Thank you. That was the nicest intro I've ever had, I think, so thank you very much. Who here is from Montreal? Yeah, you guys have an awesome city. This is day two for me in Montreal and, man, I think I've got to move here. Just amazing.

So this talk is really weird. Last year I competed in the SECTF and came in third. That was kind of my goal, top three. This year they've accepted me back again. My goal is number one, so I'm going to be shooting for that. Since that time period, over the last year, I've had exposure to different people that are in the business, both good people and bad people, that have kind of coached me and given me insights, and companies have asked me to present and talk to them as well. So this talk has evolved over the last year, and what you're going to get is the product of that. Has anybody seen this talk before? Awesome, that's great. Perfect, because just in case, I've added some more additional content, and I've tried to incorporate some of the information that really bad people have given me. So hopefully that'll make it a little more interesting for you.

So, a little bit about myself, just so you know why I should be up here talking about it. I've worked in IT forever. I've got a bunch of certs and stuff. I work in the aerospace industry, so because of the industry a big part of my time is security, pretty much all of my time. I volunteer for a local search and rescue team, and my focus in that team is as a tracker. So why is that relevant here? Because for OSINT, open-source intelligence, it's very similar to tracking.
I've also created a nonprofit called Trace Labs, so if you want to check that out, please do. If you have any interest in OSINT and you want to do good for your community, let me know; I'm looking for people that can help out there. I'm trying to bridge that gap between the traditional search and rescue that are out in the bushes typically (that's what I do, I'm looking for footprints and sign) and bringing that to the modern age, where I'm actually looking at your online presence and then locating you that way. So it's really interesting for me. This whole thing has evolved and taken off over the last year for me, which is pretty exciting.

As we go through the presentation, if there's stuff you like or stuff you don't like, let me know. Twitter's probably the best way. Just say, "Hey Rob, this slide has a typo," or "Yeah, I really like this slide, you should put more content in that area in your presentation." That would be really appreciated. Thank you.

All right, so what are we going to cover today? This is basically the high level of what we're going to go through today: some definitions, some introductions, then I'm going to show you some of the techniques that I used at DEF CON, and then I'm going to talk about what bad guys do as well. And then everybody wants tools, so I'm going to go through tools a little bit, but I'm just going to tell you that tools are less important than technique. I find there's a new tool every day, so I'll show you some tools, but I think it's really just learning how to do OSINT, and then there's tons of tools out there.

All right, I have to show you this. One of my employers has asked me to do this. So I say a lot of things, and a lot of those things I disagree with even the next day, so nothing I say here today is related to any employer I've ever had or ever will have. Just have to get that out of the way.

All right, so let's get into it, this social engineering stuff. What is this thing, right?
So it's basically manipulation. How does that differ from, say, influence? Influence would be where it's in your best interest. I might be working with you and saying, "Hey, you know, what if you took this course? Maybe you could get a career advancement or something like that." I'm kind of looking out for your best interest, whereas with manipulation, it's usually I'm going to coerce you to do something or say something that's going to get you in trouble. So that's what it's all about. There's a fine line there. I find that when I talk to people, after they learn that I'm into social engineering, immediately they don't want to talk to me because they think I'm going to manipulate them. But that's not always true; sometimes I'm influencing. So when we go to the party tonight, don't all take off. I'm not trying to trick you. Okay? All right.

Okay, so what are some examples of social engineering? We have what I call the golden oldies. They're still around today. Impersonation: we have both the physical and the virtual impersonation. So, you know, you put on your overalls with the recycling or garbage or whatever the vendor is, and you walk into the building like you're supposed to be there. And then, also more popular now, is the virtual impersonation, where you're pretending to be somebody else. Tailgating is still a problem, right? We still have people that just kind of walk in behind someone else. The trick now is, if you're a lady, you can put some padding in your belly and pretend you're pregnant, right? Or you can carry the big stack of pizzas or donuts, right? Nobody wants to stop you if you're carrying donuts. So that's still a problem. Shoulder surfing is less of a problem now, but, you know, you still see it on the bus, at the airport.
It's great. I always look because I want to kind of see how much I can see. Screen protectors are great, but not all of us use those. Dumpster diving is a little better now. We shred most of our stuff, so that's a little better. So of the four, that's probably the one that's improved the most, but they're all still relevant, right?

Some more current attacks. So these are the ones we see more today: the email attack, the phishing, right, one of my personal favorites; vishing, right, that's where they're phoning you; and then the smishing, that's the SMS attack; and the redirect, where I'll try to misguide you and put you into a cred harvesting area, right? And what's really effective now is attackers will use these in combination, especially if they're going to be targeting a whale or your executive, right? So it's very effective if you can do them all together within a short period of time.

And then we get into more current stuff, right? What's happening next. So this list keeps growing and it's really a busy slide; every day there's something new. Social media impersonation, fake accounts. So you're in the lineup to rent your car, it's taking forever, you're getting pissed off, so you send a tweet to the company, like, "This is terrible," and you get a tweet back and it says, "Hey, I'm sorry about your experience. Click this link and we'll give you a free credit," right? And it's not actually them. It's just somebody who's created an account that looks like them. So that works really well. Social engineering as a service, right? We all want scalability, so, you know, the bad guys do too. So everybody's doing this now. You can get denial of service attacks, whatever you want, as a service now. It's super easy; it takes you five minutes. Virtual kidnapping, another one which has multiple benefits, right?
So if I can get your account, I can ransom it back to you. I can do bad things with your account to make you want to pay. I can engage your friends, right, and do a lot of wonderful things there. Whaling, your executives. So the staff run rose; we saw that a little bit in the news. Executives hold the keys to the castle, right? So they're really going to be my target a lot of times. They have control over the money, they have authority, so they can get other people to do stuff. So if you're not training your executives, that's probably something you want to look at.

Pseudo-ransomware hybrid attack. So this is one we see more and more from sophisticated threat actors, especially nation states and stuff. So they know you have limited resources, especially in your infosec groups, and they know that you're probably understaffed even, right? So if they can distract you and get you working on this stuff over here, they know they can then come over here and do stuff, and you may not notice, or you're definitely going to have less staff left to deal with it anyway.

Professional network solicitation. Again, this is growing, becoming more popular. If you get a solicitation from a very attractive young lady saying that she thinks you're amazing and you have great knowledge and you should come to this conference, it might be fake. Just saying. It could go the other way too, sorry; that's the example that I've seen. So SME conference invite, espionage baiting. So we see this a little bit: come to our conference. The fake headhunters, the Thousand Talents Program, that's very popular. You can Google that guy. Sock puppets. So we're seeing that more and more, right? So anytime you want to influence, a lot of fake news out there. So this we see more and more, and this is really where we see it going. And it's not new; a lot of companies and governments do this more now, and now there's large employment in this area as well. I think in Canada...
We don't really see much of it, but there is a huge effort in this area.

All right, so the origin story of social engineering. It's been around forever. It's not a new thing. The people who built the pyramids, I'm pretty sure they were really good at social engineering. If you want to get a crash course in social engineering, you can just walk onto a used car lot and engage with the people there. It's wonderful. I love doing that. Get a big coffee and just go on there and let them go to work, and it's a wonderful experience.

All right, so the trend. Why do we care, right? We know where it came from; it's been around for a while. But why do we care about this sort of stuff? So it's growing. And if it was a stock (I always like to relate stuff to stock, right?), it would be a super hot stock from the growth rate of that, right? This is from the 2017 Verizon report. And so, yeah, you can compare it to some other things, right? What they call hacking (I forget the definition that they put into that), but that's the stock recommended by your friend that is never a good idea. So that's why we care, just because it's used as a precursor to almost all the attacks, right? Either OSINT or social engineering of some type. Historically, we've never really cared about it very much. For those of you that have done your CISSP, you're very familiar with this model, right? Very focused on the technical levels, right? And I think it's time we started to look at the people as an additional level of this thing. Why would I spend time trying to hack a firewall or do anything technical when I can call one of your employees, ask for the password, and then they will give it to me, right? Five minutes. So it's super easy, low cost, so it's the first thing we go to.

All right, so this is the Kevin Mitnick quote.
I've had great debates with people about this, and I'm not saying... People are very easy to trick, generally, right? It's not because they're not smart or anything bad like that. It's just that, you know, you're super busy. We had a couple of presenters up here earlier that were talking about that: you get hundreds if not thousands of emails. So that's part of the problem. So this is not necessarily negative, but it does seem to be reality. Does anybody disagree that social engineering is a really big concern, that anybody could be tricked? Somebody has to disagree. Otherwise, I can't do the demo. All right. Thank you. Thank you, sir. That's exactly what I was looking for. Yeah, thank you.

All right. So this is the interactive part of the presentation, and I hate this part. I hate it because it's a lose-lose situation for me. If I trick you, you're going to hate me; if I don't trick you, I'm a fraud. So I lose both ways, but it is kind of fun. Okay, so let's do this really quick social engineering demo, and for the sake of the demo, let's pretend we're one big company. Okay, everybody in this room right now, we've all just signed up for this startup. We're really excited about it. I'm the one infosec guy, right, because that ratio is about right, right? And so I've got to write some policies about stuff that you shouldn't do, right? So I'm going to say no to everything that you want to do. The first thing we're going to do is something that's visible. Let's do hand flipping. Okay, I was going to do dancing, but I don't think we want to go there yet because we haven't had enough beers. So let's say hand flipping. I'm going to write a policy, because everybody reads my policies, right? No hand flipping allowed.
Okay, so this is where you look at your neighbor and you place bets if you want. So don't flip your hands, everybody clear? So put your hands out like a zombie so everybody can see your hands, please. All right, everybody, let's start with our palms up. All right. That's the demo. So I'm sorry. I'm sorry. Typically I get half the room. I noticed some of you didn't put your hands up, but I get half the room. So it's a stupid trick, right, ridiculous, but it kind of gives you an idea; that's the misdirection. Just a quick example. If we try hard enough, we can get most people with these sorts of tricks, right? If you want to do a phishing program at work and you need more ammunition to justify the cost, just Google it. There's tons of stuff out there. You know, executives giving away $50 million with a bank transfer. Super embarrassing day, right? Yeah.

All right, so the DEF CON SECTF. What was that all about? Really interesting. If anybody wants to do that, let me know; I'd be happy to go through it with you. I'm going to be there again this year. In general, I think the CTFs, no matter what it is, SE or whatever it is, are super valuable. I would recommend that to anybody over a course. You're going to learn a ton. So I can't say too many good things about that.

So the SECTF, it's basically two stages. The first stage is your OSINT. So you're given a target, and I'll be receiving mine for this year shortly, and there are 16 competitors, and we all look at a certain industry. Last year it was the gaming industry, so I got a company from the gaming industry, and you've got about three weeks to do your OSINT, your open-source intelligence. At the time I was terrible at it; I didn't know what I was doing, so it took me about a hundred hours. So that's evenings and weekends and any moment I could spare, I was doing OSINT. And you have 29 flags that you try to collect. They're fairly benign things, like what kind of VPN do you use, how long have you worked for the company?
What kind of browser do you have, stuff like that. Not too bad, right? And then you collect that, you do your report, you hand it in, and you get points. And then you go to Vegas and you go into a glass booth, and you have a couple hundred people watching you, and you've got 20 minutes to perform. And you're going for the same flags, but you can go through multiple people on the phone, and the winner is the person with the most flags, the most points. So you basically have that kind of recon and then the attack phase, much like what an attacker would do. And these are real companies, which makes it a lot of fun.

So these are the flags. You probably can't read that, but it's pretty straightforward stuff. Do you have a cafeteria? What's your VPN? Janitorial. Janitorial is great if you want to do physical pen testing later. What's your OS? How long have you worked there? So pretty normal stuff, right? Like if this got in the wild, you wouldn't worry about it too much. But these are the ones that you probably would worry about. You know, I see this all the time with companies. I love looking at job postings; all the technologies are listed there. They may even talk about, if it's an infosec job, their response capabilities, what kind of assets they have. It's fantastic, right? I want to take all your assets and resources in an area over here, distract you, and then attack over here. That's great to know, that information. What's your patch level? So that actually is pretty good. So if I'm going to give you an exploit, I kind of want to know what your patch level is and what kind of protection you're going to have there. Delivery methods. So again, am I going to phish you? What's that going to look like? Am I going to drop some USB keys in your elevator, right? That's nice to be announced. So some companies, they'll lock the USB, so that's not a viable attack method. Exploitation: what kind of antivirus do you have, right?
Is it behavior-based or signature-based? That's really nice to know. On your perimeter, what does that look like? All these things are usually advertised and not hard to find. Alerting: what's your SIEM? Does anybody look at your logs, right? So that's a really nice thing to know. What are your hours of operation? So this is great for doing your recon stage, because I'll dial into your PBX and hopefully nobody will answer your phone, and then I'll get a bunch of information from your recordings and stuff like that. Machine naming. So that's quite often advertised and very easy to get as well, and that'll help me locate key resources. Hours of operation, I did that. Location of your assets, and your DR as well, right? So quite often the DRP is public or readily available. So that's really nice to know, how you will respond to these things. So if I shut off your HVAC, if I shut off your generator or something like that (and a lot of people's generators out in the parking lot are actually pretty easy to access; I can just plug into it and turn that off), people freak out. That's a good distraction. So all those things are very nice to find, and it's usually out there, easy to see.

All right, so on the OSINT side, let's talk about that for a minute. The first thing I want to do is acquire my target and start going through that methodically, step by step. I'll look at the physical first. So where are you located? You know, the country is important, your building locations. Google Street View is awesome. It's a slice in time, but quite often I can learn so much from that, right? Egress points, you know, what does your roof look like? Do you have a lot of HVAC on the roof? Do you have entry points, loading docks? What does all that look like? Points of entry. Who does your parking, right?
So I can call your employees and say I'm from that particular parking company. That works really well. Then I'm moving into the technical, and quite often this is really nice, and there's a lot of great information there. Who's registered your website? I'll get contact information there almost always. IP addresses, so I want your block of IPs, what that looks like. And then corporate: a lot of registration information will have a lot of people that are less technical that I can reach out to, your lawyers, your HR, finance people. Property management is really good and often overlooked, so I can call your property management company and pretend I'm you or a representative from your company, and they will typically give me a ton of stuff.

And then we get into your staff, and this is where it just explodes as far as information. You just go to LinkedIn; that's your first kind of go-to stop, and it's wonderful because it's all packaged up really nicely, right? And you can get 90% of your stuff on the staff right there. It will try to make you pay as you go through and start using it; that's their model, but you can use certain tools to get around that. Recruit'em's LinkedIn X-ray was one of the tools I used, but there's a whole bunch of tools out there that will help you do that. Now some of them are automated, so you can just scrape it and pull it all down. I tend not to automate too much, just because I find it's more effective for me to do a little bit more manually.

So then once you're going through the people, you've got a collection of people, you'll find that, you know, it's the 80-20 rule. There are going to be some social butterflies out there that post a ton of stuff, and those are really the targets you want to go for. You can spend huge amounts of time chasing down everybody, but you really want to refine your search and get those people that are just going to give you a lot of information. And even sometimes their friends, even if they're not working for the company, they will be taking pictures and talking about their friend who works for the company. So focus on that.

And then for detection. So when I did this, I was so bad. I went on LinkedIn and I was looking at all these people, and you know when you look at someone's LinkedIn, they then will sometimes look at yours because they wonder, like, who is this person? Why is this person looking at my stuff? So they look at your stuff. When you do that to about a thousand people that all work for the same company, and then you realize they're all turning around looking at you, it becomes a little nerve-racking. So that's what I did, and that was a big mistake. So you want to be careful with that. Set up your platform appropriately so that they're not going to be taking a bunch of information from you as well, right? There's a bunch of options out there. Buscador by Michael Bazzell, I've tried that. I'm actually not a big fan of that, but I think you might want to just try it out. It's a Linux distro that's specifically designed for OSINT. I'm a big Michael Bazzell fan: great podcast, great books, great website, great tools on his website. I highly recommend that. It's a great starting point. I kind of lean more towards a Kali Linux platform running on VirtualBox or VMware, so you can then archive that for evidence. Set up a VPN as well. Do all those things. I mean, you're probably already doing this as well, but when I did it, I didn't do any of that.
It was a bit embarrassing. All right, so some preparations. I'm developing a course for first responders, and part of it is for search and rescue, and part of it is going to be for them retaining evidence. And if you're working for a company, you probably want to retain evidence as well. Hunchly is a great product. There are other products out there as well, though, but you want to think, when you start doing this, how are you collecting data? Even for a CTF you're going to have the same problem, right? You're going after certain flags. You don't want to spend time learning all about the company, all aspects of it. You really want to refine your search, because you can go down a bunch of different rabbit holes, and that's kind of what I did. What's important? If you're running a report for your executive, you know, what are they going to care about? So summarizing all that data. And then how are you staying undetected? Like I did not.

All right, so as I was developing preparation for DEF CON, part of that was my pretext development, and pretext is basically your lie. So you have a mark and you're going to tell them a lie, and you have to develop that so that it's believable. And your receptionists, I find, are some of the best people to talk to about this, because they're generally very good at quickly analyzing somebody and figuring out if they're legit or not. And so I spent a lot of time with our receptionists, and they're awesome. You should invest in your receptionists as well, right? So not only are they kind of the physical firewall to your building quite often, but they're getting all those calls from people like me as well. And typically they don't get a lot of user awareness training, but I think we definitely have an opportunity there to invest. So they've been super helpful.

Then once I've got a list of people for your company, I'm going to take a look at, okay, who are going to be my actual marks?
So whether it be at DEF CON or a real attacker, I need to have a shorter list of people, and typically that's going to be on LinkedIn. I'm going to look at their connection scores, and I'm going to look at the ones that have, say, less than a hundred, because they're not well connected, not only with your organization but in general in the industry. So those are usually going to be people that are fairly new to the industry, which is good because they're not going to know a lot of people; they're not going to know what's inappropriate necessarily. And I'm also going to look for people that take a lot of selfies, that share a lot of information. Hopefully that information is inappropriate. So if they have a picture of their VPN configuration, perfect, that's who I'm looking for. That's actually a true story. I found that person, and they gave me tons of stuff. So basically I'm looking for high charisma, low wisdom scores, and strangely enough that translates into interns and contractors. And I think that mostly that's because they're fairly new to the organization typically and new to the industry, just out of school sometimes, and they're not as invested. So from a contractual standpoint, if they're contractors, they're coming to you typically for a six-month job, and then they're going to another company and another company. So they're doing some self-promotion. They're not as invested. So that's typically how it works for me. So I'll automatically now look at the interns and the contractors right away.

All right, some of the techniques, and this is mostly psychology. I want to develop rapport with you. I want to get you talking to me, and I want you to feel comfortable. So I will do some things like the confirmation. "So how do you like your new Dell laptops?" And in your mind...
You're thinking, "Well, we do use Dell laptops," and you may not even consciously think about this, but your response, if you're having problems, is going to be, "Ah, yeah, they're terrible, the USB ports don't work," or something like that. But it's kind of like we've skipped a whole stage in the conversation, which is exactly what I want, right? All of a sudden now we're talking, we're going back and forth. Or, if I can stand it for my ego, I might do the reverse confirmation, where I'll let you correct me, and people typically like to correct others. So I'll say, "Oh, how do you like your Toshibas?" You're like, "No, we don't use Toshibas, we use Dells." "Oh, sorry. Sorry. Yeah, I got that mixed up." So that's often quite nice to do as well.

Name-dropping. So this is pretty typical. "Oh, yeah, your VP, Mr. or Mrs. So-and-so, said I should talk to you." That works quite well. I've used that. Blowing smoke: "You were recommended to us," right? So to make you feel good. Real attackers don't do this very much unless it's a very targeted attack, but at DEF CON this works great. Anytime you make somebody feel good, that's usually going to be quite effective. Salespeople use this, right? So typically I talk about attackers, salespeople, and then DEF CON CTF people; those are kind of the three main groups. Impending doom. I've used this one; this works actually quite well. So something big is about to happen, and there's no choice there. It's going to happen, that event is going to occur, but I'm here to help you get through it. "So hey, Larry's going to be on site tomorrow. We won the RFP for your HVAC, and I'm just calling to get that set up. Is there anything that he needs to know before he gets on site? Is there a card he needs, or some ID? Can he use your Wi-Fi when he's there? How about the bathroom? Do you have a cafeteria where he could eat lunch?"
So I'm just going to start going through that, and that's very effective. Allowed to vent. Real attackers don't use this too much. You know, if you can relate to them and they can start to unload on you, you can be their therapist a little bit; that can be effective. Smarty pants. Very effective, you know, if you can say, "How did you ever figure this out? This is my first day, my boss is yelling at me, can you help me?" That's sympathy. Greed. So greed is something that real attackers use a lot, and you've seen this in the phishing attempts that you've gotten. You know, it's often time-sensitive. It's zero-sum, so the first three people to reply win a trip to wherever, right, or a cruise. The cruise is a popular one, right, on your phone. So that's very popular. We did a phishing program where I work, and the time-sensitive one was the most effective. So I like that. Sympathy. We're designed to care about people, which is a good thing, right? But attackers utilize that as well. So, you know, "I'm brand new to the organization. My boss is yelling at me. I think I'm going to get fired if I don't get this done. Can you please help me?" Like, who wouldn't, right? You'd be pretty cold to ignore that.

So then my pretexts for phishing. I basically got three different styles of pretext personally; there's a ton of them out there. The entry method one is the first one. So a company that's kind of set up to defend against this will have their ingress points kind of designed to filter some of that. So I want to get past reception, and these are designed to do that.
So once I've done my OSINT, I know you have interns, you have certain people that work there from different schools. I can call from the school, spoof the school number, and say, "Hey, I'm calling to talk to so-and-so. I just want to talk to them about their intern experience and see if they can give us feedback on how we can improve that going forward," to get past reception. Nine out of ten receptionists, they buy into that. So that was pretty good. Industry knowledge: if you have any industry knowledge, whatever that is, right? For me it's data centers and stuff like that. That's what I'll focus on, so I'll talk about things like HVAC, because I sound, you know, like I'm knowledgeable in that area. So that tends to work. Targeted methods, and Mitnick was great at this, right? If you listen to some of his or read some of his books, he likes to layer things, and this is very effective, where you're calling one person and you're getting a bit of information, then you're calling somebody else, getting a little bit more, and then finally calling somebody else and getting that final piece. But you're building that house of knowledge, right, from those little bits of information. Each one seems relatively unimportant, right, but allows you to get to the next step. So the enemy of my enemy: calling the property management as if you're a potential tenant, or another one of the tenants as if you're a potential tenant, just asking them about, you know, "So what's it like there? What's the building like? Are you having any problems? What's building management like? Are they good? Are they responsive? Have you even had any problems with the sprinkler systems or the building alarm? Who do you use for security?"
"Are they any good?" So people are typically responsive to that. Special delivery: any time you can copy a scripted response, which is typically quite easy to do, right? So the FedEx one that I used at DEF CON was that they had a parcel that had some border taxes, and I asked them, "Would you like to pay for that on delivery, or just pay for that right now? I can put it on your FedEx account right now if you'd like to do that." And she gave me the FedEx account right away, and they beeped that out because I didn't actually want that, but just to confirm that they use FedEx. But anytime you can copy a script, because that's all people are listening to is the script, which is very familiar to most of us. Can I tell you a secret? Everybody likes secrets, right? "I've got a group of people that we're going to lay off, and they've asked me to call you and find out about your company and your benefits, and I can send you their resumes." So I'd call a recruiter and do that, and the recruiter usually has a fiscal benefit in helping me, because if they bring somebody on, they get a bonus for that. So they're very motivated to talk to me to see these high-potential resumes. So if you can locate somebody who's going to get a bonus to talk to you, that's even better, because that's what they're thinking about.

And these are the full dump methods, and typically you wouldn't think these would work very well, but if you get people on a roll, they actually do. And at DEF CON this is great, because you only have 20 minutes to deliver a whole bunch of stuff, so if you can do this and just blow through a bunch of questions, it works great. You're a lucky winner. I didn't do that. This is used all the time by real attackers; we're all very used to it. You're never the lucky winner. The upgrade opportunity, I like this one, because, you know, some of us have different equipment, different vendors, and nobody tells you when the vendor changes quite often, right?
You just get some out-of-the-blue call. It's like, "Yeah, hi, I'm your new supplier, your new account rep." It's like, "Oh, okay." So I was gonna do that. I never did it, but I like that one. I might do it this year.

The employee engagement survey. We all like to give feedback, and I find the engagement survey is great. I use this one; it worked really well. "Hey, so-and-so," and it's all combining a few different techniques, "so-and-so, your VP of HR told me to phone you and said that, you know, you would be really helpful for this exercise. I'd like to get your feedback on the employee engagement and how we can make a survey to help promote that. I've just got a few questions for you, if you have two minutes." It's always two minutes, right? Actually I want 20, but it's always two minutes, and then I just go back through all the questions.

There's some discussion around, if you get caught as a social engineer, what you should do, and they say that, you know, you never get out of character. Even when they're putting the cuffs on you, you just stay in character. I don't want to go to jail, so I'm not gonna follow that advice. So what I was prepared to do was, if they catch me and say, "Well, I'm not really believing what you're selling here," I would immediately, because I want people to feel good, I don't want to be victimizing people, I would say, "Hey, congratulations. That's awesome.
You caught me. So, you know, because I was hired by your company to do this test and see, you know, if you would fall for these tricks, and congratulations. Can I get your name? Because I want to tell your VP of whatever that you did a great job. Yeah, so thank you very much, and just to baseline these questions, can I just go through these questions with you real quick, just to make sure I got the right answers?" And I was just dying to do that. So maybe this year.

So the spirit of DEF CON is to not victimize. I mean, you're targeting a real company, but you don't want to hang up on somebody and make them feel trapped, right? Or make them feel as though they just gave away everything. So that's what I'm trying to do there.

All right, so that's a lot of information. Just a real quick reflective moment, some questions for you. You don't have to answer these out loud, but just something to think about.

Would you know if somebody in your company had been socially engineered, especially your executive? Would they come to you and say, "You know what? I just wire transferred 50 million dollars"? So that would be bad.

Does your insurance cover that? That would be something interesting to take a look at. I haven't seen in the news any... it's probably not advertised very much, but I'd love to see insurance companies respond to that, right? That would be interesting. If any of you have information on that, I'd love to talk to you about it.

Do your internal resources have the capabilities to respond to this sort of an attack, right? That's another thing. We do a lot of technical training, but how much SE training have you had, right? SANS has a new OSINT course that just came out, so if anybody's taken that, I'd love to talk to you about that.

And then who's ultimately gonna get fired, right? Unfortunately that has been the response by a lot of big companies, is, you know, they let somebody go. Like, "Okay, we fixed the problem, so-and-so is gone.
They did a crappy job." Well, you know, that's not a good response to this, right? I don't think that's a good way to go about things. But ultimately that's sometimes what happens, and if we've covered ourselves as infosec professionals, right, and shown that, look, we did the user awareness training, we did these different things, the chance of us getting fired is less likely. So I think preparing for this sort of attack, as far as, you know, ensuring you have a good career that's not prematurely ended, I think it's a good idea. It's unfortunate, but that's the risk some of us face.

All right, some recommendations. OSINT yourself. This is a lot of fun. I have a Google Alert for my name, so now I've discovered there's a lot of other people with my name out there, and not all of them are wonderful people. OSINT your company. Find the butterflies; those are the people you want to go talk to and say, "Hey, you know, you probably don't want to put the VPN information out there." You know, nothing wrong with some self-promotion; that's not gonna stop, they're gonna keep doing that. But I want to look at that and what's at risk, right? Is it proprietary data? Is it money?

Some phishing recommendations. Do a phishing program. A lot of people tell me, "No, I'm not gonna do that. I'm not gonna trick my users." You don't have to trick your users, right? It's more of an educational thing. You can make it fun. Reward the people that do good work, right, the ones that figured it out; make them into champions. Don't punish people, because then they will be upset. You can put [EXT] on your incoming email, so when your CEO gets an email from the CFO that's not really from him or her, it's gonna say [EXT], and that's gonna be a tip that, "Oh, I see, that's actually not from that person." You can stop allowing active links, although nobody's gonna do that. And provide other channels; email's terrible, right?
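The [EXT] tagging recommendation above, as an added example that is not part of the talk: a small Python routine of the kind a mail gateway rule would run. It prepends [EXT] to the Subject of anything arriving from outside the organisation's own domains, and additionally flags the pattern the speaker describes, a known executive's name used as the display name on an external address. The domains (example.com), the protected names, the X- header names and the sample messages are all constructed for the demonstration; a real deployment would do this in the mail platform's transport rules or a milter rather than in a standalone script.

```python
"""Inbound-mail [EXT] tagging with a display-name impersonation check.

Added example, not from the talk. Assumes a mail gateway hands each inbound
message over as raw RFC 5322 text, and that the organisation's own domains and
the names of people worth protecting (executives, finance) are configured.
example.com, the names and the sample messages below are constructed.
"""
from email import policy
from email.parser import Parser
from email.utils import parseaddr

EXT_TAG = "[EXT]"

# Constructed configuration: our own domains and the insiders most often
# impersonated in wire-transfer pretexts.
INTERNAL_DOMAINS = {"example.com", "mail.example.com"}
PROTECTED_NAMES = {"jane doe", "john roe"}


def address_domain(header_value) -> str:
    """Lower-cased domain of the first address in a header ('' if none)."""
    _display, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def is_external(msg, internal_domains=INTERNAL_DOMAINS) -> bool:
    """External if From, or Reply-To when present, is not one of ours.
    Reply-To is checked because that is where the victim's reply actually goes."""
    domains = {address_domain(msg.get("From"))}
    if msg.get("Reply-To"):
        domains.add(address_domain(msg.get("Reply-To")))
    return any(d not in internal_domains for d in domains)


def looks_like_impersonation(msg, internal_domains=INTERNAL_DOMAINS,
                             protected=PROTECTED_NAMES) -> bool:
    """True when the display name matches a protected insider but the address
    is external: the 'CFO asks for a wire transfer' pattern from the talk."""
    display, _addr = parseaddr(str(msg.get("From") or ""))
    norm = " ".join(display.lower().split())
    return address_domain(msg.get("From")) not in internal_domains and any(
        name in norm for name in protected)


def tag_external(raw: str, internal_domains=INTERNAL_DOMAINS,
                 protected=PROTECTED_NAMES) -> str:
    """Return the message with [EXT] prepended to the Subject when it came from
    outside, plus X- headers a mail client can key a warning banner off."""
    msg = Parser(policy=policy.default).parsestr(raw)
    if not is_external(msg, internal_domains):
        return msg.as_string()
    subject = str(msg.get("Subject") or "")
    if not subject.startswith(EXT_TAG):          # idempotent on re-delivery
        del msg["Subject"]
        msg["Subject"] = f"{EXT_TAG} {subject}".rstrip()
    del msg["X-External-Sender"]                 # del is a no-op if absent
    msg["X-External-Sender"] = "yes"
    if looks_like_impersonation(msg, internal_domains, protected):
        del msg["X-Possible-Impersonation"]
        msg["X-Possible-Impersonation"] = "display name matches an insider"
    return msg.as_string()


def subject_of(raw: str) -> str:
    """Helper: the Subject of a raw message (used to check results)."""
    return str(Parser(policy=policy.default).parsestr(raw).get("Subject") or "")


# Constructed sample: a lookalike domain with the CFO's name as display name.
SPOOFED = """\
From: "Jane Doe (CFO)" <jane.doe@example-payroll.net>
To: ceo@example.com
Subject: Urgent wire transfer
Content-Type: text/plain

Please process the attached invoice today, I'm in meetings all afternoon.
"""

# Constructed sample: internal From, but replies are steered outside.
REPLY_TO_TRICK = """\
From: Jane Doe <jane.doe@example.com>
Reply-To: jane.doe@example-payroll.net
To: ceo@example.com
Subject: Quick question
Content-Type: text/plain

Can you confirm the supplier bank details for me?
"""

# Constructed sample: a genuine internal message.
INTERNAL = """\
From: Jane Doe <jane.doe@example.com>
To: ceo@example.com
Subject: Board deck
Content-Type: text/plain

Draft attached.
"""

if __name__ == "__main__":
    for sample in (SPOOFED, REPLY_TO_TRICK, INTERNAL):
        print(tag_external(sample))
```

The tag is applied only once, so a message that bounces through the gateway twice does not end up as "[EXT] [EXT] ...", and Reply-To is treated as an external indicator because the user's reply, not the From line, is what the attacker is after.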
So we all get so much email. Use different tools: Slack, Twitter, blogs. Phish your executive? Be very careful with that. They don't have the sense of humor that we do, so be very careful there.

Invest in your receptionists. You know, I find that these people are wonderful people, very patient. Their job is actually usually quite challenging.

PBX. I love your PBXs, because I can dial into your PBXs and dial by name and get all your information. I can get your DIDs, I can get, you know, your voicemail. You know, you may want to remove dial-by-name; most of us still have that. I find I give DIDs only to externally facing people. A lot of companies give DIDs, direct inward dial, to everybody. You don't all need that; some of that can go through reception. You can have an extension.

Stop answering your phone. I got in trouble for saying that; a bunch of managers looked at me really bad when I said this the first time. And it's like, so of course if it's your boss, answer your phone, but typically someone's phoning you because they want something. And so I love voicemail. My voicemail goes to my email. I listen to it and delete it.

Get on the offensive. So we always talk about how we can't scale and how the attackers only have to be lucky once. So, you know, by developing a culture where we're looking at this and we're having fun with it, and, you know, start giving out Starbucks cards, right? "You did a great job, here's a Starbucks card." Take a picture of them, put it on your intranet, and start, you know, instead of just saying no all the time, we can say yes, right? We can say, "Yes, this person did a fantastic job, and here's a Starbucks card." Develop that cultural change of proud protectionism, and, you know, some companies do this better than others, but when the people are proud to work for that organization, they're more likely to not let that person through the door with the pizzas that doesn't have the card to get through. Create champions as well, right?
So when people are doing a good job, you know, make sure they're recognized.

This is a cheat sheet. You know, I'm not gonna go through all of these things, but from all the bad people I've talked to and the actual intrusions that I've seen, these are the things that will help some of your problems go away, will make you a tougher target. We talk about things like patching; people are like, "No, I can't patch, it's gonna break stuff." Yes, it will. You still need to patch, right? Develop a system where, you know, if it's an important system, I have to patch this one and then patch this one. Do things like that. 2FA: there's been lots of activity this year on OWA. If you don't have 2FA on your webmail, that's a fantastic opportunity for people; I've seen a lot of that this year. Assume I'm already on the inside as well, because I probably am. So if you're not actively threat hunting and you haven't found me yet, I guarantee you there's bad stuff on your network. I haven't seen one where there's not, really, so it's just levels of bad, right?

All right, so everybody likes tools. These tools are not gonna, you know, make you an expert at all in this. These are pretty much just, you know, high-level tools. There's a new tool every day, but these are some of the ones you can start with. It's really about technique and what your target is, right? So if you only have an email address for your target, your tool set's going to be different, your technique's going to be different. I love looking at things like IoT, any sort of systems: their fences, electronic fences, their ID cards, their HVAC systems. It's all usually plugged into the internet, and usually they've forgotten how that's working.

Some technical tools. WiGLE.net is interesting.
You can get their Wi-Fi SSID usually from that. Some of these are just better than others. There's a bunch there; you can collect pretty much everything they've got with these tools here, as far as, you know, who their technical people are, their contact information. I had executive cell phones, executive addresses, home addresses, their pet names, you know, where they went to the gym. Everything, it's all there.

Corporate indeed.com: fantastic. Your job descriptions are amazing. I know about all your technologies, all your infrastructure, from your job descriptions. You probably don't need to do that.

Pastebin is great to do a keyword search on the company. Do a keyword search on your company; if you find stuff in Pastebin, that's probably not gonna be good.

Security guards, those are really good opportunities. And yeah, so on the staff, we went through some of this already. Recruitment, or actually, what's that tool, Recruitment Geek? That URL, that'll have the tool there that you can use. SlideShare is fantastic. For some reason people like to put reference letters there, so that's where you can get a lot of executive home addresses and weird stuff like that, which is fantastic.

In Canada, I never knew this, a really bad person showed me this, that you can get criminal records. So a lot of people come to me now and they're like, "Hey Rob, I'm renting out my place to this person. Can you just check them out for me?" So I'll tell them, like, if they have a criminal record, what their assets are; all that stuff is pretty easy to do. And then personal websites. We're all doing self-promotion and that's not gonna stop, so there's tons of information on there.

All right, some resources. These are some of the typical go-to ones that I recommend. In the US, Michael Bazzell; IntelTechniques is a website you can go to if you want to do some quick OSINT. He's got a bunch of tools there. That's probably the first stop.
He's got a great podcast. He's more into the privacy side now. Great books. A great resource on the West Coast, where I am: Toddington is kind of the go-to for training. He trains all the agencies. Social-Engineer, of course. He runs the SE Village. He's got books, podcasts, you name it, he's got it. And then if you're into kind of the psychology of the whole thing, Robert Cialdini is a great resource too. So lots of stuff on YouTube. You don't have to go out and spend money. Just Google him and you'll find a lot of great stuff.

Yeah, so there's a bunch of other stuff in there. There are Twitter accounts where you can get tools and stuff like that. So if you want more resources, just let me know and I'll send you what I've got.

All right, that's it. Thank you.