Cyber Workforce Development & Cybercriminal Psychology with Andréanne Bergeron, PhD

S3 E13 · Bare Knuckles and Brass Tacks

BONUS! In the last of our interviews recorded live at GoSec 2024 in Montreal, we talk to Andréanne Bergeron, PhD, Director of Research at GoSecure.

George K and George A talk to Andréanne about her unconventional foray into cybersecurity and the lessons learned, as an academic, for workforce development and educating the next generation of defenders. She discusses her studies of cybercriminal psychology as a social scientist, and what the implication might be for defense strategies.

This episode was produced with the support of GoSecure.

Transcript

Introduction to GoSec 2024 Bonus Episode

00:00:06
Speaker
Hey there, listeners. George K. here. We are bringing you another bonus episode recorded live at GoSec 2024 earlier this year. This is the last in our series of interviews from GoSec, and today's features Andréanne Bergeron, who is the Director of Research at GoSecure.

Workforce Development & Research in Cyber Defense

00:00:26
Speaker
There's a lot packed into this episode in terms of workforce development, what role research plays in understanding cybercriminal behavior patterns, and how that might be incorporated into defense strategies. So we will turn it over to her, and we thank GoSec again for sponsoring our visit up to Montreal to record these episodes.

Meet Andréanne Bergeron: Expertise in Cyber Attacker Behavior

00:00:50
Speaker
Welcome back to Bare Knuckles and Brass Tacks. We are recording live at GoSec 2024. I am George K. with the vendor side. And I'm George A., Chief Information Security Officer. And today our guest is
00:01:04
Speaker
Yeah, I'm Andréanne Bergeron. I'm the Director of Research at GoSecure. Sweet. So, thank you for joining us. And so for folks who don't know our friend Andréanne, who is much more of a well-known individual in the Canadian cyber scene, for sure. As she stated, she's the Director of Research at GoSecure, which is the sponsoring company for this event. And she specializes in online attacker behavior, which obviously is a very important thing in this day and age for cybersecurity. She holds a master's degree from Laval University and a doctorate in criminology from the Université de Montréal, where she is also an affiliate professor for criminology in the department. She's an advisor for and a member of the Canadian Cybersecurity Network, speaking on cutting-edge, pressing issues as part of the CCN Cyber Voices Advisory Board. She's a social scientist, an academic, a technical expert, and she is doing the work now that's going to set the tone for the future of the study of the impact of cyber immersion on our society. Andréanne, thank you for joining us today.

Diversity in Cybersecurity Education: Why It Matters

00:02:17
Speaker
I'm going to take the first shot at this question, just to open this up. I would like to get your perspectives on professional development, workforce development particularly. We opened up this whole conference talking about the crisis in terms of cyber staffing. We have been on multiple calls prior to this event, you and I, talking about the staffing issue and how we can solve it. Where do you think we stand in terms of developing the workforce, at least in Canada, in the Canadian case, and where do we need to go in the next three to five years to ensure that we actually have a healthy, strong and growing workforce going into the next generation of technological evolution? So I might have a different perspective than many others in the cybersecurity world because I'm not from cybersecurity, right? I'm from social science. And I've been kind of adopted by the cybersecurity field and really well welcomed, right? Because I was accepted right at the first, right? And I had no technical skills at first. I was only, you know, a researcher, and interested in the human side of cybersecurity. So from my perspective, and also from experience now that I'm in cybersecurity for more than two and a half years, there's a lot of people around me working in cybersecurity that do not come from a background in cybersecurity or a technical background, right? And they are doing an amazing job. So I think that a part of the answer would be, well, from my perspective, that we need everyone. We need all kinds of perspectives. We need people from other fields just so we can build together something that is new, right? We're all new at this. It's not 100 years since cybersecurity became a real subject. But then, because it's, we'll call it new, because it's new, we need more education, right? We need, how do we call it? Like standardization of education for cybersecurity.
We need to know which school will specialize in those types of certificates, or, you know, we need universities to get in, we need all levels of schooling to get in and make sure that it is standardized and that we know that this diploma, what type of knowledge comes with it. So we need them, and we need people from all other fields to get the perspective of everyone. Yeah, so we have like hundreds of hours of interviews, and most people that we talk to, whether they're leaders or newcomers, to your point, there's no like traditional path. Like some people started somewhere and they got interested in coding, or we've talked with people who experienced a breach and they wanted to understand more. Anyway, so lots of different backgrounds. But I think there is a psychological barrier that when we say cyber, people think, well, I don't know how to code or I'm not very good with computers. Right. So I guess building on your own experience and working with students, how would you make the field feel more accessible to people who may not even know that cyber is open to them, because they're like, oh, I haven't taken network classes or whatever? Yeah, I'm not sure I have the answer to that. But I mean, one part of it is doing exactly what you are doing right now, is talking about it, right? And telling people that there's plenty of us coming from other fields that work in that field and are having fun and thriving. So first, yeah, I think talk about it. And then I know that many people working in the cybersecurity field feel like a kind of imposter syndrome, right? Because we all have our knowledge in cybersecurity, but then it's not the same as the other person's. Yeah. And, you know, that's why working together is the key, right? But we all have this symptom. And it's a very common symptom, actually, in academia. And this is where I'm coming from. So I'm kind of used to this feeling.
So I just want to tell people, let's go. We all have this feeling, so come on in.
00:07:05
Speaker
But I take that from a practical advice standpoint, not to get to brass tacks already, but it's more: if you have a career field or a skill set already, this industry is actually the kind of thing that needs that working perspective, that knowledge that you've gained working in another career or working in another field altogether, from the technology analysis side here. So you're saying that we should lean into taking folks who are more in the mid to late stage of their career and giving them opportunities, or trying to create programs that could maybe foster their recruitment and conversion into the cyber field. Is that kind of like, would that be your idea, kind of thing? I think it would be a good idea, yes. I don't know how we can do that in practice because it's kind of hard to do, but, like, the first thing that comes to mind is like, oh yeah, if I know that you got some skills, I'll tell the platform that, yeah, this guy, we love him, he got some skills, because it's much more skills-based than knowledge-based. Because when you know how to do things, you'll learn the rest, the knowledge. It's not, we can learn. So without referencing, it's really hard to know who got which skills that we need. But yeah, it would be this type of solution that we're looking for. It's just I don't have the complete solution of how we can proceed.

