Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Joshua Schmidt (00:04):
Welcome to The Audit, presented by IT Audit Labs.
I'm Joshua Schmidt, your co-host and producer.
We have Eric Brown and Nick Mellem from IT Audit Labs, and we're joined today by Alethe Denis from Bishop Fox.
Alethe is quite prolific with her social engineering skills and pen testing, so that's what we're going to focus on today with her.
Welcome to the show, Alethe.
Thanks for joining us.
Alethe Denis (00:22):
Yeah, thanks so much for having me.
It's a pleasure.
Joshua Schmidt (00:25):
Yeah, let's jump right into it here with an icebreaker question.
I'll have Eric start, so you can think about it for a second.
But who is your favorite action character or spy movie hero?
Eric Brown (00:37):
I got to go with James Bond, yeah, and the original James Bond, Sean Connery.
Nick Mellem (00:42):
Like Thunderball and those from the 70s. I had a tough choice a little bit for this one, and I like how Eric brought up James Bond with Sean Connery because he's just classic in Indiana Jones, so that was a close one, but I have to go with John Wick. John Wick.
Joshua Schmidt (01:00):
Yeah, I still haven't seen John Wick 4, but one of my favorite spy movies is Burn After Reading, which is a comedy by the Coen brothers, who are out of Minnesota here, the Minnesota guys, but Brad Pitt, George Clooney, pretty funny movie.
How about you, Alethe?
Do you have a favorite spy?
Alethe Denis (01:17):
Man, that is a tough one.
You guys came way more prepared than I did for this question.
Nick Mellem (01:22):
He's feverishly Googling for this question.
Alethe Denis (01:27):
I'm feverishly Googling.
I am feverishly looking up options because I've drawn the biggest blank and I'm trying to figure out, like, where do I go with this?
I love James Bond, so I love that.
But I always go back to, like, Roger Moore as the original James Bond.
He is by far my favorite.
But if I had to say, like, spy movies, and going back to, like,
(01:51):
spies that have influenced me, I would say, like, Mr. and Mrs. Smith.
And Angelina Jolie in that role was just phenomenal and so very entertaining, just so enthusiastic in her portrayal of that character.
It was just a lot of fun to watch.
Joshua Schmidt (02:09):
I saw that at a drive-in movie theater, fun fact.
So we still have one of those here in Minnesota.
Yeah, well, we'll jump right into talking about.
You won the DEF CON Black Badge Social Engineering Capture the Flag competition in 2019.
Can you share how that experience shaped your career or inspired you to pursue pen testing?
And maybe you were doing it before then, but maybe you could
(02:29):
give us a little overview of how you became a social engineer?
Alethe Denis (02:33):
Yeah, absolutely.
So I was doing social engineering without knowing what it was, or using those skills outside of the information security universe.
And I found DEF CON kind of later on in life, and I discovered the social engineering village and the
(02:55):
competition, the Social Engineering Capture the Flag, where, to put it briefly, they throw you into a soundproof booth and you are tasked with finding information ahead of the competition on a target company that you're assigned, and you have to find the phone numbers and come up with a compelling pretext in order to elicit specific items of information
(03:18):
from the people that you are calling.
And you have 20 minutes, and it's timed, and you're in front of an audience on a stage.
It's like the most insane scenario, but that looked to me like the most terrifying thing.
But I also felt like it would be a really great challenge for me to overcome a lot of social anxiety, and so I thought, why
(03:39):
not?
I'll apply, they'll never pick me.
They picked me.
And then I was like, oh no.
So I went to compete in that competition twice.
The first year I ended up in sixth place out of 14 contestants and I thought, oh, I might actually be okay at this.
And so the second year, when I came back to compete, I won the
(04:01):
contest and DEF CON bestowed upon me a seat in their Black Badge Hall of Fame.
After that, I gained a little notoriety for my efforts in social engineering and I decided that I may have a career in information security, doing social engineering, and at the
(04:22):
time I thought social engineering was a job.
It's not really a job.
Like, you can't find a job title called social engineering anywhere.
It's actually a really incredible skill that you can use in a variety of different industries doing a ton of different jobs, and prior to that I'd been using it in competitive intelligence and doing research and other
(04:47):
non-information security type roles.
So I was able to transition a lot of those skills and my experience in consulting into information security and I made that leap in 2020.
