CGSC On the Road: Top Ten Takeaways from DerbyCon 9 Vishing Panel
Last month, I had the privilege of sitting on a panel at DerbyCon 9 to discuss the differences between vishing in a competitive environment and vishing professionally. The all-star line-up featured Chris Hadnagy, President and CEO of Social-Engineer, Inc., as the moderator, and panelists Alethe Denis, winner of this year’s DEFCON SE CTF; Whitney Maxwell, a professional cyber security consultant and DEFCON 26 winner; and Shelby Dacko and Colin Hadnagy, professional vishers with Social-Engineer, Inc., who literally make hundreds of vishing calls a week. These down-to-earth and savvy experts would have made the panel interesting on their own, but honestly, what made this discussion compelling were the insightful questions asked by the DerbyCon audience.
A lot of ground was covered during the hour-and-a-half panel, but here are my favorite takeaways from the discussion.
1. Recognize the first key difference between vishing professionally and vishing in a CTF competition: Time.
Competitive vishers have three weeks to do Open Source Intelligence (OSINT) research on their target company, but very little time to actually spend on calls with humans. That’s because during a contest, there are literally 20 minutes to make as many calls as you can and capture as many flags as you can. On the other hand, professional vishers have much less time for OSINT research, perhaps only days, but are able to take more time during the call to establish rapport with the target.
Thus, whatever your vishing environment, take advantage of the time you DO have. Alethe mentioned prepping for this year’s contest by calling her target company every week to establish who was most likely to pick up the phone at the time of the contest. On the other hand, if you’re vishing professionally, use that time on the phone to make a connection with the person on the other end of the line. Your questions will then feel more natural. It could be my southern “y’all come back now, here” roots, but forming these connections is something I enjoy, and therefore one of my strengths.
2. Recognize the second key difference between vishing professionally and vishing competitively: The Audience.
Competing in front of an audience is nerve-wracking, to be sure. But it’s also exhilarating. The audience is there supporting you the whole time. If you forget your pretext in the middle of a call, they cringe with you. If you win dozens of flags in a single call, they are cheering you on. If you’re thinking about competing in an SE CTF but are nervous, embrace the discomfort and go for it!
3. Recognize the third key difference between vishing professionally and vishing competitively: The Timer.
Yeah, yeah, yeah. I know my first point was TIME, but I feel like THE TIMER deserves its own point. If you are competing in an SE CTF, watching the clock count down while attempting to capture flags is a rush in itself…and can have surprising effects on contestants. It’s the wild card. If you’ve ever watched The Great British Baking Show, you understand this phenomenon: when time is limited, all of a sudden excellent bakers can’t get their egg whites to form stiff peaks and their pie bottoms are soggy. It’s the same in a CTF competition: that ticking clock can bring out the best in some social engineers, while others fall apart under the pressure.
4. Whether you are vishing competitively or professionally, keep your goal at the forefront.
Colin mentioned that when he first started vishing, it was easy to get lost in the conversation with the target. He’s not alone; having a good rapport with the target is a way to establish trust, and successful vishers often sincerely enjoy listening and speaking to others. However, remember that this isn’t just a conversation. Keep your goals in front of you, even if that means literally writing them down where you can see them.
5. Be mindful of burnout in professional vishing.
Unlike those who only vish competitively, professional vishers, who might make hundreds of calls a week, risk burning out. If you’re considering vishing professionally, acknowledge that these types of calls have both a mental and a physical impact. Personally, I’m always wired after my calls and have to schedule time between calls to shake off that anxious energy. Like Shelby, listen to your body and learn when you need a break. Like Whitney, create ways to separate yourself from your pretext.
6. Both preparation and talent are important.
Some people are simply born with a talent for social engineering. Maybe they are naturally intuitive, or perhaps they are able to slip into roles with ease. While natural talent is helpful, keep in mind that preparation is equally important, and that many of the skills for which some people have a natural aptitude, others can develop with time and practice. Sign up for an improv class or take a social-engineering workshop. Hey, I sometimes even give fake names at Starbucks, just to practice being on the spot. What I’m saying is, get out of your comfort zone!
7. What we do as social engineers is a service to our community.
I don’t mean to suggest that we’re the Avengers or anything, but we’re the good guys. Whether we are making vishing calls in a competition or professionally, ultimately we are helping organizations become more secure and educating both people and businesses on how to protect their data. By being a part of this community, we help advance strategies to defend against criminal hackers with selfish and malicious intent.
You know what? Maybe we are the Avengers after all…
8. We’re at a distinct disadvantage compared to criminal vishers.
Whether competitively or professionally vishing, we follow a code of ethics when making these calls. We don’t use fear-inducing pretexts, like suggesting the target’s social security number has been suspended, in order to manipulate the target into giving us information. We pull our punches and strive to leave the target happy to have had the experience of speaking with us. And yet, even with these limitations, we are often able to infiltrate companies’ systems. Criminal hackers have no such limitations or scruples. Thus, what all of us do as part of the cyber security community is essential.
9. People are learning.
The process might be slow, but people are learning to be more wary about giving out personal data. I can no longer use the pretext of being a dude from the IT department and simply demand the target’s password. Pretexts need to be more subtle today. Still…as we change our behaviors to protect ourselves, criminal hackers learn new strategies of attack. We have to stay vigilant and adapt.
10. Be who you are.
One of the best pieces of advice that came out of the panel (and there were many) is that whether you are vishing in a competition or vishing for a client, find a way to use your particular strengths. As Whitney said, if you are empathetic, be empathetic. If you are a lovable, geeky person, be your lovable, geeky self. While there might be a place for accents and personas, often the most successful vishing calls are the ones where we retain a certain amount of authenticity. And “Be yourself” is pretty good advice no matter what the situation!