When we define Social Engineering in the context of Cyber Security, we’re often presented with a manipulative context where someone is exploiting a victim. Yet the same tactics that malicious actors use in emotional exploitation are present in news, advertising, social media, and marketing. These are multi-billion-dollar industries driving our very way of life. Can all influence systems be malicious, or is there a range of ethics presented by the need to communicate potential value relationships? The tactics described by the best Social Engineers often involve soft-skill traditions like active listening, building rapport, and communicating needs clearly. Social Engineering is a critical part of how we navigate relationships at work and at home. Don’t you dress better and shine a bit brighter on that first date? Aren’t you trying your hardest to communicate your value to your boss? Like it or not, Social Engineering is a part of our everyday lives. You can ignore it and risk becoming a victim, or use it to enhance your relationships. That’s an ultimatum.
Micah Turner is an IT Security Engineer based in Reno, Nevada. He served for 5 years in US Army Psychological Operations with 4 short combat tours in Afghanistan and Iraq. In that time he learned about how people try to influence the hearts and minds of local and global populations. Since then Micah has worked with various technologies from robots to Raspberry Pi. He is certified GSEC, GCIH, and currently studying for OSCP.
Running phishing simulations can be complicated. At worst, you risk damaging your personal brand and that of the Information Security function. What if you could run a phishing simulation that maximizes all the value that you hope to get from these simulations, while minimizing potential bad outcomes? In this talk, we’ll go through the lessons we’ve learned from running successful phishing campaigns and focus on how to approach this work with empathy and a positive attitude to boost your organization’s security IQ. Session participants will learn how to:
– Design, execute, and measure the results of phishing simulations on a budget
– Craft effective, thoughtful phishing pretexts and learn which pretexts should be avoided
– Avoid common pitfalls through proactive communication and executive buy-in
Brian Markham is an executive, hacker, advisor, and mentor who is passionate about building security programs and teams. He’s worked in IT and security for over 20 years and is currently the CISO at EAB Global.
SooYun Chung is a Security Analyst at EAB Global, a leading provider of technology, marketing, and research solutions for institutions of higher education. In her role at EAB, SooYun focuses on risk management, social engineering (with a focus on conducting phishing engagements), and security awareness. She is an alumna of Rutgers University and holds multiple certifications.
Too often, our understanding of cyber threats is limited to passive observation of the threat as it comes into an environment. In essence, the only intelligence that can be gleaned from this type of passive collection is simply what the adversary reveals in the initial phase of an attack and we are blind to the rest of the attack cycle. This presentation will cover how today’s phishing attacks present us with an opportunity to better understand the full cycle of a cyber attack by engaging with an attacker to collect intelligence to reveal what happens AFTER a potential attack is successful. We’ll start by talking about the concept of active defense, which helps answer the question, “And then what?” that we aren’t able to answer using normal passive intelligence collection. We’ll discuss why these tactics work so well and how the same behavioral exploits scammers use to con victims can also be used to better understand their attacks. We’ll end by looking at some examples of successful active defense engagements, including an engagement with a ransomware actor that used multiple communication platforms and will include some clips of conversations with the actor where we’ll learn more about his background and motivations.
Crane Hassold has worked in the social engineering and behavioral analysis space for more than 16 years. He is currently the Director of Threat Intelligence at Abnormal Security, where he leads a team responsible for researching enterprise-focused cyber threats, particularly business email compromise (BEC) and credential phishing attacks. Prior to moving to the private sector in 2015, Crane served as an Analyst at the FBI for more than 11 years, spending most of his career in the Behavioral Analysis Units, providing support to intelligence community and law enforcement partners against national security adversaries and serial violent criminals. In 2012, Crane helped create the FBI’s Cyber Behavioral Analysis Center, which combines the traditional behavioral concepts used for decades in the violent crime world with technical expertise to gain a holistic understanding of cyber adversary TTPs.
In hacking and penetration testing, we use “reverse shells” to make a target machine connect back to us for further exploitation or privilege escalation. What does that look like in the realm of psychology and social engineering? This presentation discusses techniques on getting the “mark” to contact us for more help/exploitation.
MasterChen is a hacker with a background in phone phreaking, psychology, and automation design. His latest research has been highly focused around cyber stalking/anti-stalking, and how to automate both sides of that coin. Bridging gaps between the technical and human elements of self defense has become his life’s mission.
