Our next speakers are Chris Silvers and Taylor Banks. Taylor spent 15 years in the information security area and has provided training for organizations such as the FBI, NSA, USA, US Navy, and Marine Corps. Chris Silvers, you might see him around as a volunteer here in the SE Village. And he's also a DEF CON Black Badge winner. He has 20 years of experience in information security. Let's give him our attention. Their theme is On the Hunt: Hacking the Hunt Group.

Alright, thanks everybody. You know, it's really difficult to follow that last talk. It hints at the reason there are actually empty seats in the audience, which is really heartwarming and I love to see it. There's a lot of people out there who are interested in ILF and it's great to see. So cheers to you guys. Awesome. Definitely. And so, real quick, yes, I am Chris Silvers, also known, and usually normally known, as Hannah's dad. If y'all know Hannah, she's back in the room and kind of running the room. And just a quick show of hands: who was actually here yesterday afternoon and heard Hannah's talk? Okay, about half and half. Okay, awesome. Do me a favor and find Hannah and give her some feedback. All right. She's a young presenter and she's always getting better, and the way she gets better is feedback. So we appreciate that. And obviously joining me, Dr. Chaos himself, Taylor Banks. Party on, Taylor. Party on, Chris.

Alright. So, okay. So let's mic the speaker here. Just a quick word. What you're about to hear was an actual telephone call on an actual penetration testing social engineering engagement. And I'm not going to say anything more. We'll explain a little bit later.

All right. So to kind of explain what just happened and the context around it, Taylor's going to tell us about a hunt group.

All right. So in telephony terminology, a hunt group, also called line hunting, is essentially a technology that is used when you call a call center. You call a single phone number.
That phone number is distributed to a whole group of incoming lines. And I'll add a little bit to this for the purpose of our later discussion, but there are normally a couple of different distribution methods used by hunt groups. Most frequently you'll find call centers use methods that are either round robin or circular distribution, or occasionally they will use most idle. The objective is to try to ensure that each new call that comes into the hunt group is distributed to someone else. Right. So we've got a call center full of people. We want to make sure that when we call in, a new rep gets each call. This is why when you call your Comcast or Cox or AT&T customer service line, if you hung up and called right back, you would speak to a different representative than you spoke to when you first placed the call. Thank you.

All right. So how are we here? My name is Taylor Banks and I'm a phreak. So as a nine-year-old kid, thank you, as a nine-year-old kid in the 80s, I aspired to be the world's greatest computer hacker. I've never been arrested for a computer crime, so I'll leave it up to you to determine whether or not I achieved or didn't achieve my goal. Nonetheless, while also wanting to be the world's greatest computer hacker, I was rather fascinated with social engineering, really often in the form of basic phone pranking. Right. I'm nine, it's the 80s, cut me some slack. So shortly after the advent of three-way calling, I discovered that I could connect multiple representatives at a call center together with a very brief delay by simply dialing a number, clicking over my receiver and dialing the same number, and I would listen to the chaos that would often ensue. This was quite fun. And I started doing this with the Home Shopping Network. Why? I don't know. I guess it was the easiest target at the time.
And what would happen is a rep would call in, or I would dial the number, and you'd hear ringing at both lines at the same time, and somebody would answer and say, "Hello, this is Joe. Would you like to buy the diamond?" Now simultaneously, the second line connects. So while Joe is answering this call, you also simultaneously hear, "Hi, this is Mary. Would you like to buy the diamond?" Now a couple of interesting things happened, and that's what paved the way for what you're going to see here today. Number one, as I continued to do this, the representatives at the Home Shopping Network became more and more convinced that their phone systems were acting up. So they began to expect phone flaws within their phone systems. I would continue to do this, oftentimes for an irritatingly long period of time, and at one point in time I actually heard two representatives set up a date. I'm not kidding. Like, the guy says, "Seriously, what call center are you in?" He says, "I'm in Dallas." He says, "Stand up." He says, "Oh my God, I see you waving." So they go through this process. They're on the phone for like 10 or 12 minutes, and ultimately by the end of the call they set up a meeting; they're going to get together after work. So this was quite fantastic.

