What can chess grandmasters teach us about Cyber? [ML BSide]

Sports is not something that you usually hear mentioned when people talk about cybersecurity - but Chris Cochran and Ron Eddings, co-founders of Hacker Valley Media, believe that cyber professionals can take inspiration from MMA wrestlers and chess Grandchampions to get to their own version of peak performance.

Hosted By

Ran Levi

Exec. Editor @ PI Media

Born in Israel in 1975, Ran studied Electrical Engineering at the Technion Institute of Technology, and worked as an electronics engineer and programmer for several High Tech companies in Israel.
In 2007, he created the popular Israeli podcast, Making History, with over 15 million downloads as of July 2022.
Author of 3 books (all in Hebrew): Perpetuum Mobile: About the history of Perpetual Motion Machines; The Little University of Science: A book about all of Science (well, the important bits, anyway) in bite-sized chunks; Battle of Minds: About the history of computer malware.

Special Guest

Chris Cochran

Co-founder and CEO @ Hacker Valley Media

Chris Cochran is former active duty US Marine Intelligence. Cochran has made it his personal mission to motivate and empower cybersecurity professionals and teams through coaching, his podcast Hacker Valley Studio, and speaking engagements.

Ron Eddings

Co-Founder & Executive Producer

An Austin, TX based cybersecurity expert and podcaster. While podcasting on the Hacker Valley Studio podcast, Ron explores the human condition to inspire peak performance in cybersecurity. Over the course of his career, he has garnered experience working at various Fortune 500 companies and mentoring a multitude of fellow professionals along the way.

Episode Transcript:

Transcription edited by Suki T

[Ron] You need the grit to push past the times where you get stuck on a piece of code or a challenge that you just can’t figure out, get better the next day.

[Ran] Hi, and welcome to Cybereason’s Malicious Life B-Sides. I’m Ran Levi. Sports is not something that you usually hear mentioned when people talk about cybersecurity. I mean, we talk a lot about phishing, dropping a payload, and brute force attacks, but it’s phishing with a ph instead of an F. The payloads are measured in kilobytes, not kilograms. And let’s face it, most cybercriminals are so pale and scrawny.
Brute is not usually the first word that comes to mind when you see their pictures. But in this episode, we’re throwing you a curveball, so to speak. Chris Cochran and Ron Eddings are two cybersecurity professionals who co-founded Hacker Valley Media, a multimedia platform they created as a way to, “explore the human condition to inspire peak performance in cybersecurity.”
Nate Nelson, our Senior Producer, spoke with Chris and Ron about how ideas usually associated with sports, such as flow and mental resilience, can help cyber professionals reach their own version of peak performance. So what can we learn from sports psychologists and chess grandmasters? Listen and find out. Enjoy the interview.

[Nate] You’ve both been doing hardcore security for, what, a dozen years now. I bet you could tell me a thousand things about detection response, threat analysis, yada yada. But here today, we’re gonna be talking about chess, martial arts, Simone Biles. Why?

[Chris] We’re gonna be talking about that because we started Hacker Valley Studio, which is our flagship show, and we wanted to get the learnings inside and outside of cybersecurity because we believe that cybersecurity practitioners are mental athletes with no off season. So what are the learnings that we can garner from other people outside of cybersecurity to make our jobs better?

[Nate] So give me an example of the kind of conversation you’ve had in the past where you were able to actually apply what you took away from a non-cyber security professional to your cybersecurity work.

[Ron] We have guests from inside of cybersecurity and also outside of cybersecurity. You mentioned Grandmaster Maurice Ashley. One of the things that Maurice Ashley highlighted to us is the attention to detail that chess players need to focus on, and not just the attention to detail on the board, but to their health. So Maurice was letting us know that chess players, on average, they’re burning around a thousand calories per day, just sitting down, moving the pieces.
And I did some research. I said, hmm, how many calories do cybersecurity practitioners have to, do we burn per day? And it’s anywhere between 800 and 2,300, 2,300 calories if you’re standing specifically. And when you think about that, it goes to show the fuel that we use to power our minds and bodies. So I started to do more digging, more research, and I learned that it’s not just one brain that we have that we’re using that’s burning these calories. We have two. And the second one is your gut. What you put into your body is going to dictate how well your mind thinks, how well your body moves.

[Nate] Yeah, sure. That 800 to 2,300 is beyond what your body would otherwise be burning in a given day.

[Ron] That’s right. This is by just using your mind. You would still be burning calories though, just sitting down or laying down. We burn calories in our sleep, but it’s a little bit higher when you also add in the part of just solving difficult problems.

[Nate] So tell me more about this grand master and the kinds of things that you were able to draw parallels with cybersecurity, because I don’t know, I can imagine in that, in an abstract sense, cybersecurity is a bit like chess. You’ve got your opponents, you’re trying to make the moves that’ll outsmart them.

