Good afternoon, everyone. Welcome to room one: Hacking Heuristics: Exploiting the Narrative. If you are not in the right room, well, stay for this talk. It's gonna be really interesting. So I'd like to introduce you to Kelly, who's a red team operator at SpecterOps, and she's presenting today Hacking Heuristics: Exploiting the Narrative. Let's give her a warm applause.

Hi, I'm Kelly. I want to start off this talk with a story, which is how I define a narrative, because I think it's the best way to just show examples.

So my second month of work, I was trying to tailgate into a building. A manager was like, "Just, you know, research it, tailgate in, it's no big deal. It's very easy to do." And on my second time trying, I was going in and I was following people. I was doing everything right. I was going in at 8:30, which is when employees went in. I was on my phone having a very intense conversation with my mom, and also I had coffee, and still someone grabbed my arm and he goes, "Who are you? What are you doing here? What's your purpose? Who do you work for?" I... my job is not worth this.

And what I didn't take into consideration was that I was dressed like this. I was not taking my overall narrative into consideration. Appearance matters. As much as people like to say that appearance doesn't matter and it's all about what's inside, it does. Not just for social engineering, but for the broader red team context.

I want to qualify this talk and say that this is not a social engineering, physical penetration type of talk. This is about behavioral economics and the way that computers take on the biases of their owners, and how we can then exploit that in computer networks. I am very excited about it.
I hope you are too. But there is one caveat that I want to make sure I address. I use a lot of analogies and metaphors, but they only go so far, right? Analogies and metaphors are great for explaining concepts, but sometimes the actual implementation, if you take them too literally, does not work. So the point of this presentation is to give very technical people, red teamers, a broader context of new ways to attack systems, and it's to give maybe less technical people a broader perspective for different ways that we have companies.

So who am I? That's the big question, right? I am a red team operator at SpecterOps. We did a training here earlier this week. I do a few different trainings. Mostly, though, I'm a consultant, and I go and do red teams and penetration tests for clients. And I've been doing that for about three years. Before SpecterOps, it was another type of company, usually Fortune 500, 100, and just large-scale environments with the objective of getting domain admin. Before that I was a business major at the University of Miami, and I felt kind of like this Ditto Pokemon for a while with the imposter syndrome. And throughout this presentation I'm going to expand, and that's why there's a "to be continued": there's more to you than just a few different characteristics, and the ways that we can use our different characteristics are our competitive advantage.

So tifkin, Lee Christensen, he was one of the trainers at the SpecterOps course at NorthSec. He coined the term red team analytics, and I really like thinking about it that way. It's employing different types of tradecraft that gives you the appearance of blending in, with the caveat that sometimes that will get you detected, right? And this presentation focuses heavily on blending in and then also small ways to stick out, or not stick out, sorry, small ways to be unique, so that you can avoid incident response. By definition, incident response is based on rules, and these rules are very granular.
So if I can just evade one or two of those rules, it gets a lot harder to detect, and for a red team operator, that's fantastic. That's exactly what I want to do. So the best way to do it is to mix both of them. You want to blend in and you want to be unique in a very targeted manner.

So my title, Hacking Heuristics. Not all people know what a heuristic is, so I want to make sure I define that. I'll be defining a few different things throughout this presentation, just so that we're all on the same level. And the way that I think about heuristics is two different ways, one of which being mental shortcuts from the behavioral side, and from the computer side, it's algorithmic shortcuts, right? It's the way that computers are also making the same types of mistakes, and it's pervasive. It's not just behavior and computers. It's everywhere. These mental shortcuts are based on speed, and speed kind of rules everything around us, right? We want our programs to be fast, and that's why innovation is happening so quickly. And that's exploitable. It's fun.

And one thing I want to hone in on, especially at the beginning, considering I've been talking about the narrative, is that it's really the moments that we remember and not the routine. The routine is stuff that we do every day, whereas the big moments, those things that change our lives, right?
That's what we think about and what we tell people and what we use to describe stuff. So if we're thinking about it from an incident response perspective, what is important to them might be what everyone in the news has been reporting on lately, and it's hard to avoid the narrative in that way.

