How a Salesman Infiltrated the World’s Largest Hacker Conference: Part 1

Blake Mitchell
Published in Cmd Security · 7 min read · Jul 31, 2018

I manage sales for Cmd, an advanced server protection tool for cloud-first environments. And in two weeks, I’ll be getting on stage in Las Vegas in front of over 1,000 hackers at DEF CON, the world’s largest hacker conference. Between my coworkers and our customers, I spend my days surrounded by some of the smartest minds in the cybersecurity space. Now, I’ll be taking the stage at the Social Engineering Capture the Flag (SECTF for short) competition as I attempt to manipulate the employees of a global firm into giving me sensitive data about their organization over the phone.

So how did a sales professional gain entry into an elite hacker competition? Maybe the more important question is…what have I gotten myself into?

What’s DEF CON?

First off, if you don’t already know, DEF CON is a place where ethical hackers*, three-letter agencies, and security professionals congregate for a few days in Las Vegas to have fun, connect, and discuss the new trends emerging in the world of cybersecurity. On the floor of this conference, some of the best hackers in the world will be sharing how they hack into stuff and their advice so we can better protect our friends, families, organizations, and everyday people from the biggest threats of today.

*To be very clear, there is a big difference between good hackers and bad ones. Early on, hackers were on the good side and crackers were the baddies. When hacks and breaches started becoming mainstream news, the media began reappropriating the term “hackers” to mean both bad and good. So now we call the good guys ethical or white hat hackers. Here is a great article from an activist in the hacker community named Chris Roberts.

My sales origin story

When it comes to using computers, my skills are rudimentary at best. I can barely type at 25 WPM and I find it super challenging to stare into a computer screen for too long (even the process of writing this article has pushed me out of my comfort zone). Put simply, I like fast and easy. I like simple and intuitive (think Apple-style graphical user interfaces). I’d much rather hop on a quick phone call instead of typing out a lengthy email. I drive our engineers nuts by being loud and distracting, as my attention span is…short.

I’m a sales guy, through and through. You might say that selling is in my blood. As early as five years old, I started assisting my parents with sales presentations as they got their business off the ground. I’ve enjoyed a varied career in sales so far, selling anything and everything if the opportunity was right. From cars to beer, uranium to real estate, you name it and I’ve probably sold it at some point.

A particularly memorable stint gave me the opportunity to move my wife and son down to Mexico, where I sold vacation properties at a resort that included the first golf course designed by Tiger Woods. My office overlooked the largest pool in North America. Safe to say, it was a pretty sweet gig.

That’s what a 10-acre pool looks like

After a while, we were getting sick of making the commute back and forth between Canada and Mexico every couple of months. My wife and I were in the process of getting our affairs in order to permanently move the family down to Mexico…when our lives were forever changed. We found out my wife was pregnant with my daughter. Realizing we wanted to be close to family, we made the decision to return to Vancouver.

Joining the world of cybersecurity

By the time we got back to Vancouver, it was December of 2015 and I had no idea what direction to take my career. One of my friends, AK from Black Ops Security, recommended that I connect with a strong pentesting/VAR firm that needed help with sales and I leapt at the chance.

Up until that point, I had never worked in IT or cybersecurity. In fact, the most I’d done was to set up a NAS in my house to be able to stream movies on an Android box. I was a bit intimidated, but AK gave me the confidence that he would help me navigate the technical details needed to land the job. He got me to watch and read everything from Mikko Hypponen, Kevin Mitnick, and Brian Krebs, as well as every Verizon DBIR and articles on Hacker News and Dark Reading. I spent weeks absorbing everything I could, then reached out. I managed to talk my way into the job.

The company took the chance on me and I exploited the opportunity, learning the ins and outs of security while pentesting and selling enterprise security tools. One of the highlights of my time there was when I was granted the chance to dabble in social engineering assignments. I got to walk through the offices of a Fortune 100 organization dropping USB payloads. I crafted phishing emails to attack over 10,000 unsuspecting employees. It was awesome. With my newfound passion for security and my transferable sales skills, I was able to help this established, 8-year-old security firm grow its business.

