Skip to main content

CyberPsych Episode 1: Understand the Defender to Understand the Attacker

Episode #1| October 3, 2023
Also listen on: Spotify Apple Podcast

About the Guests:

Max Kilger

Senior Lecturer at the University of Texas at San Antonio and Co-Founder of the Honeynet Project
Max Kilger, Ph.D. is a Senior Lecturer in the Department of Information Systems & Cyber Security at the University of Texas at San Antonio (UTSA) and also the Director of the Masters in Data Analytics Program at UTSA. He is also a Founding member of the Honeynet Project. Dr. Kilger received his Ph.D. in Social Psychology from Stanford University.

Read The Transcript

Hello and welcome to CyberPsych a Netography
podcast where we talk with industry professionals about the human side of technology how it relates to security and how it impacts the overall business I’m your host Dr Stacy Thayer and I am a cyber psychologist and Senior manager of research and engagement at Netography and I’m really excited to be here today with our special guest Dr Max Kilger who’s professor of practice at University of Texas in San Antonio he has numerous Publications on the areas influence decision making the interaction of people with technology the motivations of malicious online actors and understanding the changing social structure and the computer hacking community as well as the nature of the emergency emerging cyber threats and cyber terrorism he’s also a founding and board member of the honeynet project so Max thank you so much for being here today thank you for inviting me Stacy nice to see you again nice to see you so can you just tell us a little bit about your background kind of um you know I’m so excited to talk to you because you’re also one of these people who’s really at the intersection of cyber

psychology and security and I’ve read some of your your Publications and your work and followed your work for a while and

love to hear how you how you got into it and you know starting because you went to you went to school for psychology originally right yeah that’s right so basically I’ve been using computers for over 50 years so I’m a you know computer nerd computer geek and eventually I ended up at Stanford
and I’m at Stanford trained social psychologist and I happened to get there right at the start of the personal computer Revolution and it was it was amazing it was a priceless educational experience being there in Silicon Valley and going you know going to Xerox Park and meeting Wozniak and going to siggraph meetings and just a truly amazing time to see how digital technology was evolving and how it was changing not only the way that people interact with computers and machines but also how those interactions changed how we interacted with each other so it was pretty fabulous wow that’s what an amazing time to be in that area so then what what brought you into security I mean there’s a lot of areas of of technology
what about security and malicious actors and the hacking Community I know you know a lot about the history of the hacking community and and what appealed about that you know sure so originally my my great plan when I was in graduate school was basically to um oh look how it’s changing society and how we live and how we work all this digital technology and my the plan was how to become a professor and do the rubber chicken circuit and you know talk to corporations at conferences and stuff and and make money as a public speaker about all the interesting and good things that were happening um and it turned out that uh there was an event to shortly after I graduated that’s sort of turned me from this to basically the dark side uh and so uh I eventually said oh you know I don’t want to talk about all the good stuff what’s really interesting is all the malicious things all the you know uh not so fabulous things that are happening with digital technology now it turns out a a person I know a colleague uh Julie Albright she Betsy bit off she went the the route I went she said oh I’m going to talk to corporations and talk about how it’s changing our lives and things like that really fabulous and happy for I’m just so grateful that you know I took this left turn and uh got into the security field wow and so when you were one of the founding members of the honeynet project can you talk a little bit about the Honey Pot project and and what you’re doing there because I remember it was around the time when uh well we for our paths first crossed and I remember they’d be reading your your chapter on it was fascinating um that the social dynamics and psychology of it all that’s a pretty yeah that’s basically kind of how it changed my life uh and actually it goes way back to about 2001. uh as when uh one day I was reading uh something and I found a Blog by this fellow named Lance spitzner and he was talking about the psychology of hackers and I read it I said yeah okay but you know I have some ideas as well and so I wrote back to him and made some suggestions and we had some chats back and forth and he said hey you know we we’re starting this sort of this organization the Honey Pot project is like seven guys in the basement these kind of sound like you know what you’re doing do you want to join I said yeah yeah sure and so that’s kind of how it happened for the first few years meeting in uh Lance’s basement in his house in Illinois and uh but it Lance was pretty interesting we started developing all sorts of honey and uh Honeypot projects and software and analytical tools and things like that and you know Lance Lance said we have the world’s worst business model we invent really cool and interesting stuff and we give it away for free

