8th Layer Insights 9.3.24
Ep 49 | 9.3.24

Let's talk Social Engineering

Transcript

Perry Carpenter: Hi. I'm Perry Carpenter and you're listening to "8th Layer Insights." Hey, everyone. So it's been a little bit longer than usual between episodes and I figured that I would let you in on what was going on and give you a full episode. But this one's going to be a little bit stripped down. So over the past several weeks I've been traveling quite a bit. Got COVID and it's just been taking me quite a while to get back on top of things. So I don't have a fully produced episode for you today, but I do have a great interview with Snow and J.C. Snow and J.C run the social engineering community and the social engineering village at DEFCON and we're going to get in and talk a lot about the way that that works. We're going to talk about some of their stories, what social engineering is, how it works. A ton of great stuff in this interview. And I didn't want to hold it back for too long. Also two other things. One is at the social engineering village this year I demoed a project that I'd been working on for several months and that was a live large language model backed voice powered phishing chat bot that we actually had run in the booth. So Lisa Flynn from the University of Las Vegas and I worked together, put together a number of pretexts, married that up with the chat bots that I'd been working on for several months, and what we ended up doing was really I think surpassing everyone's expectations. So in this first test we ran up and did this as an experiment. So Lisa and I running the bots and then Snow and J.C basically as seasoned social engineers seeing how far they could go. We each had 22 minutes and it was pretty much even. The bot was never suspected as being anything other than a human on the phone which was really, really interesting. It also collected 17 flags in 22 minutes. That means it got 17 objectives that we wanted it to get. And it scored I think it was about 1,450 points. And Snow and J.C had the same 22 minutes. 
They only got 12 flags, but they had an amazing pretext where they went after some high value targets a little bit before we would have. So they edged us out by 50 points at the end. So when you look by points Snow and J.C won by a hair. If you look by flags, we won. And the really interesting thing is this was the first live fire test against an unsuspecting person that these bots were ever put up against. And so now with a little bit more understanding and with a lot of hindsight in what worked well for them we could go back and re-engineer some of these prompts and pretexts and make an even more highly effective bot that we could enter in another competition. And so I think it's both interesting and really, really scary. Right? Then the day after that I presented at the AI village another version of this same project where I showed how this type of chat bot can be weaponized in order to do simulated virtual kidnapping types of scenarios. And I showed just how far jail broken that bot could be. I showed how profane it could be, how violent it could be, and then I also showed how a couple times in the initial working with this bot I got it to break and I was able to interview it about some of the things that it would suggest I do differently to make the prompts more effective, to make the scenarios scarier for people. And showcased that. Good news is I'm going to make another version of that talk and I'm going to post it online within the next couple weeks as soon as my voice and my energy level get back to normal. And there's lots of cool stuff in store. So the second thing that I wanted to tell you about is that my new book "Faik" which is all about living in a world filled with deep fakes, disinformation, and AI generated deceptions, that book is kind of out now. For whatever reason the Kindle version got released early. So you could go get the Kindle or the ebook version right now wherever you like to get those. 
But the hardback version, the version that I really want everybody to get and to share with friends and family and loved ones, that is going to be available on October 1. So please go preorder that. If you know anything about publishing, preorders mean a ton. They are the faith that the publishing world puts in an author. So I'm really hoping that we can blow the preorders out of the water and really surprise everybody with how you're going to come through on these. As you know, I love technology. I also love security and I love really helping people understand what a secure mindset is. And so when you take something like AI which I'm fascinated with and I love and you marry that with a security mindset which I am also fascinated with and love, and then think about the human condition, all these things come together in a very special way in the book "Faik," F-A-I-K. So please go preorder that now if you haven't already and we will get to the interview. Oh wait. I guess we have the theme song and intro first. So on today's show we speak with Stephanie Carruthers otherwise known as Snow and J.C Carruthers all about social engineering, some of their fun stories, and the social engineering community. Welcome to "8th Layer Insights." This podcast is a multidisciplinary exploration into the complexities of human nature and how those complexities impact everything from why we think the things that we think to why we do the things that we do. And how we can all make better decisions every day. This is "8th Layer Insights." Season five. Episode nine. I'm Perry Carpenter. Welcome back. Let's get straight to the interview with Snow and J.C.

Stephanie Carruthers: My name is Stephanie Carruthers. I also go by Snow. I work at IBM for my full time role where I actually have a dual role where I'm the chief people hacker so focus on social engineering and I also lead our global cyber range practice. J.C and I are the co-founders of the social engineering community which is a village at DEFCON.

J.C Carruthers: I'm J.C, the president of Snowfensive. We're a small boutique cybersecurity consulting company focusing on offensive and defensive services. And then as part of our offensive services we offer social engineering services. So such as your phishing assessments and phishing assessments.

Perry Carpenter: You know, I think it'd be interesting if we start with one or both of you talking about how you think about social engineering. So number one. Where does that fit in with the cybersecurity ecosystem of things that we have to solve for as we build programs? And then what makes a good social engineer from a criminal perspective and maybe is there a different kind of social engineer that we try to create on the -- you know, the you know blue team or the good guy perspective?

