
BSidesCincy 2017 Live Stream

BSides Cincinnati · 2017 · 1:48:07 · 173 views · Published 2017-05
Category: Community
Transcript [en]

Check. Ooh, that's loud.

- Everyone's on the podium. - And you're getting audio feed from both of those? - Yeah so I'm holding just the microphones basically. - Easy enough. - And that's on for you. If for any reason you need to mute this, it's the red button.


Yeah, were you looking for me? No. Oh, okay. Nope. I got your cell from my dude, so. If I could turn off the spot. It's a movie theater, right? There's not typically much of a need. Well, hopefully when Jesse gets here with the spot, that'll help there. That splits the difference. Yeah. Let me swap. We'll have a spot on the podium. You do video around. I was trying to, yeah, so we're trying to get back to, there we go, that's what I was looking for. Project now, project now, that's what we wanted. Okay, so that looks pretty bright and viewable, I think. Yeah. - Hey, maybe, oh, that works, this works, yeah.

Check one three five seven check. - Right, oh, so the red button is on. So red button is not mute, red button is on. Red button is on. I don't believe that. Red button is on. It switches.

- All right, everybody. Hey, I want to give you guys a couple of notes about today. So thanks for coming out. My name is Justin. I'm on the organizing committee for BSides Cincinnati. This is our fourth year. This is pretty rad. Sold out again, and so we're looking forward to a lot of fun today, a lot of good speakers, good beer, CTF. Yeah, so you know why we do BSides. Our goal here is to showcase talent. There is a ton of InfoSec talent in this region, and it's been one of the coolest things to see those folks kind of come out of the woodwork in the last couple of years and talk about their research, talk about case studies, tools that they've built, stuff that they've seen, just share knowledge with the community. We've seen some great how-tos. We've seen just great knowledge dumps, good wisdom and best practices. So we're really excited, and we're excited to have all of you here participating and being part of it. Hopefully you'll think maybe about speaking in the future again. This is a great place to get started. It's pretty low pressure. So I think if you've never spoken before and you're thinking, "Yeah, I don't know if I could do it. I don't know. It'd just

be a little tough. I'd be scared. I'd look dumb." We all look dumb. I'm going to look like an idiot all day. All the speakers up here have done that at one point or another. So you are welcome to give it a shot. We've got a couple of first-time speakers, I think, today, and I'm really excited to have them here. So here's where we are, and it's a little tough to see because this screen is bright because it's a movie theater screen. It's supposed to be. You are in Tangeman University Center, the student union of the University of Cincinnati. Those of you who are from the area may be familiar with it. Those of you

who are not, you're kind of dead smack in the middle of West Campus. Just a couple of key areas that you want to be aware of. So Main Street Cinema is where we are right now. All the area around it is kind of the food court. Kind of around the back corner, so behind this wall right here, is where we're doing CTF, which I'll talk about in a minute. There are also restrooms way towards that end. So if you're looking for a restroom today, on this floor they are down at that end in a little hallway in the back. You'll see some vending machines; it's around that way. Man, that slide is terrible. Goodness. Yeah, so that's the first floor. The floor below, well, technically the floor out those doors, right around the corner, is the Catskeller Pub. And if you want to go, you know, get some drinks, hang out a little bit, have side conversations, meet up with folks, you can go do that in there, and you won't miss talks, because we're streaming. So the live stream is on YouTube right now, the whole day. Red and Black Productions, these fine folks here, Bevan and Jesse, thanks, guys, for streaming today. They are handling the live stream. It is going out, and you can watch it next door in the bar.

Just a couple of notes. We know that you were here and got a ticket because you got a badge, so wear your badge all day, if you could, please. It will double as a nice coaster once you take it out, if that's your thing. Not messing up tables or whatever, I guess. Be cool. Just be cool to people while you're here. I mean, we're here for the same reason. We've never had any beef at this place. This event has always been, you know, peaceful and cool, and everybody's, you know, treating each other really well, and I don't expect any different from this year, so thank you, guys. We will be checking IDs at the door. You got a couple of drink tickets; you can use those for adult beverages. If you're 21, they will ask you to prove it, and you'll get a wristband next door. I don't think a ton of folks here are underage, but we have some students and family. So yeah, then go get yourself a wristband. UC's a non-smoking campus. That's a new thing this year, so if you're looking to smoke up, I guess you gotta do it somewhere else. You can walk a block or so that way and get off campus. It's not too far, but I don't think that's gonna be a huge problem for folks.

Our schedule for the day. Again, you know, we have talks going all day. We'll have a noon break for lunch. Lunch will be in Catskeller. We're having a baked potato bar. You can get some beverages with your... there's some, I think they'll have iced tea and water, but you can get other beverages with your drink tickets. And yeah, you know, we're looking forward to seeing this fantastic lineup all day. I think we've got, like I said, some new folks, some folks that have come in from out of the area, including Chris, our keynote speaker. So we're grateful for them coming out. We'll be done at 6. And just so everybody knows, FC Cincinnati, the soccer team, is going to be playing next door. And that game is going to start at like 7. And so it's going to get pretty rowdy, I think. You know, as you do

at a football or football, well, football game, sure. That's whatever the weird people call it. You can expect that there's gonna be a ton of people coming in and out, so just be aware of it. It shouldn't cause a problem. Actually, go watch a soccer game after you're done if you want. It's a pretty sweet event. That team is interesting and it's a good crowd, so. I mentioned lunch; it's next door. You can eat in here. Um, just be careful, man. Like, it's baked potato, right? Things fall off, I guess. Yeah, something to keep in mind. Um, but yeah, you're welcome to kind of, you know, grab lunch and take it anywhere.

Capture the flag is new this year. We're excited to introduce this. We've been wanting to do this for a while, and so I'm really excited to have CTF, which will start at 10 a.m. Again, if you want to play, it's around the corner in the food court area. You'll see a giant TV screen on the wall. It's right underneath that. And yeah, come out. The whole event has been built this year by Nate Fair, one of the guys from the team, and his crew. He got a couple volunteers together and put together all the challenges and the infrastructure, and so it should be a really good time. If you've never done capture the flag before, I really encourage you to check it out. Again, it's an opportunity to test your skills, to learn some new stuff, to try some new stuff. Maybe try exploits against targets that you've never messed with before, or sit with people that you've never met and make some new friends and hack together. So again, if you've never done CTF, it's a great place to start, because there's a couple of really good kind of first-level challenges that will really facilitate people that are just getting their feet wet with it. And there's some challenges that are a little tougher. There's also some jeopardy and some trivia and some things that are not necessarily technical, if you are not necessarily technical. Maybe if you came along with somebody that does this for a living and you don't, and you wanna still participate, head on over. They got some stuff for you. There's some different challenges and categories of stuff that you can try.

A couple of rules about CTF; I'm just gonna throw these out from up front. Again, if there are teams... hey, that's handy, luminous glow. You can totally play as a team, just be cool and stay within your team. If you get a giant force of teams collaborating, I don't know, maybe that makes one big team. Just be cool. I don't think the goal out there is to stomp everybody else; the goal out there is just to have a good time and try to win. Again, don't try to break the stuff. Please be gentle with the infrastructure. I'm pretty sure a stiff breeze could knock it over at this point, so yeah, be cool with it. If you find something that isn't supposed to be there, like it's an exploit or vulnerability that doesn't lead to a flag, and you're like, this looks really bad, this could take something out, go grab Nate or one of the guys in a black shirt and let us know. We'd appreciate that. Yeah, don't run a denial of service against the infrastructure. That's pretty standard stuff. Again, the group of folks that put this together, you know, again, they're all volunteers. All of us that have done this are all volunteers, and so we're grateful to them; they've worked really hard for the last few months to build this thing for us.

