Thank you guys very much, and thank you for coming. So with that said, I'm going to just jump into the top. So the talk we're going to do today is "Yellow Means Proceed with Caution", right? This is about practical de-escalation. So, and that's what we call foreshadowing.

So practical de-escalation: this is really just going to cover when you're in an interpersonal communication situation. When you're interacting with someone else, there's phases, right? There's different phases of communication, and not talking to them, you are talking to them, those kind of things. Things can go from good to bad very quickly, and this talk is going to be about managing and moving through that scale, and preferably a big focus on de-escalating from when it gets too far to the right on that scale and starts to become an ineffective communication situation, right?

So my name is Noah Badome. Like I said, I'm a penetration tester at NCC. I'm a former Marine and I love really terrible coffee. So I actually like Starbucks. That's a problem.

Before you get going, I want to talk about this. I use the slide in every single presentation I do because this describes me very closely. In this talk specifically, this means something better because this doesn't apply, right? So in life, I'm a big fan of the direct approach, but in communication the direct approach will often alienate you. So you're, your person you're talking to in an offensive or defensive manner can really, like, be counterproductive to effective communication, right? Talking and actually, like, taking the time to understand what someone else is saying, to communicate as questions, really part of the process of getting to know them rather than just pushing that end goal, will cause much more effective communication in the long term. So even though this is really, really cool.
This is not for the content we're gonna be talking about. So that's just my little disclaimer there. And my other disclaimer, basically, like, this stuff, these techniques I'm talking about, are really effective, and I use them a lot and they do really well. But you have to practice them. You have to be conscious about when you use them, right? And don't do anything illegal or stupid that's gonna get you hurt, because you can't blame me.

All right, so about this talk: we're gonna talk about moving through a scale of social interaction, right? So whenever I interact with anybody, basically at all, any social interaction, I go through a scale, right? And the scale starts at green, goes to black. So green, yellow, red, black. And as I'm talking, I'm trying to evaluate where along that scale I'm at and where along the scale I want to be, right? So we're gonna talk about, use that scale as kind of our object of how we move through those communication phases, and then how we de-escalate the situation to stay in the optimal phases without spending too much time in the suboptimal phases, and so that we can keep this whole conversation thing that we're going to be interacting with comfortable for both people, right? And I'll talk about that more down the road.

So this applies to social engineering as opposed to just interpersonal communication in general, and I pull a lot from principles used for crisis negotiation, those kind of things, right? So even if you're not an SE, this can be applicable in almost any social situation you could be in where you're communicating with another individual, right? We're gonna talk a lot about active listening, those kind of things. So let's get right in.

This is just a caveat. So it's gonna sound kind of like Cooper's colors, but it's not about situational awareness, which Cooper's colors is, a situational awareness color scale. This is about the status of a social interaction. So even though it's a similar color scale.
It's not the same thing. Just didn't want to offend Mr. Cooper.

So, all right, we're gonna talk about the scale, we're gonna talk about the principles that I use, we're gonna talk about maintaining yellow, which is basically, at most times, the most optimal phase to be in. We're gonna talk about the red line, which is that definition between moving from yellow to red, and then we're gonna talk about doing damage control or de-escalation when things get a little too hot, right?

So the scale, right? So the scale goes from green. This is at the point where you're not interacting with your target in, like, a meaningful way yet. This is, like, what you're doing when you're trying to tailgate. This is when you're just walking down a hallway, you glance at someone, wave hi, or those things, right? This is not actively engaged. Yellow is actively engaged. So at this point we're communicating and processing data or having a conversation. Red is when a person now is trying to actively disengage or trying to aggress into a point where the conversation and communication is no longer effective on both sides. And then black is when we've entered that escalation of force: the person has hung up the phone, the person has left the interaction, run away screaming with their hands in the air, whatever they happen to do, right?

So principles, the most important principle. All right, so the green phase, right? Green phase is not actively engaged, right? This is your abating detection. That's what it's most optimal for. We're just moving along this one. We're tailgating, when we're trying to just do some recon and observe and be unnoticed. So at this point, we're basically just part of the background noise, right? We're non-threatening. This is the recon and tailgating and intrusion phase most of the time, or just when we're walking down the hall.

So transitioning from green to yellow, right? So when we're transitioning from green to yellow, this is probably one of the most pivotal points, right?
This is when you walk up and introduce yourself, when you start your phone call, when you initiate an interaction, right? And how you initiate that interaction is key to where on that scale you start, right? So if I walk up and I'm suddenly just a jerk, we're probably starting pretty close to red. But if I walk up, "Hi, I'm Noah Badome", and I don't give you any reason to be offended or defensive or afraid or anything like that, we're probably gonna slide right very easily into yellow. Now we're having an interpersonal communication. We're having an interaction, transferring data. We're talking, right? At that point I can do active listening. We actually have communication, right? And this is also optimal for if you're a social engineer. Now we're talking to someone who's not already defensive of you. We can start moving towards a relationship where we can request data, or you get passwords, where you can get information and recon. We can open the door for us, those guys, right?

So we want to be very careful when we initiate transfer from green to yellow, right? So ways we're going to do that: we're going to speak at a natural, non-aggressive pace, right? Or introduce ourselves. We're going to pause naturally, and we're going to make sure that we're maintaining some good eye contact, open body posture, level tone, matching their mood a little bit, those kind of... Talk about that a little more too.