Stephanie Carruthers: Yeah. I could take the first stab at that one. So social engineering fits into cybersecurity. That's a great question. So when I think of cybersecurity a lot of people tend to think networks, computers. Right? But at the end of the day it's people who are using those, people who have access to sensitive information. And typically if we're able to compromise a person, somehow their accounts, then we can get access to that sensitive information and that's something if you look at you know data breaches year over year of how the attackers were getting in phishing is still one of those top entry points. It is interesting to see credential reuse is starting to get a little bit more common, but phishing is still it's at the top. And so I don't think that's going to go away any time soon. So I think that's kind of how social engineering at least fits in to cybersecurity. And if you even look at major data breaches like the MGM hack, for example, that all started with a phone call. And how long was that casino shut down for? How many millions of dollars of revenue did they lose because of that initial phone call? And that's why I think a lot of organizations who might not see social engineering as a risk, they're not looking at it from that perspective what could happen because of this style of breaches. J.C, if you want to add anything to that.

J.C Carruthers: Yeah. It's an interesting question. So where does social engineering fit in to cybersecurity? So it's almost I might even go so bold as to say it's almost its own element of operations kind of akin to how UI and user experience, user interface, might be part of a web app. Because you have a human element, that essentially it traverses more than just cybersecurity which is the interesting piece. Right? So cybersecurity like Stephanie said is you know we have -- we've got our vulnerabilities. We've got software. We've got risks in that sense of the ecosystem, but social engineering can live completely outside of the technologies piece. It can be -- I guess the way to say it is it can have a directly physical effect. Right? We can walk into a building and never touch a single computer and walk out with information or coerce employees. Likewise somebody could call up an employee and just take information right out of their mouth while never leaving a single log file, keystroke. So I think there's an intersection with cybersecurity, but there's a lot more to it. Just like physical security. Right? Physical security, cybersecurity, they have some interconnectivity. Right? There's some overlap between them. But physical security in and of itself has a lot more components that we don't even think about in cybersecurity. I think that the human element of social engineering can be seen in that light.

Perry Carpenter: You know what? I love that answer because it actually splits a hair that we kind of forget to split as an industry a lot, especially now that we shifted terminology and most of us use the term cybersecurity. But when you zoom back and you think about what we used to call it it was information security or information assurance which means you don't necessarily have to think about the connected aspect of the digital ecosystem. You're thinking about the thing you're actually trying to -- you know, what your crown jewels are. And I think you make a really good point is that you can not touch a system at all and come away with the thing that is valuable that may either be valuable to bring a company down one way or maybe an entry into a digital ecosystem somehow.

J.C Carruthers: And sorry. Before you go too far, let's take that point that you just said to answer your second question of what makes a good social engineer. I think it's immediately being cognizant of that fact is that we don't have to rely solely on phishing or getting your email account or getting your password. We can simply call you up and ask for the information directly. It is very much that. It's that information piece. And I think to directly answer the question what makes a good social engineer I would -- I would almost say it's what makes a good pentester? What makes a good consultant? What makes a good employee in the realm of being someone who does this professionally? And that's understanding what the risk is that you're trying to evaluate because there's -- there is the risk of phishing. There is a risk of phishing. How well we're protecting our email accounts, our passwords, things like that. But then you get to situations that we're seeing from our technical side, from our offensive operations side where we're evaluating a specific type of phishing or phish attack like the Microsoft Azure device code attack. Right? Where we're not really doing something that everybody's familiar with and that's one of the things we're exploiting. And I think that's truly what makes a good social engineer is am I able to lend this craft to help identify real risks to your company or are we just copying and pasting what we hear everybody else doing? I'm doing a phishing assessment. Phishing assessment. Cool. That's checking the box of that social engineering when in reality we're just we're a tip of the iceberg.

Stephanie Carruthers: I completely agree with that. And I think from like a soft skills perspective of what makes a good social engineer in addition to that is someone who can think on their feet. Right? That's something that we see in the village when they're doing the social engineering calls year after year. The teams who are fast to respond typically do well and the teams also who are really good at rapport building out of the gate that is a combination for success and that's something that we do professionally all the time and it's really cool to see the ones that do that and succeed and the ones who don't tend to stumble a little bit.

Perry Carpenter: Well, you mentioned earlier the MGM breach which if I remember right was a little bit of LinkedIn open source intelligence gathering and like a 10 minute conversation on the phone. If we believe what the folks that did that say. Is that indicative of the effort that is put into the real breaches like that? Because I've got to think if you're hands to keyboard trying to hack through a system you're spending more than a little bit of OSINT time and 10 minutes doing something. You're really trying to tear down some defenses or find a vulnerability or find something that you can throw at it. So the social engineering aspect seems like sometimes it's just the easier less resistance way to go.