I mentioned Red and Black, the UC in-house video crew, is doing streaming for us today, so we're really excited about that. You can watch the stream from there or just go to bsidesensee.org or the YouTube channel or our Twitter page or any of that stuff. The stream link's there if you want to pass it to friends and say, hey, this is where I am today, check it out. You may have seen wireless on campus. It's UC Guest. There's some instructions to follow, but it's pretty straightforward once you

get in and sign in and all that stuff. One thing you'll notice is that it may drop you from that authenticated session here and there during the day. Just log back in. It's kind of a pain, but you'll live with it. It's decently fast, I think.

Our sponsors. Again, this whole thing operates on volunteer energy and sponsorship from local businesses, and, you know, we could not be more grateful. Integral Defense is a new sponsor for this year. We're excited to have them. We've got a couple of their employees attending as well. GE Aviation, our oldest sponsor, yes, indeed. These guys have supported us in a huge way since day one, and they really believe in InfoSec and in the community. So we're happy to have them. Morphic Defense is in the house, another sponsor that's been here since day one, as is CBTS, my employer, and No Starch Press. So we've got some books to give away from No Starch, including one of the books written by our keynote speaker, Practical Packet Analysis, and I've been told that Chris may sign them, but he gets to sign whatever he wants. So, you know, your mileage may vary. We're going to give those away at CTF. And so if you want to get Chris's book or any of the other books that we've got that were donated by No Starch, go play CTF, and we'll hand those out.

If you have questions, all the volunteers are wearing black shirts. So not just anybody in a black shirt. Like, Reeves is wearing a black Star Wars shirt, but you can... Actually, you can ask him questions. Just direct all questions to Mike Reeves right here. He'll answer all of them for you. Now, folks like me, Greg is up in the back. Say, hey, Greg. We are wearing black BSides shirts. Come and talk to us if you have questions or anything like that during the day. We'll send you a survey after the event's over. We'd love your feedback on how you felt the year went. And yeah, other than that, if you have something you want to send to us during the day, or, you know, questions or something like that, if something immediate is going on but you're like, I don't want to talk to somebody face to face, that's totally fine. Email bsidesensee@gmail.com and we'll get it and we'll check it out, and as well, obviously, after the event's over, any questions from anybody. All right, cool. Well, we'll get started here in about 15 minutes with our keynote speaker, so hang out and have fun.

If it can go higher maybe that's the ticket. I'm making sure that you don't have a big black mark on your chest. Okay. Right? I think that covers it. That's good because then it's not in your eyes when you're looking up that way as much. Okay.

I'm plugging in right now. Is there a wireless mic or something? I think all we have are the handhelds. Okay. So they'll all work if you want to. Okay. I may stay for a little bit more, then I'll start with that. That's just fine. Yeah, so there was a... So this guy right here? No, it's not that guy. This is your... Okay. Here you go. Okay.

Yeah.

- You all in there, you all set? - I think so. - Okay. - Mic on, mic on. - Check, check, check, check. - Testing. - Check, check. - Oh, it was on. Oh, that was this one. - There we go. - All right, that worked. I'll just start this one here. You got a couple minutes? Yeah. Get you anything while you're... I'm good. Okay. Hey, Justin, are you gonna give me a signal? Five dollars.

Thank you. Some of their other parents have been here. Yeah. Yeah. Yeah. - Yeah. All right. All right, let's do the little intro.

All right, y'all. I would like to introduce our keynote speaker. Yeah, uh-huh, uh-huh. So we got Mr. Chris Sanders. He's an author, he's a trainer, he's a researcher, he's a business owner. He founded Applied Network Defense, which is focused on delivering high-quality, accessible information security content, and he's also worked for the Department of Defense, for InGuardians, for Mandiant, and is also the founder and director of the Rural Technology Fund, which is the charity we're supporting this year with all of your ticket sales. So thank you guys very much for buying tickets, because every cent of it goes to the Rural Technology Fund, which is a nonprofit that donates sponsorships and equipment to public schools to really kind of further, you know, technical education, especially in rural areas and impoverished areas that wouldn't be able to get to it otherwise. So, you know, we're very excited to be able to support them this year. Chris has authored... yeah, give it up. So if you're counting, that's $2,000 from 200 ticket sales. So yeah, so Chris has authored tons of books and articles and training courses, including Practical Packet Analysis, which is a fantastic read. If you've ever opened Wireshark in your life, if you've ever looked at a PCAP, you absolutely need to read this book. It is phenomenal. So again, we're very excited to have him as our keynote, Chris Sanders.

Thank you. Well, thanks for the great introduction. I want to take a moment and thank the organizers of the conference. As a matter of fact, can we have another round of applause for all the organizers and all the great work they've done? I never knew just how hard it was to create one of these conferences and make them successful until... I haven't done it myself, but until I've been good friends with folks who have done it and seen the stress and the worry and all the work that goes into it. So big thanks to those guys. Now, before we get started, I'm actually going to give away this copy of Practical Packet Analysis. It is signed. It is signed in hexadecimal, so you have to decode it, but that's half the fun. So I have a trivia question, and it's a sports trivia question. So basically the first hand I see... I know we're at a computer conference and I'm asking a sports question, so that's kind of tricky. The answer is not University of Kentucky, but go Wildcats. So the coach of the University of Cincinnati basketball team is, and this is not the question, but is, somebody yell it out, Mick Cronin. I believe, well, name the school where Mick Cronin really kind of got well known for taking a team to the tournament and deserved to go there. I saw you right there. Murray State University, my

alma mater, so you went... come on down. We kind of wish we could have kept him, but y'all got him. All right, I'm going to move over here now.

So does anybody know what movie this is from? Alice in Wonderland. Have any of you seen the cartoon version, this much older version? I think it's from well before I was alive. Most of you have kids; your kids have probably seen it. And if you haven't seen it, right, the premise is pretty simple. It's this girl, Alice, who sees a bunny hopping around. The bunny heads down this rabbit hole. She peers down into the rabbit hole, decides, hey, this could be fun, and hops down the rabbit hole, and then has this really fantastical adventure where she meets the Mad Hatter and the Cheshire Cat, and all kinds of hilarious and interesting things happen. And I want to focus on this scene right here, because I think this scene is particularly interesting, where Alice is peering down the rabbit hole, because this is really the critical point in the story, and it happens really, really early on. She's peering down the rabbit hole and she has to make a decision: do I go down the rabbit hole? And what made her make that decision? What was the one kind of trait that was in her that made her decide this is something I should do? And you might say stupidity, if this is real life and you're going down a real gigantic rabbit hole that could hold any number of evil things. But for our purposes, I think the answer is curiosity.

