
Morning, everyone. I hope you all had your coffee and everything to caffeinate you, or to get you through till the big Chick-fil-A comes. This is not meant to be a very technical talk. I want to give a broader approach that you can take, in both offensive and defensive mindsets, in order to take abstract concepts and tie them together, because I'm pretty sure almost everyone in this room is IT, information security, or some variant of it.

So, quick first show of hands: the Star Trek fans, raise your hands. The Star Wars fans, raise your hands. And neither of those, raise your hands. Why? And here's my first question: why? Anyone care to volunteer why neither of those two? Now, what if you can tie those two irrelevant things to information security? That, I submit to you, is something to think about all throughout the presentation.

So first, who am I. My name is Tigran. I'm a senior analyst with Accenture Federal Services; I'm one of their cyber threat hunters. Prior to joining Accenture I worked in the SOC, and I did the physical FedRAMP and DIACAP audits, and I felt a little bit of my soul died, so I had to escape, for the most part. I wasn't originally IT. Like many people in this room, I was international relations, for the folks in world politics and diplomacy, and I made the jump from there. So it's a very atypical journey, but it did give me some good insight.

The classic disclaimer: these are my own opinions and they do not reflect those of Accenture Federal. I also may be slightly biased, because I grew up exposed to a multicultural environment, I've traveled extensively with family, and I just had a habitual curiosity about everything, even the boring things, even finding a way to turn the boring things into something that was more fascinating for me.

So first we're going to start by defining what the Renaissance approach is. Well, a Renaissance man or woman is a person who is well educated and sophisticated and who has the talent and knowledge in a variety of fields, be they related or not related. Two great examples would be Leonardo da Vinci, who was a scientist, an artist, a musician, an inventor and a writer, and Marie Curie, who was, correct me if I'm wrong, a physicist and a chemist, and was able to use both interchangeably. A quote I found that's very, very helpful in this field is that one should try to embrace all knowledge and develop their own capacities as much as they can. It doesn't necessarily have to be expert, per se, but a deep enough understanding that you can cross-correlate with other topics.

Who remembers this, show of hands, from high school or college? The dreaded PERSIA that our teachers would hammer into our minds: politics, economics, religion, social, intellectual and artistic. And the N is the volunteer one, for geography. Each one of these we were told, for our AP exams, to focus on, because we would be tested on them. But I found that applying PERSIA to other, outside-academic pursuits was very helpful, especially in this field.

Who knows this guy? Raise of hands. And why is he formidable? Great. And how can you correlate this with information security? Anyone?
Exactly, and Thrawn. One of the greatest things about Thrawn is that he emulated this philosophy that I feel a lot of our red teams should look at, because in essence it's not just the tools. We're so tool-centric at times that we forget there's a whole other mindset that comes with the red team duty: we have to become the bad guy. No, we don't have to be, but we cannot follow the rules, or else it defeats the purpose of red teaming. And his counterpart from Star Trek: he's knowledgeable in a variety of areas, archaeology, music, philosophy, history and tactics, and throughout all of the fandom of The Next Generation we've seen him use this variety of disciplines and knowledge to navigate through difficult circumstances, diplomatic or volatile.

So this is Orit Gadiesh, the chairman of Bain & Company, who coined the term "expert generalist." I feel that the expert generalist is the end-all product of following what I call the Renaissance approach. Orit defines the expert generalist as someone who has the ability as well as the curiosity to master and collect expertise in a variety of disciplines. They don't necessarily have to be connected: industries, skills, capabilities, countries and topics. What this does is allow you to draw deep on that palette of knowledge and create points that you can take and infuse into a centered topic of choice, in this case information security. We can take things from English, psychology, chemistry, physics, the entire spectrum of subjects, and then use that mindset in our own work when dealing with attackers or defense. Another thing it allows us to do is drill deep and perfect our thinking in information security. This concept is commonly known as the T-shaped individual, which I'll get into a little bit later.