Fast forward to 2011. I was listening to a presentation that Chris was giving at a local DC404 meeting in Atlanta. Go with the flow. All right. I believe there are recordings of that online from subsequent conferences, and during that particular talk Chris was playing back recordings from his social engineering engagements. As he's playing back these recordings, I'm sitting listening to the talk, and all of a sudden my nine-year-old brain, the only one I've got, pops up and says, oh my God, what would happen if we took this technique, if we took three-way calling and we connected multiple representatives within a target company together? What might happen? What would ensue?
So in order to delve deeper into the topic, we also have to consider how we would use this method. How would we leverage this method to actually conduct a social engineering call? How would we use this to gather information that we could use during an engagement? There are a number of different things that we can use or get by leveraging this technique. Number one, it's great for reconnaissance. One of the interesting things that happened, and you'll see this live here momentarily, is that as I was going through this process, even so many years ago, as the representatives would get connected to each other and expect these connections, because again they're convinced their phone system is acting up, they would talk very candidly. So they were speaking in language, they were using terms, they were talking very casually as if they were sitting next to one another, and in some cases they might actually have been, but unbeknownst to them there was a third party on the line. So they're using terms, they're talking about things that they wouldn't talk about if they knew that somebody who didn't want to buy the diamond was also listening in on their conversation. So in addition to basic reconnaissance, we can potentially use this technique for credential harvesting. You'll hear some of this live. And further pwnage. Chris?

Yeah, so the concept here, and when I speak to people outside of the security realm, they're like, you know, are you just nuts? I mean, because these are weird thoughts, right? These are not normal thoughts, right? But my term for it is called weaponization, right? Everybody in this room probably has a pretty good concept of weaponization. You take a process and you understand how it normally is supposed to work, and then you think how could this process maybe abnormally work, and then how could that be weaponized, right? That's what gets us going, right? That's what makes us work on weekends. So that's kind of the concept there.
But what we have to understand is we have to transition that from an evil genius type mindset. We have to have the evil genius mindset, because that's where we get the weaponization concept. But then we have to transition it into: okay, but now how can we help our clients to protect themselves from the people who have that evil genius mindset but not the integrity we do, right? That's what we're all about.

So fast forward to 2017, last fall. I got this opportunity. I had a client that I had been working with for several years, and they had a really advanced security awareness program, very mature, and they also had a global call center organization. So a huge call center. They probably had 400 employees total in their call center, and their call centers were even segmented into different specialties, right? So it was just kind of a perfect storm type situation. But to actually convince the client to go for this, because they'd never heard of this technique and they didn't know what was going to happen and what information might end up being spilled, so to speak, I had to sort of develop a more strategic and kind of business-oriented methodology or strategy around this process, right? So essentially I laid out to them, okay, here's how it's going to work. We're going to start with Taylor's process of doing the three-way calling just for some initial reconnaissance, and then very quickly go to an initial injection where I'm going to pretend to be one of those agents, right? Maybe a new agent. Maybe I don't know a lot of the lingo, but I'm just going to fumble through, and I'm not going to really press a lot, and just kind of try to get a little bit more intelligence around their process, right?
And then beyond that, I'm going to actually kind of start asking some more innocent questions, but with a little bit more intelligence, finally starting to guide the actual conversation based on some additional information that I'm getting, and start saying, well, gosh, should we do this? Or should we do that? Should we open a ticket? Should we call our boss? Should we, you know, and actually starting to make some suggestions and leading the other agent on the phone. Again, I'm still pretending to be an agent, and then of course at some point flipping it and going for exploitation, right? Because that's really what it comes down to. Any kind of penetration testing, you've got to get to an exploitation phase, because that illustrates the impact of the risk that you're trying to explain to the organization, so that they will then be able to justify mitigating that risk, right? All contaminated, right?

