Becoming Daedalus

Originally Posted: Wed, 20 Jun 2018 17:52:00

Today, I want to look at soft skills; more precisely, one soft skill in particular, namely problem solving. Yes, that old chestnut, the one everyone seems to need to put on their CV, from janitorial staff and burger flippers to IT practitioners of all flavours. But why am I writing about it now? Because it’s not a very well understood skill, and it is only half of what a CyberSec pro needs. Confused? I’ll explain.

As I’ve mentioned previously, one way for CyberSec personnel to test themselves and keep their skills sharp, while learning or while actively engaged in a position, is wargames (you can find a good list of them here). Hack boxes, CTF’s (Capture the Flag) and so on are a great way to introduce you into thinking about the issue faced and the problems that need solving in context. It helps build your problem-solving skills by presenting you with common, and not so common, challenges, which you must overcome with your wits and technical know-how. Problem solving as we know it is a largely regimented process, usually an exercise in remembering a trick you learned way back when. At its best, problem solving is a melding of the creative and the scientific: unusual solution arrived at through logical means.

But a lot of this can be either remembering a known solution, or hours spent jerry-rigging something together until you can fix it properly. It’s as if problem solving is only half the skill. And that’s because it is. Because we forgot Daedalus. Daedalus, for those you who don’t know, was a craftsman and inventor of ancient myth, a puzzle-maker who created the Labyrinth. We have forgotten that we need to learn how to build puzzles and problem scenarios, so we can know better how to solve them. If I were to give you a map of room, at the centre of which was a box, and marked the locations of the doors, lights, cameras, alarms etc, it would be reasonably easy to plot your infiltration route (or routes, if you pay particular attention), path to box, and exfiltration route. But if I were to give you the box and tell you that you needed to build the room to protect it, would it be so simple? Could you build the room that avoided the problems of the room I gave you to break into?

This is increasingly an important skill to develop, with easy-to-use tools, readily available, that are designed to trick and mislead investigators into believing one thing, whilst being another. If nothing else, the Vault 7 leaks of last year showed us that these tools have been in use for some time now. As Cyber Security practitioners, we must have the mindset to see these things, but also to design systems that are labyrinthine to malicious actors, make puzzles of our own systems that they cannot be easily cracked, and that we can find them in return. We have made shifts in this direction, with honeypots and canary tokens, but as always, more can be done.

What I’m driving at here is that everyone wants to be the ace hacker, or CyberSec Architect extraordinaire, but do they really know their skill set? It’s fine learning coding and networking by rote, and Googling for the fix to that problem is all good and well, but are you actively keeping your problem-solving skills sharp by testing yourself from the other side? If you aren’t sure, give it a try. An increasing number of CTF and wargame sites are allowing and requesting new challenges, so why not give it a go?