[Chris] 100%. When you look at a chess board, you see all the pieces, you have your opponent, this across the table from you. When we look at cybersecurity practitioners and we compare them to the folks that are committing the crimes, the folks that are doing the hacks, we’re all at the adjacent possible. We’re all trying to figure out how do we outsmart the other person? And quite often you find this flow state, especially if you’re doing something like security analysis or incident response. And that flow state really, really helps propel the performance of whoever’s doing the work.
But the thing is that hackers, they get the same thing, whether they’re coding, whether they’re committing an act, they’re also in a flow state. And even with Maurice Ashley, he gets in the flow. So we had to learn more about flow state. And so we had Steven Kotler, he’s the foremost expert and researcher on flow states. Flow states for anyone that doesn’t understand what it is, is when you’re doing a task and it just seems like everything’s just coming together, time seems to pass more quickly, or even slow down when there’s a bit of pressure on for you to perform.
And I asked Steven Kotler, I said, when you have these adversaries, because cybersecurity is one of the only industries that has adversaries that are trying to undermine your work, if both parties are trying to enter flow, how do you know who’s gonna win? And how do we ensure that the right side wins? And he said that he did studies with some tech companies in the past. And one of the studies found that if you have values, if you have things like integrity, honesty, empathy, you actually have a competitive advantage against someone who doesn’t have those things.
So they might be entering flow just as much as you are. But if you have things like values, that is going to make you just that much better. And that’s the same thing with Maurice Ashley when it came to playing chess. Because I mean, we speak to Maurice Ashley at this point, at least once a month, because he’s a good friend of ours. And so when you look at that, and when you look at the people that are out there cheating in things like chess, they’re gonna lose at the end of the day because they don’t have this thing we call values. And that’s what makes us better on the cybersecurity side.

[Nate] Now, I’m just gonna play devil’s advocate for a second here. Cybersecurity professionals, as you guys mentioned, have no off season. You guys are working at this day in, day out. Maybe at a certain point, a more exciting point in your year, you’ll come across a hacker, let’s say. On their end, they’re probably doing what they’re doing most likely for money. They’ve got a lot on the line, arguably more so than you do just doing your job. So if it’s them trying to get millions of dollars, and you, a good person trying to do your job well, how can you match the motivation that they might have in that scenario? And what kinds of mental tools can you use?

[Ron] We need to put more emphasis on getting the right people into the right opportunities. We worked with a coach and her name is Laura Garnett. She’s created this framework called Zone of Genius. And what the Zone of Genius is, is finding the sweet spot between what you’re great at and what fulfills you at work. If you are working in a SOC and you don’t, and you’re not hungry for triaging information over and over and over again to ultimately find that needle in the haystack or that attacker, then it’s gonna be very difficult for your organization to succeed.
And a personal story of mine, when I first learned about this Zone of Genius framework, I was doing things wrong myself. I wasn’t putting the right intention. I didn’t have the right values as Chris was mentioning when it came to finding the attacker. Where my passion really lied was building the infrastructure, building the architecture.
And before working with Laura on this, I used to use achievements as my thing that keeps me going. I used to use money when I would get a pay raise or even endearing words. These things gave me a dopamine hit, but they didn’t help guide me to doing the right thing. And once you find that Zone of Genius, especially if leaders focus on that, that’s how we stay ahead of the attacker. Because like you were saying, there is this idea of economic prosperity that the attacker is going for, but what about the bigger picture? Working towards a common goal that is bigger than oneself.

[Chris] And if I could just add to that as well, you’re right, if someone is looking to eat your lunch, they are gonna do everything in their power to do that. But what comes into play is practice. What comes into play is iteratively improving over time. What comes into play is being able to algorithmically register threats that are out there in the threat environment. And then use that information to then make decisions and take actions inside your own program to defend against those tactics. So even if someone really, really, really wants to get into your network, even if you might not be as passionate as they are about getting in, if you have your bases covered, if you have solid foundations and you really are an expert in your field, it’s gonna be a very, very hard time for that attacker to get into your network.

[Ran] The best strategy for organizations to avoid becoming a victim of ransomware is to prevent the attack from being successful in the first place. Cybereason remains undefeated in the fight against ransomware because it moved beyond alerting to deliver an operation-centric approach that detects and prevents ransomware attacks at the earliest stages of initial ingress and lateral movement. The Cybereason predictive response capability disrupts ransomware attacks prior to data exfiltration and long before the ransomware payload can be delivered. Visit cybereason.com to learn more about predictive ransomware protection and how your organization can realize both increased efficiency and efficacy through an operation-centric approach to security operations.