Stephanie Carruthers: Yeah. I mean that's a really valid point and I would love to say that you need hours and days and weeks of OSINT, but really when you're able to get just a handful of pieces of information off a quick Google search or LinkedIn and use that to kind of fuel that conversation, I mean it's also, it can be devastating. And that's kind of the part to me that's crazy about social engineering is how much just a little bit of OSINT can really make or break an entire campaign.

Perry Carpenter: Is there a piece of OSINT that tends to be more fruitful than other pieces? You know, I know that there's tons of tools out there. There's tons of processes. There's a lot of discipline that we're trying to create as an industry. But sometimes it seems like there might be some areas where somebody could spend a little bit less time doing really intelligent OSINT and then still get the bang for the buck that they need.

Stephanie Carruthers: Do you want to go first, J.C?

J.C Carruthers: No. Go for it because the OSINT thing is a bit of a soap box for me. So I think, no, you know where my soapbox is going to go. But I'll let you go ahead and answer first.

Stephanie Carruthers: Yeah. So I can tell you the story of my favorite OSINT finding and how it led to success in a campaign for a client. So the goal of the assessment was to do a password reset against their help desk team. And so some of the things we were trying to find during OSINT, we were trying to find specific information about individuals. Right? If I'm going to impersonate an employee, what information can I find against this employee to say I am? Right? Is this my name, my address, my phone number? Things like that. Well, in the process we were also looking at the company to see how they operate and we actually found password reset instructions online with what specifically they were going to ask for and that right there just took probably hours off of our searching and going from there we know we needed an employee ID. And like okay. Well, I don't think we're going to find that in OSINT which is very rare to find, but we got lucky and found some HR document about enrolling for medical benefits and how you need to enter in your ID. But they went as far as to say the format of the ID so we could easily guess it. So you were -- we -- I mean the first call we got it which should not happen at all.

Perry Carpenter: All right. J.C, soapbox.

J.C Carruthers: Yeah. And your story leads right up to the soapbox and there's it's a gripe that I have where a lot of people will say, "Oh. We do OSINT." Or, "We do open source intelligence." And Stephanie in her training at Black Hat touches on this and then we actually have a private training that we offer that does -- solely focused on open source information collection and analysis. But the problem is in the word intelligence. When -- we throw it around very loosely. But there's a whole hierarchy of value refined data. Right? So data as this idea of, you know, maybe the color red. Right? Red doesn't mean anything to anybody. And that's raw data. But when the fact is that the red sits in a traffic light and the light turns from yellow to red, right, that data now means a little bit more. There's some more context. There's some more information. And that still doesn't have any important meaning to you right now, Perry. You know you know what a red light at a stop light means, but it may be nothing right now. But the fact that it's a stop light at the intersection you're coming up to now it's going to dictate how you do something or how it's going to influence your actions. And a lot of people that talk about OSINT get away from this or forget this piece, that that gathering that collection must must must, and this is the soapbox I'll die on this hill, fight tooth and nail, have some type of grounding in an operational goal. You have to want to do something with this. You have to have a plan, an attack. To Stephanie's point with her story, that's great information. Cool. You pulled this HR thing. But if you didn't have a specific requisite to be logging in or doing a password reset attack, this doesn't mean anything to you and you're just collecting information to collect information. And that's -- that's really the soapbox there is a lot of people think you just gather this information. 
So with your question of is there a juicier one versus another, unfortunately it's hard to say without that operational goal. And I think that's something that's all -- that surprises the two years in a row that we've run this village at DEFCON is when we -- because the first year was real estate companies. And the second year was pizza companies. And the flags, the goals, the objectives, stayed the same. But the sources for those pieces of information were very different. For the real estate piece you'd be surprised -- and this is going to be a huge generalization. The amount of agents because they're essentially running their own brand. I don't want to use the word narcissistic because that is not the right word. They are selling themselves and you have to -- you can't promote real estate without promoting yourself. But to that level any individual social media was huge findings to give you more information about the real estate agency and into their organization versus the pizza chains that we targeted. The majority of the same type of information was between franchise owners in Reddit and so in terms of where the source is it's that's always going to change. It's how these individuals use that information or how they're sharing or what would influence them to share and how to share that's going to drive us to where the sources are. But again it's got to be in the pursuit of some type of action. What are we trying to do? Sorry. That's --

Perry Carpenter: No. That's really good.

J.C Carruthers: I've got a couple soapboxes. And when I get on them --

Perry Carpenter: That brings up another question, though. So first of all that's really good insight. The question that comes out of that is how do you put that insight to work when you don't yet know where the information you might be finding is going to plug in or be useful? Because some of the OSINT that you're doing is to uncover how the information that you're finding might be useful. Right? So what's the -- what's the path that you tend to take whenever it's just this open funnel?