So I'm going to talk a little bit about curiosity today. And I think I see we have a pretty wide range of ages here. So I assume we have a lot of people who are maybe very new to the field, some people who are maybe interested in getting into security and they're not in security quite yet. So we have, I think, a lot of diversity. So this is not a technical talk. I'm not gonna talk bits and bytes. I'm gonna talk about traits and skills and a little bit of psychology and how you can utilize that to better yourself in this field and essentially learn better. Our field is all about learning: learning to get into it, learning while you're in it. Even investigations are, in a sense, learning what happened, what sequence of events occurred. So we're gonna talk about those things. And I took the title from the... I don't believe it's in the movie, but it is definitely in the book: Curiouser and Curiouser. So we're gonna talk about curiosity, why it matters, a little bit about how it's made up, how it's comprised, break it into some different component parts. And we're gonna talk about strategies for being more curious, whether that's yourself, because I think that's really the X factor that makes someone good at what they do in security, or, if you manage a team, helping make them more curious and facilitating an environment of curiosity.

I got a really great introduction from Justin; I'm not gonna spend too much time talking about myself. I'm from a little town in western Kentucky called Mayfield. That's actually the town there, that's the whole thing, there's not much. You can't see it, there's like a... we got our Walmart back there, and there's a few traffic lights, and there's a McDonald's, and all those things you'd expect to see in

far western Kentucky. I do run a company called Applied Network Defense, but I actually wanna talk more about the Rural Technology Fund, and I'm just gonna spend a couple minutes on this, because that's what this conference is supporting. I'm from an incredibly rural area where there wasn't much for me, a kid growing up who was interested in technology and wanted to pursue those jobs. I was very fortunate to be able to have some success at that thanks to some teachers who really cared about me, but not everybody has that. So I founded the Rural Technology Fund in 2008 to provide educational resources that really get kids interested in computer science and engineering-related careers. And for those who are already interested, kind of help foster that and give them an advantage when they go into college or into their career. Really talking about the opportunity that technology jobs present: it's life-changing. It can end generational poverty. It did for me and my family, and I think it can do that for a lot of other folks. So we donate things from all spectrums, from kindergarten up through high school level: Arduinos, Raspberry Pis, we build entire maker spaces on occasion, Ozobots, little toy robots that you build and code. Kids don't realize they're coding; they think they're playing a game, but they're actually learning about logic and if-then-else statements and things like that. So it's really cool; they're learning about that stuff without even realizing it. So we donate a lot of those things. We do some scholarships and book donations and some general advocacy as well.

Last year, I'm really proud of this number, we were able to put technology education resources into the hands of 10,000 kids in 30 states, which is super awesome. This year, we're headed to 25,000. That's our goal. We're about halfway there. We're at 12,000. And so with the contribution of this conference, that's really going to help. And one of the cool things we figured out is, for every two dollars that is donated to the Rural Technology Fund, that puts technology education resources into the hands of another kid, and we're able to be very efficient with our money because we donate not just to individual students but to entire classrooms. So we build these resources that are accessible to entire classrooms. So for every $2 donated, that's another kid. So just by virtue of being at this conference, purchasing a ticket, I think there were 200 tickets sold at 10 bucks apiece, that's $2,000. I promise there won't be any more math in this thing. $2,000, $2 apiece, 1,000 kids are gonna benefit from this conference. So that's pretty awesome, right? Yeah, yeah. So, thank you. And I always like to show a couple pictures, because it's nice for me to talk about this, but when I can show this, these are some of the kids who have received our equipment from across the country. I think we have Ohio, Kentucky, Tennessee, and I think Texas represented in this picture. So a lot of stuff going on, so I like to show those pictures when I can.

Okay, to the actual meat of the presentation. And I want to start by talking about why I think this presentation matters. And I want to talk about cognitive crisis, and just kind of a little bit about our field in general and things I've observed from it in the past, from my perspective and through the jobs I've had working both government, public, private sectors

and so on. The benefit of the keynote: it's a little less technical. It's kind of more of a broad, overarching view of things, at least in this case as I see them, and I think several others may as well.

So cognitive crisis, what does that mean? Well, crisis is obviously bad. It's not a good thing. There was a study done by some Kansas State researchers. It's been a few years ago now. They were anthropologists. And so they did what they call an ethnographic study. And ethnography is really the study of culture. So they took some anthropologists from Kansas State and they put them in a functional security operations center. God help their souls. These non-computer people had to hang out in this SOC for a while. And if you've ever been in a SOC for a long time, that can be a very interesting experience if you're not used to it. So they went and they spent a lot of time in this SOC, and they learned about the culture. They listened to people, they talked to people, they saw how people did their jobs, and they wrote a really great report about it. And I'll have the report linked here in a second. But they had some really interesting findings. I think some of the best findings about culture often come from people outside that culture. And so I want to share a couple of those with you here. One of them says that an analyst's job is highly dynamic and requires dealing with constantly evolving threats. So far so good. Doing the job is more art than science. Ad hoc on-the-job training for new analysts is the norm. Okay, that's about right from my experience, but listen to this one. The profession of security is so nascent that the how-tos have not been fully realized, even by the people who have the knowledge. The process required to connect the dots is unclear even to the analyst.

So what does that say? Well, it says, sure, we're maybe very good at what we do, but we're not good at telling other people why we're good at what we do, and that's a big problem. Can you imagine going to talk to your doctor, and you have to have surgery, and you ask him, how are you gonna do this surgery? And he's like, I'm just gonna open you up and find the bad stuff and take it out. I'll figure it out when I get in there. Not a great strategy. So granted, generally life isn't on the line with some of the things we're doing; in some cases it may be. So it's maybe not a perfect comparison. But we have this sense where in security most of the knowledge is tacit; it's not written down. Even the people, and we all know them, right? The people who are really, really good at this stuff, they can't really elaborate or explain that. We have a few folks who are maybe really good at teaching those things, but even the things that we're really good at teaching, like intrusion analysis, the concept of connecting the dots, starting with some type of input, investigating it and determining did something bad happen or not: the process we do that in is very poorly documented, and very few even really good, really high-level SOCs are good at explaining that. I've been in and around a lot of SOCs, and most practitioners simply cannot explain how they do what they do, and that's a problem, and that's entirely limiting to us, because especially if you're new to this field and you want to learn, and someone says the only way for you to learn is to do on-the-job training, so sit and watch me do it, that doesn't work, right? Again, going back to a medical reference, and we're gonna make a lot of medical references in this talk: if you want to be a surgeon, you don't start right off the bat just hopping into surgeries, right, or watching other people do surgeries. You do some of that, right, that's important, but you have a whole lot of training that occurs before you're ever cutting into somebody. So same type of thing here.

Now, one of the ways this plays out, of interest to us, is in career progression. So in terms of how we progress: if you want to get into security, how do you do that? Now, in other fields, it's a lot more clear-cut. If I ask you, how do you get into accounting? Pretty straightforward. You go to college, you probably do some type of apprenticeship, you get your CPA license, perhaps, and then you go into practice. Very straightforward. Most people can identify that path. You want to be a lawyer? A little more complex, but still pretty straightforward. You go to college, you get into law school, you go to law school, you graduate, you go into some sort of apprenticeship, you pass the bar, and then you are a lawyer, and you can practice and do what lawyers do. Even medicine, again, more complicated, but college to medical school, then you go into some type of residency with your specialty, sometimes you go into a more specialized residency, so you may go from a general surgery residency to a cardiac residency of some sort, and then you're in practice. So all those career progressions are pretty straightforward. Now, I spend a lot of time thinking, okay, what does the standard career progression look like for someone who wants to get into security? And I think I diagrammed it pretty well. So that's where we're at, right?