[Nate] I’m thinking about, you know, back before I was involved in this field, when I was younger, I worked as an overnight doorman. And I remember this time when one of the tenants of the building came to me and frankly, she was a little bit whatever. She comes to me and she says, you know, you’re sitting down in your chair, you look a little bit dazed. What if somebody comes in here with a weapon? What are you gonna do? And as a doorman and as a young person at the time, I was sort of just like, come on lady, we’re in a rich neighborhood. Nothing’s gonna happen. But the fact is, is that the doorman who has to sit there eight hours a night, every night, four in the morning, is gonna sort of fall into a lull. And then that person who comes into attack is really already, they have the upper hand from the beginning. So are there any conversations you guys have had with experts in their field about how to stay vigilant and prepared on your 20th year of working a cybersecurity job so that you’re not caught completely off guard? Because I feel like a lot of breaches just happened because people forgot to patch or forgot to do this or weren’t looking in the right place.

[Chris] Yeah, you know, I’m glad you brought that up because there is always going to be a situation where someone gets lulled into a state of complacency. That’s just gonna happen. That’s just human nature. If nothing’s happened in 20 years, you’re gonna feel like nothing’s ever gonna happen. But what you do to prepare for those situations is build in that muscle memory. You build in that response procedure. You craft that into your work. So for instance, we had Robin Black on our podcast. He’s an MMA commentator, but he’s also one of the best combat analysts in the world. He does everything from analyzing MMA fights to boxing to judo, even animals fighting in altercation. He’s analyzing the way they fight. And what he talks about is that we are machines that are bringing in information constantly. And quite often we go into a muscle memory when something happens.
So for instance, if you’re an organization that has never ever seen any type of intrusion, you can still simulate that. So for instance, while I was at Netflix, we would do this thing called the Wheel of Misfortune. And the Wheel of Misfortune would be for the person that’s on call. Even if there’s no incident going on, we would spin the wheel and they would be given a particular incident that they had to solve. They had to use their mental models. They had to use their experience, expertise. They had to ask questions. They had to bring in the right folks to help answer whatever that challenge is. And even if there isn’t a real threat, you could even be laughing, having a good time. You’re still utilizing those neural pathways in order to say, if this were to happen, then X, Y, Z. I’m sure that after you had that conversation with the lady and was like, what happens if a guy with a gun comes in here? You started to think, well, what would I do?

[Nate] You guys are using a lot of sports analogies here. I know that my New York Giants have won six out of the last seven games. Nobody thought this team would be any good. A lot of the theory is that they’ve come together as a group, they’re approaching the game with the right mentality, which is strange when it comes to football because usually the biggest and the strongest guys you would imagine win. How much of cybersecurity like sport is mental? How much of it is about having the right mindset, approach, perspective? Does that have an actual tangible impact on your work product?

[Chris] 100%. One of the best things that you can have as a practitioner is resilience. We had a forensic criminologist on the podcast, Lori James Peters, and she talked about her son. Her son was addicted to video games and she thought, what can I get my son into? He’s addicted to these video games. What can we use this for in the workplace? And what she stumbled upon is that resilience is really good for people that are into hacking because when you play a video game, if you’re really into video games, you don’t give up. If you don’t beat that first level, you continue to try, you figure out tactics. If you still don’t get it on your own accord, you look up what other people have done. Other people have beaten this level before.
So maybe there’s a strategy, maybe there’s tactics, maybe there’s techniques that you can do to beat that board. That same resilience that gamers have for video games is the same resilience we should have in cybersecurity because there is always gonna be someone out there that’s looking to take what you have, whether it’s data, it’s money, it’s access, whatever it is, they’re looking to get it. So if you are resilient in the protection of that data, if you’re resilient in the protection of that organization, you’re gonna be a beast a year, two years, five years, 10 years with that resilience constantly saying, okay, this didn’t work, what’s next? This didn’t work, what’s next? It’s all these small incremental improvements that really build up to this thing we call being an expert in something or the path to mastery.

[Nate] And do either of you have a video games version of yourself like something that you had before you entered this field that has really helped you?

[Ron] So when I first got started in technology, I was a teenager and I wasn’t really working in technology but I started to dabble a bit with technology. And I also played sports. When I would play sports and look at others, I really thought that my talent and skill was bounded. Like I could get better but I couldn’t be the best because there was someone that was way ahead of me. I didn’t have any insight that what practice does is allows you to get better each time that you do it. With cybersecurity, it’s a lot different. When you look at someone that you admire that has written a book or a practitioner, you look at them as a regular person.
You’re not necessarily looking at them like maybe someone would look at Michael Jordan. I can never be like Michael Jordan. But when it comes to these incident response analysts, they’re telling me that I could be like them. And that’s how I got started in my career in cybersecurity. I was hanging out with my mentors and they would remind me constantly that it’s about learning. And you’re not gonna be able to get it all in one day. That’s where you need the grit to push past the times where you get stuck on a piece of code or a challenge that you just can’t figure out and get better the next day and then keep on doing that over and over again.
And I think that’s exactly why so many people are able to pivot into cybersecurity today because we have this learning mindset, this learning environment to where it’s very straightforward to get better and also achieve mastery with enough time.

