Aug 7, 2020

Live from Black Hat: Breaking Brains, Solving Problems with Matt Wixey

By Chris Kirsch

Solving puzzles has been a very popular pastime for InfoSec professionals for decades. I couldn’t imagine a DEF CON without the badge challenge. At Black Hat 2020, Matt Wixey, Research Lead at PwC UK, didn’t disappoint as he presented on parallels between puzzle-solving and addressing InfoSec problems.

Puzzle (and problem) solving can be taught

Solving a puzzle and solving a problem are very similar. Both usually involve two primary functions, which may feed into each other in a circular fashion:

  • Understanding the problem
  • Searching for a solution

Problem-solving is always thought of as an innate ability that you cannot teach, but that’s not true. You can teach a comfort level with ambiguity and with feeling around the edges of the solution to a problem.

Problem-solving does not require expertise, but expertise can help in some circumstances. Experts tend to know more problem schemas and can more easily chunk problems into smaller, manageable parts, so they can recognize that a problem follows the same pattern as a problem they’ve solved before. However, assumptions can also lead you astray. Puzzle makers may even purposefully lead you astray, playing with your assumptions.

In a test where experts and novices were pitted against each other, experts took about as much time to solve problems, but they made fewer mistakes than the novices.

The role of bias in problem-solving

Problem-solving is subject to the same kind of challenges as decision-making. Biases come in many forms, which can hinder a person from solving a problem. You should be aware of the following biases that may impact your thinking:

[Image: Problem-Solving Bias]

Problem-solving in InfoSec

Problems in InfoSec are often knowledge-rich and ill-defined. Practitioners range from experts to, because of a chronic skill shortage, many novices. There are ample schemas for these problems.

Wixey asserts that even if you change the “cover story” of the problem, the problem space remains the same. Not telling your colleague the full story may actually be useful in solving the problem in some cases. He encourages diversity in background and expertise, and of course, applying your experience in solving puzzles to real-world problems.

Designing the perfect puzzle

Designing a puzzle can be difficult and time-consuming. The perfect puzzle has an interesting premise but very little explanation. Hidden “trap door” functions, red herrings, and easter eggs are optional but can add variety to a puzzle. Interesting puzzles may ask something completely unconnected to the premise, but the puzzle should have internal logic, where the answer can be obtained just from the question. It should not require specialist knowledge beyond what you can get from a quick search.

A personal lesson learned after generating my first puzzle was to have it field-tested by a few people. I thought that there was a direct, linear path to the solution for a puzzle I created, but there were actually several paths that led to dead ends, which was frustrating to some puzzle solvers.

Let’s solve some puzzles!

At Veracode, we have regular puzzle challenges as part of the Veracode Hackathons. We have people from around the company provide their puzzles based on themes, and then the whole project is curated by our puzzle masters. If you’d like to dip your brain into years of Veracode internal puzzle challenges, check out Vera.codes.

Chris Kirsch works on the products team at Veracode and has 20 years of experience in security, particularly in the areas of application security testing, security assessments, incident response, and cryptography. Previously, he managed Metasploit and incident response solutions at Rapid7 and held similar positions at Thales e-Security and PGP Corporation. He is the winner of the Social Engineering CTF Black Badge competition at DEF CON 25.