Enhancing Security Team Communication with Psychology

00:08:50
Speaker
I want to change tack here from workforce to a different layer of psychology. So you have studied and researched the cyber psychology of attackers. I'm curious if there's something in that study that can be utilized to help cyber teams better communicate and liaise with business partners. It's a very complicated question. Let me break it down. So my experience has been that security teams have an intimate understanding of what they're trying to achieve, but they have a really hard time communicating that to the business in a way that other people buy into the idea. They're like, oh, yeah, yeah, yeah. You're the technology people. Just go do that thing. But as we have all experienced, unless all parts of the business are bought in, then security is just sort of always trying to patch this and stop that. And they're left alone. So I'm curious if there is something in the study of psychology that cyber teams could use to better communicate with their business partners? There's no magic tricks here, but having someone whose skill is to communicate would be a great add to this team, for example. So this is where working together comes into play, because each team needs that person who can communicate and sell the idea, right? We need sellers. That's right. So people who understand the technical part and then can adopt another language to talk to the decision maker. I like language. Yeah, it's really a question of language. And it's part of my job every day, like to take this technical knowledge and try to convey the idea to my mom, who doesn't understand anything. That's the second reference to the mom test. Talk about being able to communicate with people who are outside the industry. Yeah. If mom understands, well, I've done a great job. You know,
00:11:12
Speaker
Hey listeners, if you like what we do, the snark, the stories and the big swings we take, we'd appreciate your support. With the link in the show notes you can become an official supporter of the show. You can send us a one-time gift or sign up as a member to provide ongoing support. Memberships start for as little as $1 per month. Each membership tier comes with a unique set of benefits, including exclusive discounts to the BKBT swag shop. So really, for less than you'd pay for one cup of coffee per month, you can support the show. Use the link in the show notes. It covers our hosting fees, helps us make cool swag, and it lets us know that what we're doing is of value to you.

Redirecting Young Hackers: Education's Role

00:11:59
Speaker
Many thanks to recent supporters Jessica, Jason, and Maria. We'd love to have yours too.
00:12:08
Speaker
So let me ask this though, on the topic again of kind of what you do in universities. If we look at, you know, criminology and we look at cybercrime research, is there a way to utilize knowledge and traditional criminology studies to actually try to capture young hackers, if we can get them at a formative enough age, let's say they're either teenagers
00:12:39
Speaker
or in their early twenties, and maybe they've done one major event, and it might not even have been malicious. You know, they just accessed a government network they shouldn't have and they were just messing around. Is there a way that we can, you know, coach them and train them out of taking the black hat path, using what we know about criminology and the trends in their behavior, to be able to detect them earlier on to help enable that? Like, is there a path where we can actually merge both fields? So right now, we need research on exactly that subject. There's no research telling, yeah, we should do that in this way. However, I can tell you what research says about this subject. So we say that we have people with skills, right? And we have people choosing to use them in the right way and people choosing to use them in the wrong way, well, with malicious intentions. But it seems to be the same skills at the base. However, research shows that people who choose to use their skills for the better way are actually better, have higher skills or better skills than those who choose to do malicious things with them. So the indication that research would point toward would be that maybe if we increase the education in cybersecurity, so the skills in cybersecurity, the skills in hacking and everything, we have more chances that people will choose to use them legitimately rather than maliciously, because they would be better at it and they will be able to have jobs and to be paid, and because humans are technically wired to do good things, right? And so if I am given a choice, I'll choose to do the legitimate thing, which is more simple, more relaxing for my mind, because I don't have to be scared to get caught or anything. So this is what research is telling me right now.
So maybe in increasing the education level and the sharing of hacking skills and things like that, we might be better at... No, that's interesting. I didn't know about that correlation between a higher skill set and that particular path. Yeah, it's very interesting to me because the Dutch high-tech crimes unit is experimenting with this method of taking early interventions, like the first time someone gets caught for card skimming or something, of trying to, like, if I punish them too hard and it's then hard for them as a felon to get a job in regular society, they just sort of drift over to the market, which is, you know, initial access brokers or whatever. So they are trying to get them as early as 12, 14 on this other path. So that's interesting to me. It works the same way, actually, if I go back to the basics of criminology, right? Not talking about cybercriminals, but if you intervene really harshly on a kid doing kids' things, and don't give them the right ways to learn and to be educated, it falls into a spiral of criminality in the end, right? So education will always be the key for this type of problem. So it's the same. It applies to cybersecurity. If we offer them a choice, well, they will make the right choice, probably. Like most of them will make the right choice. Yeah. Do you find anything in your research around cyber and criminal psychology that is surprising to security teams?