So yellow phase, right? This is just actively interacting. I put up more than 51% of their attention because you're just the main focus, right? This is, we're, say, having a drink and talking, where I'm calling you on the phone and asking you to do something. We're discussing something, right? This is just full-on normal interaction, right?
This is where that active listening and all those things should take place.

So yellow to red: this is where we're going to start looking at those signs for things are going south, right? So essentially the things we're going to be looking at, and what it's going to be, is when people start to become defensive, when people start to become unresponsive, overly directed in the conversation. People start to be afraid of a situation or uncomfortable, so they try to take control, right? When someone's uncomfortable, they try to control over a situation. Start seeing those things, you can know that you're starting to move in a direction that is going to be ineffective communication, right? The more uncomfortable your target is, the more uncomfortable anyone in conversation is going to be, the less effective your ability to communicate, get them to hear you, and your ability to hear really what they're trying to say is going to be, right? When people are uncomfortable, we start to say stupid things and we start to not be as good at communicating. So it's negative both for the person who's trying to communicate to you and also for the person who's trying to get that information, those kind of things, right?

So a really good sign of this is waning interest, right? When it sounds like they're not very responsive or when they don't seem totally engaged in what you're doing. On the phone it could even be that they're doing something because they want to find out if you're legit, so they can hang up on you, whatever it happens to be. Those are those signs, and so say, okay, we need to think about this transition, right? We'll talk about how to counteract that literally.

All right, so the red phase. This is not an optimal phase, right? See, yellow and green can be optimal for many different reasons. Red and black are not optimal, right? I will always argue that it's easier to do things when things are peaceful and relaxed than when things are crazy, right?
So red phase is not optimal, but it looks like it's people are actively trying to disengage. Someone is actively aggressive, angry, frustrated, wants to get off the phone, threatening to call the police, those kind of things, right?

All right, and so going into black. So black is also not optimal because you're probably getting punched in the face, right? So black is active engagement in escalation of force, right? Which could include use of lethal force, which is never good. This is someone has already hung up the phone, like I said earlier, run away screaming, whatever they're doing, right? So this is game over. We never want to get here.

All right, so this is just a cheat sheet for the outcomes of these phases, right? The ideal outcomes: green is you're unnoticed, yellow is you're actively engaging, right? Red is a potential escalation to black, right? And then black is game over. It's over. No more chance for positive interaction.

So now we're moving to maintaining yellow. Yellow is probably the most effective phase for getting information, doing all the things you want to do. The reason it's yellow and not green is because it's also one of the most dangerous phases, because it can lead to escalation to yellow, or to black... red and black. So the reason yellow has a very high gain, well, it has a very high risk, because you could say something stupid and then they get mad at you. All right, they don't want to talk to you anymore.
It could be the password or whatever. So that being said, we just want to make sure that when we're going to yellow, we are proceeding with caution, being aware of the people that we're interacting with, what they're saying, what we're saying to them, right? And that we're being very conscious of how we're interacting with them, how we are being the caretaker of their comfort, which I'll talk more about later. But that's something I want you to keep in the back of your head. And that's a picture of a guy shaving with mustard. He is staying in the yellow.

All right, so the goal, right? This is the inevitable goal of any conversation when we're trying to get information, have effective communication, any of those things: to keep both people calm so we can effectively communicate, right? So we want to make sure everyone feels respected and valid, comfortable, understood, empathized with, those kind of things, right? If you make someone feel valid in a conversation, they're gonna be more willing to talk, right? So sometimes this takes longer, right? Because you have to think about what you say. You have to be cautious with how you progress through the conversation. So sometimes when I'm doing, like, SE on the phone, it could take me 30 minutes to get someone's password, because in some cases... one time I spent an hour and a half troubleshooting someone's iPhone for them, until they finally gave me their password to make it easier, but I already fixed their iPhone, right? So, like, you have to invest time in good, effective communication. You can't rush those things, right? You have to be aware that one thing you're doing is also taking care of the other person, even if it's somebody who you're gonna take data from. Sometimes it's not that far sometimes.
It's your wife and you're having an argument. Sometimes it's just someone at work. Whatever it happens to be, you are the caretaker of that person's comfort.

So techniques for being that caretaker, right? For maintaining that yellow. Okay, we're gonna do things like language mirroring. So that's a technique where a vocabulary word or something that someone else is using, you slip that into your own conversation as you're speaking back to them, or also reiterating the things they've said to you by using language that they're familiar with, right? By doing that, they become more comfortable in that conversational tone.

So the next is mood pacing, right? This is, like, if someone else is calm, you stay calm. If someone gets a little excited about something because something really cool happened, you should also get excited with them, so they feel validated, empathized with, and there's a rapport, right? So people in general are vain, right? We love mirrors, right? We, like, "Oh, I want to look at today." Even if, like, we look terrible, we will, like, figure out the best way to look the best terrible we can today, right? So, like, people love mirrors, and using that mirror is gonna make people more comfortable, right? Reflecting the positive things of somebody back at them in conversation is gonna make them more comfortable and more willing to talk while we're discussing. It's gonna make them more willing to listen to you. And that's the big thing: the more comfortable they are and the more they feel listened to, the more they're gonna be willing to listen to you.

So empowering, right? This is, like, you don't want them to feel like they're just being pushed around in a conversation. Most of the time. Sure, there are side cases. But most of the time you want to make them feel like they're an active participant in the conversation, and they have some same direction, even if that same direction is a lie, right? One thing I do a lot is I get people to give me their password by having them change
their password, because at least they got to tell me they weren't gonna give me their password, right? It's the same thing, but they feel like they're in control of that situation, right? So empowering them, making someone feel valid in a conversation, is gonna be again another technique to get them to listen to you. It's gonna keep them calm and also let you get information, data, action, interactions from them, right?

