigated were all the stuff nobody likes to ever talk about: I did sex crimes, child abuse, child death, those kinds of stuff. And then I got into doing online exploitation, and that's kind of what led me into the computer forensics field, which then led me into network forensics and cybersecurity.

So I think it's important for everybody to understand that everything is an investigation, right? Whether you're trying to get into red teaming or blue teaming, everything in cybersecurity really is an investigation. And so we're going to come back to this, but that's such an important thing to think of: all of what we're doing and what we're trying to do, it doesn't matter what we're doing, when we're problem solving we're trying to figure out our ways to think critically to get the job done the best way possible. Every investigation or job can be, you know, half-assed and still completed, or we can complete it well. I threw up just a little bit of my educational background. I mentioned I have a degree in applied psychology, I was trained by the Secret Service in forensics, and then I have a master's degree from the University of Florida in digital forensics. So what are we going to talk about today? Well...

Hi Ursula, I'm so sorry to interrupt you. Originally we were sharing your screen beautifully and we saw everything, but now it's just a white slide, and I don't imagine that that is intended.

Interesting. I see it says paused. Nothing's coming up. No, I don't... maybe I clicked something. Hold on, let's try. So it's a sharing and pause. Hold on, let's click on the things, let's see if we can unpause it. How about, can you stop sharing my screen and then reshare? Like, can you take presenter away from me and give it back?

That is a great idea, let's see if we can do that.

One would think it would be super simple.

Oh whoops, so now I've killed your camera but I haven't killed your presenter. So let's see, what is this here? How about now? There we go, now I can see your lovely face once again. Okay, and are you able to no longer see the white screen? So that's good. Oh, but now I see you're sharing, but unfortunately it is... is it still white? Yeah. Gosh, okay. How about let's do this: I'm just going to share my background. Let me figure out where the sharing is, how I share. And by the way everyone, we are so sorry about this, thank you for your patience. Okay, I'm going to stop sharing the screen now. I'm going to show... all right, well... oh yeah, PowerPoint. What about now? Yes, beautiful. "What is critical thinking", awesome. Okay, what are we... okay, I'm shutting up, thank you so much. Awesome, thank you.

So, all right, so what are we going to talk about? We're going to talk about what an investigative mindset is, we're going to talk about... hold on, how many of you can... can you all see that everything's there? I'm trying to pull up my notes in the back. Okay, that's what's happening. Give me one second. Okay, here we go. All right, thanks everybody for being so patient. I know how irritating this can be sometimes. I think this new way of learning still has a curve for some of us.

Okay, so what are we going to learn? We're going to talk about what an investigative mindset is. We're going to talk about how it's useful, whether you are just trying to get into cybersecurity or even IT in general, or if you're currently in cyber or you're an IT person and you want to increase your skills to move into a different cyber role that uses different technical abilities or whatever. We're going to talk about the fundamental components of critical thinking, and then we're going to talk about applicable, actionable ways that we can increase our critical thinking.

So what is critical thinking? I'm not going to read this to you guys. I do think this is a great description of what critical thinking is. It's a little wordy, and so we're going to break this down, right? This is great, but words like "synthesizing"... we're going to break this down to make it just a little bit easier.

All right, so when we're talking about critical thinking or an investigative mindset, the first thing we have to do is figure out where we're going. What are we trying to figure out? So we have a problem and we're trying to figure out a solution to it. So the first thing we need to do is kind of figure out what's our end game, what are we trying to do here. Investigations are multifaceted, which means that they're challenges that are going to require different approaches to each situation, and so we have to learn to think outside the box and think around that. I just love this quote: critical thinking is just deliberately and systematically processing information so that we can make better decisions. That, I think, is key, right? What are we doing here? A lot of the stuff that we're going to do in cybersecurity is we're trying to fix a problem, and then we need to make a decision on what we're going to do and how to best fix that problem.