yeah maybe might not have been the smartest move but a number of sort of early people that were associated with the HoneyPot project later went on to start their own companies and a lot of money and for very successful so basically it’s you know it grown over the years uh started in the US and then spreaded internationally and we kept creating tools and doing analyzes and doing workshops and conferences uh it was a in a pretty amazing time I have to say yeah yeah you know when I was at um black hat a few weeks ago we were talking about how much the industry has evolved since say you know 2001 and even 2008 2009 that it was really even before there was much of an industry when back when you know with Defcon just a couple hundred people getting together and hanging out and now it’s this this industry peace that’s just evolved um almost unrecognizable from what it was back then absolutely back then it was kind of like oh look this is kind of cool see what I can do it’s like oh look we can kind of figure out what the bad guys are doing oh and it was just sort of like it was fun and it was kind of a hobby and we would create tools and and do analyzes and give them out for free and uh slowly we we sort of evolved with with the industry and and uh it was uh an amazing early experience that changed my life forever and so uh yeah so one of the things that I that I noticed is um so back then and there’s a lot of profiling of hackers and uh some of their motivators and all incredibly important things and lately as the industry has grown it’s almost been now kind of a boomerang shift where we’re also looking at the Defenders right so okay we’ve got the psychology of the the attackers but what’s the psychology of the Defenders is there’s been an increase in Burnout and um stress and really trying to understand how to recruit people I mean how the role of psychology and the industry itself and so I would love to get your thoughts about that so like you know for one just how have you seen um the the role of psychology play into this industry as you know there’s always psychology of all different Industries whether it’s Academia or whatever but the security industry I think is unique so I’d love to get your thoughts and uh how your background has has helped you understand some of the Dynamics of security industry oh yeah that’s actually a pretty fabulous question back in the old days back into you know 2000 ish um the the profiles in the in the understanding of the hacking community and the people in it from a psychological or social cycle of perspective was horrifyingly bad it was just horrible there wasn’t any Theory and people just sort of said what their pet you know their pet ideas were and it was just terrible and so that’s one of the reasons why I got interested in it and I think that having the technical background and also the social psych training and research background really Blended stuff together and and but in the early days um it wasn’t very it wasn’t very well received back in that the combining psychology and social psychology and cyber security I remember the first few years in the Honey Pot project doing what we called the spooka palooza tour which is we hit you know a bunch of the agencies and uh I’ve learned very quickly in the first couple of talks that software engineers and computer scientists and and coders and things they just didn’t get it it’s just like yo you know who’s this psychology guy I don’t know and after a couple of sort of you know bombing like a comedian in a comedy club a couple of times going oh this material is not working uh I’d invent a story that I would tell in the first couple of minutes that would basically engage those people and they would think about it and go oh maybe the psychology guy has got something maybe I’ll listen to him and from then on of course life was a lot better and over the years you know more and more people have gotten interested in it um I remember years ago the government called me up one day and saying basically hey you know we’d like to liftoff everybody you know who is a you know a social scientist interested in in digital technology and the p and the people and the relationships and also has a technical background I said well you know sadly I think I can count them on two hand and two hands but here they are you know but now today things have really evolved and there are a lot more social scientists that are interested in and you’re right you’re not only studying uh the threat actors we’re also studying The Defenders and that’s a really pretty positive thing I’m really happy and excited to see that that’s been one of my missions for the last two decades basically trying to convince people that um the human element of information security is a critically important element and that uh it’s not just you know hardware and code yeah do you think that you know the way that we study attackers and and profile attackers from the attacker side do they look I mean I know they look at certainly the technology and where are the gaps in um in you know different Technologies in different ways that they can they can access data or whatever their attack is going to be but do you think they think about the psychology of a company or what they’re going through or oh this you know this company has had a lot of layoffs or this company just hired a new new CSO that therefore they might not quite have everything all together there may be gaps or you know looking at um it’s not just the technical vulnerabilities but the human vulnerabilities as well when they’re making an attack oh yeah no I think that’s definitely uh the case um and so uh for example uh I sit on a board of a recently emerging out of stealth uh company called picnic and those guys are really interesting they basically uh I’ve sort of been Consulting with them they sort of crawl the web and pick up information about uh all the company’s employees and their vendors and basically are able to sort of put it in some algorithms that we’ve worked on and basically produce sort of a threat score uh for every employee and so and then it says you know hey look you’re looking pretty bad over here in this area we suggest you do blah blah blah blah and so that’s actually been kind of uh interesting and exciting and also the malicious actors um so you’ve seen you know a lot of social social engineering you know happening and uh uh in turn were from some malicious actors and and that’s pretty interesting um a lot of it for many years has been signed up kind of mechanical social engineering it’s like oh here’s a book and here’s some you know techniques to use to basically social engineer somebody it’s sort of like you get a cookbook and you read the read the ingredients you stick them together and hopefully you come out with a cake um and so a great to a great extent basically that’s you know what’s been powering some of the psychology side of the threat actors in terms of the ones where you’re using it uh the the thing that I sort of get concerned about is that uh eventually some of these threat actors May begin to start applying Siri from psychology and social psychology to leverage what they’re doing and that of course is is concerning