So I want to give a few examples of the automated tasks that our brains make really quickly, things that just happen, versus very thoughtful responses, on more the behavioral side. So automatic, or scripted if you're thinking in the computer lens, is just stepping out of the way. Like if someone's coming at me, I know to step aside, right? Also driving through your hometown. I know easily, I just follow the stop signs. I'm thinking about many other things at the same time. And on the other hand, calculated responses. I'm gonna start with the bottom: doing math. Math is very hard. If you have a good problem, you're thinking a lot about it, and that cognitive power that goes into that is hard to do, and you can't replicate that for driving through your hometown or else you'd never get anything done.

So this presentation overall could be surmised in: words matter, and how we describe things matters. The narrative seduces people into thinking that they know what's going on because of words, which is very important for our understanding, our ability to communicate. But then we need to think about what these narratives are and ways that we can then use them and weaponize them if you're a red teamer, or from a defensive side, recognize that these narratives might not be reality. Perception and reality are often changed by a narrative.

So next I'm gonna go into a case study. This case study was done in the 1980s. People were asking, "Hey, can I cut in front of you in line to use this Xerox machine?" And in example one, it was, "Excuse me. I have five pages. May I use the Xerox machine?"
60% of people let them cut in front, which makes sense. People are usually nice. And then the second one, which had a much higher statistic, it was, "Excuse me. I have five pages. May I use the Xerox machine? I'm in a rush." That makes sense because there's justification, right? The justification, you would assume, makes a lot of sense. And the third one also has a justification: "Excuse me. I have five pages. May I use the Xerox machine, because I have some copies to make?" But the justification doesn't actually mean anything. It's just more words, right? So for a second, just think in your heads: what percentage of people do you think let them cut in line? I was surprised to find out: 93%. That's crazy to me, because that means it's just people recognizing justification and being like, "Yes, that matters."

So from a social engineering perspective, that's very valuable. But like I said, this talk is not about social engineering. It's not about social engineering, but we're going to keep on talking about behavioral heuristics so that then we can better understand red team operations.

So a few common behavioral heuristics that are kind of pervasive across the field: availability, familiarity, and those can both be surmised in the overall: we think intuitively that different types of events have a similar likelihood of occurrence when really they don't. Similarities: you can't just think that because an event is like something you experienced before, that'll happen again. It's also why, I mean, racism happens, right?
You see something happen once and then that's your perception of an entire group of people, and that grouping is pretty bad.

Representativeness is when an individual judges the representativeness of a new event. People usually pay attention to the degree of similarity between the event and the process. So for this one, I'm going to give an example, because I think examples are a much better way to kind of show these in action. It's called the Linda problem. It's by Daniel Kahneman, who is one of my personal heroes. If you're interested in behavioral science, behavioral economics, I highly suggest the book Thinking, Fast and Slow. I read it when I was in college, and I think about this book once a week at least, and it's been years now.

But the Linda problem is: Linda is 31 years old, single, outspoken and very bright. She majored in philosophy. As a student, she was deeply concerned with the issues of discrimination and social justice, and also participated in anti-nuclear demonstrations. So knowing that, I have a question. What is more likely: that Linda is a bank teller, or that Linda is a bank teller and is active in the feminist movement? So there's no option three. There's only two options. Who thinks option one? Okay, and who thinks option two?

Okay, so the real answer is that Linda is a bank teller, because the probability of two different events occurring together is always going to be less than or equal to the probability of one occurring alone. And to everyone that said option two, which, given the context that I gave before, is a much higher probability, like, you would make that assumption. That's a normal assumption to make, and also 80% of respondents said number two. And I think that for everyone that said option one, if you were asked that question in the context of just regular conversation and not talking about behavioral science, the fast response might have turned towards number two.
I know I fell for it. But I think it's a good example of the way that our brains think quickly and the way that we can anchor ideas into it. It's incredibly important to our understanding of the world.

So I have talked down about heuristics a fair amount, but the truth is that we need them. We need them a lot, because we make 35,000 decisions a day. That's crazy. 35,000 decisions. I mean, I quoted Quora, but I'm okay with that. I don't know, Google search. Even if it's not exactly 35, it's around that many, and every decision that we make is a small prediction about what we believe the future to be. There's a lot of cognitive computing that goes on into each of these decisions. So we need to think fast, and maybe we don't always need to be right. That's what a heuristic is. It's a mental shortcut.