And I host a podcast. It's called Source Code. And what I do in that podcast is I talk to people in this field who I think are generally pretty darn successful. And I basically have them tell me their life story, their source code, their origin story. How did you get into technology? How did you get into computers? What led you into security, and so on? Now, the thing I've learned from that, basically, is that there's no one path. Everybody takes dramatically different paths. For some people, that's college. For some people, it's not. For some people, it's college, but not in computers; it's in something completely different. One of my best friends in the world, he has a physics degree, but he's an excellent security practitioner, although that was not his plan from the start. He just ended up there. So the paths are very, very different.

Now, I want to loop that back into this concept of cognitive crisis. And I looked, and we're not really the only field that's experienced some form of cognitive crisis, right? There are others, and medicine is one of those. I want to talk about that in a minute, but I want to talk about ours first. And there are three factors, really, that I've identified that I think are the things you see that are symptoms of the underlying affliction that is cognitive crisis. One of those is that the demand for expertise greatly outweighs supply. If we have anybody in here who's responsible for hiring people, you probably know this. It's very hard to find people, really, at all ends of the spectrum. Maybe a little less at the entry level now, but the fact that it's hard to get a job as an entry-level person is mostly because we're not good at identifying and finding people at the intermediate and advanced levels. So that creates this kind of tidal wave effect that hurts people trying to get a job at an entry level. Most of the information in the field cannot be trusted or validated. We don't have peer-reviewed journals in our industry, and the ones we do have are 10 years out of date by the time they're published. So most of the information we rely on, where does it exist? Blogs, Twitter. Those things are great, but anybody can publish to them, and there's no way to perfectly vet that information, and even information that's good now may not be good a couple years from now, and there's no information police out there kind of purging old information or citing that it is now out of date and no longer relevant, or that theories in it have been debunked, and so on. So most of the information out there simply cannot be trusted or validated. Finally, we have an inability to mobilize and tackle big systemic issues. Ransomware, that's the big one

right now. Many of you may have had to deal with WannaCry recently. We still haven't solved patching, we still haven't solved SMB warrants, we still haven't solved ransomware and these are big things that are affecting everybody. Ransomware presents a good opportunity for our industry to mobilize and figure some things out and formalize some things but we're not quite there yet. These are examples of information security and cognitive crisis, but there are examples of other fields that do this, and I once again want to go back to medicine. Let's think about medicine not as it is now, but as it was 120 years ago. We think of medicine now, it's really robust. We have a lot

of problems with medicine, but they're not really about the study of medicine itself. It's more about insurance and politics and things that are kind of on the side. But as far as medicine goes, it's a really nice science now. We have this concept of evidence-based medicine where we actually, and this is crazy, we actually have to observe things and have science to prove things. before we make decisions about health care and so on. We didn't always have that. And think about these three things here. Think about demand for expertise. Well, 100 years ago, most towns didn't have doctors, right? Mayfield, Kentucky didn't have a doctor. You had to travel 20, 30 miles down the road

and hope you weren't too sick to be able to make it there. Not only that, the doctors we did have also happened to be your vets and your dentists and your morticians and all that. Most of the information cannot be trusted or validated. Until, I think it was maybe 30 years ago, we believed that if you had a stomach ulcer, you should drink milk. Well, we now know you don't do that. That's the exact wrong thing to do, to drink milk when you have a stomach ulcer. It makes it worse. What is the average temperature of the human body? Does anybody know that? 98.6. Did y'all know that's based on a study that's something

like 60 or 70 years old, and it used technology that was extremely out of date, and that's not actually the standard temperature for a human body? Most people didn't know that. So my wife is actually a physician. She's a family medicine physician, which is where I get a lot of these medical references. She didn't know that. They don't teach that. But that study was done by a guy who was using a thermometer that was really hard to read. It was about that long. He did it under the armpit as opposed to in the mouth, which is where we know you do it generally now, or rectally, but, eh. The average human body temperature is actually a

few tenths of a degree lower. And not only that, it's also a range, and it can fluctuate by as much as a degree at any given point during the day. So with evidence-based medicine, we know that's not necessarily true now, although that hasn't quite permeated society yet. And of course, inability to mobilize and tackle big systemic issues: pick your plague of choice. We have a much better ability to handle things like Ebola now, whereas if we had had Ebola as little as 100 years ago, it probably would have been a much more disastrous thing when it got into this country. So medicine went through a lot of the problems we have in terms of cognitive crisis.

Now, medicine was able to get through them very slowly but very efficiently because obviously lives were on the line, and while lives aren't always on the line with what we're doing, sometimes they certainly are now that we have things like critical infrastructure connected to networks. So, how do you get out of a cognitive crisis? And I say you do that via cognitive revolution. So I looked back and I looked at other fields, I looked at medicine and biology and physics and law and how they got out of their cognitive crisis, and it's really a three-step process at a high level. It's much more complex than this, but if I had to

distill it down to three things, it would be these. One is to understand the process used in your craft, the process you use to draw conclusions. That's what we're all in the business of, drawing conclusions, whether that's a medical diagnosis, a legal case, a scientific research discovery, and so on. Then developing repeatable techniques and methods, and then essentially building training that makes those more teachable, where we're actually teaching people fundamental facts and concepts that they can use to better learn new information, as opposed to just teaching people specific tools and how to do very specific use-case things. So it's underlying fundamental knowledge. So I think that's how we

get out of that, and I think that's why understanding how we think about things is very important. So that's the basis for the rest of the talk. We're gonna talk about curiosity because I think it's one of those very important things. Now, curiosity has a lot of definitions. I know we think in information security we have too many definitions for the one thing. I could probably start a really fierce debate in here right now if I said, what's the definition of threat hunting? We're not gonna do that. But that's not unique to our field either. In psychology, things you would think are very well defined, like intelligence or curiosity, have dozens of

definitions. So I don't want to spend too much time delving into various different definitions, but the definition I want you to think of for our purposes today is the desire to know. So that's all curiosity is, for all intents and purposes, and as we're gonna define it and approach it here, it is the desire to know something. And that can be something at a larger scale, like I wanna know how to be a programmer, or something at a very specific scale: I have this IDS alert and I wanna know whether it's connected to a bad guy. So it's simply the desire to know. Now, curiosity comes from a couple of different places where we've really been able

to gain a deeper understanding of it. The first is developmental psychology. And if you think, many of you probably have kids, and when you think of a small child, a baby, you think about them exploring their world, right? They discover at some point they have hands, and then they want to just look at their hands and touch their fingers and stick their hands in their mouths and do other gross things that babies do, I guess. But they're exploring their world, and that's how they learn. And really, learning in a broader sense as adults is not much more complicated at a fundamental level. We're constantly exploring our world, we're taking in new information,

and we have some type of drive that drives us to continue to do that exploration, and that's generally curiosity. So curiosity is very important from a developmental perspective. Now the other perspective, which is interesting, is the evolutionary perspective. And I have the gator on the screen here because there's a very prolific psychologist by the name of William James in the early 20th century. He wrote a lot of great stuff, did a lot of very important things, but in terms of curiosity, one of the epiphanies he had: he was standing on a riverbank, standing just like I'm standing now, and he saw a gator swimming at an angle towards him. It was coming from a