So giving versus taking. This is, like, a big thing I harp on a lot. Giving versus taking is: anytime where you can volunteer information, anytime you can ask questions and give them a chance to be, like, active in the conversation, where you can concede some ground, is gonna make them feel more comfortable, make them more willing to trust you, right?

So the golden rule. This is not that golden rule. This is: the long con is usually better, right? So it's usually better to disengage from a conversation without ever getting information, without stressing other, rather than stress somebody out, because if I can disengage from you on a good note, I can probably come back later to gather some other side information, and then use that initial rapport of conversation to build at it, maybe another target or a side goal or something else I'm doing, right? Rather than burn a conversation or burn a relationship, it's better to just exit gracefully.

Okay, so now we talked about the phases, we talked about head of that meaningful communication, we talked about keeping those communication channels open so you can request data and so that we can keep them comfortable, right? So now we're gonna talk about when things are to go bad, when things go sideways. We're started to try to back things off to a usable situation, right? Now, I'm calling that a red line.

So first, red interactions. So red interactions: your target first becomes uncooperative, right?
They might be unresponsive, they might get aggressive, upset, uncomfortable, frustrated, whatever it happens to be. It's not conducive to effective communication, right? Any couple can tell you that when you start talking and one of you starts getting pissed off, the conversation probably doesn't go very well, right? So it's good to take a step back at that point and then let things calm down and then rediscuss, right? So these are all signs that we're getting into a non-effective communication state, and now we want to back ourselves off into an effective communication state. We want to do it preferably without disengaging.

So how we're gonna do that, right? Responding to red. So we're gonna identify sources of aggravation. We're gonna, not verbally, but we're gonna mentally identify the situations and think, okay, what did I do? What situation caused this escalation into this negative, non-effective communication space? Right, then we want to start validating their frustration, their being upset, their concern with those issues we identified, right? Want to express to them, "Oh, I understand you're upset. Here's this thing", right? Start making them feel valid and start opening that channel of discussion for what upset them in the first place.

So mend fences. That's that we want to back slowly away, apologize, offer concession, right? We want to start making them feel like we obviously heard them and we're willing to start mending that issue that we caused, right? So we want to start constructing a solution, but we want to do it with them. So at this point, if we get to the point where they're now listening to us again, which we'll talk about how we're gonna get them to that point, we want to start working with them to figure out what the best solution is, right? So this is a really good opportunity for SE, because then you can start getting them to volunteer information to make the situation better, right? "Well, what would you have me do?"
"Oh, well, let's use this web portal" that you didn't know existed, or "let's do this thing" that, you know, we're aware that we could do, right? So at this point, this is a chance where we're gonna start involving them actively in the fixing of the situation, which makes them feel more validated, and then it's gonna give us an opportunity. Can you de-escalating that situation, right? So again, like I keep harping on, we are the caretaker of their comfort, right? We're responsible for keeping them comfortable in conversation.

So more techniques, right? So being a negotiator. So the longer you can keep a conversation going, redirect their aggression towards something else, keep them, you know, at a calm tone... like, you can change the discussion subject slightly, so we're talking about something they're not as mad about. The longer they maintain that calm tone, the conversation goes, the more likely they are to naturally settle, right? As long as we can keep them away from those things that were aggravating them, or we can counteract those things with solutions and concessions.

So we're gonna emphasize our relationship, right? Like, we want to make sure we draw them back to the positive aspects of the relationship we're interacting with them. One example is when we're posing as, let's say, a help desk person: "Well, I really want to just help you get the best out of your connectivity as possible. I really want to just help you fix this issue with your computer. I'm sorry I frustrated you. Can we work towards that together?" Right? These kind of things, reminding them of the positive gains of a relationship, because people are also greedy, right?
It's gonna be something that's gonna give us a lot of tools to work with, with de-escalating, right? And so all those things go into fostering a rapport, right? Building this connection back with the individual.

So empowering is kind of advanced at this point, because when we empower somebody we can also give them the option to just say no and hang up the phone, which is good, because sometimes we can give them that option knowing they're not going to take it, but it makes them feel empowered. But you have to be aware that if you give someone an option where one of those options is less beneficial, there's always a chance they're gonna take it.

All right, so this slide is a little misnamed, but this is kind of the way to get back to those interactions, right? To go from that, when we're near that dark red, black, back to that yellow, right? And so this is based on the behavioral change stairway, which is a model used by crisis negotiators, psychologists and lots of other people doing, you know, very intense connectivity, interpersonal communication work, right? So what this essentially is, is that active listening, right? Lots of studies have shown so far that active listening is one of the strongest tools you have in communicating with another person, right? When people feel like they're listened to, they're more willing to communicate, right? And so by doing that, by being an active listener, you validate that person and get them to be more willing to discuss things with you, give you data, to progress in a positive way through that relationship, right?
They recently did a study, I can't put exact where it's from, but recently did a study where they had two groups of people. One group of people just asked questions and the other group of people conversed normally. When they were asked who were the better listeners, it was the people who only asked questions, right? So that's that active listening, right? Like, really engaging and committing to making sure someone else feels heard.