And so I'm gonna give a quick example about my morning routine, but I hope that all of you can see your own morning routine and see the similarities. So I wake up with an alarm clock. I decide what do I want to wear to work. There's a few different options, whatever. I decide do I want to have tea, do I want to have coffee, do I want to eat. And then I think about the bus schedule, and the bus schedule can be anywhere. I'm from Seattle, and the bus could take me anywhere from 30 minutes to an hour to get to the office, and if I want to be there at a certain time, it involves some planning. And that planning, I'm usually pretty good at predicting. I'm usually good at understanding about how long it'll take me to get to the office. In general, people are great at predicting. People are awesome at it. Except when the narrative comes into play. When the narrative comes into play... oops. Oh wait, I have this. When the narrative comes into play, everything is out the window.

Earlier this year, the viaduct in Seattle shut down and everyone freaked out. It was everywhere. It was in all the buses.
It was all over the news, because also there's a financial scandal going on, and people kept on talking about the viaduct closing and what that would do. And in my head I thought, "Oh wow, it's going to take me twice as long to get to work." And guess what? It didn't at all. It took me less time to get to work, because everyone was thinking about this stuff. It completely ruined my ability to predict because of what people were telling me. The more I heard it, the more I believed it.

And in general, narratives get in the way of our ability to predict the future, because people like causation. People love finding the root cause of whatever problem they have, and there's a lot of validity to that, right? Especially incident response. You want to find the root cause so that you can fix it in the future. And then people also like talking about interesting topics. People communicate interesting things to one another. No one wants to hear about what you had that morning for breakfast. They want to hear the viaduct is billions of dollars in debt, or however much it was, probably millions. And then also, the more that you hear something, the more you start to believe it. And I'm a strong believer that repetition is more important to the believability of a statement of an individual than the veracity of a statement. You can be convinced of lies all the time.

Here I have a picture of the Great Wall of China, and fun fact: you can't see the Great Wall of China from space. How many people knew that?
Okay, more people than I assumed. Maybe I'm just behind, but that flabbergasted me, because that's something that I've been hearing my entire life from multiple people. I can't tell you who told me it or source that information, but it was just part of my understanding of the world. And the more frequently things are repeated, the more likely people in general are to believe them.

So this is one of the last slides before I start getting technical. I promise it happens. You've just got to give a good understanding so that everyone's on the same page. But the similarities between experience and context, and I like to think of context as situational awareness during your red team, right? You hop onto an environment, you go, "What is going on? What do I do now?" I think the director of the red team at Walmart has just been going through all these different narratives of what do you do first, all this stuff. And with experience, you can better predict the future. That's what experience gives you, and that's what makes experience really valuable, and that's how you create that context, and you get better at predicting.

When I first joined the field, I was very overwhelmed, because I saw my co-workers and other people on Twitter that were just amazing at what they did, and what I didn't take into consideration was they have a lot of experience in this. I joined an environment, I just got my initial foothold and I don't know what to do. I'm stunned. Whereas they have the recency of events and things that have worked in the past, and that's what they start going after. That's very valuable.

And then here is a graph of: you have an experience, right?
Your brain takes that experience in, it indexes it, it makes it so that, one, it's in there; two, you can call it out easily; and then your perception of the world changes. And that's the real thing, and that's how you can create context: creating these new experiences at both, like, a personal interaction and also a network level.

So people think in references and relationships, and so does Active Directory. This is a very, very simplified version of Active Directory, but these are the parts that I'm going to talk about, so please, we don't need to argue about the simplicity of this. Users, right, are part of certain different types of groups. And if I think about the types of groups that I'm in, it's: I live in Seattle, like, all the characteristics about me. And then from there, with these certain groups in Active Directory, you have special privileges, or certain groups where you can log into the machines remotely. You can do different things.

One tool that a co-worker put out... this chart is a mess, right? It's kind of overwhelming, but it's mapping out all of the different objects in a domain to how you get to domain admin. And I know that there was already a talk given about BloodHound, so I won't get into it too much. But these mappings of relationships and these mappings of just an entire network... also, you can map your personal network and start seeing the relationships in all these things. BloodHound, I think, is a great example of the narrative in action, right? I want the shortest path. Oh wait, next slide. I want to get to domain admin as fast as possible. It's a little bit hard to see, and I'm going to blame the initial graphic, just because of how much is going on in the slide. But if I start over here, right?
I'm on that computer. That was my initial foothold, and I want to get there as fast as possible, and I have the footprint of how all these relationships are defined. Then I would notice that this user is a member of a certain group. The problem also with this graph is that this is real client data. And Andy Robbins, he's _wald0, he's one of the main guys that runs BloodHound. I highly suggest you follow him. But he takes real client data to try to show real threats, and then he just takes out client-sensitive information.