So with all that context, let's listen to some calls, right? This first call is kind of the initial injection, and they're trying to pick up on some lingo, right? So let's listen in here.

So everybody picked up on all those flags, right? This is like doing an SECTF live. It's just you don't have a bunch of people staring at you. Which, by the way, is a lot easier. So yeah, you pick up on Exchange support, BizApps support, Polycom desk phone, you know, the term team captain instead of supervisor, PBX team, all that good stuff. Now, did anybody happen to, and by the way, I forgot to mention, what you just heard was kind of a snippet of a call, right? I didn't play the very first part and all that stuff, right? And a few of you were going to do that way. But did anybody pick up on a red flag right away? Did you notice he said, "I don't see you logged in"? Yeah, oops. Because I claimed to be from the same actual segment of their call center as he was. And so we should have been logged into the same area, right?
Also bear in mind that, you know, looking at the strategy we laid out on a previous slide, at this point in time Chris has already injected himself into the call. So you're not listening to two reps banter; you're listening to one rep, with Chris now impersonating another rep in order to gain the trust and confidence of this person he's speaking to. So as we pointed out, again, you know, doing this live, it's very likely, probable even, that you will have conducted several additional calls where you will have reps talking amongst themselves, providing some of this very same information.

Yeah, absolutely. And if you notice, in the early stages of that recording, you didn't hear me talking much. All I did was just kind of say, "Hello, thank you for calling so-and-so support. May I help you?" And then he's the one that really kind of prompted the conversation, right? So the next stage there is to actually kind of go a little further and use what we've learned so far to then just prompt more intelligence, right? And I haven't heard this term before, but we kind of came up with VOCINT, right? It's kind of like OSINT, but it's just voice, instead of using online sources. All right, so let's hear the next one.

"Are you using the browser plug-in? Because I'm using the soft phone." "It's happened before in the past. It's happened before as something with a hundred words, where they sometimes are about calls weird." "Right." "But I used three different browsers. They had nothing to do with the browser. I got Chrome, IEMS, etc." "Are we supposed to report this or something to somebody?" "Nah."

I love that. I love that. "Nah, it just happens. It just happens. You know how it is? Every now and then, right?" Yeah, this guy was actually hilarious. I would love to just play the whole call, because he was so funny. But yeah, so here we go. We pick up PC laptop, hunt group, the whole term, which kind of prompted the name for the talk.
And they're using all kinds of browsers, and obviously some old ones. That's okay. So then we get to the next phase. And this is where, thanks for the Peter Virgin fans there, this is where it actually gets fun. We really start kind of, I won't say like controlling the conversation, because I seldom do that, but a little gentle guidance on this conversation. So let's see what happens when I actually start kind of asserting myself using all this information that I've gathered, right?

"Anyone else?" "Probably not. No, I guess not." "Great, that's weird. Are you using a PC or are you on a Polycom?" "I'm on both, actually. They called in through my Polycom, like a regular hunt group call, so I just picked up. And I mean, when I count info a year, the number's calling from our regular support phone number down. Something's going on." "You're not on a Mac, are you?" "No, no, I'm on a regular Windows 7 machine." "Do you have any customer info on your screen?" "No, no I don't. It came up and it was saying, you know, ask for customer ID, or account ID, so, okay, this is Supervisor over there, because I'll get my team captain to get in touch with them, yes." "Yeah, yeah."

Y'all heard me slip up. I used the word Supervisor, and then kind of, you know, gathered myself and said, oh yeah, who's the team captain? I'll get my team captain, right? So of course, gathering a little more information: account info, what was on screen, the Windows 7, and his actual supervisor's name. So, you know, now I'm really getting there to where I can say, oh, well, so-and-so, the team captain, you know, Bob said to do this. Now, this next one's really fun.

