From Sales To Social Engineering by James Mason

BSides Cheltenham · 26:48 · 161 views · Published 2023-06 · Style: Talk

Good morning everyone. Yeah, my name is James Mason, I'm also known as Ribs. I've got a cracked rib right now, so please don't make me laugh, okay? So this talk, it's predominantly how somebody non-technical has ended up on delivery in a supremely tech-led industry, so I think it's a little bit different. So I want to talk you through that. A couple of caveats: because I work for QinetiQ, all views are my own and not those of QinetiQ or any previous employers. A couple of the war stories I'm going to talk through in this, they're Google Images, they're not customer images, and any war stories have been anonymized and have since, honestly, been remediated. Little picture of Fred Durst at the bottom there; it's just to point out, as I did at BSides Lancashire, that I've been attending BSides for ten years now. The first one was London in a basement; they had like a creds wall of shame and loads of beer fridges that you had to hack your way into. So to finally be talking at one, big thank you to BSides, and thank you to you guys for listening to this.

So yeah, a couple of useless facts. I'm genuinely up to seven or eight of my nine lives, so time is short. Bucket list stuff: I always wanted to play poker in Vegas, and in my first ever game I somehow managed to end up on the final table against seasoned pros, sponsored players, cowboys, you name it, so that was pretty cool. And about 20 years ago I once turned down a record deal, and yeah, I didn't think I cared about that until I wrote this slide deck, and then obviously it's still up there, you know. So this guy, this was a picture of me in my early 30s, just wondering, what am I doing, where's my career going?

So, my transition into red teaming: was I a natural born red teamer, or did this come from my sales background? I was thinking back to when I was a child, and I remember my parents used to, in the old days, go to the bank, wow, and I used to sit there and I used to map out the CCTV cameras, the entrances, the exits, what technology they had in place, if you were going to rob it. I was about seven years old when I was doing this. So that got me thinking, you know, maybe I was meant to do this and to end up robbing banks legitimately as a job, as that's pretty cool.

Second one, my dad reminded me of this one before I did my BSides Lancashire talk. We were in SeaWorld, I was about 15, in the 90s, back when we thought SeaWorld was cool. I've got an obsession with sharks, so we were in Terrors of the Deep and this guided tour group walked through, they're all wearing lanyards, looked awesome, and being 15 I thought, I want to go on this. So I joined the group, I folded my arms just to lamely disguise that I didn't have a badge, asked a couple of questions just to validate that I'm part of this group, and then I joined the tour. Little did I know this tour was half a day, so I was 15 and I spent half a day around the backdrops of SeaWorld; we were hand feeding sharks. It was access all areas when I was 15 years old, which is pretty cool.

I've been many things. One time I was a retail store manager, and it was a really quiet day, and it might have been boredom, it might have been curiosity, or probably a bit of both, but this is a burglar alarm motion sensor, and when it was quiet I learned how to travel from one end of my store to the other without setting that thing off once. And these things just started ticking: was I always meant to be in this role, you know?

And the final example there, that's a keypad lock. Again, I was a retail store manager. You tend to find these in less secure environments like retail, although a lot of building companies use these, so if there's any building work going on with your target organization this is a great way in. They're usually a combination of four alphanumeric digits; if you know those four combinations you can input them in any order and it still lets you in, and that works to this day. There's really easy ways of finding that out. Usually the keypad locks aren't as nice and shiny as this one; the numbers have worn away, so you can tap that in any order, turn the lock and it works. On some engagements we've literally put pencil lead on the keypad lock at night, come back and seen the ones that have worn off; again, you've got the four combinations. We've used, like, ultraviolet ink that we shine a light over and see which numbers have worn off. Many ways you can trick that system, although this next video I recorded in April this year, and it was even easier than that. I call this video "Secure by Design". I'll just let you take that in. No, no, no, no.

So yeah, my journey into information security. I applied for a role at a company called QinetiQ. For those of you who are not aware, they're a global defense company; their website was full of images of fighter planes, missiles. I had three interviews and they wouldn't tell me what the job was for, so by the time I sat the third interview in a highly secure site I just wanted to get the job to find out what it was. And luckily I did, and upon gaining the role I was told, your new job is going to be selling this elite team of hackers. This was ten years ago; I'd never heard of the term pen testing, I couldn't believe this was an actual job, and you couldn't talk about it at home, so it's like, damn. So my second day with the company, day two, I was taken to a windowless room by a couple of industry legends, Kinky John and Monstro. I was shown how to pick locks, I was shown how to open a padlock with a can of Coke, and they hacked a laptop that wasn't even turned on. I felt about 12 years old and I was like, this is my new job. From that day, as cheesy as it sounded, this is what I'd been looking for all those years, you know. That day changed my life, and I thank them to this day.