But when you have BloodHound, you can see the fastest way to get to domain admin. And I'm a big believer in the path of least resistance. I love that, because I want to do my job as easily as possible. Like, I don't want to make my life harder. And knowing that this user is a member of a certain group that is an admin of a computer that is logged in and part of the, sorry, who is a member of then the Domain Admins group, that's my path right there. That's exactly what I want. And within BloodHound you can change the graphs, you can just open specific things, and it's a much better tool than I'm explaining it to be. I encourage all of you to check it out.

But still, having all this stuff, if you create the context, or you're creating new groups, right, you're creating new users, which I do not suggest you do, because then clients are getting worried. But that narrative will change the reality of that domain. So what narratives allow us to do is to create context and create really the situational awareness of what's going on.

So now I'm going to get into the different types of ways that you can use context to blend into your environments. That's a big thing about red teaming: you don't want to get caught. If you get caught, hmm, room for improvement. So the first thing is social interactions, then we'll slowly get more technical. I'm going to give a few examples of physicals.
That's something that I initially started with because it just made sense. And the first question that I had to ask myself is: who do people think I am? And who people think I am is not a SpecterOps red team operator, or at the time, a penetration testing consultant. They don't think that I'm a graduate from the University of Miami. They're not so excited on that. My mom, who I care about a lot, she just describes me as intense. My friends from college say that I'm very hard-working. My co-workers say that I have a bad sense of humor, but I'm very energetic. None of that matters. What really matters is your appearance, right? And figuring out what is your first impression before someone even sees you. You can't do physicals without that. You've got to know yourself.

So I have a blog post about how to figure out who you are, so I won't get into that now because time is limited. But I found out that I have three different profiles. The second one, event planner, I've used that one once. I avoid it because tailgating is not my forte, as I started with. So I try to avoid that one. That would be me blending in with an overall company.

I use the intern one when I'm trying to clone badges, because people love helping interns as long as it doesn't mean that they actually have to do something. So if I walk up to someone and I say, "Help, I'm lost" (my badge cloner's here), they're like, "Oh my gosh, of course you're lost. You're an intern." Then they'll give me directions, I have their badge, stuff like that.

But if I want to do something like privilege escalation and I want to convince someone to do something, then I need to be an attorney. When I'm an attorney, I'm dressed more like this. I'm wearing a dress and heels. I put on lipstick. I try to make myself look older too. I have a nicer purse. I'm not using a backpack. I am asserting authority, and it's a different tone of voice as well, right?
Interns are scared, often easy to pull off, and attorneys are very direct and to the point. Usually I just talk to myself in the mirror that morning and try to establish that. But it's giving the perception of who you are. It's really trying to give that narrative.

And then in the same way, these are all things that I have done in real life. So when I'm creating these profiles, I know them very well, because I used to be a privacy consultant, right? I worked with a lot of lawyers. I was an intern at one point, and then I've planned events, and in that way I can be very real, and people recognize real. So once we think about the narrative more, we can see how we can change the reality of the situation.

Here it's more just a fun slide of my personal toolkit. One night I was bored in a hotel. Usually when I'm an intern, I use a backpack, and then my attorney go-to is a nicer bag, right? It's something that attorneys would use. I looked at all the attorney bags. I, like, Googled them: what do attorneys use?

So then next I'll be getting into more internal penetration testing, going through the, like, living off the land philosophy. We'll start there. It was coined by Symantec in 2017, where you're using the tools that are already in an environment. So living off the land assumes that you have that initial foothold on there, and living off the land is just taking advantage of stuff that's there. That's great because... oh, I should have said this before: what do people use? Living off the land is very doable because you have things like Adobe, and I am a big fan of Adobe. I like photography, so I use it. And last week Matthew Green tweeted out all these CVEs that they just dropped in one update. That's crazy, right? So from the living off the land perspective, I don't need to build all of my own stuff. I don't need to create new exploits.
I'm just going to use the Adobe application that is on almost everyone's computer.