"What's going on here? You wanna talk to tech support?" "Well, I guess so, I mean, I'm with the Exchange group, the BizApps, but I don't know, I mean, would it be services maybe, or aren't they in charge of the next game? Or I am."
"The next picture of your incoming call that says B-800 and it says call from Voice Onboarding, Voice Onboarding hunt group. Are you, are you a home, home support, or are you there in the office?" "Huh, that's weird. It happened at the beginning of my shift." "Did you just come on or?" "No, I've been here since 7." "Yeah, because like I said, Tory, I think he said that he had just logged on, and that was, I mean, you hadn't logged off and logged back on or something, had you?" "Yeah, I just came back from lunch. I just logged back in to the queue." "Ah, okay. Well, that might explain it. It might be like when you first log in."

Yeah, so are you also recognizing some of the flags from the SECTF, right? The employee schedule and lunchtime and those kinds of things. It really kind of ties it in, doesn't it? Those things are important, right? They definitely establish the rapport and the trust that social engineers use on subsequent calls to kind of validate to the person and make them feel comfortable that you are an internal employee. But yeah. So tech support is not necessarily called tech support; it's called ISA, which I don't remember what ISA stands for, but I was able to find that out later and made a call into ISA just to report this problem. Right? And of course it was just totally bogus, right? But I got the guy's name in ISA, right? So you're going to hear in a minute I'm going to mention his name, right? But, you know, her office location and when she started, lunch break and all that kind of stuff, right? So at this point this woman gave me so much information, I'm just like, okay, if I don't go forward and pwn something, I mean, come on, how much information do you really need, right? So this next call is actually going to play pretty much from the beginning of the call, right? So the other ones were sort of snippets.
So now you're going to sort of hear the whole process up until the point where she confirms that she's actually run the executable that I'm asking her to run, and then I'm going to cut the call, because the rest of the call I was just kind of showboating. But anyway, ooh, yeah. Well, it was just fine, you know? So anyway, let's hear it.

"Thank you for calling onboarding. This is Tyson, may I have your name please?" "Hi. Can you hear me? Yeah, I think we must have gotten crossed, because I'm with the advisor team. That's why the call came through to both of us." "That's weird. This is Tyson, I'm with onboarding." "Yeah. Okay, I'm sorry, what was your name?" "Renee." "Renee? And who are you with?" "Renee? I would." "Oh, okay. That's weird. Are you a voice or is that?" "Okay." "Yeah, that's strange. This actually happened yesterday, but it was another onboarding call. So it was another onboarding tag." "Okay." "I actually have a ticket open with ISA on it." "Oh, okay." "Yeah, I spoke with Howard. He wanted to find out, are you on the next-gen upgraded system?" "No, I'm using the old system that I got like three years ago." "Wow. Okay. So you're just using the Polycom instead of the browser plug-in?" "Yeah." "Okay. If you have a few seconds, he wanted me to gather some information, because this seems to be happening a good bit lately." "Sure." "Okay, cool. So what kind of system are you on, a Wyse system or laptop?" "I'm on a Wyse." "Okay, you're on a Wyse. And that's running Windows 7, right?" "Yes." "Okay. Renee, are you, I guess you're in the office, right?" "No, I'm a home worker." "Oh, okay. Home worker. Okay, home worker. And do you know, Service Pack 1 on the Wyse system?" "I was just upgraded to the new Service Pack." "Okay. Is that showing Service Pack 1? It should be build 7601." "Um, I think for me to see that is if I actually log out, I believe I have to..." "Well, actually he said the easiest way to get this information is just to go out to ... and that'll do a quick inventory and show operating system and software stuff." "Software stuff."
"Yes. Dot com." "This is a gaming..." "Yeah, it's just, yeah, it's just real easy. Your information, there's a download called Detection that you can run." "Your details." "Right." "Service Pack 1, build 7601." "So are you on the advanced tab?" "That was on basic. I put the advanced." "Right. Yeah, click on advanced and then scroll down. And then that'll show operating system, and you said 7601, right?" "Pack 1, build 7601."

Alright, so yeah. I think we double confirmed it. She ran the EXE. We're good. Alright. Now keep in mind, I know I did not have a reverse shell on her PC or anything. It was kind of not in the scope, but obviously certainly could have. Very easily. Very easily just own that box right away.

