Last weekend I traveled to Minneapolis for BrrCon and BSidesMSP, two security conferences happening back-to-back. During BrrCon, I attended a talk called 'Social Engineers are Jerks. Equipping Your Staff to Deal With Them and Get You in the Loop.' presented by Jen Fox. Find out more about the talk here. Jen's was far and away my favorite talk at BrrCon. She talked about how she can use social engineering to extract information from people. She uses her talents as a consultant for different companies. Following her talk, I sat down with Jen for an interview. I edited a few of her responses for readability below. At the very end, I posted a similar talk that she did at a different conference from 2015.
Some Context

During her presentation, Jen played a few calls. One of them involved a young woman who knew that something suspicious was going on because she'd been asked for her password over the phone. She asked Jen a bunch of questions about who she was and even looked her up in the system. After not finding Jen in the system, she asked if she could return Jen's call later. Even though the woman was clearly stressed out, she passed the social engineering test. Others were not so successful.
I think the typical definition of social engineering really is that you're attempting to influence somebody to do something or take some action that may or may not be in their best interest. That's actually from Chris Hadnagy's book about social engineering and it's a definition I agree with.
Actually, my husband. He wanted to do the social engineering capture the flag at DEFCON in Las Vegas. They were trying to get both men and women to do the competition and you had a better chance of getting in as a guy if you had a woman also submit. I thought the idea was kind of horrifying because for that competition you're on a stage in a booth making phone calls in front of a packed room and everybody hears both sides of the phone call. Which is amazing to watch, terrifying to do. I don't even like making phone calls of any kind; I don't even like ordering pizza. So I was not extremely excited about the idea, but I really loved doing all of the research and I loved the challenge. We all had to submit flags or pieces of information we had to find for the competition. So I enjoyed doing that research and coming up with the pretext of the story I was going to use. What's going to be plausible? What would make sense? What do I need to do to get what I want? I loved that.
Note: If you aren't sure what DEFCON is, I'd like to point out that it is a big deal that Jen won their Social Engineering competition. The DEFCON black badge is highly coveted.
Four years ago I did my first competition. And the third year I won.
The fake help desk call is one I do very consistently. If a company has not been getting social engineering assessments, that should be the low bar: that people can resist a fake help desk call. I love the calls with the portals too. They're not complicated to do and they're hard to defend against. They're a common attack, and no one is saying 'what's your password'. You just go to a website and log in with your credentials.
I always really strive to fail gracefully. What I don't want to do is just hang up mid-call. Like the one we heard, when she started peppering me with questions: if I had just hung up because I was getting intimidated, that would absolutely be a flag. And that's the last thing I want. I don't want anybody being more suspicious than they need to be or they're inclined to be. I always try very hard, even when somebody says 'no' and they're really shooting me down, to just do what you heard in the example with 'That's okay, I'll just put you on a list for follow up then.' and I end the call and get out.
Also, for pretext I do a lot of preparation. For the fake help desk call that you heard, I script that, because that's not the area of IT that I came from, so it's not like I just naturally know it. I just do my research, and through LinkedIn most of the time you can figure out what version of Windows they have; that's really not hard. Then I write a script, I might write a couple. I also do a lot of research surrounding who I say I am and what department. If I'm claiming to be from somewhere, who do I say is my supervisor? If I'm claiming to be a third party consultant, who do I say is my champion within the organization? I've done that, and you heard me dropping somebody, Kirsten, and everybody went 'Oooh. Okay. Yeah, that makes sense.' Some people don't resist at all and some do. Partly I'm always torn between rooting for them or getting my way. But I want them to do well because I want what's best for my client. It's hard when you can tell somebody is very stressed and you can tell they're struggling. It's hard in person too because, you know, there's no question about it, 'I am causing the person to be very uncomfortable', which is the last thing 'regular' me is about.
What type of employees do you usually seek as targets? Call centers? Or people with a specific access?
It depends on the engagement. Sometimes the client really wants certain areas of the company or has certain types of information they're concerned about. If they don't have anybody in particular in mind, I look at the kind of organization. What do they do? What are they likely to have? What's interesting? What's the most interesting thing about them and who has access? That can be a variety of departments. In IT, you have all of those admin privileges and a lot of elevated access to information. The finance department, if they have one, is pretty interesting. Also, people who have access to a lot of customer data, or maybe they have a lot of employees, so HR might be interesting. All information is interesting to somebody. That's often a discussion I have with clients as well; people take information they have access to for granted. [They'll say] 'well, it's not a bank account number', but that doesn't mean it's not worth anything.
Would it be feasible for a social engineer to go after someone who is internal facing, or doesn't normally have interactions over their office phone? Such as a developer? How do you get to someone if they don't really do 'phone'?
That's a good question. One of the challenges as a social engineer is just getting someone to answer the phone. You can spend a lot of time calling and calling and calling. It can be a long and tedious process. If there was a department I was really focused on, it would depend on the rules of engagement. Not all clients want all the things. Sometimes they only want phishing, or they're interested in having someone physically on site. In which case I have a different opportunity, [like seeing] if I can get into an area to plug something in, and I've done that before. And it's one of those things where I go "oh gosh, it shouldn't be this easy", but at a place that's big enough, it's easy. Other departments don't really pay attention to IT. It can be pretty plausible if you're at a large enough place.
I started off my degree with professional technical writing. I got my first job in technical writing and wrote manuals for software. From writing I went to training, because no one wants to talk to the users. From training, I saw a lot of shortcomings in how the software design process had come about. I'd talk to the users about what they do so that I could train them in a meaningful way, and would know that the software doesn't do that. I was interested in how I could get to the part of the process to influence that. How does software get better? So then I became a usability analyst and then a high tech anthropologist. That was about focusing on the user; again, people and process. From there I did other business analysis. Then security started looking interesting and I got a graduate certificate in all the things. People and process have always been my thread. That's what has always mattered. I want people to have a good experience with technology because, at work, we don't really have a choice. It's not optional to use the systems we use. I really want things to work for people and work better for people. And even more so with all of the things on our phones and our apps, I don't want to see people post pictures of their drivers' licenses.
I've been thinking about it a lot, and 'what are some of the common elements of it'. A lot of thought around 'where are my boundaries?'. Saying 'no' to anything can be hard and very difficult for a lot of people. I think you have to understand where your boundaries are, know where the line is between 'okay' and 'not okay', and have a script for it. I'm an introvert, so for me, I'm much better off if I already kind of know what I'm going to do, which is why I script my calls. But I think it's like if you're talking to a young kid who is having trouble with someone at school. It's kind of the same thing: you coach them and say 'if he does that again, do this or say this'. That instills a great measure of confidence if you know you just have a way to shut it down without causing a scene or being rude. Those are two things that some people are 100% okay with, but so many people aren't. People can tell, and that's where we get you. So having a couple of scripts to say 'I'm sorry, we don't share that information with people' just kind of sends the message and shuts it down. It's easy to repeat and people will move on.
I don't have the video from her BrrCon talk, but check out Jen at Circle City Con 2015.