And I've been operating in the consulting side of information security since then, doing assessments focusing on social
(05:08):
engineering, but now in the assistance of the red team and furthering their activities during red team engagements.
Eric Brown (05:18):
What is competitive
intelligence?
Alethe Denis (05:37):
Essentially, gaining information on competing companies in your industry, to learn from them and do something different so that we can compete and have something more appealing to our target demographic, or go after a different target demographic, a different sector of the market, so to speak, when we're positioning our products.
Eric Brown (05:58):
And when you started to go down the DEF CON path, even before you competed on stage at DEF CON, did you have to enter regional competitions to kind of be able to even compete at DEF CON?
Alethe Denis (06:15):
So funny story.
There aren't really any qualifiers when it comes to the Social Engineering Capture the Flag.
It was something that I had watched at DEF CON a few years in a row and just been fascinated, thought there was no way that that was something I could ever do myself.
And then one year I just figured, hey, why not?
I'll apply.
And I honestly did not think that they would select me.
(06:38):
There were a lot of really wonderful, talented competitors, contestants that I'd seen in previous years, and I thought, with only 14 seats, it was highly unlikely that I would be selected.
But I submitted an application.
They asked me to submit a video essentially selling my
(07:00):
personality, and, if we're being honest, this competition is sort of like the circus act that gets folks into that village at DEF CON so that we can all talk about social engineering and raise awareness for that attack vector in general.
So I was able to compete at DEF CON doing social engineering
(07:21):
and I made my very first social engineering voice phishing call live in front of hundreds of hackers on a stage in a soundproof booth in that village.
Wow.
Nick Mellem (07:33):
Talk about throwing yourself into the deep end.
Alethe Denis (07:35):
Yeah, it was a little intimidating.
Nick Mellem (07:37):
So you're OG.
Alethe Denis (07:38):
I'm OG, yeah. I'm also very old and crusty.
I'm very thrilled to see new energy injected into that space, and I've also met in attacks that are being perpetrated not
(08:15):
just by the most basic spray and pray type scammy campaigns, but in the more advanced ones that are going after things like the large casinos and giant corporations.
Nick Mellem (08:29):
I'm always curious when I talk to other people that are deep into social engineering.
Like, how do you prepare, you know, for an engagement?
Is there a list of things that you're checking off before you get to that engagement?
Is there a backpack of items you bring, maybe something that helps you with your social anxiety?
Like, is there a couple different tools?
It's like, I can't go to this engagement without that.
Alethe Denis (08:51):
So it is true I have like a ton of social anxiety just in general.
I have ADHD, and my baseline is filled with a lot of anxiety, so I tend to
(09:13):
over-prepare and I tend to spend a lot of time coming up with pretexts.
I typically base those pretexts on the research that I do when I do open source intelligence gathering against the target company and their employees.
I try to find information about the specific job functions that I'm going to be targeting, what their processes are like, who their people are.
I agonize over the smallest details and just try to have a
(09:35):
lot of backstory.
In the event that I am challenged or the people that I'm speaking to have objections, I want to be as casual and make my answers seem as organic as possible.
So just being over-prepared is the first and most important thing, having answers for those challenges that seem like me
(09:58):
recalling things from memory versus making things up on the spot.
I want to look like a good liar.
But as far as physical engagements, which are by far my favorite, I do not like to have fidgety items or pens, click pens, in my hand or anything like that, because it's going to make me look
(10:20):
suspicious.
So I try not to do that.
But I will do things like hold clipboards or something to keep my hands busy, so I can add an extra layer of authenticity to the pretext in the prop, but also so I can add some stability to my presentation of myself to the person.
Nick Mellem (10:44):
You wouldn't believe how far you could get with just a clipboard.
We did an engagement, this is a little while back, but our whole thing was at this organization, big building.
But we went in with fire department polos on and a clipboard, and we just acted like we were checking the fire extinguishers, and not a single person questioned us.
(11:07):
No problems, got everything we needed, got a Shark Jack in and we did all our fun stuff and we got out.
So yeah, just your nod to a clipboard, it's.
Alethe Denis (11:16):
It's amazing how easy it can be with that. I have a van. Yeah, I have a white, nondescript, technician-type-looking van. It's full of ladders and DeWalt tools and all kinds of things that I can use for props. Yeah, it's a little ridiculous, but a ladder just in general.
(11:40):
Nobody just carries a ladder into a building.
Eric Brown (11:43):
Have you ever gotten just totally busted?