Alright. So this next call didn't quite go exactly as planned. Alright. And I just want to give the client some props here, because believe it or not, they had some protections in place that sort of stopped me. Now the call proceeded very much like that last call up to the point where I had the employee going to the website, just about to download and run the executable, and this happened.

"And I want to, my computer details." "Yeah, my computer details." "Alright, I can't breath it. So it's asking me to run an executable, but it's not something I can't breath." "Right. That detection.exe." "Yeah, I can. Yeah, he said." "Oh, it won't let you run the executable?" "No, I'm not the admin here, so." "Ah, okay. That's strange. Let me. Okay. Yeah, he said if you get permission issues on the exe. Okay. And Kathleen, what was your last thing? You're in cloud onboarding." "This is onboarding."

Alright, so I just had to collect a few other flags just to kind of salvage the call. But the key there was that she wasn't actually able to run the executable, because she didn't have administrative rights on her computer. Go figure. How about that? Alright, so let's talk a little bit about how we can level up even from this basic test.
Because this was kind of a first run of a pen test using this methodology. Right. And as Taylor said in the first place, he made 85 calls.

So prior to the calls that you heard, I did a bit of research. I will point out, both from and to states that only require single-party consent. But I did some calls to some well-known companies. I can pretty much guarantee that you are either a customer of theirs or they're a customer of yours if you're in this room. I'm not going to mention them by name. But I did approximately 82 calls across just a couple of companies trying to test this technique, calls connecting call center reps to each other. And this is where things really do start to get interesting. You know, again, you saw Chris leveraging a lot of the information that he gathered during his own process. But a lot of that terminology you won't even have to pry from your client, because they're going to provide it to you the more times they connect to one another. A couple of things to bear in mind here. Repetition is an important component, because it is the simple act of repetition that in essence creates the problem. We want to simulate a phone system that's glitching. So the more that phone system glitches over and over and over and over again, the more the company is going to expect it. In this case familiarity actually also tends to breed complacence. So after you've gotten three or four crossed calls throughout the course of your work day, by the time that fifth call comes in you think, oh god, not another one. Who cares, whatever. And you let your guard down. And that's a lot of what we saw in these research calls. We saw people getting very casual with each other, using language that again they wouldn't use on a call with a customer. So this is the first thing, number one: repetition is important to help create the problem.
Another thing that I found to be useful in doing some of my own basic injection, and something that I would suggest as a method to use, is also really to rely on deference. So say if you've connected a call and you've now got a call rep on the phone, and all of a sudden you've got some pushback and they don't want to provide you with information, or again they may be questioning whether or not you are who you say you are. Oftentimes one of the things that you will find is that you can get more information by pretending not to be the person who is ultimately responsible for this. Like, oh, you know, I'm going to have to ask Bob. My manager says there's probably another website we can send you to to get the information we need. Rely on someone else, or really use someone else to throw them under the bus for the information that you need to gather.

Another thing that's very effective here is to use sympathy. A lot of the folks that you're talking to on the phone, again, they're call center reps, so the more you can empathize with them and the more they can empathize with you, the more likely they're going to be to give you trusted information. After you get shut down or you get stopped, if you hold the phone away from your face and you go, oh my god, fifth time this has happened to me, oh no, I really don't want to get in trouble.

I actually used this technique on a very recent test where I just kind of, like you say, just kind of go a little bit off the phone so that it sounds like you're talking to someone else, and you sort of say, "I run the executable? What's she supposed to? So you want her to do what, dude? I can't ask her to do that. Really? Okay, so he said go to a command prompt and type this. I don't even know what that means, but you know, he's saying type systeminfo. How do you spell that, man? Oh, it's s-y." And it works. It's amazing that if you just kind of say, I don't know, it's something crazy somebody else wants me to ask you to do, I don't really understand these systems very well, to be
honest with you, I'm kind of new to all this stuff, right? Yeah, yeah, I mean, I don't know, that's kind of just like you, right?