[Chris] Yeah, I spent a lot of time as an athlete as a kid. I did a lot of wrestling and things like that. But honestly, I didn’t really learn how to learn until I was in college. And it wasn’t my college courses, I was a dancer. I saw a video back when, cause I was a thing, everyone was doing that peer to peer sharing of videos. And there was this video of this guy named David Elsewhere. And it looked like he was overseas somewhere at some dance competition.
And when I saw that, it changed my life and it has changed me to this day. And I said, wow, this guy is dancing. He’s making his body look like water. And then for a second, he’d look like a toy, like a windup toy. And then he’d look like a computer glitch. And so I started to like dive into this world of dance. And I’ll tell you what, when I first went out and I started battling people in the clubs, having dances, I got my butt kicked. I remember I got destroyed by this guy so bad that I almost thought like, maybe this dance thing isn’t for me.
But I decided, I was like, you know what, I’m gonna keep going, but I’m gonna be a little bit more intelligent about how I improve. So I found a coach. I found a coach in California. He was able to teach me a lot virtually. I would travel out there and I would learn and I became obsessed. I was dancing from sunup to sundown. I would dance anytime music was playing. I would dance when there was no music playing. And six months later, I would go back to that same club, battle that same guy. And not only did I beat that guy, I beat every single person that was in that guy’s crew. I would say that that dance experience really set me up for my cybersecurity career.

[Nate] Now, is there one more person whose work, who what they told you has stuck with you so much that it actually impacts your day-to-day work today and you still think about it?

[Chris] I would say that one person is Jim Lawler. When I was at the National Security Agency, I sat in a presentation with this guy. He’s been in the CIA for 30 something years. And he was probably one of the best storytellers I’d ever seen in person. And he would talk about basically going overseas and turning people into traitors. And in fact, he loved it. That was his dream, his passion was doing this thing. And of course you would think, wow, why would somebody, like, get excited or inspired by something like that? But what it really showed me was two things.
Number one, it showed me the power of storytelling. And that really has propelled us to where we are today with Hacker Valley Media and all the stories we tell, all the shows and the TV series that we do.
But then the other thing is that it really told me a lot about the human condition. If you ever listened to the episode that we did with him, he talks about how it isn’t a matter of if somebody would break or become a pawn in the plight of whatever attacker is trying to attack your organization, but when. There’s always a possibility. He’s constantly looking for the cracks and holes in the person, whether it’s a financial, whether it’s ego, whether it’s anything that would really just cause a person to break.
And what that makes me understand about human nature is that we always talk about, oh, it’s a layer eight issue. And we talk about it from the aspect of people being dumb or people being malicious, but really understanding the human condition really allows you to operate better in cybersecurity because everyone’s not perfect. Everyone has their problems. There is a person on the other side of that Zoom call on the other side of that chat. And if you remember that, whether you’re talking about security awareness training or you’re talking about handling an incident, as a cybersecurity practitioner, it’s always gonna be easier to handle some of these things when they come your way.

[Nate] We’ve been talking a lot about how folks outside of cybersecurity can pass down to us lessons that actually impact our work. But on the flip side, what do cybersecurity people have to teach the rest of the world? Like if a champion wrestler could interview you guys, what might he take away that he could then apply to his sport?

[Ron] I would say curiosity is one of those characteristics in cybersecurity that is just ingrained in us. Everything from getting curious about hacking to picking locks, it’s a curiosity. And those people that are doing vulnerability research, those folks that are doing bug bounties, it’s a curiosity that drives them. It’s a puzzle solving thing that pushes them to that next level. When you look at other industries, a lot of other industries have been around for a really long time. And sometimes they forget to be curious. They forget to ask questions. They forget to say, what if? What if I did this? Like how would that change my industry? I would say that if any other industry could learn anything from cybersecurity, it’s getting back to that curiosity, that childlike curiosity that we have.

[Nate] Well, that just about does it for my prepared questions. But before we go, is there a last word that you guys would like to leave us with?

[Chris] Yeah, I would say the last thing that I would mention and probably would bring all of this together is that you can learn from anyone. You would think that it’s the biggest names on the podcast that make the most impact for an audience. But in fact, you can learn so much from anyone and their story. So open your mind to learning. Open your mind to observing the world, the people that are in it, and seeing if there’s anything that you can learn from them to not only apply to your work in cybersecurity, but even in your life.