Oh yeah? Then what did you do?
Alethe Denis (11:50):
Oh man.
So there is a very fine line to walk with clients, and sometimes, you know, you have to be collaborative, you have to be communicative.
They need to know when you're going to be on site, they need to issue you letters to authorize the test, and
(12:10):
sometimes information is leaked in organizations and you can't control that.
Very unfortunately, sometimes this information that is leaked can invalidate the test, and what does that mean?
That means the clients can cheat, and so this information can be disseminated to the very people that you are attempting to test, and usually I can tell if they're expecting me, in big
(12:33):
quotes, and in some situations it's a little harder to tell, so I never know, when I am, quote, busted, if they knew I was coming or not.
And there was one situation where I had attempted to get an individual who worked for my target company, my client, to
(12:55):
scan their badge in order to let me go through a revolving badge door, because we were not allowed to use any badge cloning or any, you know, hacker stuff, I'm redacting bad words, in order to get into the building, and
(13:16):
so we had to rely solely on social engineering in order to convince the employees to take pity on us and help us and get into the building.
And so I was trying to convince an employee to scan their badge, let me go through, and then they would be able to scan their badge for themselves to get into the building.
And this employee was so close, inches from, you know, their
(13:38):
empathy enabling them to be influenced to help me.
They looked through the building glass of the doors and saw a security guard, thought better of it, backed out and kind of told me, you know, I think you should go talk to security.
And I was like, ah, and so I was like, yeah, no problem, I'll just walk around the front of the building and go talk to
(14:00):
reception.
I had no intention of doing that.
I was going to run away.
So I casually started to walk away.
I was going to go walk the quarter of a mile around this giant building to the front, and the security guard comes out of the building and motions for me to come back to where they're standing.
And I was like, this person is literally open carrying a firearm.
You don't say no.
Joshua Schmidt (14:22):
Maybe we could take a little round robin and talk about some social engineering and pen testing experience stories.
But just to back it up for our listeners that are a little more average, like myself, what is social engineering or pen testing and how is it relevant to security in an organization?
Kind of just the big picture.
How does that fit into the infosec world?
Eric Brown (14:43):
Well, I do have a good story. And does it involve umbral shorts? This one does not, but it involves you, Nick, and I hope you don't mind.
Oh, not at all.
Not at all, please.
It also involves Wild West Hackin' Fest.
Nick Mellem (15:01):
Oh yes, I know exactly where this is going.
Eric Brown (15:05):
I know you were there last summer.
Were you there for a couple of days, Alethe?
Alethe Denis (15:09):
Yeah, I was just there for the conference itself.
I arrived after the training.
Eric Brown (15:14):
Okay, so you're familiar with the steak dinner night? Here we go, here we go. Yes.
Nick Mellem (15:22):
It's just a setup.
This isn't even.
Eric Brown (15:25):
For those who haven't been there, the steak dinner night.
It comes as part of your ticket.
You get access to have a steak dinner, and essentially you're standing in a really long line, DEF CON-esque line, to get your steak dinner, which some of us on the team, Alethe, are vegetarian, myself, Nick is not, and so Nick and a couple other
(15:50):
folks from the team are in line and apparently maybe not real happy with the size of the piece of meat that was offered to them.
So what Wild West Hackin' Fest and Black Hills was doing was, if you're a vegetarian, then they give you vouchers to go to the
(16:11):
restaurant downstairs.
So, you know, I've got my voucher, I'm going down to the restaurant there.
And so then Nick was like, well, you know, maybe I'll pretend I'm vegetarian too and get the voucher.
Nick Mellem (16:28):
I'm going to have to redact this story.
Joshua Schmidt (16:29):
I'm cutting this story out in post-production.
Eric Brown (16:33):
After this we had to promote Nick to management because he had failed this M-Test.
He couldn't even get a voucher for the restaurant downstairs.
Nick Mellem (16:47):
They didn't believe he was a vegetarian. I think I'll have to leave this one alone, but it was a total setup, total sabotage.
We'll leave it alone. Client cheated. Thank you for having my back, Alethe, but actually, staying on the note of Wild West, is where I first saw you.
We were all gathered around listening to your stories and
(17:08):
the good ones and the ones that you failed, being very transparent, and I think that's something I really appreciated, hearing that sometimes it doesn't go the way you planned, even though you could have spent weeks or however much time planning it out, because I feel like I would do the same thing.