distance, and he could tell it was a gator. Gators don't have good eyesight, so the gator probably couldn't tell that he was there, that he was a human. Maybe it had never seen a human, who knows? But it was swimming towards him, and William James, for whatever reason, didn't run; he was just standing there. And this gator swam towards him, and he's standing looking at it, and then he kind of shifts his weight over. And when he shifts his weight over, that gator sees him and then darts off the other way. It realizes this thing that's standing there is actually alive: I don't know what it is, and I'm scared of it. So

you have this concept of fear, and that's where we really get our understanding of curiosity versus fear, that they are two sides of the same evolutionary coin. Curiosity is what propels us to explore our world, and fear is what is really the check and balance on that. It limits our ability to explore such that there are certain things that we maybe don't need to explore. So the gator is a simplified kind of animal world example, but there are plenty of those in the human world as well. So for our purposes, curiosity is simply the desire to know. And so we're gonna talk about how to break that down into sub components and some things like

that. But I wanna talk about curiosity first as it relates to experience. Because I think most people, if you ask them about experience, will say, well, how do you measure experience? Well, okay, I have five years' experience, 10 years' experience, but is years really the best way to measure experience? I mean, let's take this example. Let's say we have Jack and Diane, two American kids living in the heartland, who happen to be security analysts. Fresh out of college, fresh University of Cincinnati graduates, they get hired into the exact same job; they have the exact same experience in the field. So they get hired in to be security analysts, and then you leave them alone

and come back five years later and you find out, well, Diane has far surpassed Jack in ability. All of her superiors say she's just a much better analyst, she's intensely better at her job. But they both have five years' experience, so what's the difference? Well, I would posit it's curiosity, and that Diane is probably, all things being equal, more curious than Jack, and that allowed her to gain experience at a more favorable rate. Of course, at this point we're not measuring experience simply by years, we're measuring it by the amount of practical knowledge gained for use in the field, and that's a much better way to understand curiosity as it relates to experience. Now, the

thing about curiosity is it changes, right? It goes up and down and up and down, but it really affects the rate at which we gain experience. And I have a couple of charts here, and you can see we have time in the job on the bottom there, and then we have the amount of experience, measured the way I discussed a moment ago, on the vertical axis. So at the top we have someone who I would say has very sustained high curiosity, and this is their career progression. They learn at a really fast rate, and they keep doing that. On the bottom we have the flip side. It's very sustained low curiosity. They're not

very curious. They're not taking in a lot of new information. They're not exploring the world within their domain. And so they're not really gaining a lot of useful knowledge, and they just don't end up at the high level of experience that the other person does. So you would say perhaps that Diane is at the top here and Jack is at the bottom. And you can see those career arcs as such. Now, these aren't entirely realistic arcs in terms of how curiosity affects our experiences. These are probably a little bit more realistic. In the top one we have someone who's just getting into their career and they are very, very curious. And they gain a lot of

experience really quick, but then it kind of levels off. And we've all known folks like this. Life happens: you're very career focused and then maybe you become more family focused, or you take a new job and it's not a great job and it kills your curiosity for a little while, or you just kind of phone it in. We've known folks like that too. So this is a waning curiosity. On the bottom we have the opposite of that, where folks start out with very low curiosity, maybe they're not in the right field, they're not in the right specialty, maybe they're on the blue team side and they decide, they figure out

that the red team is the place for them to be, and then they get on that side and then curiosity really ramps up and they start gaining experience at a whole new level. This is also pretty consistent with what we see with folks who choose technology as a second career, when they get really interested in that and the curiosity is absolutely there. Now, in truth, this is also probably not super realistic. It's maybe realistic on a macro scale, but if you look in, and maybe were to zoom into a year of this, curiosity doesn't look like this or it doesn't look like this. It probably looks like this. Because again, life happens. We

often want to think that our personal life and our professional life are very separate things, but that couldn't be farther from the truth. Everything we do in our personal life psychologically affects our professional life and vice versa. So there's a lot of things that go into that and how curious you are, and we're going to talk about a couple of those here in a second. Now, practically speaking, I see curiosity and experience and the combinations thereof manifest as such. Now, green is obviously good, red is obviously bad. And you'll see the common denominator here is experience doesn't matter in a lot of ways. And if you look on the top right, we have the excels

area. These are the people who are your ideal employees. They have a ton of experience and also very curious. And not only do they have that experience, they're continuing to gain it at a really high rate. That's the ideal place to be. But not everybody starts with experience and that's okay too. So we have that on the top left. Those are the people who are really curious but they have little experience. The good thing is because they're so curious they will gain experience at a much higher rate than others. And these folks are generally jumpy. That's the word I would use. If you're in a SOC environment they're the folks who everything they see looks

malicious and they want to file a ticket on everything. And that's fine. It's not fine if they're working by themselves, because they can't figure out, you know, they don't have someone telling them what's good and what's not. You need strong mentorship in that case. And if you are that mentor, it can get really frustrating. But that's okay. That's why you've got to have a strong will to be able to do that stuff. So those folks are jumpy, and jumpy is a good thing. Jumpy can be channeled. Jumpy can be used. Now, what can't be are people with low curiosity and low experience. Those are your folks who are generally ineffective, because not only do

they not know what is bad and what isn't, they're also not propelled to actually gain that experience at a very quick rate. So those are the folks who are generally ineffective unless you can do something about that curiosity level. And then of course on the other side you have folks who have a ton of experience but their curiosity has fallen off the map for some reason. Again, the folks who maybe have just kind of phoned it in or have other things going on, and they generally tend to be pretty apathetic about the job. That's the best word I would use to describe folks like that. Generally, you want to be in that top

section. You want to be hiring people who are in that top section. At an entry level, you want to be hiring people on the top left, in my experience. Again, from the perspective of someone who's spent a long time hiring people in a SOC environment, curiosity is the number one thing I look for when I'm hiring new folks right out of the field. Now, a lot of people like to talk about passion, you want to hire passionate folks, but generally speaking I don't expect someone who's never had a job in this field to be passionate about it. I don't think that's entirely realistic. How can you be passionate about a job that maybe you don't

fully understand the full scope of? As a manager, I generally believe it's my job to make them passionate about it, and if they're curious I'm much better able to do that. So let's talk about curiosity and a couple of the sub-components of it and define it a little bit. There are a lot of theories about curiosity. Obviously, psychology is a field where there are a lot of things we don't know. The mind is generally the most studied thing in human history, but the least understood. We're getting better at that thanks to medical science and MRI devices and things like that. But one of the more predominant theories about how curiosity works,

and I think the most subscribed to one, is something called information gap theory. Now, with information gap theory, you really have two components. You have what you know, which we call your knowledge point, and you have what you don't know, which is your reference point. And it's your awareness of what you don't know that presents opportunity for curiosity. That's where this gap comes in. So I know what I know and I know what I don't know. And there's a gap between those two things. And that creates essentially deprivation, right? Mental deprivation. It creates a little bit of strife and that I really want to be able to close that gap. Or maybe I do or