So we have a couple of different types of thinking that I want to talk about first. Everybody has a way that they think; our brains are all different, so no approach is going to be the same for every person, right? So we've got these three ways of thinking. The two main ways are divergent thinking, which uses your imagination, and you can think of this as looking at all the possibilities of a problem, all the different possibilities of how we can approach that problem. Convergent thinking is when we use facts and figures to find a solution for that problem. And lateral thinking is what we're going to work mostly on today, which is thinking outside the box, and it's using both divergent thinking and convergent thinking. So you're probably sitting there thinking, I already know which one I am, right? A lot of us, I think, in this realm are convergent thinkers, where we use logic and we use numbers and we use... if you hear my little Bubs in the background, I apologize, he likes to scream and yell and talk. But so a lot of us are convergent thinkers, and it's hard sometimes to increase our divergent thinking. Like anything else, right, like a muscle, the more that you do something, the better you're going to be at it. And so if you are a convergent thinker but you want to better think laterally, then we're going to try and increase your divergent thinking, and we're going to talk about ways to do that.

So first and foremost, the thing we need to figure out and realize is that we always have to think outside the box. And here you see my little Bubs starting in the box, and he's getting out of the box because he knows that as well: always looking in different directions.

So we're going to talk about some of the fundamental components of critical thinking. The first thing that we want to do is identify the problem. We need to understand all the sides of a problem in order for us to best figure out how to fix that problem, right? That makes sense. And sometimes you may know just a little bit of the problem; you don't necessarily need to know all of it, right? We just need to know what we need to know for our portion of it, and we're going to talk about different ways that we're going to get through each of these.

The second component is gathering information. So what are we doing here? We're asking questions. We may not know how our Exchange server works, because everything is configured differently at every place, right? And you might work in the SOC and have no need to know every single component of how your Exchange server works, but you need to know enough so that you know what you need to do in order to mitigate a phishing threat. So, gathering information about whatever the problem is. Or it may not be a problem necessarily; it may just be that we have a target that we're trying to get done, right? And if you're wanting to get into red teaming, it could just be that you're trying to figure out how are we going to breach this network, how are we going to get in over here, and, like, I found something that might work. So you're gathering as much information as you can about whatever... we're going to call it a problem for now, but whatever your problem is that you're trying to solve.

We want to evaluate the evidence. So gathering information isn't just asking questions; it's also gathering any logs, it's gathering any physical evidence that we can use as well as non-physical evidence. And then once we gather all of that, we need to evaluate it. We need to look through it, we need to decide what evidence is going to be relevant, what's not going to be relevant, and we want to see what it is showing us. Once we've been able to wrap our head around the problem, and then we get all our information together, we evaluate what we have, right? And some of these things are happening, you know, they're overlapping and they're happening in conjunction with one another. You're not just going to gather your information and not look at it until you're like, okay, now the next step. It doesn't work like that, right? We're going to do all of these things blended together.

As you're gathering the information and as you're evaluating the evidence, you're considering solutions. You're considering what's going on and what the actual issues here may be, and that's kind of part of that divergent thinking that we talked about, which is you are coming up with all of the different possibilities that may be. And so we want to make sure, as we're going through these, we're considering all of our possibilities. Don't ever think or consider that you're right at any point. I like to say you can always think that you're missing something, because that's how we're going to make sure that we cover everything and get the most complete job done.

Lastly, we're going to choose and implement. So we're going to choose the solutions that we think best fit the problem or issue at hand. So that might be pulling emails from people's boxes and blocking email addresses once we've realized that we have an actual malicious email coming in. We may need to do something that's more drastic or less drastic, so it really just depends on what's going on. Like if we have phishing emails coming in from, say, a Gmail account, we may not want to block all of Gmail. I mean, you might want to if you're working in a SOC, because it can be irritating, but yeah, we're not going to do that.

So we've got some different sources that we're going to get this information from. Observation. Observation is huge, and learning to be very observant and learning to find the fine details is a skill that I believe is critical when it comes to cybersecurity, and really I would say in IT in general, because when you can hone in on the fine details, you're going to figure out either what you missed or the little things that you pick out. Sometimes those little teeny tiny things are the things that are able to completely open up a problem for you, so that you're able to figure out now what our next steps need to be.