Around this time, I met this security-loving Australian named Jake at a security conference. We got to talking about spear phishing and the best techniques for crafting the perfect attack. Jake then started telling me about his ideas around protecting Linux servers, and how he saw it as a very underserved area despite the growing popularity of this open-source operating system within the world’s largest enterprise organizations. That conversation prompted me to start doing some research and asking questions to find out more about the idea of protecting Linux. I learned about SELinux, AppArmor, and other Linux security tools on the market. I saw how difficult it was to provide visibility, context and control in an easy manner, and I bought into Jake’s vision. I saw there was a better way. Late in 2017, Jake reached out to me with an opportunity of a lifetime; by November, I’d joined the Cmd team as their Director of Sales.

Learning about DEF CON’s SECTF competition

While building out our sales strategy, I made it a point to attend as many conferences as I could to generate connections and continue to learn everything I could about cybersecurity. Truth be told, my favorite part of conferences is usually the conversations I get to have in between the talks and panels. I get bored in talks when the speaker dives ultra-deep into the tech talk (again, short attention span). In February, I found myself at BSides Seattle looking at the agenda. A talk on wetware exploits by Robert Sell caught my eye, so I dropped in. During his talk, he shared his experience of coming in third place at a competition called the SECTF at DEF CON the previous year. Because of my interest in social engineering and my natural sales brain, I found out where he worked and followed the ABCs of sales, trying to land a meeting with Robert so I could show him what we’re up to at Cmd. He shut me down and ignored me. (By the way, I still haven’t landed that meeting. Robert, if you’re reading this, DM me.)

I arrived back in the office on Monday morning still buzzing from the conference. Joe, one of my colleagues, was telling us about a random security podcast he’d just listened to where there was an interview with this guy named Chris Hadnagy. He runs a company called Social-Engineer and organizes the SECTF at DEF CON. I guess Chris had made the statement that he is scared of salespeople. Joe then told me he thought I should enter this competition. He thought that with my sales skills, I’d have a strong possibility of winning it all. (Another thing you should know about me is I’ve always been a bit impulsive. Sometimes it works in my favor, sometimes it bites me in the ass.) Knowing nothing about the competition and having never even attended DEF CON, I decided I’d enter.

Earning my spot in SECTF

In order to get into the competition, I needed to make a video. There’d likely be tons of people applying and only a handful would get selected to participate in the competition, so I had to make it good and stand out from the crowd. I didn’t want to make a fool of myself, so I researched some of the past entry videos. Once I’d seen a few, I thought it didn’t look so hard. My video capitalized on the fact that the name “Blake Mitchell” is super common (Warning: do not Google “Blake Mitchell” on your corporate network). I gathered a few friends and made my entrance video, with a focus on keeping it engaging, short, and as funny as possible. You can watch it here.

My video entry in all its glory

Once I published and submitted my video, I sat back and waited to see what happened. In early April, I heard back from the organizers. It turns out it was a stiff competition this year: about 245 people had sent in videos to apply for SECTF. Against the odds, I’d grabbed one of the coveted spots. Come August, I’d be one of 14 people participating in SECTF live on stage at DEF CON alongside industry veterans like Rachel Tobac, Joe Gray, Robert Sell and others. I was so excited…until I read the fine print and saw I’d have to put together what was sure to be the most in-depth written report of my life.

. . .

Enjoyed what you’ve read so far? Read part two in the series here. I get into what it took to put together the OSINT report and some of the sensitive information I was able to find on my target company.

If you’re going to be at DEF CON this year, come and see me participate in SECTF. If you want to check out what we are doing at Cmd (or grab a special limited edition Cmd badge), we would love to sit down and give you a demo of the tool. Shoot me an email to blake@cmd.com and we can get chatting.

Director of Sales at Cmd.com - Husband, father, sales professional, schmoozer | DefCon 26 SE-CTF contestant | social engineer | Dr. of Metaphysics.