Another thing is browser extensions. Browser extensions are awesome. There's a person, xorrior, his name is Chris Ross. He made a browser extension exploit for macOS, and this is just the general synopsis of it. I don't want to get into it too much, just because it's a lot of information.

And then Microsoft Office. I have here included macros, macros and more macros, but there is so much more to Microsoft Office than just macros. Macros are just what everyone talks about, so, included. This is a fun thing that I used to do. It's actually my first programming language. I really spent a lot of time with WordBasic. It comes before VBA, and for a little bit you could use WordBasic. It'd be automatically changed into VBA, but it wasn't getting detected by incident response because the syntax was in WordBasic. And it's these small obscurities that really help you exploit things. That was great, and then Microsoft started catching it.

This is a quick overview of ProcDump. I'm sure a few of you red teamers are very familiar with it. That's why this is an internal penetration testing section. But what ProcDump is, is it's a Microsoft-signed tool. So you would download Windows Sysinternals, and that's great. It's Microsoft-signed, it won't get detected as easily, except now they know, "Oh shoot, people use ProcDump maliciously." And then from there, what you do is you dump the LSASS memory with that tool. And what LSASS is, is it's responsible for enforcing security policies on a system, and it verifies users that are logging into Windows computers, servers, all of the above. So if you can get that LSASS file, you can get credentials using Mimikatz.
Mimikatz will get flagged by pretty much everything, or it should get flagged by pretty much everything, because it's a known malicious tool. So instead, what you do is you pull that back onto your own computer, and I just turn off Windows Defender in a VM, or else it'll kill my Mimikatz, and I'm like, "No, no, no, I'm trying to be malicious." And from there I can still obtain the passwords, right? And it's just using the things that are already installed. Windows Sysinternals is very common. I've never been on an Active Directory environment (and every company that I've ever tested uses Active Directory) that didn't have Sysinternals installed.

So then another one of living off the land is Csaba, I'm gonna butcher your name, Fitzl. He noticed that if he created applications in the Mac App Store, he could then do privilege escalation, and by doing that, it's already in the Apple store. People trust that because it goes through a process. He had to get a developer ID. It took him about a week. He had to learn Swift, which took him about a week. No, sorry, getting the developer ID was fast, and then it took him about a week to learn Swift. But from there he could develop his own application that is also from the Apple App Store, and that's very good. And yeah, next slide.

So then now we're gonna get into network traffic and specifically infrastructure. Infrastructure is a large concept that I could talk about for five hours and still not give you a good enough impression, so we're just gonna run through a few different things that are especially relevant to behavioral heuristics.

For those of you that aren't aware, a command and control platform, C2, is a way for me to execute commands remotely onto a system and then have them return an output. The tool that my company uses is usually Cobalt Strike, but there is a lot out there. There's Empire. There's Apfell. There's Faction.
I have a few of them up on my computer here. There's a good amount of C2 tools, but it's just all that stuff.

But the first step of infrastructure is figuring out what type of cloud provider you want to use, because they're all different, and what story you want to use with each cloud provider, because they each give you different types of functionality. The benefit of AWS was domain fronting. That's a little bit dead. It's been dead in Google for like one or two years, so I think they're a little behind. But you could still domain front with Azure. Also, AWS is the industry standard. The benefit of using Azure is that people are very familiar with it and the documentation is there. People use DigitalOcean because of team management. It's very easy to use. It's probably the fastest way for someone to spin up infrastructure for their first time. But I am a big fan of Google Cloud, mostly because of their Cloud Run functionality. So I'm going to use Google and Microsoft to show how you tell a story with your infrastructure and evade detection.

So here, this is Cobalt Strike, the C2 that I mentioned earlier. You can see these are general profiles. Do not use these during an op, because they will get flagged. You need to modify them, right? And if you click on them, you can make the modifications with the header files. But the Gmail one is relevant to Google, the Microsoft one's relevant to Microsoft, you get the idea. Within all of these C2 profiles are unique parameters.
So here are a few, and there are way more parameters that you can change in Cobalt Strike. The same way that when I wear different things I give off a certain perception, you see that there's a lot of similarities in the way that we think about infrastructure, and we think about sending traffic or trying to emulate certain types of traffic, to how you present yourself and stuff along those lines. Yeah.