J.C Carruthers: I got you. Okay. We're getting back to the root of your question. And I have an answer. The end all be all is Google dorking. That is -- I -- Stephanie, I don't think you're going to disagree. That one will pay your most dividends. And that's what will lead you down to these treasure troves of things like Reddit, for instance, where there's these sub communities where you can really start digging in and maybe going more Reddit specific OSINT and using the tools for like recovering deleted posts and stuff like that. But I think the biggest bang for your buck and we've seen this in the competition too is it seems to start with Google dorking.

Perry Carpenter: That's amazing. That lines up with what Alethe Dennis and others say. It's like the tools at the end of the day are not as good as just getting on Google and being persistent.

J.C Carruthers: And Bing. A little shout out for Bing. Right? Maybe Ask Jeeves. Right? I'm not sponsored by Google, but the search engines, those dorks are paramount.

Perry Carpenter: You know, I think we may have skipped ahead of some listeners on just talking about process and kind of the calls. But paint a picture for us. If somebody's in the competition or if they're maybe doing it for real life, what is the scenario when you're finding that information, you're getting somebody on the phone, and then you're trying to get these, you know, different flags out of them? And I'd really love it if we can give some kind of indicator about like what's useful from a social engineering village context when you're in the booth and you're doing it in a more simulative and performative way versus the way you might try to do it in real life when you have a real target.

Stephanie Carruthers: Yeah. Great question. So I kind of break it into the two phases and it's what we've been talking about. Right? You have your OSINT. Then you have your active campaign. So OSINT I would say is exactly the same. Right? You have your goals, what you're looking for. You know your objective at the end of the day of what you're trying to go for. So from the competition point of view you're actually given a list of objectives. I want to say it's like 25. And so when you're doing your remote phase you're trying to go and find all that information, but the idea is that information is supposed to then help you move on to the next kind of remote phase of crafting your pretext. So with the information you find your end goal, you know those end objectives you're trying to get, who can you say you're impersonating, who you're going to pretend to be? Who do you want to call? Right? Maybe it makes sense to call HR instead of someone in IT. So you're kind of putting all of that stuff into perspective into a plan. And then for the actual calls themselves I would also say they're almost identical except for the fact that you only have 22 minutes in the booth for the competition which can make it more stressful. Well, that and you have an audience of people staring at you which also makes it a lot more stressful. But as far as, you know, making those phone calls, it's -- I'm not going to lie. Like when I do it professionally my hands sweat. Like I get nervous. It is not an easy thing. And I've been doing this for, gosh, a decade now. And the butterflies and nerves don't go away, but I kind of hope they never do. I feel like they keep me grounded a bit. But I think the biggest things that lead to success is that OSINT, but that plan. Right? Who you're calling. What you're trying to get. What information you found online that you can leverage to build that relationship.

Perry Carpenter: So to drill in a little bit more just to be a little bit pedantic about it for listeners that still have maybe not been to the social engineering village or may have not lived through some of these calls, you mention kind of three things there. One is the pretext that you're building. The other is the OSINT pieces that you're gathering. And then the other is the flags that you're trying to attain specifically in the social engineering village or social engineering community setting. How do those interrelate? Like are your -- are the pieces of OSINT that you're trying to collect from a competition perspective the same thing as the flags that you're trying to gather? Or do those differ? And then what is the most effective pretext or way to put together that OSINT that you have so that you can then go after flags later?

J.C Carruthers: So this is kind of interesting because your previous question was, you know, how does it differ from real life. How does it differ from doing it professionally versus doing it in this competition? And the first -- I think the direct answer is it doesn't. There's -- it's a real company. It's a real employee. The flags are very real. I think the only difference is that we make sure that the flags are not obvious or even remotely related to anything that would be illegal. Right? It's nothing that's going to allow you to commit fraud. It's nothing that's going to trigger any of those concerns. So the flags are somewhat benign in the sense that in and of themselves they're essentially inert or harmless. The fact that you can piece them together -- for instance we ask things like operating systems. We ask antivirus. We ask them to go to a website. If you've got a pen test minded thought process you can already see how that information would really behoove you for an actual attack whether it be a phishing campaign, for example, or you're just going to send the USB drive. Right? Knowing those is going to be helpful. The structure of how we do the competition is very much the same kind of team dynamic that you would have in a red team with the idea that the person or team in the competition is a team member in a red team or they're skilled at something very specific, but not everything that your typical pen testers are where they, you know, try and do everything by themselves. So a little bit more specialization. And this gets back into my little soapbox of the OSINT piece. We're not -- we're going to go ahead for the sake of the competition and assume you would have follow on attacks. Right? You're going to have a phishing campaign or you're going to try and get, you know, maybe past or recent information or stuff like that in order to enable a later on campaign or objective. 
So these very much like in a red team phase these are objectives that we picked that we don't care what relationship you have to them. We want them. You figure out how to get them. And so for the competitor they're essentially given a list of -- a shopping list of here's what I have to get. And we give them a couple ways to do it again with intelligence. This is the funny thing is there's a level of confidence that accompanies intelligence. And so we give them that first level of OSINT or open source intelligence where they can go out and try and collect this information off of their Google dorks and their web searches and then they can sit on that information and figure out how to enable it in part of their pretext for their calls whether it's to use it to verify, maybe kind of give themselves a leg up like they have some internal knowledge, or if they just want to flat out find a reason in their pretext to ask them. Once they gather it essentially they're getting the score and that's where the competition stops. In a typical red team you would take these pieces of information and you would feed it back into your OSINT. You would feed it back into your campaign development and further on the whole goal. Are we going phishing? Are we going to go on site? Are we going to try and get them to give us an account? And so forth. So in terms of how it models, it models almost one to one of the real -- of doing a real campaign.