You know, you make that laundry list of what could go right,
(17:28):
what could go wrong, what if he's sitting at the desk, what if he's not sitting at the desk?
Or what, you know, so you think about these scenarios.
Sometimes maybe being over-prepared is bad, because then you're not on your feet.
Alethe Denis (17:40):
If you over-script it or you're over-dependent on your script of the situation, it will always lead to a tough, tough, tough situation for you, because then you can't really pivot.
You can't predict who you're going to run into or how they're going to react, what escalation pathway they're going to take if they challenge you, right, it can lead to freezing up, just
(18:03):
the deer in headlights, which is just the worst.
Nick Mellem (18:06):
Absolutely.
And I guess, do you ever work with multiple people?
Do you go, or do you like to do these by yourself?
Well, there you go.
Alethe Denis (18:15):
Usually it's me and one other person on these engagements, to make sure that the pretexts fit and suit our own natural personalities and particular set of skills, so to speak.
Because if you are comfortable and confident in the pretext
(18:40):
then you'll be a lot more capable when it comes to pivoting in the moment.
So, for example, if you have a very robust IT background, then going in as an IT person that's potentially part of their vendor IT or MSP may make sense.
(19:01):
If you used to work for a company that did HVAC, then hey, maybe you can draw on that skill from back when you were in, you know, earlier parts of your career to position yourself as maybe somebody that's out there to work on the HVAC system
(19:23):
or something like that.
And so we try to take that stuff into consideration also when we're developing pretexts, and it's sort of like acting, you know, you want somebody who's got experience in that type of role, and that's why you see the same actors over and over and over as FBI agents in like every movie, TV show or other type of thing, and it's because they've got that experience and
(19:44):
they carry that type of persona really well.
For me, I usually have to take into consideration unconscious bias, which I think is also a really fun angle when we're talking about social engineering, and it's also something that was brought up quite a bit in the comments section of a recent
(20:05):
article that was written about some of the stories that I shared at Wild West Hackin' Fest, and it's like, well, she's only successful because she doesn't look like a pen tester, and I'm like, what?
Joshua Schmidt (20:18):
What does a pen tester look like?
Alethe Denis (20:19):
Can you paint me a picture?
Go for it.
I'd love to see you walk into this one, but it's tough for me to try to create pretexts for everyone on the team that make sense for them.
So I try to focus on enhancing pretexts for myself
(20:42):
and using that unconscious bias to my advantage.
Nick Mellem (20:48):
I learned that same thing very early on in my social engineering career, of play to your strengths, right, the easy ones that you're saying.
Right, you might not look like a fire marshal. Well, we had an engagement at a hospital and we were cloning badges, and first off we went to the cafeteria, and after we completed that we did clone roughly 12 badges, so fast-forwarding past that.
(21:10):
The next day we went back to try to do more infiltration, see where we could get with the badges.
And my female counterpart, she dressed up as a nurse, whereas I probably wouldn't have looked like a nurse.
So, you know, she did that and we were able to get so much further because nobody questioned her.
So we played off each other's strengths and I did other things
(21:33):
like a delivery guy, right, get that UPS outfit, or a maintenance guy or something like that where she would not have.
You know, you see a smaller woman come in.
Not that they can't do this, but they're probably not going to be doing heavy mechanic maintenance on an AC unit up on top of the roof or something.
So absolutely, totally agree, that's something I learned early
(21:54):
on.
Again, I want to go back to Wild West real quick, and the only reason is because, you know, you mentioned before that you do a lot of training.
Also, I think you worked with the Department of Defense a lot.
Obviously, we heard you speak at Wild West and then also this
(22:14):
breaches into after these engagements are done.
Do you, you know, are you doing a lot of follow-up training, follow-on for organizations?
If you are successful, you know, what does that look like?
Alethe Denis (22:22):
We are very specialized in the types of social engineering that we're doing.
You know what that looks like, attacks using social engineering in the context of that red team style attack
(22:47):
rather than in the support of a social engineering security awareness type exercise.
Nick Mellem (22:55):
Well, especially with social engineering, it's widely overlooked, right.
A lot of organizations, they don't even know they need to do it until a breach happens, right?
We don't want to get to that point.
So the outreach, teaching people beforehand, right, is how we would love to see it happen.
It doesn't always work that way.