So here is a potential infrastructure setup. If you have infrastructure questions, really the best resource is bluescreenofjeff's Red Team Infrastructure Wiki. It has so many resources, and if he didn't write the blogs himself, he has a bunch of resources, and people have been helping him build out this wiki to give as much information as possible.

So right now I'm going to focus on the short-term C2, which is the easiest one to stand up. Usually you want to focus on how much effort it takes to stand up a different type of C2, versus maybe a long-term one, something you don't want to get burned. The short-term ones are domain fronting, which is kind of dead now except for Azure. So earlier this week, I just went and made a CDN profile. I can now send my traffic through fuzzy.azureedge.net, and azureedge.net is a Microsoft domain. That's fantastic, and it took me 30 seconds to create, and the speed is a huge portion of it, because I don't want to spend too much time.

Something a lot more complicated is domains. Domains are tricky. Oh, where... wait. There we go. Domains are tricky. So first I'm going to talk about telling a story with Microsoft. I have an addiction with buying domains. It's kind of a big problem. It's a problem. But you know what? I could be buying things on Amazon.
So it's not the worst thing in the world. I own cloud Microsoft com, so if I want to send traffic and I want to blend in with Microsoft, I'm gonna use cloud Microsoft com and I'm gonna use Azure services, so that it's still being pulled back through the same way. And the profile that I would use is, I would modify this Microsoft update GET-only profile.

Whoa. If I want to tell a story with Google, and recently, because I've been interested in GCP, I bought a few different Google products and their domains and also an API, because these are things that people are likely to overlook. It blends in well, right? And if our objective is blending in, this is what you want to do. And the Cobalt Strike profile I chose for this one was just Google Drive GET-only. But I can't stress this enough: all of these profiles will be burned because they're known malicious. You have to modify them yourselves.

And so another way that I can blend in with real Google things, and being real is very important because people can spot fakes very easily, like, when someone isn't being real, you can tell that. So I was using the Google Cloud Run platform. It's a little bit similar to Ronnie Flathers, I'm sorry for butchering that name, his serverless toolkit. But I could set it to my own domain, Kelly Villanueva com, and being able to do that, I also can set up very easily Google infrastructure, or like a Google IP address, and when you check ARIN and WHOIS, you see that it's coming from Google.
None of that is a red flag yet. There are other things that you have to take into consideration, but overall you want all these things to align. You want to be able to tell a story with it.

So this is a quote I took from some, or many, 14- and 15-year-old girls: "Real eyes realize real lies." And mostly that's getting into how to be legit, like, how can you make yourself out to be exactly who you want to be. And the thing is, real websites are categorized. So I took the cloud Microsoft one that I bought a few months ago, and then I went to domain categorization websites and I got it categorized as business and economy. Awesome. That will then not get blocked as easily by different solutions. Here are some of the vendors, and a dog that is pretending to be 21. But there are a lot more vendors. They're included in the red team wiki and also blog posts that I've put out about infrastructure.

Another part of being real is that real websites have existed for more than a week. That's like a big thing. If you buy a domain and then three days later you use it, that's not good. It's like the one-week minimum. One time I was at a client and they did not allow any emails to come in unless they'd sent an email to that domain within that prior year. That's on the more extreme example, but the length of time matters. So during a red team, we could blow through 10 to 15 domains, so you have to buy things early and prepare. It's all about the preparation, right? This one I bought in November. I still probably wouldn't use it for a few months, and just let it sit there for a while.