Perry Carpenter: After the break the conclusion of our interview with Snow and J.C. Welcome back. Quick question. Your pretext is who you're pretending to be, the part you're trying to play, the thing that gives you the reason to be asking for this information. What is the most successful pretext that you've seen used, you know, year after year?

Stephanie Carruthers: So it's I'm going to call it -- I'm going to call it a boring one, but it works. And it's just the IT help desk. Right? I'm calling because your system's not patched or we have to get access to it or you know we want to make sure you're compliant. Those types of things. And I mean hearing them year after year. And I'll be honest. I use it. Right? And, you know, because it's a classic and it works. We saw a couple unique ones and we've seen them over the last couple of years and that's where it's a new employee and I thought that's kind of a fun twist because you're leveraging, you know, some sympathy there. And, you know, that need for assistance and people want to help. So that's another one that I don't see used as often, but when I do see it used it works very, very well.

Perry Carpenter: Okay. Let's without calling anybody out what's the stupidest one you've seen somebody try?

J.C Carruthers: Oh. That's -- that's mine. So actually so let's take -- let's take a step back because there's some history behind this, especially how we picked up the competition. One of the things that we do as part of our competition is we offer coaching. And as Stephanie and I were sitting there like, hey, let's put in a bid to try and do this social engineering community village, but let's find ways to improve upon it. One of the things that we came up with was coaching. And so for all of our competitors, and I think this year we have three coaches, I'm one of them, we give them each two 30 minute slots or one 1 hour slot from essentially now until the competition to ask us anything they want. Right? Hey, give me hints on this. Let's role play phone calls. Let's do all this. Prior to us taking the competition one of the things that we noticed was -- and this is your -- this is the answer to your question. This is the stupid pretext. It was always a student doing an interview. They call you up and they say, "Hey. This is J.C. I'm a student over at, you know, University of Utah. And I've got a -- we're doing a survey and I've got a couple quick questions about, you know, your computer setup at the University of Utah." And just like every other American who's sick of getting 8 PM survey calls, right, these people hang up. One of the things that we've noticed since doing the coaching over the past two years is that the novelty of pretext is a lot more fun. When we did the real estate we had one gentleman who essentially impersonated a -- I guess he would be a potential customer looking for land for -- I don't know this enough. But the Mexican wrestling style? The luchador. Right? He's essentially bringing that from Mexico to Texas or Arizona and needed a facility. And so he's talking to the business real estate joint and essentially using that to leverage into the objectives. Right? Essentially finding ways to steer the conversation. 
Hey, you know, I've got questions about physical security. Right? I know this building is its own thing and we'll have to figure that out, but let me ask you what you're doing so I get an idea of what I should be looking for. Right? And just that with the whole idea of, okay, there's this new Mexican wrestling federation coming in, right, and there's believability and credibility to the story. And it was really interesting. And it was so far and beyond a student survey that I mean it worked because it played into the element that makes a good pretext. I think -- I know I talked about this on the coaching calls, but the primary element is pain. You have to have pain. You're doing one of two things. You're either going to be implementing pain or you're going to be helping removing pain. I think -- And Stephanie, I'll let you tell the story because it's one of my favorite stories on pretext, but it was for the parking, the parking lot. And I think to answer your question, Perry, a good pretext is any pretext that leverages pain properly. And not to be malicious like hey I've got your son. You know, give me money. But Stephanie you tell the story and you'll see exactly how you can use pain in this.

Perry Carpenter: Actually right before you get to that one thing. You know on your -- your luchador thing, that actually fairly well mirrors the interesting approach that Stephanie mentioned where somebody was pretending to be a new employee. Right? Because it's essentially the same thing. There's a new venture. You know everything better than I do. You're in a position of power and can help. And I really need to submit myself to you in order to get this kind of help.

