
Hello, thank you everyone for joining us. Today we have Alethe Denis from Bishop Fox.

Good morning, everyone. Thank you to BSides San Francisco for inviting me to speak with you all today. It is a gorgeous morning, San Francisco is a gorgeous city, and I'm so grateful to have all of you here on your Sunday in a dark theater with me instead of out there enjoying the scenery. Today we are talking about social engineering CTFs: from fun to a job as a professional red team social engineer. I've titled this talk Halt and Catch Fire because it's going to connect back to a bunch of themes in a popular television show by the same name. That said, you don't have to have watched the show to appreciate the content, I hope, but I do absolutely recommend that you check it out.

So today we'll have a brief introduction, talks around the themes of ambition, competition, collaboration and innovation, and finally a conclusion.

Introduction: who the heck am I? If you are here you may know, but I am most well known for possessing a DEF CON black badge from winning the Social Engineering Capture the Flag contest back in 2019. I also have a Trace Labs black badge for myself and my team winning the Trace Labs missing persons OSINT CTF at DEF CON 2020. I'm a keynote speaker, featured in Der Spiegel magazine as well as the Wall Street Journal, Bust magazine, episode 107 of the Darknet Diaries, and I am a US Army Special Operations trainer, presenting social engineering to a group of folks who work on those teams. And finally, I went from SECTF contestant hopeful to Bishop Fox red team in just about four years exactly, and so this talk will cover a little bit about how that transition happened.

But just to go back to the basics: Halt and Catch Fire is a term that refers to a hardware condition in early computer systems where the CPU would stop executing instructions and potentially cause physical damage due to overheating or electrical overload. It is also, as previously mentioned, my favorite show. This show has four essential characters, all of whom I relate to in different ways, and they connect to each one of the themes that we'll be discussing today and how those resonate in my career: the journey to now, what social engineering meant to me when I started competing, what it's evolved to, and where I think social engineering is going in the future.

So "the thing that gets you to the thing" is really something that I try to acknowledge with everything that I'm doing. This is not the stopping point; this is just part of the journey. And on the way to where I am now I was extremely ambitious. I have not always been this confident, and I am by no means confident, but I have been adulting from a very young age. I also dropped out of college around the age of 19 and managed to work my way into a title officer position in the escrow and title industry by the age of 22, which is the highest non-management position on that side of the business. I was both married and divorced by the age of 25, reinvented myself at the age of 26 and 30 and 32 and 36, so there's always room for evolution in your journey, and let me be an example of that. At the time, in my early 20s, I really felt that the best security was "trust no one, ever, no exceptions," but over time my viewpoint on that has changed, and this is kind of a story that relates to how that evolution occurred within me, but also in my perception of social engineering and what that means to this industry.

So personally, perhaps a smidge too ambitious: at about the age of 26 I got married again, had four kids within less than 10 years, worked a full-time job the entire way through, became a chicken farmer (if you follow my Instagram, I apologize in advance). Businesses: I co-founded an IT MSP, a voice over IP phone service company, and a security consulting firm. I fell in love with this industry through the necessity that the voice over IP service company created, the necessity to protect our clients, their communications data and sensitive conversations. I fell absolutely head over heels with social engineering and ended up making a transition into this industry from a variety of previous jobs, and found competition, and my ADHD brain said yes.

So when it comes to competition, well, you gotta just grab your balls and jump, right? So I found the Social Engineering Village at DEF CON. They had a competition called the SECTF, or Vishing Competition as it's now known, and this is not that story. I'm not going to tell that again; if you'd like to know more about that, absolutely check out that episode of the Darknet Diaries, which goes very deep into my experience competing in that competition and the success that I had going from hopeful to contestant the first time and then eventually winning that competition in my second attempt.

The difference between competition and the reality of social engineering was something that I had no concept of when I began competing, and I actually was featured as "the person who's done contests" in a panel at DerbyCon years ago to discuss the difference between what phishing was like for realsies, for paid clients, versus that contestant experience, which I felt that I'd mastered and therefore of course I was going to do fine, like, the professional stuff. The competition is really high energy. There's a lot of pressure, there's the lights, there's the excitement of the crowd, and there's that applause, that validation that comes externally from the audience when you do something well, or their support when you do something bad. And so that really feeds that desire and that excitement to continue to do those types of competitions and to get involved in social engineering. It's probably one of the most popular questions that I get, like "how do I do what you do for a living?" and I'm like, well, I don't even do what I do for a living, so I don't know.

The reality of social engineering is that there are no lights. There's a lot of self-imposed pressure and there's a lack of that external validation and that credit for doing the thing better than you expected, or the ability to really reach out and get support and acknowledgment for your success, because of course everything must be done in the secret and the darkness of night when you're working in the context of client engagements. So for me it was a big shift, because I felt like I was continuously putting tons of pressure on myself to win, which is exactly the wrong way to look at it when you're working in the context of client projects.