So I'll add here also, this last bullet point is another important one, and this is something that I used in doing one of the earlier research calls as well. So after about the third or fourth call connecting two representatives at this particular organization together, they mentioned the name of their internal ticketing system. Now admittedly most of these people would know how and where to go about using this ticketing system to submit a ticket, but what I did is I immediately went out and registered [ticketing-system-name]support.com. So now when I ask them to go to a URL, I'm not asking them to go to some gaming site where they're going to download detection.exe; I'm asking them to go to a site that for all intents and purposes looks like it should be the system that they would expect to see. Alright, so maybe it's a new domain, but it's got all the indicators that it's trusted, right?

You'd think reasonable domains like that would all be taken up, of course, you know, support-type domains would be taken up; if they were available they'd be thousands of dollars. Oh yeah, of course, you know, things like phonesupport.tel for $7.99. I know it's a really high bar, but it lends a lot more credibility to the engagement. So again, you know, there are subtle things you can do that also create context and that really reinforce the fact that you're a trusted individual, you know the trusted system, you understand the internal processes. Tell them you understand the SOPs, you know the standard operating procedures for submitting this information: where to go, what type of information is going to be needed. So when they go there, well, you've just done the same process; it's really easy for you to at least point them through the same thing.

So, bringing this to the point, what do we do with this? What can we take away here as an educational
benefit from this? So first and foremost, to me, and I'm sure many of you in the room have been preaching this: least privilege. Quit giving your users admin access. They don't need it, especially on their local machine. Even a help desk person likely does not need administrative privileges to their own machine. They may administer other systems, they may administer, you know, user permissions in Active Directory, but that doesn't mean that they need to have admin on their own machine, right?

And then of course awareness. Now, Kathy, you still here? Okay, so if anybody was here earlier for Kate's talk, the social engineering perspective from the CISO perspective, which by the way I loved that talk, one of her key points was awareness is not a check-box thing. It's not just laying a piece of paper in front of the employee and saying, you know, do you promise to be security aware? It's actually a program and it has to be tested. Out of awareness, test out, right? Yeah, and it has to be customized to not only the organization but the employee's role, right? Provide customized awareness to call center employees that's different than the C-suite, right? The C-suite doesn't need to know so much about this attack because it's not likely going to happen to them, versus a call center employee where it is quite likely to happen to them. So making it role-based, making it customized, and, you know, also encouraging that kind of evil mindset thought process that we sort of naturally have now, so that employees can go out of the box and not, you know, not have to be trained specifically on every specific attack.

And I think there's something important to consider here as well, because, you know, admittedly this is tough. Awareness is a challenge here, because, you know, what we demonstrated today, this is a relatively novel technique at this point in time, right? So most of the places that you're going to deal with aren't going to have had this done to them before. It's not like getting a spam email or a
phishing email, so it's not something that you can easily just create an awareness program around. As Chris said, the key here isn't just helping people be aware that, you know, two call center reps might get connected together; it's really awareness of, you know, the need to not divulge information to people that you haven't vetted yourself, that haven't been verified. And so the awareness process here, again, it's not awareness of this particular individual three-way calling technique. Sure, that might make its way into a slide or a presentation, but it's really again about awareness about the challenge. What is it that we're trying to stop? What are we trying to prevent? And it's that dissemination of information that shouldn't get into somebody else's hands, even the name of the ticketing system, even the name that we use to refer to supervisors within an organization, right? Exactly.

And also the reporting. Another subsequent exercise where I kept repeatedly calling and setting up the three-way calling, and there must have been a hundred, hundred and fifty calls: "Nah, it just happens." Yeah, that was the reaction from almost everybody: "Nah, this just happens. We don't need to do a ticket on this. We don't need to report this." Right? So I ended up actually having to call the supervisor of the call center to press the issue, to make it a problem, and it was over like a hundred calls, right? And she started spilling the beans about, yeah, we've been getting a lot of robocalls too. Like, oh, well damn, there's an attack. How can I do a robocall? Thanks, thanks for the tip, right? So there has to be that culture, right, that just, you know, that red flag goes off and somebody says, well, okay, this is weird, somebody needs to really actually look into this, and make it happen.