So, and funny enough, this happened to me at an organization yesterday where we had a real-world phishing
(23:16):
attempt where they got an email, and all of us on the call, you look at this email and you don't even read a single letter or anything on this page and you know it's fake.
Yeah, exactly, this person did click.
They called the number from the PayPal receipt.
After clicking, got connected to the machine.
(23:38):
Luckily, CrowdStrike knocked it out right away and we were able to isolate the machine.
But I just bring it up because, you know, we love social engineering and it's not talked about enough.
So, again, kudos to you for speaking at like Wild West and things like that, because all these people know about it, but we want to continue.
Alethe Denis (23:59):
I find that, like, in our industry, we're all sick of hearing about it.
We're like, oh please, social engineering, please stop, I don't want to hear about it anymore.
Like, there's so many talks about social engineering, there's so many social engineers, like, it's enough, like, let's hear about, like, the real hacking.
And so I hear that a lot.
But I still walk into rooms and, you know, I'm a member of
(24:21):
InfraGard and I will walk into their symposium every year and I go, who's heard the term social engineering?
And still not many hands go up in the room, and we're talking about people who are in charge of critical infrastructure in our local,
(24:43):
you know, cities, counties and government, as well as private companies that do agriculture.
They're in charge of our food, they're in charge of things like, you know, our water and every other thing that's very important to keeping our society going.
So I think that it is important that we continue to talk about
(25:04):
it and that others continue to talk about it in places within our community and outside of information security, at other conferences and in the media.
Eric Brown (25:15):
You know, what you say there about just the general awareness is interesting, and I equate it to still being able to walk into a room and talk about the Pineapple, and even though the Pineapple has been around, I don't know, 15 plus years, but show people how it works and it's still like mind blown of
(25:38):
something that's been around for so long and probably isn't even a viable attack path anymore.
It's still interesting, where you kind of just step outside of security a little bit and you're not involved in it from the day-to-day perspective, that there's all this stuff going on in the real world that people really aren't aware of, all of
(26:00):
the things that could happen to them.
Alethe Denis (26:03):
Right, I mean, well, and you mentioned the Pineapple.
But this last week I had a client employee tell me that they had just recently gotten in trouble for plugging USBs into computers.
But of course I could plug my USB into their printer and print
(26:26):
something, no problem.
And you know what this is.
And you know what this is.
Nick Mellem (26:30):
Funny how that works.
Alethe Denis (26:32):
This is very much a Rubber Ducky.
Nick Mellem (26:36):
I'm glad you brought up the Rubber Ducky, just because one of the questions I did want to ask is, are there tools that you prefer over others, or do you bring many tools, so, you know, different events, or if you're able to speak to one tool that's kind of your favorite, that'd be fine.
But I'm just curious what you use.
Alethe Denis (26:53):
I typically love the Rubber Ducky because they're very small and I can carry a bunch of them and then just opportunistically put those places if I'm especially in a big office.
I also love the O.MG cables because they look so close to the real thing that we can swap out the actual charging cables
(27:19):
for employees, especially in office buildings where there's like bazillions of cubicles and things.
We can, like, take their cables and leave ours, and see if they'll allow us to compromise their things.
Anyway, I know we're horrible people.
And then, on and above that, there's like some other devices that we can use in more niche types of situations, and
(27:42):
sometimes we create these situations just so that we can use the fun stuff.
But there was an engagement where I was able to propose the use of the Screen Crab recently, and I just love the Screen Crab because it's just like such a silly device, but it can be used in very compelling ways.
(28:02):
And so the Hak5 Screen Crab, what it does is it sits in line between a device and a monitor, and it has the ability to capture images that are being sent from that device through the HDMI cable to the monitor.
So it'll take screenshots, and so we set a goal of placing this
(28:27):
device between the client's conferencing software and the monitor that was displaying their video conferences in their conference room, and we were 100% able to infiltrate the office, gain access to the conference room, implant that
(28:47):
Screen Crab, get power off the TV and then have it come up.
It connected to their corporate Wi-Fi network using credentials that we found in the trash, and then we were able to exfiltrate the screenshots of their meetings out over their wireless network for the rest of the week, sensitive data from their
(29:11):
meetings.
Eric Brown (29:12):
That's awesome.
Alethe Denis (29:13):
They were thrilled that we were able to, because it gave them the ammunition, so to speak, to convince the executives to allow them to advance the security around these networks at that client and make the networks and the policies and procedures more secure at the client.