So at this point we'll talk a little bit about collaboration and that theme as it relates to this evolution of the discovery of what is social engineering for clients. I decided that I would start my own thing, because it turns out most of the people hiring for people with the skill of social engineering also want a full-scale pen tester, which I was not at the time. So I started my own consulting firm, and I did have a very limited reach in the local area where I was based. This became extremely dependent on me to run all the functions of all the things, everything from billing and invoicing to selling and marketing and building this brand, and so that became very quickly the focus. It's probably the reason why you saw me in 28 different conference talks and various other trainings the first year of the pandemic, when everything was virtual. Everything that I could have learned to become a better social engineer was being done by people who were technically my competitors, and nobody wants to share their secret sauce, so I was very, very limited in opportunities for growth. However, I did manage to do a number of projects on the side of my full-time gig, one of which was a utility company that hired me to do in-person security awareness and social engineering training. And then I relied very heavily on white-labeling and reselling other vendors who had, you know, the content library and the capability to run email phishing campaigns kind of out of the box in a more simplistic way, because I didn't have the development capabilities to make those myself.

I was grappling with how to structure these services, how to price them, how to sell them, how to make it meaningful to the client, and I realized this really isn't useful to this company. I've sold them this other service, there's no one to lead this, I'm not going to be here to hold their hand, how am I helping? I don't feel like I'm helping at all. "There are two things that destroy companies: mediocrity and making it about yourself," and I felt like this was going in that direction and I didn't really like it. But I knew that I wanted to be in security, and I knew that I needed to get out of the staffing industry, where I was working in market intelligence.

So I ended up joining a medium-sized consulting arm of a smaller MDR-focused business, doing security awareness training for them as well as security assessments against a variety of different frameworks. This was really limited in the ability for me to do social engineering within the context of work, outside of, like, just having people tell me things in security assessments and feeling comfortable to do that. But I did manage to work with our offensive security team to do a number of projects that focused on pen testing with the incorporation of social engineering, and what ended up happening was there were a lot of clients that just knew that they needed some phishing, but they weren't really sure how to get there and they weren't really sure what that looked like for their organizations. So they would say, you know, "we only have 25 people, we're all very tight-knit, we don't really know where to start, but we know we should have some kind of social engineering stuff, so maybe you can do a training and then we can do a phishing campaign and see if they learned things." What I learned was that, coming from an email marketing background, I did well creating emails that were encouraging of that call to action and getting people to do the thing, but I also noticed that regardless of how well I trained the employees that I was testing, someone always failed. And so while we were testing the humans, we were actually bypassing all of their email filtering, all of the technical controls that would prevent social engineering in the first place. So this was very limited in what value it actually added to the clients, their experience, their understanding of their vulnerabilities to social engineering attacks, and it felt like everything else in the project kind of happened before the social engineering was considered to be a thing, and it kind of got left behind. Things were happening in reverse, and the value and the benefit that this type of testing offered to the client was basically null.

What did we learn from this? We learned that people are people. "To play an honest game you have to be good at solving puzzles, but to cheat you have to be great at solving code," and that I was not. So I had a giant puzzle on my hands and no real way to solve it.

And then I had to do that one hospital job. This was probably the closest thing I'd experienced to date to a real red team project, and the goal was for me to support my offensive security testing team in their efforts to compromise this hospital while they deployed on site and I worked remotely. What ended up happening was, once again, communication broke down. The team was doing all of the technical testing without engaging or using me as a resource, and the phishing and vishing that was included in the scope of the project got left as an afterthought to the end. This was not something that pleased the client, and they were justified in that feeling 100 percent. So it wasn't as easy as it sounded to incorporate those different levels into this black box, supposed-to-be-a-simulation-of-a-real-attack project that we had committed to delivering. There was a huge deficit in planning, coordination, communication and timing, and it was something that none of the consultants involved in the project, myself included, were prepared to lead or to organize from that standpoint and at that level.

So I decided that this was a time for innovation. I also decided that this firm wasn't going to be the best place for me to try to do the thing that I wanted to do. It was an amazing stepping stone; I learned so much, especially from doing security assessments and from being exposed to that more blue team focused type of organization, and the experience there I would never trade for anything. But me trying to fit their blue team peg into this square red team offensive security hole that I wanted to work with was just not going to happen. So I decided to go dark.

"Authenticity is what inspires people. If you want to lead people you have to show them who you really are; otherwise you're just a thousand dollar suit with nothing inside." And that's how I felt. I felt like I was wearing a blue team jacket, and all of this offensive security identification of vulnerabilities and threats, and just being constantly on edge, which is just the nature of being somebody who looks for those gaps and looks for ways to get ahead of any attack that could be a problem in the future, if not exploit it yourself in the context of a SOW that's signed and that's legal and ethical, was just one of those things. I couldn't make myself a blue teamer, and, to be honest, it's way harder than attacking the things.