yeah and you know I’m walking to the trade shows or talking to people there’s these amazing amazing Technologies out there and I think one of the things that um is so important of course is the user’s ability to use said software and and to work together as a team and to not Silo in organizations and you know there’s a lot of things that natography does looking at that you know but um you know making sure there’s open lines of communication and you know we know it says looking at the psychology of things how much and there’s so much breakdown even within an organization and communication a lot of times that um I imagine it would be just tremendously easy to work that to it to an attacker’s advantage uh that’s that’s definitely really true and and that’s how you know some malicious actors are now approaching it to basically compiling their reverse threat hunting they’re basically looking for uh vulnerable individuals and then producing uh dossiers or profiles of them and then using psychological theory to figure out how to manipulate them to basically exploit them yeah yeah they’re evolving they’re evolving they’re evolving um so and you’ve also written several papers on just the psychology of cyber terrorism and and human behavior could you speak a little bit about that a little here kind of some of your your findings and um how from what kind of a macro and micro level does your theories on on cyber terrorism then apply but also within an organization are there parallels um it’s a big picture little picture okay that’s a good question so I’ve been working in the area of cyber terrorism for some time I uh until the pandemic hit uh every once or twice a year I’d fly to NATO’s uh Center of Excellence for counterterrorism and teach join us multinational team and teach these counterterrorism courses and and the Cyber domain um and you know one of the two sort of critical dichotomies that the economy really have to think about when you first start thinking about cyber terrorism is basically there are sort of two paradigms there’s one where traditional terrorists basically use digital technology uh to uh for command and control for fundraising for recruiting for you know sort of these usual kinds of of things and then so that’s like terrorist use of cyberspace I don’t really call that cyber terrorism on the other hand there are individuals uh malicious individuals who are using digital technology as the weapon and so those I classify as true cyber terrorists and it’s sort of interesting to sort of uh think about the definition of terrorism there are over 100 definitions of terrorism so you know pick your flavor uh not not generally very helpful right but the one that I use that I developed is basically uh uh looking at um so the generating uh fear and anxiety and anxiety in a specific population