The next one: real websites have certificates. There was a talk given yesterday about how easy it is to set up certificates as an attacker. If I see, not my own website, but if I see a website that is using HTTP, I'm like, "Oh man, whoa, what is going on here?" And because of my background in privacy, if I don't see a privacy policy at the bottom, another red flag, right?
You want to do what other websites do, and you do that by being like other websites. So I go to, this is Behance, or Behance, I don't know how to pronounce it, but it's an Adobe website and you can download templates of websites, and from there you can just add that and blend in with your traffic. You make a few modifications to the HTML and then from there it looks like a very legitimate website, especially for log-on pages. And then the last one, emails. So emails, there are so many different email avenues to get in, right? It's like an infinite amount. The stuff gets blocked all the time. One of my favorite stories was, I was working for a Fortune 100 and we're doing a phishing campaign, and I sent an email and I gave it a really good narrative, right? I'm an attorney, because I know attorneys well and I know how they speak, and there is this really sensitive documentation coming out, and here's a key, and then use this key to decrypt the macro. Great. And actually what happened is they whitelisted all domains, which is pretty mature for a client, and their head of IT gave me a call and goes, is this for real?
Yes. Um, but if you have a strong enough narrative you can still bypass even the strongest of restrictions. So all of these mentioned earlier, the reasons why phishing wouldn't work is mostly you didn't put enough time and energy. Phishing is annoying because it takes obscurity, it takes a lot of, takes a lot of time to develop good things. Domain categorization takes a while. You have to go through, for very obvious purposes you can't really automate it, you have to go to each site and submit it, and you have to have a real site with HTTPS already on it or else they're gonna say this is malicious, and you get flagged and then you can't send any traffic through there. Also, if you don't create a very realistic phishing template, people are not going to click on it. Now there's user awareness campaigns. If you send something like, hey, I have this awesome trip to Nigeria, all you have to do is click this link and then you're going to Nigeria to meet the prince, no one's gonna click that. So you need to start obscuring them and making them very believable. What I do is I phish myself, right? Like, I think about what are normal emails, what are things that I would click on. I have a horrible habit of phishing my mom, because I think that that is usually like my target audience. Well, if my mom will click on it, I bet other people will too if she's in the same demographic. But it's all in good fun. She's fine with it. User what user awareness. But think about why would you download a file?
So expanding on who I am: I used to be a privacy consultant. That's what I started in, was GDPR, and that is usually my main thing, is I love to really attack the attorneys and the lawyers. And when GDPR was popular I had a good phishing campaign pretending to be like a Danish woman who is trying to exercise her right to be forgotten, with this document about all this stuff, and attorneys are like, whoa, whoa, oh my gosh, GDPR is happening, because there was a lot of buzz about it and it was a hot topic at the time. And then they weren't suspicious at all. I just gave them a good reason about, I want to be forgotten for whatever stuff. And it's very specific. Also, a fun fact about lawyers is, with GDPR they have access to all of the data maps, so for me, extra valuable. I also was an accounting intern and I worked in the Treasury operations department, so I have a good understanding of what they'll click on, such as macro-enabled Excel files. Excel files, I'm a big believer Excel is a second best programming language, application, whatever, for any task. And the best, what the best application is, is the one that the task was actually built for, but Excel can do everything. So if I make a really good Excel file that does something very helpful, people will not question that. People will think, oh awesome, I'm so glad I have this. And then also I leveraged the fact that I grew up in California, I went to school in Florida, lived in Chicago, and now I live in Seattle. And in doing that, so attorneys, I mentioned a few different ways that I target them. With accountants, I also like sending ledger overviews, because what phishing email is a ledger overview? That's out of, usually that's just not in people's knowledge background. And for the location, it's meeting invites. I encourage all of you that are phishing to take yourself, think about it: what makes you unique? What makes you special? And target that, because you speak their language better than anyone else. no one out like people?
My co-workers that have tried to copy my legal emails and maybe just change a few words, to me, I'm like, oh, that's not how attorneys talk, blah blah blah. You just want to be real, and the best way to be real is just being real. Um, I'll skip over that just for the sake of time. I think that this is the most important slide in the talk, is how happy do you want to be and who do you want to be? I stole this from the maybe cats creators. But for me, I wanted to be a technical resource, and there was a lot of barriers getting in the way of that, right? I was a business major. There's all these different things, and the narrative that I was telling myself was, I am a business major, I am this, I am that, and that's all stuff in my head. Those are those groups that I assigned to myself and people told me. We tell ourselves stuff every day without realizing, and we ingest a hundred thousand words a day, which is equivalent to a three-hour book, like reading a three-hour book. And a lot of that information we choose to receive. So if you look at your Twitter feed, if you use Twitter, the people that you follow, the information that you receive, make it positive and make it so a way that empowers you. If you're not happy in your current role, maybe your dream role isn't attainable at this time, but start telling yourself a narrative that you are good enough for something else. For me, a big change was the first time that I called myself a red teamer, because, like, it took a lot of effort. It took a lot of repetition of having notes on my wall saying I do red team, blah blah blah. But the narrative I'd always give myself was, I am not technical, I don't have a computer science background, despite being good at it. And thinking that you can change the way, once you start thinking about yourself differently, your entire persona changes, and then what you say you're straight