From Salesperson To Social Engineer by James Mason

BSides Lancashire · 18:39 · 230 views · Published 2023-04
Category: Career
Style: Talk
About this talk
After a strong sales career spanning decades, from selling batteries, to retail/sales management, to being a self-employed wedding photographer, I fell into InfoSec accidentally and found a passion for my calling in life, which quickly took off. In 2013, and within only a month in the industry, I'd produced a sales plan and a 12-month marketing road-map, including filming a new red teaming video for our pen testing team, who at the time had never had this kind of focus = Legend :-) The more that I sat with this team, listening to the daily "whoops" and high-fives when we'd pwned another global organisation on day one (black box), as well as truly believing I was selling the best, I wanted part of this too! The question remained: how could I, when I regard myself as non-technical? Inspired by some of the best hackers out there (still to this day), I became obsessed and quickly progressed to a member of the red team (black team - physical breach/Simulated Threat Lead). Working with one of the original red teams (formed circa 2000) that, 10 years ago when I joined, had a proud "never been caught" red team record, the pressure was genuinely on me. This only fuelled me further, and after successfully infiltrating some of the largest banks, insurance, legal, CNI & other sensitive environments, I'm proud of my "never been caught" record to this day too. It could be argued that a great deal of sales people are social engineers anyway, what could go wrong... Thankfully, absolutely nothing (so far!). This talk and the odd war story is aimed at how non-tech can absolutely and successfully deliver and, hopefully, inspire those new to the industry...
Transcript [en]

Right, good afternoon everybody. My name is James Mason (I didn't do that), I'm also known as Ribs, and this is From Salesperson to Social Engineer. So this talk is predominantly about how somebody non-technical can end up in a delivery role in a supremely set red industry. A couple of caveats: all views are my own and not those of QinetiQ, my current employers, or any of my previous employers. Most images in this slide deck are stolen off the internet, aren't they all, and any war stories that I mention have been anonymised and have since been remediated, honest. [Music] A little picture of Fred Durst in the corner there is just to say this is a bit of a rock star moment for me. I've been attending various BSides since 2013, so to be finally talking at one, I really appreciate BSides for accepting my talk and I genuinely appreciate you guys for listening to it, so thank you.

So a couple of useless facts, my background. I'm currently up to seven or eight in my nine lives, so hopefully I'll get through this in one piece. Bucket list stuff: I wanted to play poker in Vegas. My first ever game, against all the seasoned pros, professional sponsored gamblers and genuine cowboys, I somehow ended up on the final table, so that was pretty awesome. And back 20 years ago I wanted to land a record deal, and I didn't know that I still cared about this until I wrote this slide there. Obviously I still do.

So this was actually me in my early 30s. I wasn't academic, which is quite ironic because I'm now speaking at a university. I had no plans when leaving school and didn't do well at college. I had a couple of roles, they were all sales, and I was a wedding photographer for five years. So if you want to understand about stressful circumstances, then try controlling 200-plus people competing with the bar while keeping the bride happy and, more importantly, the bride's mum. Now that is stress. I think you can do anything after that, even a BSides talk.

So yeah, I was just thinking, was I an actual born red teamer? Was this always in me, or was it sales that led to this progression? I was thinking, when I was at primary school age, I remember visiting the bank with my parents and I would sit there and map out the CCTV cameras. I would map out where there were any blind spots and, you know, if I held it up, which was the quickest route out. I was eight years old, and little did I know one day I'd be doing it as a job. That's pretty awesome.

The second one, SeaWorld. My dad actually reminded me of this a few weeks ago, I'd forgotten about it. I think I was 15. We were in Florida, and it was back when you thought SeaWorld cared about animals. I've got an obsession with sharks, and I was in Terrors of the Deep with my family, and this small guided tour group came through all wearing lanyards. Just seizing the opportunity, I thought, awesome, I want a piece of this. So I joined the group, folded my arms just to lamely disguise the fact that I didn't have a badge, and the first thing I did was ask two or three really detailed, direct questions just to reinforce that I was supposed to be there. Little did I know this tour was half a day. So, stroking baby leopard sharks, hand-feeding sharks, which when you're 15 and you're not supposed to be there was pretty, pretty awesome.

Just quickly on this one: when I was a retail store manager, I quickly discovered that if you have the correct alphanumeric keypad combination, you can actually input it in any order and the lock still opens. That still works to this day, but you find these in less secure environments, retail places like that. And then when I was another store manager for a photographic lab, it was incredibly quiet one day. There was a motion detector burglar alarm, and I just figured out how to move from one end of the store to the other without tripping it once. So partly out of boredom and partly out of curiosity. I guess some of this was already in there.