So the next is empathy, right? So now, once we're engaging in active... in active listening, we want to make sure that our target understands that we know how they feel, that we are processing the data that they're giving to us and that we feel something towards that, right? So that's when someone tells you something, say, "Okay, what I'm hearing from you is that this is a situation", right? We want to kind of avoid emotional labeling, same thing, "what, it sounds like you're mad", unless they specifically use that label to describe their emotions, and then you're free to use it, right? So at this point with empathy, we're going to express to them we understand how they're feeling, and here are some things that we think about that, give them some active feedback on that information, ask more questions, really get at the root of the issues, and we can start constructing those solutions we talked about, right?

So once we have empathy, we have rapport. So empathy is that you're feeling what they're feeling, and rapport is that they understand and feel that you're feeling what they're feeling, right? So you can think of it as a two-way street, right? Empathy is your lane and rapport is their lane. Once they feel like you're empathizing with them, you're more likely to open up a level for rapport. At that point you can start exerting influence. Once you start exerting influence, you can start requesting actions, right?
So they're upset. We start talking, we're actively listening, we're discussing how they're feeling about the situation, we're redirecting them towards less frustrating things, and as that happens we start to express our empathy. That builds our rapport. Say, "Well, let's go ahead and do this thing now that will fix this issue." They're more willing to do that because they feel validated and connected to you, and feel like we actually give a crap about what is going on in this interpersonal communication, right?

So two things to be aware of while we're doing that is the OODA loop and then awareness of physical cues, right? So OODA loop is observe, orient, decide, and act. Okay, so the OODA loop is a technique that fighter pilots use to control their response times to dogfights and those kind of things, and also that martial artists and stuff use to control their response times in a combat situation, right? But we're gonna apply it here. So the OODA loop is observe, so see the information, the situation around you. Orient, which is figure out how you fit into that situation. Are you the aggressor? Are you the good guy? Where are you in relation to that emotional conversation? Decide on the course of action, even if that perfection is to not act at all, and then deliberately take that action. Observe the new situation that you've caused, orient yourself to the new situation, decide on another course, etc. And the faster and smoother you can get at doing that OODA loop cycle as you're going through the emotional interaction, you will be better at navigating their own emotional responses, directing them towards something that is effective communication.
They start to calm down and we move back to yellow, and now we can have our conversation again.

The physical cues is just: be aware of how you're presenting yourself and how they're presenting themselves. If they're crossing their arms, they're doing closed body language, open body language, aggressive, submissive. Just be aware of those things and also how you're communicating, because, you know, a lot of communication is non-verbal.

So examples, right? I'll have a lot of concrete examples I can actually share, but I like to talk a little bit about, like, interpersonal communication with social engineering, specifically, like, phone calling, right? So when you're doing a social engineering phone call... I'll just go through, like, a typical phone call I've had. So I call the person, they answer the phone, and I introduce myself. So maybe I'm going, too much caffeine in my system, maybe I'm a little stressed out with work, whatever, and I introduce myself and roll right into my pretext without giving a natural pause or them a chance to talk. They immediately, almost nine times out of ten, become defensive, and that call usually doesn't go very well, right? Because they feel aggressed on initially, and I set that initial placement in the scale much closer to red, right? Now, when I start that call and I give a nice pause, I introduce myself, ask how their day's going, say okay, and then roll naturally into, like, when they ask the "Well, how can I help you?", we roll naturally into our pretext when we start to progress through that interaction, right? Taking time to discuss things that come up in a natural, calm way, right? We're not really, like, harping on this one specific goal we're trying to get to. We're eventually gonna get those credentials, eventually gonna get that information, eventually get them to get the interaction, but that "eventually" is the key. We have to be willing to go on that interaction with them in a way that they feel like they are equally part of the communication, right?
So I'm not gonna go through every one of these things, but I just want to, like, focus on the negotiator stance, right? So when the situation starts to go bad and you take a step back and think, okay, so this person is upset. Why are they upset, and how am I going to address the issues that they're upset about and move them back to yellow, so then I can start requesting information, those things are doing, right? And so we're gonna go to that behavioral change stairway. We're gonna actively listen. We're gonna establish that empathy. We're gonna get that rapport going, and then we're going to start backing them down towards positive interactions, even if they're little things, right? It's important to remember that little wins lead to big wins, right? So we get them to do one little concession; that opens the door for potentially more trust on their side, and also more rapport, and then the ability to exert more influence.

All right, and so these are just some references for stuff that I've talked about, and they'll be available with the slides. So a big part of this is questions, so I wanted to leave a lot of time. So that was the 30-minute version of the talk. I want to leave a lot of time for questions because a lot of these things are things that apply specifically to specific situations, and all people are gonna have some side questions and stuff about those things. So I wanted to make sure I opened a lot of time for that. So any questions, happy to answer.

Sure, so actually the same techniques, right? Personally and actively. So his question was, how do we address suspicion? I use the word aggression and aggressive a lot, but I was using that as kind of the catch-all. So his question was, how do we address escalations into red via suspicion, right? They openly are accusing us of being a liar, those kinds of things, right?
So we're gonna use that same behavioral staircase approach, right? We're gonna actively listen, and we're gonna acknowledge the fact that they think we're full of crap, which we probably are, right? So we're gonna say, "Yeah, I understand this sounds fishy, and here are some reasons why, and here's why I'm sure that you're good. I'm glad that you identified these things, but this is what's going on", right? So we're going to actively listen. We're gonna empathize with how they're feeling about being suspicious. Then from there we're gonna try to build that rapport by giving those reasons, and then from there we're gonna try to influence them back in a positive way, right? If we can't, if they feel super uncomfortable about it, we're gonna say, "You know, if you feel really uncomfortable with the situation, I understand. I'm pressed for time too. Why don't we go ahead and disconnect and I'll have my supervisor send you an email?" Right? Because at least then you're maintaining a positive tone and giving them at least a time window where they're not going to escalate, right? That answer your question?

