I have always been interested in the offensive security field and its benefits to businesses and people. I believe that sometimes, people don’t understand a threat unless it has directly affected them or someone they know. I was recently promoted to the position of Cyber Security Specialist at Twinstate Technologies®, but more notably, am known as the Social Engineering Technician and Wireless Penetration Tester. As a key member of the Red Team here at Twinstate, I couldn’t have been more excited to travel to Las Vegas and attend my very first Def Con.
My Def Con experience this year began with attendance to the Social Engineering Village. Because we support many small businesses, I felt that it was important to focus on social engineering for it may become the area that affects small businesses most frequently. My favorite portions of the Village were the contests, both Capture the Flag (CTF) events, and the speeches I was able to attend.
The CTF this year was a live phishing call by contestants against gaming industry companies (Rockstar, Nintendo, EA Games, etc.). The contestants had to call these companies and try to get specific information from whichever person or department they decided to target with a call. Ahead of the call, the contestants were asked to perform Open Source Intelligence Gathering (OSINT) on the companies to develop a plan for their calls. It was fascinating to see what an attacker would go through to try to obtain information about an organization or company.
For example, one contestant successfully posed as an external company representative who was supposedly scheduled to perform awareness training. Through this contestants OSINT, they were able to identify the person in charge of coordination of trainings at the targeted company. By referencing a known person related to what the contestant was talking about, the contestant was able to gather almost all flags (contest oriented information) in the competition from the company’s IT department. This could be a huge risk for this company. However, it is important to note that the information gathered is not necessarily critical information, but still is information that should not have been released.
I had the opportunity to listen to Jayson Street, InfoSec Ranger at Pwnie Express and CEO of Stratagem1 Solutions; and Billy Boatright, a Flair Bartender’s Award winner. Jayson Street’s speech was directly related to OSINT and information gathering of small businesses. He also gave some tools he uses most frequently in his endeavors. Billy Boatright spoke about a way to make sports an avenue of approach for gaining rapport with any customer. He stated that social engineering uses similar tactics as those in the service industry might in order to get people to not only like you, but trust you. I liked his speech a lot because it had some key elements for connecting with every person, even those who aren’t sports fans.
Next was the Recon Village. The Recon Village was new this year, and I was able to listen to a speech about a new tool in development that could be used for open source intelligence gathering, a tool that allows for online investigations to find relationships between information on the internet.
Overall, the experience of being in a convention center with hackers from all over the world gave me that much more excitment and energy to bring back to my Twinstate team. Being present to see first-hand the new technology and techniques that are being developed today to make an impact on cybersecuirty tomorrow was truly an eye-opening experience.