So I fell into InfoSec literally by accident 10 years ago. I applied for a sales admin role at a company called QinetiQ. For those of you who are not familiar, they're a global defence company, so their website at the time was full of images like this: lots of guns, fighter planes, robots, drones, but it didn't really say what they did. So this three-stage interview, I wanted to get the job just to find out what the hell it was. Luckily I was successful, and I was told 10 years ago, "your new job is going to be selling this world-class team of hackers," and I was like, excuse me? I didn't even know this sector existed; I'd never heard of this term pen testing. On my second day at the company I was taken to a windowless room, I was shown how to pick locks, how to open a padlock with a can of Coke, and they compromised a laptop which wasn't even turned on. I instantly felt about 12 years old and couldn't believe this was my new job. So my passion was born right then, and as cheesy as it sounds, it literally changed my life. I finally found what I was meant to do.

So I decided, the team was so awesome, I was not going to sit with my sales colleagues. It was nothing personal, but I wanted to be there for all the high-fiving every time they owned a new organisation. It was infectious. I sat with those guys, and within four weeks I was in front of CISOs. Somebody with zero experience talking to CISOs in the industry 20-plus years, and I was suddenly telling them they're doing security all wrong. So I think by sitting with the pen test team, this enabled that fast track that I really needed, you know, sink or swim time.

So I was naturally drawn to red teaming, and there are certain parallels with sales, you could argue. The team at the time, back in 2013, had been doing it about 13 years. It wasn't hard, you know, but, considering the types of customers at QinetiQ, they had a 100% undetected record during their red team exercises, which they were rightly very proud of. It was my first formal gig, but two minutes before I was about to start I thought, oh God, it's going to be me, isn't it? But I'm proud to say, to this day, I've compromised some of the world's largest banks, insurance companies, vehicle firms, sensitive environments, and I share the same record, and I'm now one of the most experienced team members. It's all about training.

So sales and red teaming: is it that crazy a leap from one to the other? I put this in because there are obvious social engineering parallels with salesmen such as this gent. He's manipulating the person in front of him to get his end reward, which is basically what you do on a red team. So I'm just trying to find linkages: is this such a crazy move? Because I've not heard of it.

Dedication. Red teaming is a passion, it's definitely an addiction. I have to stop myself all the time whenever I see a potential tailgating opportunity. So I just put a couple of more fun, less serious images in, because basically anything QinetiQ I can't say too much about. So, changing my physical appearance: look at the lengths I went to to look different on my physical gigs. I kept that look for about five years as well, it wasn't good. And I may have accidentally stumbled into this scenario in London, and with a face like mine I don't often take selfies, I must admit, but I took this just to send back to the team, and one of them replied, yeah, that's awesome, it's like giving it down. [Laughter] It was quite awesome.

Secondly, the game, just innocently passing by. The middle image there is the press pit at The Beatles premiere, which was being screened globally, and I remember my brother texted me saying, "I'm just watching The Beatles premiere in the cinema, what are you up to?" I said, can you see somebody waving? And he sent a reply, and the second one was off, as you can imagine. High security, you know: Yoko Ono was there, Liam Gallagher and Madonna, Eric Clapton, obviously Paul and Ringo, Ron Howard, and there's me with a whacking great bag on the red carpet, blue in this case.

So pen testers, we all know you guys think outside of the box, and so do your management. The reason I put this slide in is because prior to lockdown I approached a few pen test companies and I wanted to make that jump from sales to red teaming, and I saw it as a dual role that I could sell and deliver. What's wrong with that? And not one of them could see it; it didn't fit any of their models. You were either sales with a target or you were delivering. Perhaps start again. But luckily this is exactly what I'm doing at QinetiQ. I cover technical pre-sales, the full sales cycle, I manage the exercises in a kind of CSAM role, and I've delivered the physical elements and some of the social. And using my sales background I then present the findings to senior management and the board. So I'm actually doing three or four different roles, and the reason I put this in is, you know, you get knockbacks, right? Just keep going with it.

A couple of war stories. As I say, these have been anonymised and they're kind of old, so fairly irrelevant now. This was a large UK retailer. They had just invested X million on their head office security. They wanted us to do a physical exercise, and I think the whole point was they would get a clean bill of health: the money they'd spent had been well spent. Upon visiting the site it was quite obvious. I mean, they had 20-foot-high spiked steel fencing, massive security teams, perimeter controls with guard dogs. It was quite intimidating, which is awesome to see. And I was thinking, as an attacker, you'd definitely go for an easier target. We were told the second most secure target was their distribution centres, because obviously they didn't want anybody breaching them. So we got in on night one. We were also told, I should add, that the physical security teams at those sites would be physically violent and then ask questions afterwards, so that was a risk we had to check out at these sites. So we got in, we got a meeting room, we ordered pizza, all the standard silly stuff, plugged into the network. It was all a flat network, so just like old security models where the investment is in the perimeter, it was exactly the same but literally in real life. We found a bunch of other stuff, and they sent out a company message that QinetiQ sent ninjas in the night, so I was quite happy with that.