Hey. Further stuff got into the red, so... Me personally? Are you talking about... so, okay. The further the guy into the red was not, definitely not normal social engineering. But I mean, I've been in situations like, you know, at a bar, and then someone pulls a knife and wants to do something crazy and is threatening to, you know, wants to go outside and all these things, right? And I've been able to talk those situations down before, usually by offering alcohol, right? That's a good way. "I understand your man. I didn't mean like that, man. Can we have a beer?" Right? This works often, because they're like, "Uh, stab you, go to prison; drink free alcohol. I'll go with option number two", right? So that's that whole "Hey, I hear what you're saying", because here's a better situation. Built some rapport. The alcohol offer kind of builds the rapport and empathy all the way to the influence, right?
But in social engineering, I've been in the situations where I've been tailgating in and then, like, a security guard, an armed security guard, just caught me and, you know, in their defensive position, has put their hand on their weapon while they're talking, right? And that's obviously a little aggravating, right? Because you see that and then think, all they have to do is be having a bad day and I'm having a worse day, right? So those kind of situations, it's very comfortable... it's very important to think about that scale and say, okay, I have to keep this person as calm as possible for as long as possible. The longer someone is calm and non-aggressive, a lot of studies have shown that it's more likely they're not going to be aggressive or do something in the curtain at the end result, right? So the longer, keep them calm, keep them talking, you know, concede to their... especially someone has a weapon and they actually do something, you probably just do it, right? And those are also the cases where you might start to look at pulling your get-out-of-jail-free letter if you don't think you've come back from it, or if you have any fear for yourself. Always, you know, go to that position of safety, right? Because no pen test is worth getting shot over, right? But I've been able to talk those down, and it's all using that behavioral staircase model, right? Active listening is the greatest key, and comfort is the most integral component to getting someone to listen to you.

So... so it's important to understand the, like, the cultural paradigm around that, right? So, like, in America our cultural paradigm is, like, a lot of people want, like, to... oh, sorry, sorry. He was talking about physical proximity, right? His question was about physical proximity and touching during these communications to keep them effective. So my response here is that we have to be aware of the cultural paradigm, right?
Some people are going to be more comfortable closer, depending on culture, depending on, you know, that individual's upbringing, all those kind of things, and if you're okay with that comfort you can be standing closer, those kind of things. But in my personal experience it's better to keep about two body lengths or more, or two body widths or more, from that person and give them their space, and if they start to, you know, retract, do not advance, right? If they start to move towards you, though, that's usually a good sign, right? Because usually proximity is directly related to comfort. That answer your question?

Yes, sir. Where they want something from you you don't want to give? Sure. So the question is, when at a hard stalemate and the person we're talking to wants us to make a concession that we feel would be detrimental to our end goal, right, how do we respond to that situation? So there's kind of two things here. So the first is when the actual value of that concession, as opposed to potential side avenues, it would still lead to your goal anyway. And if, in that way, you see that you can still kind of get to where you need to go in a roundabout manner, it's better to just make that concession and put in the extra work to go around that side channel. If it's something that would be, you know, physically detrimental to you, if it's something that would be, that you're just very comfortable with doing, especially because I'm not see straight, it's in a communication situation, it's usually better to temporarily disengage and say, okay,
well, let's not aggress on this anymore, let's take a step back, think about things and reconvene, right? Especially in normal, like, interpersonal communication. But in the end it's usually better to exit gracefully than to try to push a situation. Sometimes you're just not going to win. But there's usually somebody else who's going to give you that information, and in situations of life where it's somebody you're interacting with who you have to share space with over a long time, it's better to work together to find a compromise on both sides, even if that takes a lot of extra time to do so.

Well, I mean, it really depends on exactly the same way we're talking about, right? Like if we're talking about where they want us to, like, let's say we have our wallet and they're like, "We want you to give us, you know, all your bank money." But sometimes we're just not going to make the concession. But we want to exit gracefully and say things like, "Okay, well, I can't concede that right now. Let me take a step back," you know? And then if it's like an SE situation, say, "I'm gonna step back and have my manager give you an email, you know, address a different way to do this." But it's better to gracefully exit if that concession is just something you can't make. Cool. Also stalling, to go... you didn't mention that. Stalling is something: sometimes you stall long enough, sometimes they just didn't want it that enough, right, and they'll give in.

Yes, sir. So the question was, how does peer pressure play into the behavioral change stairway, right? So peer pressure, especially when, like, when you're actively, like, referencing peer pressure to influence an action, I find that to be really ineffective.
So people value their individuality, right? Like, psychology shows a lot of people value their individuality but don't want to be called out, right? So by calling someone out and also trying to force them to follow someone else, even though they would normally do that, in that case kind of puts them on that back foot, defensive. Now if you're communicating with someone who you know is directly susceptible to that, and you can do it in a way that is subtle, not just like, "Hey, everyone else is doing it, you should do it," but like, "Well, you know, I've already gotten other people hooked up on this very positive thing. Would you like to be involved in this thing?" That kind of thing can be really effective. But for the most part, just straight-up calling peer pressure tends to be counterproductive.