and so basically using digital technology so for example the example I like to use is basically imagine you’ve seen a lot of these ransomware uh attacks on medic you know hospitals and things like that right and you know basically there are six motivations money ego entertainment uh cause entrance to social group and status and basically when you think of a ransomware attack of the hospital you think the motivation is basically money it’s basically what they’re after however if you look at it from the victim’s perspective say uh either a patient in the hospital or family or friend of a patient in the hospital if you take that um definition of terrorism and apply it to the situation of the ransomware in the hospital where basically critical Services get cut off that’s basic terrorism using cyber and so the definitions of of cyber terrorism are beginning to evolve for for men for a number of years people have said cyber terrorism you know there’s nothing like that you’re you’re being you know over uh you’re frightening people et cetera et cetera but in fact that’s not really the case it’s it’s really sort of emerging and I’ve sort of looked at uh specific ethics in the timeline of people in digital technology so basically uh the first epic was the hacking Community or the hacker movement and so you know uh a number of years ago that Rose and rows and rows and rows and it sort of it plateaued and now it’s kind of kind of on the way down that epic is on the way down and what happened is uh if you look at some of the social scientists uh social movement Theory um so there’s this woman Nancy Whittier pretty fabulous smart woman who talks about spinning social movements off and so off the happy Community movement or epic spun the cyber crime epic right and we’re actually in that epic now and of course it’s still gaining ground and will gain ground for some time and you know in theory at some point it’s gonna plateau and then do the same behavior that the hacking Community one did and so I sat down and I said well hmm what’s next epic one Epic two well what’s epic three hmm and so looking at various uh social movement theorists like here in Huang uh and some of the classic folks uh decided that epic three is probably the emergence of a cyber Terror movement in community I think that probably has a non-trivial probability of happening and so I sort of say well you know the Epic one has sort of matured uh epic 2 is basically still growing and epic three the Cyber Terror epic is basically just dating hasn’t shown up yet but it’s coming wow okay and so if you are at an organization say you’re uh you’re a CSO you’re a security leader or even just a security professional um what do you do with that information I guess you know it’s it’s you know you know you can you can look at it and say okay here you know I’ve got here’s my network defense check here you know and kind of your your technical checklist um when faced with some of the social or psychological challenges in the security industry first off what do you think are the biggest challenges so for for a business or if you were a CISO so let’s say you know okay now boom you’re you’re a ciso you’re a security leader what do you what do you think about what keeps you up what and then what are their challenges and what do they do with that information because I think sometimes they can be trained in the technical side of things but training people on on humans human training is a whole other other ball of wax a whole other ball of wax you’re absolutely right they’re actually a faculty uh set of Faculty members here and I are proposing to um put together a set of sort of uh bitty credentials and mini courses for our cyber security people as well as the humanities or social sciences people and mix them together to try and produce a Synergy so we’ll see if any age goes for that but also uh when you when you look at the environment um one of the one of the things that I see that’s encouraging is are are things that are emerging like threat hunting right traditionally cyber has always been sort of like defensive height in the corner build a fence make sure you know nobody gets through et cetera but now people are are becoming more proactive and they’re threat hunting and they’re going out to try and say well what are the threats out there and what are the characteristics of those threats and how do we figure out how to identify them and how do we figure out how to protect from them and things like that I think that’s an incredible Improvement uh over the old days and I think we’re going to see a lot more of that coming in the future and so you know I would encourage you see those especially from you know large organizations that can afford to do it to you know enlarge things like threat hunting and Branch out and begin to think about what our future emerging threats might happen that’s actually one of my favorite things to do I did some stuff for for NATO Allied transformation command on the future battlefield but basically if you can anticipate future emerging threats and produce scenarios whether it’s cyber terrorism or just traditional you know malicious online actors uh then basically you can if you’re in the government you can convince policy makers to say hey look here the threats we think are on the horizon here there are sort of probabilities we think that they might emerge and then the policy makers can put resources and effort into those areas those scenarios to sort of um like buying insurance basically if that scenario comes up you’re already head of the game you understand what’s happening you understand the consequences you understand some of the ways that you can attenuate or perhaps eliminate the threat and so you know that sort of strategy could also be transferred to large organizations and csos

so then when I think about um you know the different layers of psychology so there’s profiling uh and then there’s can your own mental health too and it seems like the security industry more and more has been going through somewhat of a mental health crisis uh well the whole world could be really but um when I kind of look I go okay what what are the the challenges unique you know why is there such turnover why uh is is burnout such a Hot Topic what’s happening and what are unique about these individuals and in your opinion what what do you think is unique about uh the security industry so one some of the challenges that they face like why do you think burnout is such a huge issue do you think we could do a better job at taking care of our mental health um and like I said I could go off into the whole world you know talking about different areas about this but to to keep it to the security industry I’d love to get your your input on how we take care of ourselves and each other in the industry well that’s a really fabulous question and you’re right I mean it’s a it’s a pretty stressful occupation and there are a number of different factors that contribute that the first of course is the basically the gap between the number of Information Security Professionals that are out there and the number of positions or jobs that are open you’re basically getting overworked there where you know there are hundreds of thousands of open cyber security positions that they can’t seem to fill and so basically you have to do you know two people’s jobs or two and a half people’s jobs or things like that so that adds to the sort of psychological um damage that happens to information professionals Information Security Professionals that’s one thing the second thing of course is the um uh consequences of a breach or an attack and you know it’s not like oh we lost a thousand dollars it’s like oh we lost you know 20 million dollars worth of Ip and things like that so there’s that um pressure of the consequences that they’re so serious uh there’s also the dimension of basically the changing uh threat environment it’s always changing it’s not like oh well okay we learned our stuff we just do these things we’re okay it’s constantly changing which means you’re always constantly on guard and suspicious and looking to see what’s happening next and unsure of like is this a threat is this not a threat and so that generates a lot of stress in Information Security Professionals and it’s it’s really pretty tough and so um and also you have to sort of keep up or the latest Technologies you can’t just sort of float and say okay I got my search I’m okay uh and so