These are some famous expert generalists who applied the Renaissance approach throughout their careers, throughout history. As you see: Warren Buffett, Kathy Calvin, da Vinci, durin, Isaac Newton, Orit Gadiesh. There are some others, like Ellen DeGeneres and Oprah Winfrey; a lot of the celebrities were able to do very similar things, as you can see in the success of their branding and marketing in addition to what they were primarily known for.

Who knows Charlie Munger? Show of hands. Who is he, sir? Okay. And you notice how he's not talked about much; the focus is always on Warren Buffett, but he embodies the quintessential expert generalist. In addition to his primary focus of investing, he studied psychology, chemistry, physics, English, law and microeconomics, and he tied them all together to generate models for approaching different problems. And I feel that in the same way this kind of analysis can be used in information security, because it allows you to see the world a little more accurately and make better predictions of the future, because you're not as susceptible to the biases of one area of focus as someone would be who spent their entire focus in one track all their life. Another thing it will allow you to do is potentially have more breakthrough ideas, because you pull insights that already work in one area into another where they may or may not work yet. A third thing it does is help you build deeper connections with people, because some cultures hold different values closer to their heart than others, and being cognizant and understanding of that allows you to garner a warm respect as well as intimacy. Because if you meet someone, for example, and you have one thing in common, okay, that's great, but that's not enough to establish more trust and friendliness with them. Now, if there are three or four things you have in common, albeit they may not just be tied in with information security, but let's say you both like coffee, tea, or shrubberies, gardening, or the Knights who say Ni, okay, they get me; that's the first thing you get, and you would be automatically accepted into the tribe, whatever it may be.

So this is the T-shaped individual that Orit Gadiesh and Charlie Munger embody very well. The main stack would be in the middle of the T. I would put information security there, and below it I would start putting in the palettes of what you learned from different subjects, however boring they may be, and then use that to feed information security. So in a way you use all the arbitrary and random tidbits of data, but they reinforce your role as a security analyst. Some of the benefits, as I said: it gives you more options to bluff, and, the ability as mentioned before, the ability to understand both cultures garners a deeper respect from a target toward a social engineer. I actually picked that up last year when I was at DEF CON 24. There is a Japanese national, Tomohisa Ishikawa; he was giving a presentation on the cultural impacts of social engineering, and that's one of the biggest insights I drew from his presentation.
Who's familiar with the ABN AMRO bank heist in 2007? Anyone? Okay. So what happened was, in 2007 a mystery man burgled safety deposit boxes at the ABN AMRO bank in Belgium. He stole diamonds and other gems weighing a hundred and twenty thousand carats, and all he did was visit the bank during its normal hours, overcome all of the security mechanisms, and walk right out of the door with about 21 million, now 27 to 49 million, with no technical vector at all. There were no hacks, there were no flaws, but he used charm and the Renaissance approach. He got to know everyone; he was very well educated; he spoke multiple languages; he brought chocolates for the employees; and he garnered so much trust that the employees gave him the keys to the safety deposit boxes, let's say if they had to go to the bathroom or they had to run an emergency errand for their family. They gave him the keys, so he made copies of them and used those to pull off his heist.

This should give a better indication of how you can use these random subjects if you're doing a social engineering engagement. The more limited your pie is, the less chance that your social engineering engagement will work; and, conversely, it's less likely that someone will be able to exploit you, because if you have deeper knowledge in a variety of topics and you know someone's full of it, you can call them out on it, or make a mental note that this person's not being truthful, and be able to detect it a little more easily. It's not a foolproof method, but it does increase the percentages.

These are just a few examples of the approach. However you want to pair them is up to you; some complement each other, and you can thread different topics with individuals. But just remember: when you connect with someone on multiple levels, it solidifies the trust, authenticity and emotions that you may have with them, because you get them. You're automatically accepted into their tribe because you understand them on a myriad of tiers.