Sure, yeah, absolutely. So giving, right? Like volunteering information of yourself, making concessions, right? When they're asking you to do things that might take extra time, might take extra... a little extra stress on you, being willing and open and volunteering that information that you're willing to do those things. Even, a lot of the time, they won't even have you actually do them. They will just feel more comfortable with the fact that you were willing to put yourself out there and be exposed in a way that makes them feel like they're an equal partner and not just doing things that you're asking them to do in that conversation. That answer your question?

Sure, I'm just trying to avoid like the time me my wife been a bite. So I guess a really good one is, like, I get on the phone with an individual and I'm trying to request information and they say, "Well, you know, I don't even know who you are," any of those kind of things. And instead of, like, say, getting off the phone and sending an email, which is a good way to validate, you can start really validating yourself by demonstrating, like, your willingness to discuss these things about yourself. Like, this is who I am, this is where I work,
this is what I do, those things. And being open and providing a communication will usually prompt them to provide information back to you, right? Or you can say something like, "Hey, I need this information. If you need an example of this information, here's mine. This is what it would look like, it'll be on this, like on my piece of paper it reads this," right? At that point they're like, "Okay, someone is willing to share and expose themselves." Even if that information is total BS, it still means something to them, right? That answer your question?

The last... Sure. Yeah. Absolutely. So his point was that apparently in an earlier talk an individual used that principle in saying, "Hey, at corporate we do this. What do you guys do there?" "At corporate we do this. What do you guys do there?" That was effective to gather the information. So thank you for sharing that.

Yes, sir. So the question is, if you want to physically approach somebody and they're alone in a room, right? Or they're in a room, period, right? So first thing is to remember that people, you know, in general, right, we're all very protective of our space for the most part, like... Oh, group. I thought you said a room. Sorry. In a group, right? So usually, yeah, it's better in my opinion to wait until they're in a, I guess, a comfortable way of being alone, right? Not that they're, let's say, at the urinal or something, right? Like if they're sitting in the lunchroom talking and they're drinking a cup of coffee and everyone leaves, you now have your cup of coffee. That's a good time to say, "Hey, can I sit here?", sit down and then start discussing, right? One of my favorite things to do on physicals is take a lunch, or breakfast when I go in the morning, like a banana and something, go grab one of their coffee mugs in the lunchroom, pour myself a cup of coffee and sit down and eat a banana, talk to the people at the lunch table. Because later on when I ask someone for network access or something,
"Oh, yeah, that's the guy I ate lunch with," right? But I try to start my interactions with people while they're separated, because I can build an interpersonal communication and relationship with them, and then when other people start adding to the mix, that personal act is my gateway to that interaction. They're like, "Oh, have you met Noah? He's the new this guy. He's really great. Let's all have a conversation." And then at that point we can start talking, right? It's easier to integrate yourself into a group by starting usually with one individual. Except, in my opinion, like, large situations like this, where we have like a large conference or concert or a social gathering of some sort, it's good to, like, slip up into the group and then be able to volunteer information, and also call yourself out for being the guy who just jumped into the group, like, "Oh, hey, I'm sorry to interrupt, but I just heard this and this and this." "Oh, yeah," and then you get pulled into that conversational flow, and eventually when they start asking you questions, you know, you're at that point where you can start really asking them questions and building that active listening and that rapport. That answer your question?

Yeah. Sure, yeah. So you get into this a lot with, like, while you're doing physicals and you're moving through the building and you need additional access, let's say to a secured area, something like that, or you don't know where something is, and sometimes the best, the easiest way is to just ask. So when you see someone in a room, the first thing is to remember they're very protective of their space, and people are very, like, "This is my space." Especially, let's say, their office, right?
So the first thing is, if the door's shut, you should probably just not... you should probably leave it alone. Wait till the door is open or till that person comes out of that space. The second thing is that once the door is open, you want to make sure you request permission before you ask: "Hey, I'm sorry to bother you, but do you have a minute?" And usually the response will be something like, "Oh, yeah, come right in." And then once they've invited you into their space, there's already a level of rapport that has been built, because there's a level of comfort they have by being in their own personal space, and that office is theirs, right? Or that room is theirs, or that space that they're currently in control of is theirs, right? And at that point then you can start addressing. Now, if there's people in that room, you probably want to avoid that too, because they're probably locked into a specific social interaction, and that's not really going to be a good channel for injecting yourself or building that rapport and those kind of things. And it can go really fast to red, because you go in there and then suddenly, like, someone else who is very suspicious is there asking questions, and then it just all goes to crap.

Questions? Yes, sir. Sure. How do I get them? How do I get that... So the question was, if I'm trying to get a tech, inside tech support number from somebody who doesn't actually have the number. Is that the question? Okay, so I'm having a little trouble hearing you, but it sounds like the question is, how do we get inside numbers when we only have the tech support number, right, without getting too red? Because tech support tends to be, you know, one, they're very dedicated to process, because process is how they deal with less BS through their day. And as tech support they are going to deal with a whole metric load of BS, right?
Second is that one of their jobs is to be suspicious of situations, and that's why they enforce process, right? So when we initiate the communication, the first thing we have to be aware of are the things that are gonna be valuable to them, right? In any communication, if you already know the values that somebody might hold dear, we need to be aware of those things going in and making sure that we don't just step on them from the get-go, right? So once being aware that they're probably suspicious, security oriented, process oriented, we're gonna get on that phone, and then we're gonna start trying to inject ourselves into, hey, a non-threatening situation that could redirect us to someone else who would probably be more willing to provide us that information, right? So in many cases I'll be like, "Hi, this is so-and-so from this," with information that we've enumerated from, say, LinkedIn, you know, Facebook, open source information gathering, right? "I'm on site somewhere. I have a couple questions. I haven't been able to connect to my phone's dad or whatever. I haven't been able to connect to some stuff, and I need to get some information. Can you tell me who I need to call to get that information?" Right? And they'd be like, "Oh, yeah, sure, you need to call this person." "Well, can you give me their direct line?" "Oh, well, this, okay." And then a lot of the time you can just call the operator, honestly, like if you really need a phone number. And then also there's a really terrible trend in Curious stuff where, like, you can just hit a button and get the list of everyone in that name, and then, you know, so you can just go through those as far as the directories, right?
But I would say just avoid directly saying, "Hey, give me this phone number." I'll give a good pretext, a good reasoning why, right? And be willing to be like, "Or could you direct me to someone who could help me better?" Right? And if they ask for information that you don't have, other than being really prepared to say, "Well, I'm not comfortable providing that information on the phone right now because I'm not in a secure place, but I'll call you back later," and then gracefully disengage.