there’s then also you’re often isolated to some extent you don’t get to talk there are lots of silos you know you don’t get to talk to infosec people in other companies because no one wants to talk about the dirty laundry or what’s happening right and so there are these incredible psychological pressures on Information Security Professionals which really sort of causes them to kind of burn out pretty early and that’s you know that’s true in industry and also true in government in in the intelligence community yeah yeah it is a really good point um the the isolation of it I mean one by by Nature you know one of the things I say is that most most people that go into any technology not just security but whether they’re coding developers whatever they’re usually not doing it because talking to people is their favorite thing to do usually it’s a good computer to human relationship there um and so sometimes that that right you can’t necessarily talk with your peers about well this is what I do with that kind of transparency uh and that connection that most of us do need at some point yeah of course so it’s actually true uh having you know studied the hacker query for many many years that once you get them started they’re actually quite social and they’ll they’ll chat they’ll talk a lot and things like that but it’s sort of providing the right environment to do that in uh yeah in terms of trust and uh uh non-pressure and non-disclosure and things like that where basically those those things happen so that then then you can’t get them to shut up

for summer camp you know all the different events that are there it’s like you know yeah the amount of bonding and communication and and um we need each other you know you can you I think that’s one of the things when walking through Defcon and looking and that’s like yes this is where so many people come to find their people um because also a lot of times in organizations when I’ve talked to people um they do feel isolated within the organization because not many people speak their language so to speak they’re annoyed by them like what do you mean I have to change my password again like

um and yeah I find that that can be um can be isolated until they get together and then can hopefully share and open up there’s actually there are more things as well so when I was in graduate school one of the things we did we looked at um verbal and nonverbal communication and so especially in the early days uh before you had you know video conferences and and stuff like that basically the communication was via very limited bandwidth like uh a post uh uh on a blog site or you know uh Instagram or Twitter or something that has a very sort of narrow bandwidth in terms of human Communications and but there are so many things that happen in a face-to-face discussion even today with us right here there are the the bandwidth isn’t what it should be in terms versus a face-to-face conversation and there are all sorts of things like uh looking while speaking looking while listening uh gestures not fluencies uh