So yeah, I decided, no offense to my sales colleagues, I was going to sit with the pen test team, and I wanted to be there for the whoops and the hollers and the high-fiving when they pwned another global organization. You know, this is happening on a daily basis and I fed off of that. It was a really, really close team, still is to this day. So I guess back then I wanted part of this but I didn't know how. You know, I'm non-technical; these people to me were like god-like status, I could never be what they are, so what is my route? And I guess you could call it imposter syndrome, as it is now referred to. I had that for about a day and then I thought, this doesn't serve me well, so I'm not doing it. So I seem to have a natural gift for social engineering, and, you know, utilizing my sales background: you deal with a lot of people, you build a lot of relationships. And I kind of thought, is this a crazy leap? You know, I've not heard of anybody else doing this. I've heard of some tech guys that have gone into a pre-sales role, but I've not heard of it the other way around.

So yeah, all about team. So, my first official red team engagement with these guys: they'd been red teaming for 13 years at this point and they'd never shown their get out of jail free card, and it was about two minutes before my first gig, physically breaching an insurance company, that I just thought, it's going to be me, isn't it? But it's now 2023 and I'm proud that I share that record, and I'm one of the most experienced physical members of the team. So it's all about team.

So yeah, as I mentioned, I was thinking of possible links between sales and red team, and, you know, is it crazy and why haven't others done it? And, like, you think of a snake oil salesman like this guy here, who's clearly not me. These type of guys, you know, they're manipulating the crowd to get the reward that they're after, exactly what you do on a physical gig. So I was like, there's clear links here.

So working for QinetiQ we're highly restricted in what we can talk about in public, so I've put in a couple of sort of more fun, let's call it freelance, examples just so I could add some photos for you all. So, to be on a physical red team it takes dedication. This was me changing my appearance. I kept that look for about five years, you know, just to mix it up a little bit. It wasn't a great look; even my watch is bursting off my arm right there. But these are the kind of lengths you go to when you're a social engineer. This is me at a movie premiere. I don't know if you've ever attended one, but they tend to be steel fenced off, primitive security teams, all entrance and exit points have full teams on them, really, really properly secure. And with a face like mine I don't often take selfies, but I stumbled upon Ricky Gervais at the David Brent premiere and I took that selfie just to send it back to the guys to say, look what I'm up to, to which one of them replied, oh that's pretty cool, is that your dad? To be honest, he had a point.

Yeah, this was another movie premiere that I was wandering past. The security at this one, as you would imagine, being the Beatles, absolutely top security, high profile, high net worth individuals there; you can see Paul, Ringo. That photo in the middle is from the press pit. I was stood next to This Morning interviewing, and you obviously had Yoko Ono there, you had Liam Gallagher, Madonna, Eric Clapton, wolves on me, and I had to really keep my cool, you know. And there's me at the bottom on the blue carpet getting my photo with a whacking great bag on the press backdrop that appeared in the press the next day. That was pretty cool.

So yeah, but pen testers, by your natures, you know what you do: you think outside of the box, you break things. I contacted a couple of pen test firms prior to lockdown thinking, I'm done with sales now, I want to red team. And I spoke to two or three, and I thought I'd stumbled upon something where I could sell the engagement, I could deliver it, do the board presentation. Not one of the companies could see it: you're either sales with a target or you're delivery with utilization. And it really shocked me, as this is what pen testers do. And so the reason I put this slide in is, when I've given this talk before, people have asked me questions, especially university students: it takes persistence, so bear with it. And I'm really proud now, this is exactly what I'm doing at QinetiQ. I cover pre-sales, the sales cycle, I deliver the engagement, I do some OSINT, I manage the engagement and I present to the board, you know, utilizing that sales background. So yeah, big thank you to QinetiQ for taking a punt, and especially SHC for bearing with me.

So, a couple of real war stories. Now that they're old enough to talk about, these have honestly been remediated, and there's some guys in this crowd who were on these gigs, so they know when I'm lying and exaggerating, so no pressure. So the first one is a UK retailer, and they'd just invested X million pounds in their head office security, and I think what they wanted was a tick-box exercise: that's money well spent, you've done a really good job. Upon visiting this site, you know, it was evident money had been spent: there were 20-foot spiked fences, there were full security teams, there were guard dogs. It was really an intimidating site if you're trying to breach it, which is great to see. Target two was their distribution centers, which to a retailer are obviously almost equally or arguably more important, and our guys were told, if you try and break into these sites the security teams will be physically violent and then ask you questions after. So to our guys that's like a red rag to a bull; we definitely wanted to check these out. So that's exactly what we did. Our team got in on night one, booked out meeting rooms, ordered pizzas, picked open filing cabinets, took photos of HR records and then picked them locked again, so nobody ever knew it happened. And this company in particular sent an all-staff email after this engagement that QinetiQ sent ninjas in the night, and we were really proud of that; that was the customer's words, not just ours. But the key point from this engagement was, when we breached the premises on night one, it was all a flat network. So all that investment in their head office sort of perimeter security, it was like an outdated cyber security model where all the investment's been in the perimeter, but two miles down the road you can access their network anyway. So that was quite an interesting one.