Stephanie Carruthers: Yeah. Absolutely. And it was successful. So the parking story. So this is something I did in my professional life. So we were doing a phishing campaign and it just so happened that we were doing a physical assessment. So actually trying to break into the organization physically before actually doing that phishing campaign. So when we were on site we had the hardest time finding parking. It was a pain. Like driving in circles. We ended up having to part our way. The next day we ended up Ubering. It was a mess. But as we're going into our phishing campaign we're still doing our OSINT finding stuff out. One of my favorite places, and Perry you've probably heard me talk about this a million times, is Glassdoor. Right? You've got your pros and cons section. People complain about stuff. They talk about stuff they love. But the whole con section was full of people just complaining about parking. Everyone hated it. And so what we did is we bought a typosquatted domain. Looked almost identical to the real domain. And impersonated someone in the facilities team and sent out an email to employees saying, "Hey, we hear your complaints about parking. Starting on Monday we're going to have assigned parking spots. And if you don't park in your assigned spot your car's going to be towed." So going right back to J.C's point of taking pain away or inflicting pain. This was one of the ways we took pain away and the phish had an attachment of you know that parking lot and their assigned spot. But that was one of our most successful campaigns to date because of how big of a problem we saw in that organization.

Perry Carpenter: Actually that inflicted both at the same time. Right? Because with the promise of removing the pain, but then also if they don't do it there's the additional pain and that they'll be towed. They'll be penalized if they don't do it. And so you have the hope and then also the fear associated with that at the same -- that's brilliant.

Stephanie Carruthers: Yeah. I think the technical term is double whammy.

Perry Carpenter: There you go.

J.C Carruthers: And then as you mentioned, Perry, if you leverage that with the position of authority and it doesn't always have to be an obvious authority, right, like as a customer, right, I do have authority. I do have power. You pin those two pieces together in a way that makes sense again for who you're calling. It's not always going to be a silver bullet and everybody's going to follow along. But you find somebody who has authority over somebody else in any way along with that pain point and you've got a killer pretext. That's all it takes.

Perry Carpenter: I want to -- actually is there any interesting weird bizarre story related to either the social engineering community, what somebody tried to do that may have been funny or in your personal kind of journey doing this for a living that may be fun to share as an anecdote?

Stephanie Carruthers: I have a very recent fun personal story to share. Maybe, J.C, if you can think of any for the village. So just a couple weeks ago I did a physical assessment, physical security assessment. And I had two of my coworkers with me and we were training one of them. And so as we're going through our checklist of objectives and, you know, finding all the vulnerabilities, it got to the point where we were actually more successful than we wanted to be. We kept getting objectives very easily. So it got to the point I'm like all right. We actually have to do something to make them catch us. Like this is crazy. Like the amount of things that we're able to do and get away with we shouldn't be able to. So let's give them a win. Let's do something just stupid and obvious and hopefully they stop us. Of course the new guy he got tasked with doing all the things to get caught. And so we told him, "Cole, your job is to go steal that tread bit on wheels and go just walk around the facility." Right? That should be a red flag. People should catch that. You know, nobody should be taking that out. And so he's walking around the entire building right behind me filming the entire thing. And people are just waving. They're friendly. Hey. How's it going? Hope you have a good day. And so I'm like all right. You've got to start whistling or something. Like we've got to draw more attention. So unfortunately that's something that we could see on some physicals where there's just that lack of security culture. Right? They don't know how to report. They don't know what to say. Or they don't know what's suspicious possibly. And so that sort of actually happened just a couple weeks ago.

Perry Carpenter: And what organization was that? [Laughter].

J.C Carruthers: Sorry.

Stephanie Carruthers: That's right.

Perry Carpenter: So yeah. J.C, you got anything either personally or within the community?

J.C Carruthers: I just something interesting that we get often especially at our village. One of the things that we started when we first started the competition was adding points for essentially dressing up. So we give you wardrobe points. And I've had -- I've had a handful of people come up to me both in Twitter DMs and they're on the spot asking for instance the lucha libre luchador guy wore a wrestling -- one of the Mexican wrestler masks. Right? And so people get into elaborate costumes. The goal or the requirement for the competition is that the costume must match the pretext. If you're working from home you might have on your pajamas and you know kind of a work from home vibe in your outfit and maybe some messy hair. Or if you are the president of the soon to be Arizona Mexican wrestling federation you wear the luchador mask. And I've had a handful of people come up and ask, "Hey, this is kind of stupid. Right? This takes away the professionalism." And I look at them and immediately I get a vibe of you know you don't really -- you don't really do this. I will admit that there is a little bit of crowd entertainment piece that we seek with this. Right? Because again it's not a visually fun competition. It's all audio. So it adds two things for the audience. One it adds some fun because I think we let them do it up to three times and watching them try and do costume changes in a tiny room with a bunch of cameras on them is just its own entertainment. But, two, it also helps the audience kind of understand where they're going. I think last year we had people dressing up as prison guards because they were at a local prison trying to order pizzas for a prison pizza party. Right? And it just adds an element to it. But one of the things that you often forget and beyond a good pretext is good acting. And there's something about donning a costume that really helps you kind of get into this method acting mindset. Hey, I look like this person. I am this person. 
And when you have that in your head it actually helps the quality of calls because you're -- I don't want to say you put it on a shield or armor, but you're adding to your own believability. I'm dressed like this. So we've -- we did it as a piece that makes it entertaining, but under the hood it has phenomenal success in the quality of calls I believe. Again looks completely silly, though.