oh just all sorts of stuff that doesn’t get communicated there’s a huge bandwidth when you’re face to face in terms of communication back and forth and when you don’t have that that’s when you know uh that’s when conflict often arises and and other and other issues and so that’s a real problem for emissions Security Professionals that’s why um hacker conventions are so critical to um the sort of equilibrium of the hacker Community basically you’ll see people who basically have flamed each other and hate each other you know for a year or years sort of show up at Defcon at the same bar and there’s a bit of grumbling and something but by the end of you know day two they’re buying each other’s beers because this bandwidth Communications human communication is so much wider and these issues these human issues get worked out whereas in when you’re doing it through technology often isn’t the case I’m I’m trying to plague on the name of the communication model but I remember what I remember about the most um it’s something like um we only hear I think I want to say it’s seven percent of the words that people actually say and everything else is non-verbal communication when you know it’s all body language and tone of voice and when you’re communicating online uh and I’m sure you’ve probably seen those meme parodies of you know what if we talk to each other like we talk online you know you know I’m quitting social media off like you know this new Dynamic of communications and you know the the academic Community what I found anyway is that by the time the the APA American Psychological Association you know catches up to technology I mean it takes you know what almost a year or so to get research published and by then it’s outdated and certainly I run into this with my with my students when I teach but um but yeah this online online communication I’m obviously you know I I need it I’m a big fan and then but I remember when I did my research it was 2002 and I had to find people that spent over six hours online and it was really hard to do really hard to do and now um my minimum amount was was people who spent less than two hours online I don’t think I could find that anymore but we don’t know because we haven’t studied okay let’s take all these communication models for how we communicate in a business world and what does that look like when we communicate online the even just the role of the Emoji or you know tone of voice and you know um the factor of noise forever clearly but oh yeah I love this stuff and emojis have emerged from the fact that you had that narrow bandwidth and it’s like you want to express this particular feeling or emotion it’s like ah I don’t know how to do oh look uh here’s a you know a smiley face you know here’s a laughing person with stuff like that and so yeah and and you know part of it has been that there are haven’t been very many social scientists that have been really interested in um digital Communications and how digital technology changes people until more recently there are are they’re beginning to be more social scientists in Academia that are doing this but it’s we’re we’re a pretty small crowd still yeah still when I when I talk to you about cyber psychology the number one you know question is like well what is cyber psychology I haven’t heard of it um you know and and it’s so I’ve 2002 was when I had my first publication and I mean it was in this journal of cyber psychology I mean that’s 20 years ago and it’s still not an APA chapter division it’s still you know there’s there’s only a handful of programs and um so it’s one of the reasons why I was so excited to talk to you because finding somebody who is at that intersection of security and psychology and social sciences uh really what I found has a unique perspective to share sure and I I share that frustration people will often go oh what do you do and it’s like you know how do you describe that so I had to actually you know um craft a mission statement that basically made them happy and so I I would say basically well uh my mission is to help develop a better more comprehensive understanding of the relationships between people and digital technology from a national security perspective and that basically covered covered it and then they started oh okay I kind of get that yeah it puts into the translatable terms and I find people are really open to it and interested um because again it’s not something that’s that’s covered very often there’s there’s talks here and there and you know certainly we’ve seen more with um you know but usually look at the b-sides events and some of the local uh events and I know there’s one year RSA had to um it was the human connection theme or something along those lines a couple years ago so I it’s it’s on the radar it might be you know far off the radar we’re missing it but I’ve seen it in recent years at least um well like we said a little bit more in Focus than it was maybe you know 20 years ago or so so you’re I think you have pretty astute observations and it’s it’s sort of just uh emerging in industry it’s still pretty rare uh it’s still uh pretty rare in Academia as well the only place I I actually sort of see it catching on is uh in the last few years in the intelligence community really yeah they were they were kind of ahead of the game even though you wouldn’t think they were but they were just saying what do you think what appealed to or why did why were they drawn to it or what do you think um well because I think to some extent for example the intelligence Community is a lot more open-minded about ideas that maybe you’re not like oh this is a traditional standard idea sort of more uh out there kind of out of the box kinds of of theories and ideas and of course they were getting charged with uh basically helping defend the country and figuring out why are people doing this and and so actually um they’ve been at it for a while and and getting better all the time IR Pub recently has been uh working on a bunch of stuff in the psych and uh digital threat area

well I tried for one last uh question I’d love to know what advice uh or resources this could be either you know Pearls of Wisdom books podcasts anything like that but for CSO Security leaders and and Security Professionals wow

Strokes over here yeah I know that’s a hard question to answer succinctly but I mean I guess if I had to you know give them the elevator pitch I was waiting to go out of the elevator you know basically it’s it’s you can’t just depend upon hardware and software and coding you’re really gonna have the week one of the weakest links in your organization is people and how they get manipulated and understanding the psychology of the threat environment is incredibly important and so anything that you can do to sort of uh get out of this defensive you know sort of uh um huddle like this and begin to reach out to do more proactive things like fret hunting and Communications with um other uh organizations those things are really incredibly important if you want to if you want to prepare for the future uh you basically have to think about the psychology and social psychology of the relationships between people in digital technology and start incorporating that and I know that’s pretty tough because organizations often skimp on their information security budgets and they say and when they do buy stuff they buy racks of hardware and they buy infosec people and and you know things like that but you really have to invest forward uh in in order to protect yourself and you know that’s that’s often a a tough pitch to make because it’s it’s sort of like well we’ve spent this much already but it’s like well yeah but it’s only a tiny proportion of you know your total uh expenses for the organization it’s like perhaps you should be doubling that and looking into these other areas uh because uh you know in the future it’s it’s the organizations that protect themselves and look ahead to Future threats the best are the ones are going to have the best chance of survival totally agree agree well because thank you so much for your time and insight it’s been such a pleasure to have you

we are listeners thank you thank yous for tuning in to this episode of CyberPsych and we’ll see you next time have a great one