maybe I don't. What you're doing is essentially a subconscious gamble, right? You know what knowledge exists out there and you think, okay, here's the effort required to gain that knowledge and here's the value I get out of it, and you make a gamble. If those two things combined mean it's worth it, you're probably going to pursue that knowledge. If they don't, maybe there's no reward for learning it, there's no career benefit, there's no personal benefit, or maybe it's just simply too much work to learn it, then you're probably not going to pursue it, right? And this isn't just information security specific, it's really all walks of life. From an investigation standpoint,

it means you see a weird packet come across the wire and you think, how long is it gonna take me to research this? What's the benefit of doing it? And if all is good, you're gonna do it. Chances are, if that's your job, you're probably gonna do that more often. If something breaks on your car, your alternator breaks and you don't know anything about alternators, well, you could probably figure it out and probably figure out how to fix it. But is it worth it to you to spend that effort and go through the pain of gaining that knowledge? And is there a great benefit to it? How often are you gonna have to replace an

alternator? Maybe not often, maybe it's not worth it. So you have this concept of reward and disappointment, and reward and disappointment are kind of moving targets. A lot of things have very clear rewards. Like for our career, a lot of us started out playing video games. Video games are great because they have a very clear reward system: you get achievements along the way, there's a final boss you beat, and you get the pride of doing what you've done. But there's also the concept of disappointment, and we often do things from a curiosity perspective where we're satiating our curiosity but we almost never get rewards. And one I think of that applies to me is

I work from home, so my office is at home, so one of the bright shining moments of my day, when I get a little bit of sunlight, is when I go out to check the mail. Some of you probably work from home and you probably notice; I see a lot of heads shaking on the front row. So I get really excited when the mail comes. My window looks out at the front, I see the mail truck and I just scamper out there. And it was very funny when I first got married, my wife came home one day from work and she brought in the mail and I was like, what are you doing? Why would

you take my joy away? So she doesn't get the mail anymore. But nonetheless, that's the thing, is I get really excited about the mail because there's curiosity. You know, I know the things I know, I don't know what's in that mailbox, and there's a gap there, and I go out and check it every day very excited. Now, unfortunately, nine times out of ten or more, there's nothing exciting in the mailbox. It's bills, it's junk, it's what have you. I don't get a lot of mail, I guess. You can all write me letters, I guess that'd be great. I don't get a lot of mail, so that's one of those things where I'm constantly disappointed virtually

every day, but I'm still satiating my curiosity. It's probably because the effort's really low, right? And there are benefits: I get to go outside, get some fresh air, take the dog with me sometimes, et cetera. So it's again a two-factor thing. It's the reward that comes with it as well as the amount of effort, and it's the interplay between those things. So that's how information gap theory essentially works. Now, there's also an interesting concept of knowing what you don't know, and what we see over the course of a career, especially in fields like ours, is if you've been in it for a while you know that the amount of

knowledge out there is vast and more than you'll ever be able to consume. A lot of people come into this field saying, I want to know everything there is to know about security, and as most of us know that's virtually impossible, because it's such a diversified field with so many different specialties within it. So you kind of get that knowledge as you go along, and this picture represents that, where when you start in this field as a novice, your knowledge point, which is what you know, and your reference point, which is what you know exists, are pretty close. You think, okay, I can get there. But then as you go

along, those two things diverge pretty quickly, and they don't always diverge in a perfectly straight line. It's not a linear thing; it's often like this. Like, you learn, okay, I don't know anything about SQL injection. And then you learn a little bit about it, then you realize there's about a billion different ways to do SQL injection, and so your reference point for that goes way up. You realize there's a massive amount of things you don't know about that. And it's a lot of those little instances and those topical things that, when combined, produce an arc like this, where when you get to an expert, really oftentimes what expert means is being

aware of the things that you don't know. And also being aware of who does know those things, so you can point people to them. I used to feel like, to pick on someone in the crowd, I used to feel like I know a lot about sensors, network sensors. And now I realize there's so much more I don't know, but if there's something I don't know, I point them to Mike Reeves sitting here in the front row, 'cause he knows more about sensors than anyone. So that's a lot of what being an expert is, although I don't think they teach that in school as much. Expert is often not about knowing things, it's about knowing what

you don't know, and then pointing to people who do know those things. So we have this concept again of the knowledge point and the reference point. Now, I'm going to get back to that, but I want to talk about motivation. There's obviously a motivational component to curiosity. It's the desire to know, and desire means there's a motivational aspect to that. Now, there's two sides of this. There's generating curiosity in the first place and maintaining it. Now, generating it in the first place is tricky and that relates to interest. And interest is kind of another field, we're not going to get into that too much, but how do you generate interest in a specific topic? Some

people are kind of innately interested in information security, some people will never be interested in it. I think one of the problems with our field and with computing in general is there's a general perception that you have to be a genius to work on computers for a living, and I am living proof that that is not true. So, by setting that, it's almost like an excuse people use. You set the barrier to entry so high, then I can use that as an excuse for not getting into a specific field: you need to be a genius to do these things. And there are very few fields where you truly have to be a genius to

do them, and ours is certainly one of those. Curiosity generally begins with interest. How do people get interested in things? That's a long and complicated thing that we don't honestly know a ton about, so I'm not gonna focus on that. What I will say is we're really good at getting people interested in this industry at hacking, breaking, and coding, and really bad at getting people interested in detecting, defending, and writing, which are ironically the things I do more of. What goes into that? Well there's a lot. I think generally speaking when you talk about a red team versus blue team type thing, on a red team side there's generally a bigger sense of mystery, reward,

and measurable success. As a red teamer you have a very clear perspective: generally, here's my objective and here's my mission, and you know when you accomplish it. Whereas on the blue team side you may spend your entire life preparing for an attack that never comes, and you also have this sense of, am I being attacked right now and I never know it? So it's very hard to measure success, it's very hard to identify rewards for the things you're doing. That is very quickly picked up upon by people, and as a result it's hard to get people interested in those things. So I think that's where we really have a lot of work to do collectively as

an industry because those are the things that are, I'm not gonna say more important, but those are the things we need more people who are skilled and able to do. Next I want to talk about maintaining curiosity. I want to spend a little more time on this because I think this is important. I think we can do things about this. And we all know this phrase that a journey of a thousand miles begins with a single step. And that's great, but here's what they don't tell you is that the first step is also often the easiest. Right? It's the first step out your door and then you get to the mile 124 of a thousand

and you've got to climb that big old mountain over there. Maintaining motivation is much harder than starting it in the first place. Go look at a gym on January 2nd, right? Everybody sets their New Year's resolutions and they wanna go to the gym, and then three weeks later it's a ghost town again. Now, where this comes into play is with that gap we talked about, that gap between what you know and what you don't know. And that gap's very important, temporally speaking, in terms of your awareness of it. You know, the gap is all about awareness, and that's where curiosity lives. But there's something kind of negative that happens when you feel like you really

know something, then very quickly you realize there's a lot you don't know. When that happens really fast, it can be very detrimental to motivation, and that's something I call rapid gap awareness. And this picture shows that to some degree, wherein when your awareness, which is the red line, goes up really, really fast, your motivation goes down equally as fast. And unfortunately, the only remedy for getting your motivation back up oftentimes is closing the gap, and once you figure out that gap is very large, closing that gap is something that takes a little bit of time. You don't jump out of it, you generally crawl out of it. So this illustrates