Perry Carpenter: Yeah. I can imagine so. Well, it does -- it kind of forces that person into a mindset shift so they can -- they can detach themselves from their selves in a lot of ways. And kind of embody the thing that they're trying to be. That's great. You know on that note you've made a ton of production changes and adding fun in the couple years that you've had this. And so that's I think really noticeable from the outside. You've taken something that like what you said those calls are interesting on their own, but they're also a little bit boring when you start to listen to call after call after call and you start to see the same thing over and over. But you found interesting ways to let everybody's personality shine, to add new ways of bringing visual interest as well, and all that. So I think that that's absolutely fantastic. Two things. Maybe more before we go. Actually three things I know I want to hit on. Number one. For folks that are going to be at DEFCON this year, what is the way that -- and I know the calendar's passed with a lot of the formal contestant entries and so on. But what ways can people get involved and what would they expect if they just want to come watch and kind of see what the environment's like?

Stephanie Carruthers: Yeah. Great question. So we do have our contestants already chosen for the SECVC. That's social engineering community vishing competition. However we do know that folks still want to give -- you know, shoot their shot when it comes to doing these vishing calls. So we open up multiple times throughout Saturday and Sunday what we call cold calls. And that's where we pretty much, you know, first come first serve. We'll have a list of folks. We'll call your name. You're given only five minutes in the soundproof booth. You're given three objectives. And then we already picked the target company and we just call them up. And so it's kind of terrifying because you have zero time to prepare. Right? There's no OSINT. But people are still incredibly successful which is kind of terrifying.

Perry Carpenter: Saw a few amazing calls last year. Those were so good. So good.

Stephanie Carruthers: Yeah. So that's a great way to you know if you don't want to necessarily commit to the competition or you miss a deadline to still give it a shot and I highly recommend it. I haven't heard one person that said, "I regret doing that." Right? Everyone is so glad they did. They learn something. They push themselves. Got out of their comfort zone. So if you are in the village I highly recommend that. The other thing with the village is we do get a line sometimes. So I recommend coming early, especially if you want your name on the list.

Perry Carpenter: Yeah. How many does the room hold?

Stephanie Carruthers: This year because it's right in a new location I think we're at 400. Is that right, J.C? It sounds about right.

J.C Carruthers: I think we've got approximately 400 seats ish. Maybe just shy. We'll see what actually gets put in.

Perry Carpenter: Nice. Nice. Second question then. In addition to that I think you're doing your black hat class again this year. Right?

Stephanie Carruthers: I am. Yes.

Perry Carpenter: So why don't you tell people about that and I can vouch for that as somebody who went last year? I thought it was a phenomenal class. And you really put your heart into it and a ton of information. So yeah. Let people know about that.

Stephanie Carruthers: I teach a four day training at Black Hat called full scope social engineering. And really my co-presenter and I, Jamie, created this out of a need of there was nothing like it that existed. Right? You could find maybe some phishing classes, some physical classes, some OSINT classes, but they were all very siloed. And so we came at it from the perspective of you want to learn social engineering you're going to learn all of social engineering. And it's been a blast to teach and actually just a quick three seconds. We do a kind of a physical security challenge. I'm not going to give away the target, but Perry actually won that competition last year and was the first one to yeah actually break into this location and steal the objective.

Perry Carpenter: The last three questions for each of you. These are very fast. Not much elaboration needed. But given what you do either personally or professionally if somebody were to get hold of your browser history out of context what would be the thing you'd be most embarrassed about?

Stephanie Carruthers: Honestly I use Google to spell check things that I don't know. I'm like am I spelling this right and I just write the word. It probably looks really weird. It's just like words that people probably should know how to spell and I don't. That's a really kind of lame answer, but that's the truth.

Perry Carpenter: So just random words thrown in and you're waiting for it to say, "Did you mean to search for this?"

Stephanie Carruthers: Yeah. Like am I spelling this right? Yeah. All right, J.C.

J.C Carruthers: Yes. Problem. Going through it right now I'm trying to judge myself.

Perry Carpenter: There you go.

J.C Carruthers: Probably need to get off Facebook. That's really what it is. That's kind of gross.

Perry Carpenter: That's just solid advice. Yeah.

J.C Carruthers: Yeah. Sorry. Oops.

Perry Carpenter: Okay. Okay. If you were to think about emojis for a second, what emoji do you either use way too often or would you rather just like kill if you ever saw it again? You want it not to be an option for emoji usage ever again.

J.C Carruthers: Oh. This is easy. I got this 100%. It's the heart. And I get chastised for it as a U.S. Marine. I use the heart emoji way too much. I've been told I use it way too much as a grown man. I've been told I use it way too much as anyone. The heart emoji is my go to.

Perry Carpenter: It does seem better than like the obnoxious thumbs up though. Doesn't it? Like it feels like you're more in to the response than just the -- which can seem passive aggressive.