And then also, you know, making sure that your staff, you know, has awareness of each other and, you know, has some familiarity, because the toughest companies to test are the small ones where everybody
knows everybody, right? Everybody recognizes everybody's voice and all that kind of stuff. Again, this can be tough also when you're talking about large organizations. A couple of the organizations that I was doing testing with, they have very large call centers. Is it likely that somebody in one call center in one state is going to know another person in another call center in another state? Probably not very likely. But this also kind of begets the next point: this is why it's important to have verification processes in place, right? So if I say, oh yes, well that's funny, it's been happening to me all day too, I'm Bob, I'm over in BizApps support, you want the person on the other end of the line to say, oh, is that right, Bob? What's your user, what's your account ID again? Hold on, let me look you up in the system so that I can make sure, you know, we have an appropriate conversation about this topic now that we've received a particular call. Yes, right? So you see the hole in that, absolutely, right? Which means you then have to level up, right? This is a cat and mouse game, right? We're just kind of losing it, right?

And once again, that leads to the next bullet point, which is test, test, test, right? Because it's not a specific attack when it comes right down to it. It is a category of attacks. It is just the concept of you could be attacked, you could be a target, right? And the whole concept of dispelling that false sense of security that people walk through life with, right? We've got to ingrain that through multiple examples, so that people just start having that kind of feeling of, this is kind of sounding a little weird, this is a little sketchy to me, right? And they start getting that feeling, and then they report it, and they're rewarded for that.