Pentesting humans using social engineering techniques has become increasingly important to many organizations, and rightfully so. While many focus on the performance of a social engineering engagement, fewer deal with the post-engagement process. When a hacker has done their job, how are the results handled? How does a target feel afterward knowing they have been duped, and who is helping them to overcome adversarial feelings in the wake of a test? A social engineering pentest tests humans, and not systems. The people affected can feel they have failed as humans and not just professionally. Distress, psychological strain, and self-blame are just some of the factors that can affect a human not being helped correctly in the aftermath. But it’s not just the victims that are at risk of negative outcomes, but hackers themselves too. This talk aims to start a dialogue about the aftermath of social engineering pentests. When are we doing it right, and when are we doing it wrong? Is there a right or wrong way? The possible pitfalls will be highlighted in handling the aftermath of social engineering engagements and exploring various challenges and proposed solutions to problems that may arise.
Ragnhild “Bridget” Sageng has several years of experience in the IT industry, working in IT support before moving into a career in pentesting. Today, she works as an ethical hacker at Orange Cyberdefense in Norway. Prior to her IT career, “Bridget” educated herself in the fields of human psychology and healthcare due to her interest in understanding the human mind. She has always had an interest in cybersecurity and recently completed her bachelor’s degree in Cybersecurity at Noroff University College. Due to her interest in both the human mind and IT security, “Bridget” specializes in social engineering and open-source intelligence (OSINT). In 2020, she won an international social engineering CTF hosted by Temple University. In 2021, “Bridget” became a Certified Social Engineering Pentest Professional (SEPP) and has since dedicated her focus to social engineering pentesting. Her hands-on experience with social engineering pentesting has prompted her to further research the topic of ethically handling people affected by the tests.
Reveal the hidden state of the person on the other end of your video call, using some Python code. In the age of remote work, we miss the nuances of face-to-face communication. But with videoconferencing, we also gain a surprising amount of information that’s normally hidden to a human observer. A new set of tools will allow you to detect the heart rate, attention, and inner mood of any face on your screen. You can then receive real-time feedback to subtly mirror your conversation partner. These tools also work on recordings, allowing us to analyze the inner states of politicians, interviewees, and anyone else in front of a high-resolution camera.
Fletcher Heisler runs the YouTube channel Everything Is Hacked, where he explores projects such as a face-controlled keyboard and a video filter to add pants when you forget to put them on. By day, Fletcher is the Director of Developer Enablement at Veracode. He previously founded Hunter2 to give developers hands-on appsec training through interactive labs. He also founded Real Python, a community and set of online training resources that have taught practical programming and web development skills to hundreds of thousands of students around the world.
Friday @ 18:00 – 19:00
JC is the president of Snowfensive, a cyber security consultancy which offers various Social Engineering based engagements for their clients. As such, JC has been on every side of the argument for and against social engineering and has had to balance both the legal and moral aspects of these services against various industry and cultural ethical standards.
Alex is a cybersecurity attorney with the law firm of Crowell & Moring and previously served as the Chief Information Security Officer of the National Football League. His federal service includes positions with the Central Intelligence Agency, the US Army JAG Corps, and the US Court of Appeals for the Armed Forces. Alex is a member of the Technology Advisory Board of Human Rights First, the UL Security Council, and the Uniform Law Commission Committee for the Study of Cybercrime. Alex’s published works can be found in the Financial Times, CNN, The Philadelphia Inquirer, The Intercept, and, of course, 2600 Magazine.
Cori is an information security consultant who provides penetration testing services for a variety of clients and industries. Her background in information security risk and compliance helps translate technical concepts into actionable and tangible items for security teams. She also organizes DC615 (the DEF CON Nashville Group), where like-minded hackers meet up on a monthly basis to share knowledge and cause trouble.
Jayson E. Street has been referred to in the past as:
A “notorious hacker” by FOX25 Boston, a “World Class Hacker” by the National Geographic Breakthrough Series, and a “paunchy hacker” by Rolling Stone Magazine. He, however, prefers that people refer to him simply as a Hacker, Helper & Human.
He is the author of the “Dissecting the Hack” series (which is currently required reading at 5 colleges in 3 countries that he knows of). He is also the DEF CON Groups Global Ambassador. He’s spoken at DEF CON, DEF CON China, GRRCon, DerbyCon, and at several other ’CONs and colleges on a variety of Information Security subjects. He was also a guest lecturer for the Beijing Institute of Technology for 10 years.
He loves to explore the world and networks as much as he can. He has successfully robbed banks, hotels, government facilities, biochemical companies, etc. on five continents (only once robbing the wrong bank, in Lebanon; all the others he was supposed to)!