Stephanie Carruthers: Yeah. Actually that thumbs up one drives me insane. Like that's the one like I'll write out a full paragraph about my life update to my parents and I just get a thumbs up. I'm like cool. Thanks. The one I probably use often is like the smiley face that like has a like kind of a sweat bead and I don't know how people read that, but to me it's like a nervous smile which I think I do probably often in real life. So that's the one I use a lot.

Perry Carpenter: And then last one. What security related myth or misconception annoys you the most and you would like to bring some kind of correction to?

J.C Carruthers: I'll go first. But it's a soapbox. MFA isn't a solution. I don't know how brief I can keep it. Right? I mean there it is. MFA's not a solution. To elaborate a little bit on it, the problem that we're not solving is the channel. The channel's compromised. MFA is just an extra step of done.

Perry Carpenter: Got it.

Stephanie Carruthers: That's a good one. The one that I tend to see is our solution will fix all of your problems. Right? You just buy this one thing and you're hack proof.

Perry Carpenter: Yeah.

Stephanie Carruthers: That to me is just so cringey.

Perry Carpenter: Understood and yeah acknowledged. That's -- that is the most frustrating thing as anybody even when you're another vendor and you're walking through the RSA show or Black Hat or anywhere else. It's just the vague promises of plug this in and you're done.

J.C Carruthers: But it's got AI now. So you're good.

Perry Carpenter: It does have AI. We should AI wash everything. I guess that leads to one more question. In the field of social engineering how do you see AI playing now and in the future as far as something that helps enable social engineers do research and OSINT or to carry out social engineering attacks? What are your thoughts there? You got yourself into this question. So I'll finish with that.

Stephanie Carruthers: I think it's going to help scale things incredibly fast. I also see it -- I don't know, you know, as of today -- you know you can kind of say, "Hey, AI go. Go do this entire campaign." I don't know if we're quite there yet. I would love to see that tested. But I think it's definitely going to speed up processes. But at the end of the day, right, if you look at AI and have it writing a phishing email or even a voice script I still think you're missing a key element of that like emotional intelligence and I think that's something that it's going to be really hard to replace if it can eventually.

J.C Carruthers: Yeah. So I'd take the opposite. I mean it's fun when you look at this through the dichotomy of our job. Right? Where one success is another's failure and that's just how it has to be. In terms of what's going to happen to the end users, that's where I'm probably the most scared. I think it's not only going to be effective. It's going to be devastating. And to a point where I've never seen legislation whip around so fast as the FCC's ban on the AI -- on the voice calls. I mean that's how legitimate of a threat this is that they actually got off their ass and did something within a very short period of time. You couple that with deep fakes, I mean we'll still do audits and we'll still review security awareness training for companies and they're still pitching, "Hey, look for misspellings and grammar." That ship sailed so long ago. And now with the voice cloning, right, I fully expect the vishing calls to have an uptick. You have deep fakes and so organizations that rely on video verification for validating somebody's identity, those are out the window. I don't -- this is where I'm really nervous is your threat actors pick this up. I don't think -- I don't think we're ready without going back to where we actually started this discussion. Right? We have to look at this outside the realm of cybersecurity. It's not technical. It's human based. And we're not ready.

Perry Carpenter: Yeah. And to put a fine point on it, the cyber criminals aren't necessarily going to care what the FCC says on stuff. And when I look at the regulation that I think is the one you're talking about that is to protect calls to individually owned phones like consumer phones. It doesn't protect calls to business numbers which are going to be the juiciest targets for a lot of people.

J.C Carruthers: And that's the trick is it's always people at the end of the day. To slice and dice and say consumer versus individual and then you've got the T-Mobile with their what is it the 10DLC or whatever, nobody cares. They'll find -- they'll find a way around it. That's the fun of it.

Perry Carpenter: And that's the end of today's show. So to put this in context that interview was done about a month before DEFCON took place and as I mentioned before at DEFCON I actually had AI chat bots that were social engineering people from the booth and doing that incredibly successfully. And so we're hearing already come to pass the things that we've been talking about and we're seeing that proven out in the real life experience of trying this stuff in ethical ways, at least with hacker ethics at DEFCON. And seeing what the effect can be on real people in the real world who do not know what's coming at them. And so it's super important for us to be able to educate everyone around us on what's possible. Let them know what's possible, what's coming. And the fact that almost everybody believes that they are immune until they get got. And so I think that that's a sobering reminder for all of us is that whenever we're watching a presentation or reading a book or something like that we always think, "It will not be me." But over and over and over again we've seen that human nature is human nature. And unless we build the right habits, the right gut instincts, the right reflexes, it will be us. And so with that happy note I will also encourage you to check out the show notes. There's lots of fun links and stuff to the stuff that Snow and J.C do. There's a link to check out my book "Faik," F-A-I-K, that comes out in October. And I really, really appreciate your bearing with me on this episode, this lesser produced episode as I'm trying to get back up to speed after all the travel and having COVID and everything else. So with that we will see you next time. [ Music ]