Breaking Brains, Solving Problems: Lessons Learned from Two Years of Setting Puzzles and Riddles for InfoSec Professionals

Presented at Black Hat USA 2020 Virtual, Aug. 6, 2020, 12:30 p.m. (40 minutes)

Many of us got into security because we like solving hard problems, and problem-solving is often listed as a specific requirement in security job descriptions. You might need problem-solving skills to crack niche technical issues in exploit development or mitigation, or when investigating threats and compromises. Or it might be more general, like developing strategies and policies. But what does it mean to be 'good' at problem-solving? How do our minds work when solving problems? More importantly, how do we get better at it?

In this talk, I'll present findings from over two years of creating and setting puzzles and riddles designed specifically for a team of 300 cyber security professionals as part of a dedicated program. Some were technical challenges, similar to CTFs; others focused on linguistics, lateral-thinking, probability, mathematics, and logic.

I'll cover the program's inception; how its puzzles were designed and solved; and the findings - including an analysis of improvements over time, which types of puzzles were most popular/solved and why, and case studies of where improvements in problem-solving actively helped with day-to-day work. I'll set all this against a background of academic research on problem-solving, discussing the mental processes which take place and how they can be strengthened with practice and exposure to different types of challenges.

I'll also share some observations on how the program fostered collaboration and cooperation between staff from different teams, technical abilities, and backgrounds – sometimes deliberately, sometimes completely accidentally.

Finally, I'll conclude by sharing some resources which have helped me, give you tips on starting your own puzzle program, and suggest ways in which the community can work together to build and maintain a repository of puzzles and findings. I'll also set a puzzle during the talk - first to message me with the correct answer wins a prize!
Presenters:

  • Matt Wixey - Research Lead, PwC UK
    Matt Wixey leads security research for PwC UK's cyber security practice, and is a part-time PhD candidate at the UCL Dawes Centre for Future Crimes. He previously worked as a penetration tester, and prior to joining PwC led an R&D team in a law enforcement agency. He has spoken at DEF CON, Black Hat, BruCon, 44Con, and various other infosec events. His research interests include RF hacking, unorthodox attack vectors, and social engineering.
