Talk on courses on sociotechnical ethical hacking and cognitive security

1. DISARM
Foundation
2022
My Year of Teaching
Dangerously
Sara Sara-Jayne SJ Terp Other
AMW RAT 2022-04-28
1

2. DISARM
Foundation
2022
NOT ALL GREAT
HACKERS CODE.
GREAT HACKERS
THINK ABOUT
SYSTEMS
2
And we need more of these
people
Image: https://business.leeds.ac.uk/research-stc/doc/socio-
technical-systems-theory

3. DISARM
Foundation
2022
BUT ALL THE INTRO
HACKING BOOKS, ALL
THE COURSES, ARE
BOXES AND WIRES
(kudos to “The Car Hacker’s
Handbook” and “Practical IoT
Hacking” though)
Certified Ethical Hacking
● Ethical hacking fundamentals
● Reconnaissance and footprinting
● Scanning and enumeration
● Sniffing and evasion
● Attacking a system
● Hacking web servers and applications
● Wireless network hacking
● Mobile, IoT, and OT
● Security in cloud computing
● Trojans and other attacks, including
malware analysis
● Cryptography
● Social engineering and physical security
● Penetration testing
3

4. DISARM
Foundation
2022
HOW DO WE BUILD
SYSTEMS HACKERS?
A: we teach them. At
university. In a very liberal
college (yay librarians!).
2021-2022 16-week courses:
● Sociotechnical Ethical Hacking
● Cybersecurity Decision Making
● Cognitive Security
● Technology Innovation
● Privacy, Security, Ethics
● Living with algorithms
4

5. DISARM
Foundation
2022
BUILDING A
COGNITIVE SECURITY
COURSE
Brains, PCs, they’re all belief
systems
“Cognitive security is the application
of information security principles,
practices, and tools to
misinformation, disinformation, and
influence operations.
It takes a socio-technical lens to
high-volume, high-velocity, and
high-variety forms of “something is
wrong on the internet”.
Cognitive security can be seen as a
holistic view of disinformation from
a security practitioner’s perspective”
5

6. DISARM
Foundation
2022
Cognitive Security course
What we’re dealing with
1. Introduction
a. disinformation reports, ethics
b. researcher risks
2. fundamentals (objects)
3. cogsec risks
Human aspects
1. human system vulnerabilities and
patches
2. psychology of influence
Building better models
1. frameworks
2. relational frameworks
3. building landscapes
Investigating incidents
8. setting up an investigation
9. misinformation data analysis
10. disinformation data analysis
Improving our responses
8. disinformation responses
9. monitoring and evaluation
10. games, red teaming and simulations
Where this is heading
8. cogsec as a business
9. future possibilities
6

7. DISARM
Foundation
2022
Disinformation as a risk management problem
Manage the risks, not the artifacts
● Risk assessment, reduction, remediation
● Risks: How bad? How big? How likely? Who
to?
● Attack surfaces, vulnerabilities, potential
losses / outcomes
Manage resources
● Mis/disinformation is everywhere
● Detection, mitigation, response
● People, technologies, time, attention
● Connections
7
Image: https://www.risklens.com/infographics/fair-model-on-a-page

8. DISARM
Foundation
2022
BUILDING A
SOCIOTECHNICAL
ETHICAL HACKING
COURSE
8
Thinking beyond the
technology
Getting ready for hybrid attack forms:
● Cyber + cognitive + physical
● Cyber supporting cognitive
● Cognitive supporting cyber
● Cyber attack forms adapted to
cognitive
● Etc