Experience. I say experience is huge, because you're going to be like, oh, there was that one time that this happened, and let me see if this applies here in this situation. And that's the key: let me see. It's that old adage of trust but verify, right? We want to make sure that no matter what conclusions we come to, just because everything looks like that's it, it probably is it. In my experience, if it looks like a duck and acts like a duck, it's probably a duck, but if it meows at you, you might want to reevaluate what you were thinking.

Which comes back to reflection. So we want to reflect back on everything that we've gathered and everything we've evaluated, and we want to reflect; we don't want to make super quick decisions. There's almost nothing in cybersecurity that needs to be done right this second. We always have five minutes, 10 minutes, even an hour, because as long as we are doing as much as we can, there's always time for a little bit of reflection before you, say, pull all of the sent emails out of your CEO's inbox, right?

Reasoning kind of goes in the same thing, right? We want to make sure that we're making sound decisions, and sometimes you should be bouncing ideas off of your co-workers, because they're going to have different experiences than you do. Cybersecurity is so vast, and when I got into it I was intimidated by the amount of knowledge that is out there that I don't know, right? And there's going to be lots that you don't know, and that's okay, and that's normal. You're going to meet people who have been doing this, computers, IT, programming, cyber, for the last 20 years. Those people have a mountain of experience. But what I've also noticed is that for people who have 20 years of experience, sometimes you might get an intern in who's still working on their bachelor's degree, and they come in and they go, have you thought about this? And your brain blows up and you go, oh my gosh, I didn't even think about that. So everybody's experience is valid and valuable.

Communication obviously is key. Like I was mentioning, talk to people. And I even say, for communication, not only when you're thinking through problems, but it's really good to make sure you communicate well with the people that are around you. So I kind of mentioned the Exchange server people. As a SOC analyst (I kind of forgot to mention that earlier; I was a SOC analyst when I first got into cybersecurity), I made friends with everybody, because you never know who you're going to need when the stuff hits the fan, right? And so it's been super valuable to me to go and meet those people, and then when I have time and I'm just working on something and something pops in my head, I can pick their brains and say, hey, I'm curious, how does this work? How does DNS with our Exchange server work? And understanding how those things work helps you understand how things break and then how you can fix them.

So, some concepts that are really important. Don't take anything at face value. Do not absolutely assume that what you see is what you get, because sometimes things just aren't what they seem at first. So that's that trust but verify concept that I mentioned. So the next thing is we want to consider motive. When we consider the motive of what's going on, like, what is this threat actor trying to do? Or what am I trying to do as a red teamer, or what am I looking for? It's not just about getting in, it's about getting around. And so what is it that we're looking for, what is it that we're trying to accomplish?

I cannot stress enough: research. That goes back to asking questions, and don't forget that Google is your friend. Half of cybersecurity is honestly figuring out the right Google search terms, right? If I'm looking for one thing, I might search it and not find the answer, but if I google it a different way, I might find the answer. We're in such an awesome place right now where most people have probably had whatever problem you're having; they have probably come up with a solution from some other person. So definitely don't discount anything. Don't think, oh, why didn't I... because I can't tell you how many times I think, I don't even think to search that.

Ask questions. You don't need to know all parts of the infrastructure to determine what to do in a phishing email case, right? But we do need to understand the key components. So ask questions to wrap your brain around what is actually happening here. Understand the ins and outs of what is important in your situation. So, like I mentioned, I keep mentioning the Exchange server just because I worked with them a lot. But yeah, make sure that we're asking a ton of questions.

Don't assume anything. So I mentioned earlier, don't assume you're right. You know what, don't assume anything. There's a reason that my Bubs, that we saw earlier, checks the child locks on everything in the kitchen a couple of times a day: it's because sometimes I leave it open, right? And he knows that it's not always going to be the same every single time. Configurations change. You may not know it because you might not be part of that team that changed something. We may have left some port open that used to be closed, and so don't assume that just because something was the way that it was before, that it is that way now. And I'm going to go back real quick to the don't assume: this gets seasoned people sometimes too, so don't think, oh, I messed that up because I made this assumption. That gets everybody.