And let's be honest, this is exactly why we do this type of thing in a contest, right? Because what would somebody in your organization give away? What would somebody tell somebody on the other end of the phone, if the person on the
other end of the phone sounded exactly like them was having the same problem they could empathize with they knew the verbiage they knew the lingo they knew the process I mean for all intensive purposes you know again they already have all of the information so this is exactly why we do this in a contest this is exactly why we do these things in social engineering engagement because again what would really be exposed if you don't know what your employees or if your clients don't know and understand what their employees are willing to give away the moment they believe somebody on the other end of the line that's it yeah so um so that's what we got I appreciate your attention thank you John questions I believe just a few minutes yeah yes right over here yeah that's a great question so when you were doing this three-way calling right were you actually spoofing on both are you talking about when Taylor was doing it or with me yes yeah yeah I was I was using a service that spoofed the number so that when I was calling the number was identical to the number that I was calling so it looked like the number was being placed to and from the same telephone number yeah that's a great question any other questions what did the client say um yeah they were a little the question was what was my client's reaction to this um well yeah he um like so what do we really do about this and I mean it was a long conversation about how to mitigate this risk because it was almost like every suggestion that just kind of popped in my head he was like yeah I don't think that's going to work because of this oh my gosh yeah it's a big challenge for sure um other questions anybody oh yes sir if that's the way you can do it customize training or the best way you can okay organization right so yeah what are the best ways you cut okay so this kind of um refers back to Kate's talk as well uh which I'm sure was recorded so you can watch it later yeah yeah um to be honest uh I think that you start with a 
good platform right like um some some of those that she mentioned the the know before is an official or whatever but you've got to realize that um that those platforms are good and they will help you uh to increase efficiency of the program but not necessarily effectiveness so that um you can leverage that automation to then take all that time you saved because you automated the basic awareness you take that time that you saved and that money you saved and you pour it into customize whether it be face-to-face or online interactive um training that is truly customized not only to the organization but the role that people are playing and test I'm not a similar answer to that as well and that's also that you need to train people to be suspicious right so ultimately that's a big part of this is anytime somebody's asking for information that they should already have again this is almost kind of the oxymoron in the scenario is when somebody calls and they appear to be from the same company are they asking of what operating system I'm using and what service pack in a sense ironically I kind of trust them more because again they've identified themselves as being another employee they've used the lingo why wouldn't they be telling the truth but we have to kind of train people to be at least suspect this actually goes back to Hannah's talk yesterday she was talking about memes right and why is it that people they want to know you know what month they were born in and the street that they lived on in order to determine you should be suspect of that right when somebody asks for that type of information your client should say huh why why should I be providing this information to the caller on the other end of the line and that's something you can't train you know technically it's not the details it's the process the process right and I know the military has that term situational awareness right does does the question you're being asked really and truly fit the situation you're 
in right well maybe not right yeah how do you stop complacency you know okay get out of my brain you're you're like this is my next thought so um because the other the other side of that as well is something that Chris Chris had nagging preaches all the time is making sure that employees understand the value of the information that they have in their brains right because complacency is you know well is it really that important that you know that I know the name of our internal ticketing system you know because they deal with it every day and they just don't see the importance and part of that education and awareness is the fact that yes that is important information you are important as an employee you have sensitive information that is valuable to an attacker so we're relying on you to protect that it's dangerous you know we need your help your value I would also say early detection because part of what creates complacency was I did 82 calls right so the employees they weren't complacent on call 3 they were actually still suspect it was called 19 and called 23 and call 25 were finally the reps were like good god this can't be a scam I've talked to 7 people in my own team so who's this other guy Bob right so again complacency complacency comes because by not having early detection or by not having processes in place we're able to do this enough times to where it's just too believable yeah get off my call I'll give you my password keep calling alright question back here okay so the question is obviously we're making a lot of calls and we're tying up time of these customer service agents and so did that impact the productivity of the company and yeah you're right it does but that's that gets into the project management aspect of you know penetration testing that there's always and you want to make sure the client understands what's going to happen as much as you can I mean you can't predict everything but just like you know when we do you know technical penetration 
testing we make sure that the client understands that there's always a chance that we might down a box right and I usually use the example of you know if they've got an AIX box or an old Solaris box or 8 bucks you know if you if it's that important to you that that box not suffer any degradation then let's leave it out of scope right I'll also add that you know I made every effort to do this in a very ethical manner because my objective was not to compromise these companies it was really to vet this idea so I did this across the span of a relatively I don't want to say long period of time but this was across multiple days and I did make every effort not to keep reps on the phone and then the other thing is I didn't ask anybody to do anything I did on a couple of occasions just interject a little bit I did pop in to you know convince somebody again but for the most part my objective was how can I get these people talking and you know how many calls will it take before their guards are let down I will say one of the calls became a rather long call on one of the one of the pairs of people that I matched together they happen to be assistants to executives at this particular organization and they sat on the phone for almost 45 minutes discussing plans for the Christmas party and locations of travel for these particular executives so admittedly that was rather revealing information it's also why you don't get to hear the calls here today but then again that was probably pretty productive for them they were coordinating the Christmas party that's important stuff exactly I know exactly what Susan was going to be taking to that party so you know ultimately again my objective during the research phase was to try to do this as responsibly as I could considering that this wasn't an engagement you know research phase and I was trying to operate both of them legal limits but again my objective wasn't to hurt but to again demonstrate does this work and I think across the sequence 
of calls that I did before this became a strategic process conclusively yes absolutely absolutely so I think we have time for one last question right up here in front yeah yes that is a very good question in fact so the question was does a lot depend on the nature of their hunt group how their hunt group worked in fact a subsequent engagement they had this menu system and you had to navigate the menu system before it even got into the hunt group and then there would be hold music so you got to kind of picture this as you're making two phone calls simultaneously right it's also partly skill I just connected a couple of reps together manually and had success on a couple of occasions too so when the phone system didn't work for me I just dialed people direct right so but there were several situations where one rep would answer while the other call was still playing hold music and so I could hear them right and they would say hello thank you for calling blah blah blah on the other hand you know there's music playing so I would have to interject hello hello and just so that they would know someone else until the hold music stopped and the other agent answered right so there is a little finagling to do but anyway good question thank you again appreciate it