9. DISARM
Foundation
2022
Sociotechnical Ethical Hacking course
First, do no harm
1. Ethics = risk management
2. Don’t harm others (harms frameworks)
3. Don’t harm yourself (permissions etc)
4. Fix what you break (purple teaming)
It’s systems all the way down
1. Infosec = systems (sociotechnical infosec)
2. All systems can be broken (with resources)
3. All systems have back doors (people, hardware, process, tech
etc)
Psychology is important
1. Reverse engineering = understanding someone else’s
thoughts
2. Social engineering = adapting someone else’s thoughts
3. Algorithms think too (adversarial AI)
Be curious about everything
1. Curiosity is a hacker’s best friend
2. Computers are everywhere (IoT etc)
3. Help is everywhere (how to search, how to ask)
4. CTFs, bounties, and competitions
Cognitive security
14. Yourself (recon & systems thinking)
15. Social media (social engineering)
16. Elections (OSINT & mixed security modes)
Physical security
14. Locksports (vulnerabilities)
15. Buildings and physical (don’t harm self)
Cyber security
14. Web, networks, PCs (RE, malware)
15. Machine learning (adversarial AI)
16. Maps and algorithms (back doors)
17. Assembler (microcontrollers)
18. Hardware (IoT, badges)
19. Radio (AISB, SDRs etc)
Systems that move
14. Cars (canbuses and bypasses)
15. Robotics / automation (inc don’t harm others)
16. Aerospace & Marine (reverse engineering big systems)
17. Satellites (remote commands)
9

10. DISARM
Foundation
2022
Keeping ‘em safe
● Teach ethics and the law. Not just “hey
behave yourselves please”
● Continuing safely: Introduce them to
places to practice, that will be around long
after the course finishes
● Mentoring: introduce them to hackers I
value, who can talk about why not to be on
the dark side
● Purple team, not red team.
● Keep pushing the message of “here’s a safe
place to try this; don’t do it anywhere you
don’t have permission / understand the
potential consequences”
Safe places to practice:
● Tryhackme.com
● Hack The Box
● RingZer0 CTF
● https://www.hackthebox.com/
● CTFTime - live
● picoCTF - practice
● Micro Corruption - one of the original CTFs
● Top 10 Cyber Hacking Competitions - competitive CTF
(cash prizes etc)
Bug bounties:
● https://www.bugcrowd.com/bug-bounty-list/
● https://hackerone.com/bug-bounty-programs
● https://www.guru99.com/bug-bounty-programs.html
Help:
● Look for reddit and discord groups
● IppSec for techniques
● https://ctf101.org/ - tips and tricks
● Beginner's Guide to Capture the Flag (CTF)- tips, tricks,
links to more online CTFs
● Capture-The-Flag Competitions: all you ever wanted to
know!
10

11. DISARM
Foundation
2022
I also fell a bit in love with the Parkerian Hexad
Confidentiality, integrity, availability
■ Confidentiality: data should only be visible
to people who authorized to see it
■ Integrity: data should not be altered in
unauthorized ways
■ Availability: data should be available to be
used
Possession, authenticity, utility
■ Possession: controlling the data media
■ Authenticity: accuracy and truth of the
origin of the information
■ Utility: usefulness (e.g. losing the
encryption key)
11
Image: https://www.staffhosteurope.com/blog/2019/03/cybersecurity-and-the-parkerian-hexad

12. DISARM
Foundation
2022
Other work over the past year…
Communities
● CogSecCollab
● CTI League disinformation team
● Ukraine
Collaborations
● DISARM Foundation (inc MITRE, FIU, EU etc)
● Community-level behaviour tagging (UW)
● Disinformation response coordination: European
Union (51 countries), UNDP (170 countries),
individual countries (3 english-speaking ones), (WHO
Europe&Central Asia: 51+ countries)
● Defcon Misinfo Village (inc CredCo / MisinfoCon)
● Atlantic Council / Vanguards
Mentoring
● Individuals and organisations
● Book sub-editing
● Machine learning in infosec PhD advisors
● Nonprofit boards (RealityTeam, SocietyLibrary etc)
Research
● Risk-based Cognitive Security
○ AMITT model set (DISARM, EU, NATO, etc)
○ AMITT-SPICE model merge (with MITRE, FIU)
○ Extensions to FAIR etc
○ Community disinfo behaviour tagging (UW)
○ iVerify extensions (UN)
● Machine learning for cognitive security
○ Disinfo OSINT (country)
○ Community-based disinfo response (UN)
○ Extremism tracking (country)
● One-off research
○ Disinformation market models (DARPA)
○ Assessing disinformation training systems (State Dept)
○ Disinformation social ecological models (ARLIS)
○ Etc
12

13. THANK YOU
SJ Terp
@bodaceacat
http://www.overcognition.com
http
13