These are some recommended readings I have based on PERSIA. I'll be including this on my GitHub for those that are curious, as well as diving into deeper, smaller subtopics, for example in information security as well as social psychology and the like. So this list will be available on my GitHub within the week. There are some recommended podcasts I have, because I know very well that a lot of people do not like to read and prefer the audiobook version or just listening, and this is for those: the audio files. I highly recommend The Social-Engineer Podcast and The Art of Charm, as well as The Tim Ferriss Show; there have been some really good recordings from them.

So, to wrap up: the Renaissance approach enables you to essentially become a human Nmap, or expert generalist. You'll have more to discuss with people and contribute with them. It also eliminates the potential of saying that you don't know much, you don't know what to talk about; this gives you a myriad of things to talk about. And you can also bridge cultural differences, which can be used in your favor if you are on engagements, because other cultures have different values and priorities, as Tomohisa eloquently put it in his presentation. And you can create pretexts on the spot when you feel like you have nothing to say: you can just draw on something random or make an observation and use it that way. Just remember: use it for good, just like the Force.

Getting in touch: this is my Twitter, GitHub and email. Does anyone have any questions? I want to make this as engaging as possible, because you might be wondering about the arbitrariness of it all, and I would love to help put it together for you. Yes, ma'am.

Okay, certainly. So one example would be the Russian actors, the DNC breach, for example. It was determined that it was done by two threat actor groups from Russia, but based on that, let's look at the cultural aspects of Russians. Throughout their history they've been very persistent; they've been almost merciless, to the point that they don't take no for an answer. They also like to leave artifacts behind, but in the mindset that they wanted you to find them. So just like the Russian nesting dolls, the matryoshkas, they leave artifacts, but that's because they wanted you to find them as well. Does that help you see how you can tie in certain aspects of their culture with information security? Ma'am?

Okay, so through other aspects: the cultural aspects and upbringing help define how people usually act. An example would be the person who created BlackPOS, from the Target breach and the Neiman Marcus breach. It was a thirteen-year-old coder raised in Russia. He made this exploit, sold it on the black market, and the actual people who pulled off the heist bought it. But those people, the people in Russia, grow up in a very, very mathematics- and chess-influenced environment; it's just a very, very alert interlock on the cultural approach. They learned their culture and then they learned about other cultures, and that allows them to have an edge on others that, let's say, are more tool-centric as opposed to culturally centric, because they anticipate what the next step is going to be. They're already able to predict: let's say this culture is a stickler for rules, we follow the book and go this way; the Russians exploit that in that case. Does that help further answer your question, ma'am?

China would be another. A non-state actor, it'd be a little difficult for me to pull out a non-state actor example per se; I don't have one readily, but I am planning on getting a little more in depth with more specifics in my follow-up talk. I meant this to be as general as possible; the next in the series is going to be more specific, going more into case studies. So, if I could answer your question... yes, sir.

That's the next question; I'm glad you brought that up. So the Defense Language Institute has a certain section that's open to the public. It's called, it's a specific country perspective; they have something called Russian Perspective, and they touch on a lot of the things I discussed on the cultural aspects, the geographic. They basically go down through PERSIA in a very, very detailed way, and for a jump start, let's say you haven't learned the language at all, it would be a great first resource. I went through it. I'm sorry, is that for you? No? I'll provide the link; I might put it up.

Anyone else? I do have some prizes for you guys, so we'll start with the Rubber Ducky. Anyone who can answer: who is the guy from Star Wars I made reference to? You got it. The package deal here: we've got a 2.4 GHz and 5 GHz dual-band high-gain indoor panel antenna and a long-range USB adapter. This is the question for you guys: who is the guy I mentioned that is not well referenced, per se, where all the attention is on his partner, but he's seldom talked about? And the last one, for further white hair and graying at an early age: the Blue Team Handbook, Incident Response Edition. This question would be: can someone explain to me the T-shaped individual, the diagram? You got it. [Applause] For people of questionable intent, a lockpick set. Illegal? Exactly, it's illegal, let's say, in Virginia; just make a letter saying "I'm authorized," something along those lines, before you are wandering around with this. But what was the term I used to describe how the Russians have hidden their artifacts through the DNC breach? [Applause]