So I ended up transitioning to a firm that is a large consultancy. The focus is on offensive security testing exclusively, and I had the ability to test clients with much more mature security programs who were ready for that next step in the evolution of social engineering, which is where I wanted to be. These clients were in the market to buy those things, and it was justifiable for them to spend the budget on these types of services, whereas with the smaller, less mature organizations it didn't make sense to buy even the most basic phishing services, let alone hire an organization to put together a really robust, customized red team engagement that was supported by social engineering. At this firm the opportunities to be creative abounded, and there were a bunch of amazing people for me to learn from, as well as me being able to, for the first time, meaningfully contribute to an organization doing the stuff that I love to do and adding to that innovation in social engineering, as well as redacted things I will hopefully be sharing with you soon.

So I wanted to build something that makes people fall in love. I wanted to create a service line that made sense, that genuinely added value to security programs and the advancement of those programs. How do we make the security program and the defenses of an organization against social engineering improve through the services that we offer? That's the real question. If we're just jumping through compliance check box marks to make sure that we are satisfying the requirements of a compliance function, we're not actually benefiting the organization or protecting them; it's all that security theater nonsense.

So I tried to rush through this a little bit so I could talk more about that one physical assessment, and this is where I think that this story comes full circle, because this client has a very mature security program. They have invested the money where it makes the most sense, and they have quarterly red teams to make sure that we can help validate the budget and the security controls that they are putting in place, both the technical and the physical. So I was pulled into a project to test the physical things at one location. They had a revolving door, man traps and optical turnstiles, badge in and badge out on everything, and I think I sat outside of this building stressing out about how I was going to gain access to it for well over 90 minutes, like to the point where it's probably uncomfortable how long this potential employee has been sitting outside of the building pretending to be on her phone on lunch. So I decided it's now or never. But the security controls that they had in place were all the things that we put in the reports that the clients never buy, and they had them, so the only way I was going to get in was if another employee scanned their badge for me. So I decided I am going to wait until there's a group of people that are coming into the building, I will insert myself into the middle of that group, and I will make myself an obstacle to them gaining access to the building themselves, and then try to look like a hot mess and hopefully I can gain enough empathy from those people to scan their badge for me. And I was like, this is going to be fine. No it's not.

So I put myself in the middle of a group of people. Unfortunately there were two man traps, so some people just went around me, and finally I had someone that was curious enough to ask what was going on and then almost empathetic enough to scan their badge for me. As they were reaching to do it, they saw the security guard through the glass and went, "actually, you should probably talk to him," and I went, "or not, I'm good, I can just... I'll go around to the lobby." So I ended up walking away, and the security guard came out and he said "uh," and I said "oh no." So he brought me inside and I gave him the whole "I'm just a new employee, it's my second day, this badge doesn't seem to be working," and I thought for sure that he had totally figured out what was going on and that my cover was blown. So I ended up blowing my own cover by not pivoting correctly in the moment and asking him to take me to HR, which was the goal. But we ended up writing a report that made the client extremely happy. They were very grateful to have validated that their security controls worked, that the humans on their security team worked and did their jobs, that the physical man traps worked, and that the people who I had tried to exploit in my desperation had also done their jobs to keep me out and followed procedure.

But then they had this other location, and the long and short of it is they were trying to gain budget to put more comprehensive security controls in place there, and my co-worker and I were able to prove that we could steal about 10 of the 13 trucks. We recorded video of us opening the doors and finding keys in cup holders and ignitions. So there's a balance, and I think that opportunity to see the lesson and where the success of that engagement came from: it wasn't me winning, it wasn't me going "haha, I could have stolen like 10 of these trucks," it was validating those very expensive security controls for the client and having them feel like bringing us on to test them was worthwhile. It added benefit to their security program and it established that they were going in the right direction.

So in conclusion, the hardest thing in life, essentially, is to get knocked down and have to get back up, and being able to accept when you were on a slightly wrong path for you, or that maybe this path isn't the destination, and adjust and get back up and try again is critical to success, I feel, in this industry especially, where you could get a job doing the thing you actually don't want to do probably nine times out of ten with that first role, but end up using that to pivot into the thing you discover that you love. The evolution of social engineering is key to creating opportunities for benefit to clients in the advancement of their security programs. We can't keep doing the same phishing-with-whitelisted-domains baloney testing; we need to take this beyond that to add true value to our clients. Essentially, I'm invested in finding out what that evolution looks like: what does this look like for our industry going forward, and how do we grow this side of the business to add support to engagements that make clients feel like they made the right decision purchasing them, rather than "yep, we did the thing, we got the pen test, check the box, and let's move on"? How do we improve programs and go beyond raising awareness to really finding what technical controls will prevent phishing, and how to gain budget for those and implement those in organizations throughout the nation and around the world?

Thank you very much for joining me. Again, a giant thank you to BSides San Francisco for hosting me. If you have questions, I will happily answer them at the Bishop Fox booth in the sponsor area. I will be going directly there following this so that we don't clog up the hallway, but I have stickers and things, so come by and say hello. Give me all your feedback, I want the good, the bad and the ugly, and thank you again for joining me.