He is a highly carbonated speaker who has partaken of pizza from Bulgaria to Brazil and China to the Canary Islands. He does not expect anybody to still be reading this far, but if they are, please note he was proud to be chosen as one of Time’s Persons of the Year for 2006.
Neil R. Wyler (a.k.a. Grifter) is the Global Lead of Active Threat Assessments for IBM X-Force. He has spent over 20 years as a security professional, focusing on vulnerability assessment, penetration testing, physical security, and incident response. He has been a staff member of the Black Hat Security Briefings for 20 years and a member of the Senior Staff at DEF CON for 21 years. Neil has spoken at numerous security conferences worldwide, including Black Hat, DEF CON, and the RSA Conference. He has been the subject of various online, print, film, and television interviews, and has authored several books on information security. In his free time, Neil keeps himself busy as a member of both the DEF CON and Black Hat CFP Review Boards and the Black Hat Training Review Board, as the founder of DC801, and as the founder of his local hackerspace, 801 Labs.
Saturday @ 18:00 – 19:00
The biggest question Social Engineers get asked is “how can I become a Social Engineer?”. You may have even asked yourself this question multiple times after hanging out in the village.
During this panel we’ll look at how a few individuals have answered this question. We’ll ask our panelists for their best tips and tricks for those who are curious about entering a career as a Social Engineer or incorporating Social Engineering activities into their current role. Come listen to experts discuss their career journey highlights, lessons learned, and advice for anyone wanting to obtain a job in this unique field.
We’ll leave time towards the end of the panel for the attendees to ask questions to the panelists.
Eleven years ago, in a hotel not far away from this very location in Vegas, Snow began her career in Social Engineering. At the very beginning of her journey multiple people told her she couldn’t make a career as a dedicated Social Engineer. Through late nights of studying, practice, determination, learning from her mentor, and a lot of spite, she has made a successful career as a Social Engineer. Today, she is the Chief People Hacker for IBM Security’s X-Force Red team, where she leads the global Social Engineering practice.
Sherrod DeGrippo is Vice President, Threat Research and Detection at Proofpoint, leading a worldwide malware research team to advance Proofpoint threat intelligence and keep organizations safe from cyberattacks. Sherrod directs her 24/7/365 team to investigate advanced threats, deliver protections to customers daily, and create scalable threat intelligence solutions that integrate directly into Proofpoint products.
Sherrod has over seventeen years’ experience in information security, having previously held leadership roles with Nexum, Symantec, and Secureworks. Her expertise is frequently sought after by global media outlets including Bloomberg, The Wall Street Journal, The Washington Post, NPR and BBC News among others.
Dr. Aunshul Rege is an Associate Professor and Director of the Cybersecurity in Application, Research, and Education (CARE) Lab at Temple University. Her research focuses on the human aspects of cyberattacks and cybersecurity, and has been funded by several grants from the National Science Foundation, the Department of Energy, and the Idaho National Laboratory. She is the organizer and host of the Collegiate Social Engineering Capture the Flag competition and the Summer Social Engineering Event, which helps students get exposure to social engineering in a safe, fun, and ethical way.
Krittika Lalwaney is a Red Team Security Engineer at Capital Group with over ten years of information security experience. Ms. Lalwaney is a subject matter expert on Social Engineering, holds the Social Engineering Pentest Professional (SEPP) certification, and is a DerbyCon black badge winner.
As a Red Teamer, Ms. Lalwaney has led various operations that simulate real-world cyber attacks to proactively protect financial institutions from evolving cyber threats and vulnerabilities.
Ms. Lalwaney is a graduate of Denison University, with a degree in International Studies and Communications. In Washington, D.C., she received an M.A. in Middle East Studies in Conflict Resolution, Security Studies, and Arabic Language at The George Washington University.
Sunday @ 13:30 – 15:00
This is the end, my only friend, the end …
We made it! This will be the last thing in our village. During this time, we will host an awards ceremony in our village for both our Youth Challenge and our Vishing Competition before shutting down to head to the official DEF CON closing ceremonies.
After the awards, join JC as he moderates the Competitor panel, made up of a few of this year’s competitors. You’ll hear firsthand how competitors prepared for the competition, their successes and failures both in the preparation ahead of time and during their call, what they learned, and whether they plan on competing next year.
Lastly, there will be time allotted for Q&A for the attendees to ask questions of the competitors.
JC is one of the two co-founders of the Social Engineering Community and has competed in previous Social Engineering competitions. JC also runs the Vault, a physical security competition held at SAINTCON in Utah. JC’s passion for competition as well as innovation has been an exciting avenue for him as he and Snow built the new Social Engineering Community’s Vishing Competition.