Any question? More questions? As part of social engineering or... Okay, so as far as social engineering goes, I think the most... So it didn't really go to black, but the potential to go to black is very high, right? So I was in a situation where they staffed their night security guards, and I did not know this going in, entirely with off-duty police officers. There's another one too where I was doing one in a very crime and burialed city where this place also had their own police department, like they have a contingent of police that just hung out in the building, right? So in both of these situations I'm interacting with a police officer. Now, police officers, just like military or anyone else, they have a specific sense of training and escalation force and those kind of things. Something to be aware of, and this varies depending on the branch or the police department, etc., is the amount of training they actually participate in, right?
Because the more you train, the more comfortable you are in that situation you train for. The less you train, the more information you have about how to interact, but less comfortable you are, which will lead to negative decisions, right? So a lot of the time you have junior police officers who use escalation of force unnecessarily or whatever, because they were just scared and nervous and hadn't had enough training yet, right? A lot of the time a veteran police officer will be in a situation where it gets really, really crazy, and they don't go to escalation of force because they know how to handle that situation and step it down, and it ends up being better for everybody in the long run, right? So in this situation, I go into the building and I immediately identified that he's got, you know, a police issue firearm on his hip, and his, like, badge is pegged to his lunch bag, and he's sitting on the counter and he's eating a sandwich at like 10 o'clock at night, and I'm trying to pose as somebody going in to get something, right? So at this point it's all bad, right? Because he's looking at me. He doesn't know me. Usually no one shows up, right? I was eventually able, based on information gathering stuff, to avoid escalating at all. I'd done all my research. I approached him very cautiously. I would make sure to keep my hands visible, to be calm, to not be threatening in any way, and be very respectful, right? Especially, like, older males. Like, older male military-oriented people love "sir," "yes,"
"no," respectful interactions, and those tend to put them in a very positive place. So knowing, you know, some of those stereotypes, right, can be very effective to use. So you use those to initiate that initial conversation, keep it calm, and I was able to talk him into opening the door and getting me upstairs, "forgot my badge" or whatever, right? But it was potentially really bad, right? Because if I came in and then upset him, I could be on the ground. You know, he probably isn't gonna let me pull my get-out-of-jail-free letter, right? So I think that was probably the worst as far as, like, actively risked.

Now, there was an unarmed security guard in front of me. I had created some documentation, and he wanted to take it from me. But I knew if he took it from me to validate who I was, it was gonna blow my cover, because it looked good superficially, but on inspection it was not gonna hold up on deep analysis. And so I needed to avoid him wanting to take that credential, right? And so, doing so, I needed to keep him talking for long enough to build enough rapport and trust with him that he, you know, said, "Okay, well, I think you're good, doesn't matter," right? And redirect enough from that initial target of that credential to something else that I could give him. Always willing to go back. Like my driver's license, because I really don't care if he has my driver's license, because this is a part of a project. I'm going to get it back, right?

Any other questions? Sure. Sure. So our question was, how important is the validity of the reasoning that I give, you know, for whatever reason, in a social interaction? And the answer to that is, it varies a lot, right? A lot of the time, getting to the front of the line is as easy as giving some BS excuse of, "Oh, I really have to pee," or, you know, whatever it happens to be, right? One of the reasons that is, like, completely unverifiable but, like, really not that important to other people, but they build that sympathy
and empathy, is like, "You know, my pregnant wife is waiting out in the car, and I need to get her to her doctor appointment, but I have to get this done," right? They'll be like, "Oh," you know, prevention of life and land, uncomfortable person who would naturally... "I'm gonna have sympathy for. Sure, you're a nice caring person. I'm gonna let you to the front of the line," or whatever, right? But it's really important to know your audience, right? When we sort of have a conversation, there's a lot of questions you can ask, a lot of interactions you can do to really get a feel of who they are, right? If they're a sympathetic person, you know, or if they're just a really, like, logical, procedural person, and that helps you craft the depth of excuse, right? And then just have a lot of them prepared.