(29:34):
Eric Brown (29:35):
And, you know, as I think about these tools and the innovations that we're seeing in the general marketplace, it's always fascinating to me to think about, like, well, you know, these things were probably used in the 80s by the CIA and other government-sponsored spy organizations, right?
So 40 years from now, it's going to be really exciting to see
(29:58):
some of the tools, like where they're listening to the vibrations on glass with lasers to be able to hear conversations, and, you know, all sorts of stuff.
That's really hard to comprehend, but it does get down to the basics of helping organizations understand where their security posture is, and certainly if you're involved
(30:21):
with critical infrastructure.
However, if it's anything from trash handling to water, sewer, transportation, any of the sectors involved in critical infrastructure, and I think there's like 16, rest assured, nation state is interested in what it is that you're doing.
(30:43):
And if nation state took enough of an interest in your environment, they're going to bring to bear things that you haven't even seen yet, zero days and whatnot.
So having the discipline to prepare, test and continually
(31:06):
improve the security in your environment is really important.
So that's a great story to share.
Just that, you know, the customer was that engaged and they wanted to bring that forward, because that's absolutely relevant for certain industries.
Alethe Denis (31:23):
Yeah, I'd like to jump in here. Go ahead.
I often compare myself to, like, the anger translator for the security team, and I don't know why, but typically executives will believe consultants, but they won't believe their own employees, and so I find tremendous joy in being able to
(31:45):
deliver them what they need.
Joshua Schmidt (31:48):
Employees are often the target of malicious actors inside organizations.
What strategies or methods do you use to kind of prepare or train people to combat that threat?
Eric Brown (32:00):
I like to just start with the basics of lock your credit.
If you don't remember anything else that I said, lock your credit, and do that for your children, your loved ones, help your family members, your friends, whatever, because that malicious actor can't open credit in your name.
That's going to save you a lot of headache down the road and
(32:21):
just make you a little bit more secure.
And then, you know, from there we can go into password managers and other things.
But I think it's just continual basic information that you can build upon and help people just be better stewards of their own information.
Nick Mellem (32:37):
Yeah, I mean, if we're working with specific organizations, you know, I think a lot of times we start, or want to start, by pulling back the hood a little bit, we want to see what they're already doing, right, and then we can improve on that, right, provide education and training on what they're already doing, right.
You know, and a lot of times that will help an organization because you have wide knowledge gaps between
(33:00):
different people, right, you're gonna have some that know, you know, don't click on that email like we had yesterday, and some that don't, right?
So I think we can lean into that, you know, figure out a good starting point, a good baseline, and then provide education on what they're doing well and then move to what we're maybe not doing so well. The three strikes you're out for a phishing email, it's good because it can educate us on a
(33:23):
specific user, but it doesn't necessarily help users that are maybe.
So, a lot of times in organizations that I work with closely, almost daily, we like to push for more in-person training, a little bit more talking head to show what we're seeing.
So we're being transparent.
There's a lot of things we could touch on, but those are a
(33:44):
few.
Joshua Schmidt (33:45):
So, Alethe, it's your job to kind of know that about organizations and then kind of work around it and poke holes in that.
Are there tactics that you've seen that have been effective when you reach an organization to do a pen test and you go, oh, they really have their stuff together?
Or you shared a story with me a couple of days ago about people that, other than whispers around the water cooler about,
(34:06):
hey, there's a pen tester coming in on Friday, what have you seen that's effective in kind of stopping those threat actors?
Alethe Denis (34:14):
Same company.
I was tasked with sending them a phishing email the week prior to try to elicit that Wi-Fi guest network password, and I spent a lot of time learning about their, you know, building landlord property management company and creating a
(34:36):
fabricated multi-level thread of emails between this fictitious person at the property management company and a technician that was coming on site.
It was a very compelling email, in my opinion.
They received the email and they immediately routed it to the correct person who handled these types of requests.
(34:57):
That person immediately responded and said, you're not the person that I deal with at this property management company, can you elaborate?
And then they routed it to the IT and security person at the company, and that was exactly the right thing to do.
I was horrified.
(35:17):
I was terrified that I was going to get, you know, filleted when I went to do the onsite physical the following week, and so what I learned from that is, when the employees of our client organizations follow the proper procedure, nine times out of 10
(35:41):
they will block me from being successful, and the only chance that I have as an attacker against that is if I can somehow distract them or compel them to ignore that procedure, and so, where companies can ensure that they don't fall victim to social
(36:06):
engineering is training employees to stick to that process and procedure and to follow the company policies around authentication and verification, specifically.