how curiosity is easy to start but hard to maintain. You get really curious about something and then you realize you don't know a ton about it. There's so much to learn and you get really demotivated fast. The area where I think this applies to a lot of people in our field is coding. Most people in information security don't start out as programmers, but they realize eventually that yes, as a security practitioner, it is helpful to be able to write some Python scripts or something like that. So you say, I'm gonna learn Python. And then you write your first little hello world, you're starting to use if-then-else statements, some loops, and then everything's

good. Then all of a sudden you learn about object-oriented programming and functions and inheritance, and all these third-party libraries come into play, and you feel like you're doing something right and someone says, no, you're an idiot, you should have been using this other third-party library, and there's really no right answer. That's when that knowledge gap, you realize it's much bigger, and that's when you get demotivated, and that's when most people quit. And I saw a lot of heads shaking when I said programming, so I think a lot of people can relate to that. I know I can. I didn't start out as a programmer, and when I wanted to learn specific languages

or specific things. Very demotivating once you realize how much there is you don't know. So that's this concept of rapid gap awareness or RGA. The good thing about RGA is I think you can do some things about it. I want to talk about those, but first I want to talk about when is RGA most likely to hit. There are certain events and certain things that occur in our daily lives where you're more likely to have these instances where you become rapidly aware of the gap that exists between your knowledge and the knowledge that exists out there. One of those, very straightforward, is when you get a new job. You get a new job, and especially

if it's a new role you've not done before, it's very easy to say that once you get in there, you're going to realize there's a lot you don't know. New projects as well, especially if they're projects outside your normal comfort zone. Training does this. I see a lot of people who come to my training courses or other ones who feel like, let's say they're doing a malware analysis course, they feel like they've used some sandboxes, they feel pretty confident that they know a little bit about malware analysis, and then they start the course and somebody starts talking about assembly code and their eyes glaze over, and then the RGA occurs and motivation is not where

it should be. You see this happen a lot with new hires specifically: when you hire someone who has a knowledge set that you don't have and they come in and they show that very early, this can create a lot of contention, but it's an RGA-inducing event usually. And of course that also can lead to some type of competition between people, not just competition between people in the workplace, but also actual competitions. I see this with a lot of people in CTFs, like the one going on here. They go into the competition and they feel really good about it, and then they struggle a little bit and realize, man, there's a lot I don't know about this,

and their motivation goes down into the toilet. It's an RGA event. So what topics do I see RGA hit with the most? And I've mentioned a couple of these. General skills: programming, regular expressions. I teach a lot of packet analysis, and I see a lot of people, once they realize how much they don't know about packet analysis, their eyes glaze over as well and it drops their motivation into the floor. From a defensive perspective, reverse engineering, signature development, and Windows log analysis are very big topics. That last one is one that sneaks up on people. You feel like, I'm gonna learn everything there is about Windows logs, and then you realize

that the people who wrote the Windows logging system, well, we're live streaming, they may be watching this, great people over there. But it's very diverse and it changes dramatically between operating systems, and it makes me want to fall over. And on the offensive skill side, exploit development, web app pen testing. So you may look at a lot of these things and say, I've really just identified things that are hard in our field, and that's maybe true with some of these things. But they are often, as well, a lot harder than we make them out to be, just because we get very demotivated once we realize how little there is, or how

much there is to know that we don't know. So, we can do things about that. And that's where I'll get into the final portion of the presentation. The talk was called Curiouser, Curiouser, so I want to talk about how you can become curiouser, which is a real word. The first thing with being curious, if you want to become better at it, the first logical question is, well, can you measure it in the first place? That's logical. There's really two types of curiosity, and I've kind of lumped them together. We have this concept of curiosity as a trait. Are you born with a certain degree of curiosity more than other people? And can you measure

that? That's called trait curiosity. And there are a bunch of tests out there that measure that. They're all kind of psychometrically valid. They're good tests, but whether they correlate directly to curiosity and how it manifests is a little bit of a point of contention amongst the psychological community, as I interpret it. So we can do that, but it's not the best thing. What most psychologists have said, though, is that we have this concept of state curiosity, which is curiosity as it's applied to a particular field or a particular field of study, and we can become better at measuring curiosity in those things and apply it to specific domains. You just have to have folks willing

to do that research and learn more about it, and that's part of the reason I'm here, trying to figure out how we can better, in our field, measure curiosity. So I've actually had folks take a few of these tests and I'm currently doing that data analysis, and that's part of my PhD thesis. So more to come on that. But I think we can measure certain aspects of it, but we are not there yet. So we have the ability, we're just not there yet. That said, I don't think we can measure it effectively right now, but I do think we can recognize it. That's important. If you're able to look at someone and look at

how they perform their job and recognize whether they are highly curious or not, that's a good thing. There are a couple of things I've noticed in my time and from the literature I've read where you can notice in people whether they're highly curious individuals or not. Here are a couple of things that curious people tend to do. One of those is ask questions. I'm really big on question asking, really, as a form of learning anything. You want to be able to ask good questions, and being able to ask good questions is a very specific skill that not quite everybody has. So curious people generally ask a lot of questions because they're motivated to close those information gaps. Curious

folks often have wandering minds. We've all known folks like this who begin talking about a certain thing or looking into a certain facet of their job and then all of a sudden they wander here and there. They also pivot rapidly, especially in conversations. And we all know people like this and we may think they're annoying 'cause you're talking to them about one thing, they latch on to like a tangential thing you said and take it and run with it. So that can be annoying if you're not used to that, but that's generally a sign of just rapid curiosity and an inability to kind of regulate attention between those things. Curious people often either get up

too much or don't get up enough, right? So they don't get up enough because they're intensely focused on what they're doing and they're doing all this pivoting and they're staying really engaged. But on the flip side, they often get up a lot because they see something that's really interesting to them and they just want to think about it. They want to process it. They're kind of thinking out loud, or not thinking out loud, but kind of walking as they think and doing active thinking. So it's really the extreme of either end, not getting up enough, getting up too much. Curious people also tend to engage in very random discussions. We don't know anybody who does

that, I'm sure. I think that's, you know, one thing I will say about our field is I think our field generally attracts people who are more curious about things. So the baseline of curiosity is probably much higher in our field and I see a lot of this with a lot of people in our field. But also on the flip side, those people often don't engage in any discussions. It's that whole getting up versus not getting up thing. They're generally the folks who oftentimes are very quiet and they're reserved because their mind is just going in a lot of directions and the ability to regulate that is a little difficult. So again, both ends of the

spectrum. So these are a few of the ways that I see that you can recognize curiosity amongst people, and obviously a lot of these are kind of two ends of the spectrum. So, the getting up too much, not getting up enough example: what is the normal amount of getting up? I don't know, like that's not been studied. But that's something to, if you look at someone and say, man, they should get up a lot and move around a lot and like they're walking around thinking or whatever else, maybe they're just insanely curious and that's a good thing. So the last part is really creating and sustaining curiosity. So how can you create more of it, how can you