Coffee shops and bars. So the answer was practice a lot. Well, how do you practice in your free time? Obviously in, like, you know, a situation you're not gonna get shot, right? And so, coffee shops and bars. So what I tell beginning social engineers, or people who just aren't very good at social interaction, period, is go to a coffee shop with a notepad and go sit down and just watch the interactions and write down your thoughts about those interactions. The next time you come, make a goal, like, "I'm going to have a conversation about one topic with one person," right? And then write out how you're gonna do it, and then go and make that approach. You're probably gonna fail the first couple times. Once you get that, maintain that conversation, and usually the goal is like a time amount, like, "We're gonna have a conversation about the weather for two minutes," or whatever, right? Then we step back and say, okay, and my next goal is going to be, how do I go up and get a piece of information, something like their shoe size or, you know, something slightly personal, but not something that anyone would be crazy... Like, should probably go up and ask people for their address, right?
Because that's gonna be a little, like, no. So little things like that, or their usual coffee order, or those kind of things, or what their favorite alcohol is. And then as you get used to requesting those pieces of information, you start to get used to conversation in general, and that helps you build that comfort. If you're comfortable, you start being willing to take a little more risks and being less afraid of, you know, a negative or awkward outcome. And that being unafraid of some of those risks and understanding the impacts is something that makes communication really easy, because if I'm not scared of you getting mad at me or not scared of you exiting the conversation, it's less likely for me to, you know, look stressed or uncomfortable while we're having a conversation, right? So just lots and lots of conversation, and, you know, DEF CON's great for it, right? Go find someone else, sit down, buy him a beer and talk, and you will get lots of social engineering experience.

Sure, yeah, that's another thing, is defending, right? Like, don't give stuff up. Any other questions?

Absolutely, yeah, yeah. So the question was, in reference to, like, psychological principles, like press and release, do I think of this scale in those terms? And yes, right?
That's why I focused on yellow. I know yellow is proceed with caution, because yellow has the greatest risk, the most chance to get you in trouble, caught or shot, but it has the greatest potential for return. And because of that, you can really, like, work with how to push that red line. And that's why I called it the red line: get right to that point where you're getting the most information, you're generating the most risk, we have the most control of that emotional interaction, and as it starts to get bad, having mastery of those principles, you start to back it off. You start requesting information and find out where that threshold is, and find that sweet spot where you can just sit and gather a specific type or levels of information for as long as possible for that graceful exit. That answer your question? More? I think we have like two more.

Sure, yeah, go ahead, man, I'm an open book. No, so I live on the principle of, you wake up dead every morning. So basically my approach on life is that your identity is already stolen, you're gonna die at 12 this afternoon, and your house is burned down while you're gone, right? So accepting that already, like, you just, you know, you can just kind of live without that much fear, right? So the simple fact is, someone is gonna get information from you one way or another, right? There are databases that people can get licenses to get access to, and they can just look up your social, right? So the fact is, like, you can assume that lots of that data is already known. Now, am I, like, protective of specific data and choose not to volunteer? Absolutely. But am I afraid that they're gonna gather it for me, or I might slip? Everyone's gonna do something stupid sometime. I personally feel the best you can do is plan very well for contingencies and have lots of things backed up, right? Have, you know, for instance, like with the house burning, have money and savings and have insurance. You'll be okay, right?
Bank with someone who has very good fraud prevention and fraud insurance, right? These kind of things. Same with conversation, right? Don't go up and start a conversation with someone if you feel that you are grossly outmatched, or you feel that you aren't comfortable at that time, or you're very stressed out, or you're having a bad day, unless you just need to talk, because you probably are more prone to make mistakes.

Yes. Sure, so that's actually very little. So the question was, you know, most people aren't professional SEs, what kind of amount of information do you give to someone to get them to be comfortable talking to you, right? And so the answer really is to ask questions. You volunteer a little bit of data about yourself, I might know what, whatever, is in that initial conversation, that initial kind of honeymoon phase of interaction. You ask a lot of questions, right? You make them feel very much like the conversation is focused on them. You don't push, like, into deep questions, but we're asking like, "Oh, well, how did you feel about that? Oh, I thought that was this, so what did you think about this thing?" You know, as we go back and forth, and the more questions you ask, the more comfortable they're gonna become in that conversation. See their body language relax, their eye contact becomes a little softer, and at that point you can start really asking the harder questions or steering that conversation in the direction you want. Did that answer your question? I couldn't hear you very well when you asked.

Sure.
Oh, no, I usually use... So the question was, like, fake data that you provide. I usually use real data for the most part, because unless you're... So one, if you're a criminal, you can get someone else's data and provide that, and make sure you keep really good notes. And the other thing is, otherwise, like in a social engineering situation where I've been hired by a company, unless I'm specifically afraid that they're gonna research me, right, I will use actual information, because it's something I can validate and something I can prove, right? Like I have my name so overdome and like a lot of them sit, I'll say, "This is Noah from the help desk," unless I've specifically identified, or felt like I need to specifically identify, people at the help desk, do something like that, and I'll use their information. But I'll also do the research, find their date of birth, their home address and all those things as much as possible, make a very good dossier, and then keep that and maintain that the whole time and make that my character for the entirety, unless I have to switch for some reason, like my cover got burned or something.

Yeah, sure. So, like anything, there's always a way to do something really well and do something really bad, and then after I answer this we'll be done. So I'm done now. So, okay, let's finish the question. So people who just bombard someone with questions and just do everything you do, those people look like complete charlatans, that's right. But anything with a measure of discretion can be effective, right? Don't ask a billion questions. Ask one or two questions that would elicit a lot of talking from the person you're talking to. Then, as that person talks a lot, that distance between questions becomes less suspicious, right? Pick one or two pieces of language that are natural, that, you know, you could be using anyway, and just fit them in later in the conversation, naturally, right?
The goal is always being natural, to be as calm as possible, as close as you can stay to the truth; the more comfortable you'll be. And thank you very much for everybody's time.