Break it down into bite-sized, manageable pieces, especially if the problem is large and multifaceted. Like if you think APT, advanced persistent threat actors, if you think they're in your network, this isn't going to be a one-hour type of case where we bing bang boom and now the APT is out of our network. No, that's going to be super, super multifaceted. You're going to be using different departments, you may be calling in different agencies to assist you with IR, but whatever it is, it's not going to be a one-day affair, and you're going to need to break everything down into manageable pieces.

Try to keep it simple. Make sure that whatever your problem is, again, you're breaking it down, you're simplifying things. What I do currently, I am a threat research analyst with Mandiant Security Validation, and it was formerly Verodin for those who are familiar with Verodin, and what we do is we break down TTPs, or tactics, techniques and procedures, into their basic form and their basic behaviors, and we use those in our platform. Keeping it simple is so important to make sure that you're not missing any part of the puzzle.

And then again, reevaluate. As I mentioned before, don't assume you're right. Let the evidence tell you what's going on and where you need to go next. Try not to get ahead of yourself, and always, always, always reevaluate your findings before you make decisions you might regret. If you're about to make a decision to do something pretty intense, like pulling a ton of emails from people or blocking an entire email domain, sometimes you have to do that, sometimes that is the answer, but before you go doing major things, you want to make sure that everything else aligns. Maybe talk to some people.

All right, so we're going to talk about some applicable ways that we can increase our skills. Okay, so I know that this one may seem silly and seems super basic, but reading. So this is the most obvious way, right, of increasing our knowledge, but what you may not know is that reading actually increases your brain power, because reading requires critical thinking. You have to observe the words, you're interpreting the words, you're evaluating them for meaning, you're assigning a meaning to them. And personally what I like to do is combine books and videos. So I'm a pretty visual learner, but what I find is that books make my brain work in a little bit different way, and so I try to combine the two, where I will watch a video and then read, or vice versa. Usually I watch the video first, then I read, and reading really will solidify those concepts in my mind.

Practice thinking on your feet. I think this is such a cool skill that people need to try. So essentially what you do is you create a short presentation on a topic that you find interesting. Make it interesting, because if you don't find it interesting, nobody else will. So you want to find a trusted friend or colleague to be your audience, and you want to ask them to pose questions to you and challenge your facts or ideas. What this does is it helps you to work on coming up with quick ideas and quick answers as you're standing there in front of somebody. This is great for when you have to answer to a C-level about something going on in your network, and if you're the type of person who flusters easily, but you're smart, you have the answer in your brain but you can't get it out of your mouth quick enough because you get flustered, then practicing thinking on your feet is actually going to help you with that.

So, presenting ideas and information at meetups. Right now we're virtual, which is so awesome; you can go to meetups anywhere in the world, right? I went to Dallas Hackers a few weeks back, and I've been wanting to meet those guys, and so I got to attend a meetup with them. A lot of meetups like Dallas Hackers, they want you to present ideas, and it's for this kind of thing: the more ideas that you present, the better off you're going to be. I know that we're getting really close, so I'm going to kind of zoom through the next couple of things, and I'm going to be in the Discord, fully available for any questions that you guys might have afterwards. So joining public...

Yes, I am so sorry, we actually need to call it right here. I'm so, so sorry. I've been trying to, like, I'm trying to ride this as perfect. Thank you. I love what you were saying, and thank you for being in the Discord, because we'd love to have you there, because I know people are following this and very, very interested in the content you have. And we also have a channel where you can post the slides, if you feel comfortable doing that, to everybody else, or the content.

I will post the slides, you guys, and I'll be over in Discord. Thanks everybody for joining us.

Quick shout out: is there any way that people can get a hold of you outside of Discord that you want to share?

Absolutely. Let me just get us to the end, and you can hit me up at ursula.com at fireeye.com, or you can hit me up on Twitter at ush1c, and I do try to respond to all of my messages there, so anybody can get me at either one of those two locations.

Brilliant. Thank you again, Ursula, and don't worry about having to close anything; I'll take care of it all for you.

Okay, thanks you guys.