Debunking Cybercriminal Skills Myths

00:16:42
Speaker
I ask that because I think the media conception is the hacker, the lone person in the hoodie doing this thing. And like when I talk to people outside the industry, friends, family, about organized crime, about ransomware gangs, about like how organized a lot of these groups are, it's a surprise to them. And I think that they then have a better understanding of the motive. So I guess my question is, do you think that cyber teams are working with an outdated model of criminal psychology? Or is there something to learn about why attackers use certain tactics that's helpful in building defenses against them? Yeah, definitely. I think, well, research is good, and research is good until proven wrong, right? It's always that. So we need to get going into this research, and they are also changing. It's a landscape that is ever-changing. So we need to keep the research going. And obviously, well, I'm not sure that right now they are working with the wrong model. They are working with the model they have. We cannot do anything about it. But of course, like part of my job would be to help them put that model up to date and make sure they have the right information to fight the crime accordingly.
00:18:04
Speaker
But like in the last two years, I've been working on malicious hackers and their behavior, and I see some of them being like a lone wolf, and I also see the organized part of it. I see both cases. And like the big conclusion of my research in the last two years is that they are not as good as we think they are. So we're there. Like we are doing a good job fighting cybercrime right now, because they are not as good as people in general would think that cybercriminals are. Of course, there are some awesomely skilled malicious hackers out there, of course, but it's not the majority of them. So we're doing a good job. There's value then, or there should be, because I feel like with someone like yourself as a researcher with a criminology background, I think we should be putting work into profiling different types of malicious actors into something tangible so that we can actually teach it, because I think there are probably going to be certain behavioral trends that all hacktivists will share, that all nation-state actors will share, that all script kiddies will share, but they won't share with each other.

Industry-Academia Collaboration in Cyber Research

00:19:29
Speaker
Right. And I think, because if we're talking about user behavior analytics, and a lot of security solutions are UEBA-based, if we could then capture the trends in advance, could we not baseline and build the formulas in our devices and our technology to detect the actors before they actually manage to attack the environments, based on knowing what their behaviors and trends are? Is that not something that you could perceive seeing happening? Yeah, you're totally right. And there's two problems there with, like, getting there. It's that, yeah, first, the industry got all the resources to do this type of research, but is absolutely not formed to do that research and understand really what is going on. And on the other side, there's universities. They really want data, because they don't have, like, this part of the knowledge or the access to it. So obviously, we need a collaboration. But also, the second problem is that we got to understand that research takes time. Unfortunately, yeah, like for good research to be done, you need time. You need to understand the landscape. So, of course, this will be done by more collaboration. And this is one of my missions, really. Yeah, I would be here for that public-private collaboration, between like the private companies have the threat telemetry and the data and the academia has the research resources.

Current Research Trends: RDP & Cyber Governance

00:21:07
Speaker
In our final minutes here, what are some of the sort of most exciting areas of research for you today? Like I'm all about research. So all the areas are very exciting for me. All the things. So right now I'm working on malicious hackers on remote desktop protocol, because people use a lot of remote desktop protocol, right? So right now I'm working on this, but I will pivot really soon on maybe the, like, kind of the advisory or governance of cybersecurity. So how good are compliance rules and everything doing? Maybe not as good as we thought. But also, I don't know. I guess I will have to introduce AI into my research because we'll need it. But there's plenty of ideas. I have plenty of ideas for research. Right, no shortage. Well, I mean, we've said on the show many times that curiosity is the thing that keeps you in cyber, right? Like if you come in and you get excited, but then you sort of assume that I know all there is to know, it's sort of dead in the water in terms of that. Yeah. Well, Andréanne, thank you so much for the time and attention and for joining us at GoSec. Thank you so much for having me.
00:22:32
Speaker
If you liked what you heard, be sure to share it with friends and subscribe wherever you get your podcasts for a weekly ballistic payload of snark, insights and lack. New episodes of Bare Knuckles and Brass Tacks drop every Monday. If you're already subscribed, thank you for your support, your swagger. We'll catch you next week, but until