Because the second that an employee starts asking questions, I know I am toast.
(36:28):
That's great.
Joshua Schmidt (36:29):
So we have talked quite thoroughly at this point about, you know, actual physical penetration tests and things like that.
Um, now it's kind of moving over to some deep fakes.
We know phishing's been around for as long as email's been around, but, um, what do you see the new threat landscape and how that's emerging?
Um, and are you using any of those tools, uh, to do virtual pen testing and things like that?
Alethe Denis (36:53):
Um, instead of actually showing up and trying to get past my, I have the cat that ate the bird grin on my face, because I've always said that the IT guy is like the Nigerian prince of voice phishing pretexts and, you know, it's just like the tried and true voice phishing pretext.
When it comes to red teaming in particular, I find most red teamers will fall back on that.
Well, I'm just the IT guy and I'll just call them and tell them to give me their password, or some such, you know, reformation of that pretext.
And so, with the ability for us to create these very compelling audio and now video and audio deep fakes at Bishop Fox, we've been able to create real time deep fakes that we can use in the context of social engineering in our red team engagements, and it has taken things to a completely new and amazing place when it comes to our red team assessments and the engagements that we're performing right now.
This is something that I don't know where it's going, but it's going there really fast.
There are a lot of organizations that are attempting to make this something, you know, ready to go out of the box, tool wise, and that's really exciting to see things recently that are making this much more accessible to just the general public, as well as other teams that want to utilize this in the context of testing.
But what we're doing right now actually enables us to make a phone call and use essentially what amounts to a voice changer to transform our voice into our client employee's voice in real time and have a conversation with another employee at the organization as if we are that person.
And it is compelling, believable and very realistic, and terrifying how realistic.
Nick Mellem (39:18):
We're getting pulled into the future real fast and furious and there's not much we can do about that, but it's really cool to hear you guys are using that technology.
So, as we look towards the future, 2025, it's a new year.
Joshua Schmidt (39:29):
Are there any plans to be at Wild West Hackin' Fest this year or any conferences coming up?
Alethe Denis (39:33):
Yeah, so I have some fun conferences happening.
I will be presenting a keynote at CactusCon in February.
I'll also be presenting a keynote at the Layer 8 conference, which is a conference focused on open source intelligence gathering and social engineering, in Boston in June.
And then I still have some spots open on my dance card but I'm looking to fill those out for the remainder of the year.
I will absolutely be at DEF CON supporting the DEF CON group's board and in the community there at DEF CON as well.
But, yeah, still trying to figure out some other conference appearances, so we'll see how things work out.
Joshua Schmidt (40:23):
Thanks so much, Alethe, for your time today.
It's been really interesting hearing about your experience and some of your fun stories, and thanks for taking the time to chat with IT Audit Labs today.
Anyone have any final questions or thoughts before we sign off for the day?
Eric Brown (40:37):
Yeah, I would just say, Alethe, if you're ever in the Minneapolis area, hit us up and maybe we can figure out how to socially engineer Nick a vegetarian meal.
Alethe Denis (40:51):
Thank you so much for having me.
It was wonderful to chat.
I really enjoyed the conversation.
Joshua Schmidt (40:56):
Absolutely.
You've been listening to the Audit presented by IT Audit Labs.
My name is Joshua Schmidt, your co-host and producer.
Today we've had Eric Brown, Managing Director, and Nick Mellem, and we've been joined by Alethe Denis from Bishop Fox.
Thanks so much, Alethe.
Please like, share and subscribe.
We have episodes coming on every other week so you can find us wherever you source your cybersecurity infotainment.
Check us out.
Talk to you soon.
Eric Brown (41:20):
You have been listening to the Audit presented by IT Audit Labs.
We are experts at assessing risk and compliance, while providing administrative and technical controls to improve our clients' data security.
Our threat assessments find the soft spots before the bad guys do, identifying likelihood and impact.
Or all our security control assessments rank the level of maturity relative to the size of your organization.
Thanks to our devoted listeners and followers, as well as our producer, Joshua J Schmidt, and our audio video editor, Cameron Hill, you can stay up to date on the latest cybersecurity topics by giving us a like and a follow on our socials and subscribing to this podcast on Apple, Spotify or wherever you source your security content.