The second one, we had a finance company that wanted us to simulate an insider threat. They sent a guy round to our team in a hotel around the corner, and this guy must have been apprentice age, he was about 18, he was visibly shaking, and we thought, we've been set up to fail here. So we spent time with this guy, talking him through what we wanted to do, why we were doing it, and we might have privately taken some bets that, God, we're going to get caught for once. He went back to his office and he was absolutely awesome; like our guys said, they would have given him a job at the end of it. He even left his laptop with us, which was a nice little bonus. But I'm interested in the human side of things, and I'm thinking companies need to defend against malicious insiders. So if an employee goes rogue, whether they've been paid or blackmailed, what I saw from that guy was, when you decide, you go in both feet first. You know, how do you defend against that? Even with access control in an organization it's a hard thing when you have to give so much trust to your staff. So that was super interesting from the human element.

This one was a physical exercise. We were given two days to breach a highly secure environment; it was one of the toughest gigs I've ever done. And I said to them at the time, you know, if this was a real attacker they would have done recon on this for weeks, maybe months; this is very much a smash and grab, do you realize that? And again their security was top-notch; I think they wanted a tick box, you know, a full clean report. We were given a couple of goals, which were to access their finance team on the top floor and do a USB drop in the premises, and I had three scenarios planned. The first one was getting a read off a staff pass. I hadn't used this Proxmark tech since before lockdown, and while I was tailgating some of their staff to the nearest Tesco Express or the nearest bar, I suddenly realized the range on this thing is about five centimeters, so yeah, this wasn't going to work. In an ideal world it's linked to an app on your phone and we would have been able to wave it over the security barrier and walk straight in. A second approach was printing a fake pass; we had a lot of images of the guys wearing their passes in public. We had to order a new card printer because I was a doctor in lockdown, and we had two days on site, and it was two days Royal Mail were on strike, so that was completely out. And then the third scenario resorted to tailgating, which is kind of clumsy but it works, and it was the day of the train strike so there was barely any staff in. So I guess what I'm trying to say is, on a red team you have to be adaptable. You can do all the planning in the world but you need to react and instantly adapt to what's in front of you. I'll miss this one out, and that one.

So yeah, successful social engineering, four key points I find. The first one being confidence: you have to believe legitimately that you're meant to be in that building more than the person you're talking to, and it works, it generally works. Manners: be polite, you know, manners are free. I like to treat people as I expect to be treated back, and in a social engineering environment people help; it's really nice. I get a pang of guilt when it's happening, but I kind of counteract that with, you'd rather it's me breaching your organization than some malicious bad guy. The third point I've already chatted through: it's instantly adapting to what's in front of you, because stuff just changes; you can do all the planning in the world. And number four, we've never shown a get out of jail free card. Always have a convincing backup story, a legitimate reason for being there, because the last thing in the world we want to do is show a get out of jail free card.

So, the conclusion. I beat myself up for too long, even though I didn't say it lasted that long, for not being technical. I really wanted to do this stuff, but these guys, like, people, how could I ever be at their level? But hopefully this talk has proved some noob like me can end up doing it and end up with some pretty cool experiences. By being persistent: when I spoke to pen test companies they did not see this role, and I thought, I'm going to have to go back to the drawing board, you know, but by being persistent I kind of made it happen. Make friends, sit in with SHC pen testers. You know, I've worked for some of our competitors and I've done this wherever I've been: I've made friends with the pen test team, and you can see their faces of, like, why is this sales guy talking to me? But I've got pen test friends from every company I've ever worked for, you know, and it's great. And finally, dedication. You know, I've been coming to BSides for ten years, I've been going to the DC meetups since I was a lowly sales guy. I got well known, such that I was accepted as a pen tester even though I was sat there as a sales guy. So yeah, dedication, and don't give up. So hopefully that's given you some inspiration for anybody non-technical, which probably most of the audience are. But yeah, I'm Ribs, and thank you for listening.

[Question] So, never long enough. We work with a customer to deliver exactly what they're looking for, and sometimes, like that example, they gave us two days to physically breach an organization that was really highly mature. It's arguably not long enough, even though we did it: we got to the finance team, we USB dropped in their premises, literally within a day. Ideally, that's flying by the seat of your pants a little bit, but it's a collaborative effort between us and the customer to make sure we're delivering what they want and what they need. What's dangerous is, the customer should never game a red team because they don't want to look bad, because then they're not getting value out of an expensive exercise, and even worse than that, they're getting a false sense of security: we've just passed this awesome red team, aren't we great, when, you know, anybody could be on their tiptoes for two days; it's what does the rest of the year look like, you know. So I think that's quite a dangerous approach. I've been involved in red teams where you work with as small a key stakeholder group as possible; that's the way it should work. And then we've found their emails, all-staff emails saying we're having a red team next week, so again, just compromising the whole exercise. But as I say, we do still get in, but that's not ideal.

Uh-huh, yeah, a lot of it is made up. When I did the USB drop at the last gig, I literally chose a London-based person on LinkedIn, went into their reception, and I said, I'm 45 minutes early for a meeting, do you mind if I just wait on your sofas, don't call him yet. And that security team were really awesome; they interrogated me on who I'm meeting, why. They were actually the security team who were on reception rather than receptionists. They didn't take their eyes off me the en