The second one: this was a large financial organisation. They wanted something similar, to simulate an insider threat. They wanted one of their staff members to appear as though he's gone rogue, so they agreed a member of staff. Our team were in a hotel nearby, they sent him round, and this guy must have been 18. He looked like an apprentice, he was visibly uncomfortable with the whole situation, he was actually shaking. So we thought, they've set us up here, they want this red team to fail because they don't want to look bad, which, you know, if you game a red team exercise you're getting absolutely no value out of it, and it's a dangerous concept of security. So we spent 40, 45 minutes with this guy, calmed him right down and told him what we wanted him to do and why we were doing it, so I think the context helped. Sent him back in and he was awesome. I mean, I would have given him a job at the end of it, to the point we had to really calm him down, and he even left his laptop with us, which was a bonus. But I'm interested in the human element, and it surprised me how somebody could go from visibly shaking about the situation to fully in with both feet. And it just made me think that for companies dealing with malicious insiders, you can have access control in place and things like that, but if they decide to do it, they tend to, like jumping out of a plane, go all in. They're going to do it quick because they don't want to be caught in the act, and that is a hard challenge to deal with when you have to trust, even with controls in place. So I was really interested in that one.

The last one: this was a physical gig just before Christmas. I had three scenarios planned. We had two days to breach a very high-security organisation, and my first attempt was going to be cloning a staff card and swiping myself in. I hadn't used the kit since before lockdown, and while I was tailing the staff to the nearest Tesco Express, the supermarkets available and then the nearest bar, I quickly discovered that this had a range of about five centimetres. And to add to that, the gents tended to have their passes on their belt and the ladies tended to have lanyards, and either one of those areas I was not willing to get within five centimetres of. So yeah, with a red team exercise you can do all the planning in the world, and very often stuff just happens in front of you that you've got to be able to react to, change your plans and, you know, capture the flags.

Current state of red teaming. I just put this in because at QinetiQ, being a defence company looking after the types of customers we do, our team had no furlough. We were fully deployed during lockdown, we were on site during the main lockdown, remote testing. Red teaming on the physical side dropped off with the world in lockdown, and it's come back, but I've got a handful of customers for whom it's gone back to the thoughts of 10 years ago: oh yeah, it hasn't happened to us yet. Which is such a dangerous mindset. Remote attacks went up 600% during lockdown, depending on whatever you read, but hackers were all at home then too, right? And they've gone back to burglar alarm syndrome: I'll buy an alarm after my house gets burgled. So I just wondered whether any of you have experienced the same, whether that be your own company or others, but it's dead interesting. I'm seeing a pretty dangerous mindset, in my experience.

Just to conclude, because I've only got a few minutes. I beat myself up in this industry for far too long. The teams I work with are absolutely so awesome that I could never possibly be on their level, so I'm not going to try, so don't do it. You know, there's proof that there are ways in, and I absolutely love red teaming, if you can't tell. Again, by being persistent and making things happen, and as I said, I had those knockbacks and stuck with it, and now this is pretty much my dream job. The only way it could get better is if I was full-time black team, back-to-back gigs, all the airlines, and forget sales. Make friends. From sitting with the pen test team in SHC, I've made an effort to make friends with the pen test team at all the other pen test companies I've worked for, and you should see their faces when I walk through the labs: who's this noob in a suit trying to talk to us? But I'm lucky enough to have pen tester friends, blue team, red team, from each company I've worked for. And finally, as Roy Castle once sang, if you're that old, dedication is what you need. I've attended BSides, as I say, for 10 years, Black Hat, a load of the DCs, all these events, and I've never seen another sales guy at them. So if there's one thing I could say: if you're not in the industry already, you know, it's possible, and good luck with it. All right, thank you so much for your time. [Applause]

[Question] So you're saying about red teaming around COVID, it had to die down. Do you find now, I mean OK it's opened up, but there's obviously a lot of people that still work from home, right? How would you go about red teaming that?

[Answer] Yeah, so, trying to think about what I can say. Very early days of lockdown, that's exactly what we focused and worked on, really, like the first few weeks, because of the abrupt change and the customers that we look after. It was just a completely different world overnight, wasn't it? And so, yeah, sorry, that's a big answer. Yeah, we focused on that from the outside pretty much.

[Question] Really stupid question: [inaudible].

[Answer] Simulated attack manager, so they manage the customer during the red team, keeping contact, and manage the engagement throughout execution.

[Question] [inaudible]

[Answer] [inaudible] ... people and businesses get out of the collaborative side, you know, launching attacks, both watching it together, what it does. Our red team's learning at the same time, so it's dually beneficial. We've had companies do a red team and they've put that back for another purple team because that exercise has gone so well. So yeah, I've seen that really grow since. Again, perfect, thank you very much. All right, thanks. [Applause]