Coaching Takeaways from the DEF CON 32 Vishing Competition
After winning the DEF CON 31 Vishing Competition, I was invited back by Social Engineering Community to coach competitors in the next year’s competition–how exciting!
With DEF CON 33 coming up, I thought it would be a good time to finally jot down my thoughts on how coaching went, and how it correlated with overall team performance in the competition.
The Big Numbers
Each of us three coaches offered two 30-minute sessions of coaching to all 14 teams. I did 15 total sessions across 9 teams, and was surprised by a few that either only did sessions with the other coaches, or none at all! I saw the live calls for about half of the teams at DEF CON, and took some notes to correlate with my coaching.
The team that came in first, A Girl Has a Team, had some fantastic calls. They were a team of three with one returning competitor, and their pretexts were expertly tailored to their phone targets–especially a recent hire who was very excited about their new job. It was an impressive combination of OSINT research and vishing planning.
Interestingly, I didn’t have any coaching sessions with this team! I believe A Girl Has a Team had sessions with one or two of the other coaches, and they clearly put in a lot of work. While they didn’t place in the top three for either the OSINT report or vishing plan report, they had the top live call score. This makes sense as it’s where teams had the most opportunity to score points.
Next up was Hall & OSINT in second, a first-time team of one. I didn’t catch their calls, but we did have a coaching session that focused a lot on OSINT. I noted this feeling like a pretty productive session, and the scores would seem to agree! Hall & OSINT placed third in OSINT reports, and tied for first with another team in vishing plan reports. They placed third in live call scores–just one point below the team the next team up.
While there was a fairly large gap between the overall first and second place scores, the difference between second and third places was pretty narrow. Both teams did great!
In third place by that narrow margin was another first-time team, The Brothers Shamus, with a group of three. It’s always interesting to think about team sizes and performance. At DEF CON 30, I came in second as a solo competitor, and then in first at DEF CON 31. I believe going solo was an advantage, as I had everything in my head, and could execute every detail down to perfection (or at least what I considered perfection). On the other hand, having a larger team is helpful to distribute the work on OSINT and the vishing plan!
I also had a single coaching session with The Brothers Shamus. This one was focused on vishing, and wasn’t as packed with questions/discussion as some of my other sessions, so it felt moderately productive. Like the first place team, they didn’t place in the top three for either OSINT or vishing plan reports, but they had the second highest live call score, which was enough to land them third place overall.
Their placement was no surprise to me, as I noted their live calls going really well! Their first call was very productive, but their target was driving and away from their computer, so they might have been limited in the points they were able to score.
The Other Numbers
I still had some great coaching sessions with teams beyond the top three! Team Scotzipan had three first-time competitors, and they came in first on OSINT reports. They had a lot of great questions for me when we met, which is exactly what I wanted as a coach. It’s easiest to help people when they’re curious and have specific topics to focus on! We talked a lot about the phone calls themselves, and they were nice enough to share some lovely Corporate Tunes!
The main trend I noticed from coaching was that teams with higher final scores were generally the ones who came to coaching sessions with more questions and preparation. For others, we could have a meeting where I shared my experiences and general advice, but the time was less productive.
There were outliers to this–both teams that did well without coaching, and those who had great coaching sessions but lower final scores. With a something like the Vishing Competition, there will always be an element of luck. You can test your phone numbers beforehand and try to call the people most likely to pick-up, but you’re still at the mercy of chance.
Some teams had trouble getting anyone to answer, and at least one was letting calls go way too easily! A top piece of advice I tried to give everyone was fight to keep every single call going, as the hardest part is often getting someone to answer. If someone really has to go and hangs up, fine. But at least push back against the first excuses, or go for a hail mary flag! If the person is about to hang up, why not ask them to try visiting a troubleshooting website for you real quick? At that point, you have nothing to lose.
When writing about my experience in the previous competitions, my goal was always to pull back the curtain and show what it’s like being a competitor. My coaching experience was a natural evolution to that–an opportunity to help teams prepare and execute to the best of their abilities.
I’m excited to watch more calls and see what’s in store for DEF CON 33!