sustain it better? So I'm gonna give a few tips here really quickly on what I've observed that are effective. Number one is understand the rapid onset of those knowledge gaps. We talked about it today, so all of you are already better equipped to understand it, both in yourself and when you see it in others. So by understanding it and knowing it's there, knowing that your lack of motivation isn't because you're not good enough, that you don't have enough skill, that you're not smart enough, that's not the case. You're just rapidly demotivated because you realize there's a lot to learn. Again, the journey of 1,000 miles begins with a single step. The first one is

the easiest, but by taking those first few hundred steps, you are a little better equipped when you come over those mountains like we talked about. Number two, and I hit on this earlier, is building fundamental domain knowledge. One of the things, and I was talking with someone about this example the other day, I have a lot of analysts who have come to me and they'll say they have investigation experience and they used a single tool. So they used ArcSight, right? And so they'll say, I am an analyst, I used ArcSight, I know how to do investigations. But then they come to an environment that doesn't have ArcSight and they don't actually know how to

do investigations. They actually just know how to use ArcSight. So, less learning of specific tools, more learning underlying fundamental domain knowledge, how to ask good questions, how to use evidence, how to pivot between that evidence, learning how to actually do investigations as opposed to just learning the tools that facilitate them, and that will help diminish those RGA-level events and help you better process information. Next thing is looking for aha moments. One of the best ways to get out of these gaps created by rapid gap awareness is to be able to make quick leaps in your knowledge. And there's not a lot of those. There's not a lot of aha moments to be found. What

I found with packet analysis, which I teach a lot, is the concept of encapsulation of protocols. You teach that very early on and people are much more likely to get less confused as they get further into the course. When you're looking at packet captures that all have SMB and TCP and IP and Ethernet all in one packet view and they want to understand that, well, if you understand encapsulation better, that really helps a lot. So looking for those fundamental nuggets of knowledge that really help people get over the hump. We're not very good at that right now, but we need to become better at it. And those things, I believe, exist in every area in

some sense. There are several of them in programming. I'm sure a lot of the college professors, if there are any in the room, have seen the aha look on students' faces when they really get one concept that enables the learning of other concepts. So we're looking for those aha moments. Mentorship is very important, both seeking a mentor and being one. The thing about humans is we're naturally not inclined to be able to see and detect our own biases. By definition, we don't know we're biased most of the time. And really, rapid gap awareness is a bias towards being less motivated. And so we need others to help us realize we're kind of in that

rut, in that cycle, and others are a lot better at recognizing that. So you want someone who you can be around, who can recognize that in you, who's not afraid to tell you, hey, don't worry, it's not that you're not good enough to do this, it's just you have this rapid gap awareness and you just need to pick the curiosity back up and kind of work through it, and let's do it together. So seeking a mentor if you're newer in this field, or if you're, you know, I think there's a myth that you can be someone with 20 years' experience in information security and can't have a mentor, and I think that's false.

Everyone needs a mentor and everyone needs to mentor from my perspective. Creating interest is important. The phrase from the literature that they use specifically is that it "primes the pump of curiosity." So we don't know a lot about creating interest right now, but I do know that by gamifying things, that's a really great way to do it. One of the great ways people get interested in red teaming is via CTFs, like the one going on in here. You're gamifying the work so they get really interested in it, and then that primes the pump of curiosity and it's a lot easier to sustain curiosity once that initial interest is created. So creating that interest is an

interesting thing, and we're always looking for ways to do that. Next, keep in mind that attention is limited. I've not talked about attention a lot, but generally you can only pay attention to one or two things at once. For people who are insanely curious, they really tend to wander, right? I talked about they want to pivot from different things. So for people who are curious, you want to satiate that by having multiple work streams available to them. I know I work better this way. I can't have just one single job I do. I need four or five things so I can spend a couple hours a day doing each one. And I think generally speaking,

people who have a higher degree of curiosity need more of those multiple work streams so they can pivot so they don't get bored and they maintain their high level of curiosity. And finally, just learn to recognize underserved curiosity. Again, the things I talked about earlier, people getting up all the time, asking a lot of questions, those things can come off as annoying at first for new people, and it's very easy to dismiss those people, but I think that's where we lose a lot of our best people. So being patient with people, recognizing curiosity, serving it, helping people satiate that curiosity, close those information gaps, I think that goes a dramatically long way towards keeping and

developing good people in our field. So last slide, I just wanna close, talk a little bit about art versus science. I mentioned that earlier, that was a quote from the Kansas State study, that our field is really more art and science. And this is something I see people ask a lot, well, is what we do more art or science? And I generally think that's the wrong question. 'Cause I think what we do is neither art nor science. If you get enough people in the room, you can answer any question there is to answer about an information security problem. There's not really any phenomena, so to speak. I think what we do is engineering. Maybe

that's a little de-glamorizing for our field, but I don't think it necessarily should be. I think what we do in our field tends more toward a craftsmanship, as it would be with an engineer. It's not art, but there can be an art to it. It's not science, but we can use science to better understand it. We can use science to collect data, form hypotheses, seek out answers, just like some of the science I've applied here with psychology and how we think about thinking, this concept of metacognition, which is just a fancy word that means thinking about thinking. So it is not art or science. I think the right question is not, is what we

do art or science? It is, how do I use science to better understand security so it is less art and more craft? So that's really my challenge to everyone here, is just that: learning how we can better use science to make this less of an art, more direct, explicit knowledge, less tacit knowledge, and making this a better place to learn and a better place that attracts more initial talent and doesn't lose talent when that initial curiosity gap occurs. So that's all I got. I think I got some time for a couple questions maybe. Yeah, any questions? Go ahead. Do you have any insight on like,

- Sure, so I think that's a great question. The question was, if you didn't hear it, basically how do you focus curiosity when you're generally curious about a lot of things? And I think that a lot of us can probably relate to that. We probably all have a lot of hobbies. And I think it's really, I don't have a lot of super great practical advice. I do think it really is contingent upon being aware of the fact that you obviously have limited attention and you're making this subconscious gamble all the time, right? Where you have this information gap and it's, what do I get out of doing it and what

is the effort required? And I think if you frame it that way and you start approaching things that way and realize that time and attention are a limited commodity, you don't just pick what seems interesting at the time when you're gonna do a hobby, you say, what am I gonna get out of this? And it doesn't have to be financial, it doesn't have to be work related, it could just be you get joy out of it. I like to cook barbecue and I get delicious meat out of that, but also I just enjoy the process. So it's being aware of that subconscious gamble, and then having awareness of it is really half the battle. And then

once you're aware of it, you can kind of apply your time accordingly. But you do have to recognize that time, time's the only thing in life you can't get more of, and attention is also fairly limited. Well, sure, yeah, that's definitely part of it, and maybe it's an oversimplification as I present it here, but that is definitely a facet of it, of rapid gap awareness. For those that didn't hear, it's basically there is a factor of not only being aware that that knowledge gap exists but not knowing where to go. Those kind of go hand in hand a lot of the time, especially in our field, like the programming example I used. If most of us have a problem, we're gonna try to Google

it, but there's so much information out there and there's so much bad information out there, it becomes really easy to get frustrated, and it creates this effect of not only do you not know the things you don't know, you don't know where to go to get them. And that actually only just makes it a larger gap, quite honestly, because that's knowledge: the knowledge you don't know and the knowledge of not knowing where to go are, they're still knowledge, but it's increasing that gap, so absolutely. Okay, I think that's it. Thank you all for the time.