Locked in a soundproof booth: My experience at DefCon’s SE-CTF competition.

Part 3: How a Salesman Infiltrated the World’s Largest Hacker Conference

Blake Mitchell
Cmd Security
10 min read · Aug 14, 2018


By Blake Mitchell, Director of Sales at Cmd

First off, I would like to thank the Social Engineer.org team and volunteers for setting up and organizing this event and challenge. I would like to congratulate @whitneynmaxwell for coming in first place and @RachelTobac for coming in 2nd for the third year in a row. I have a newfound respect for all the hard work that the contestants, volunteers and organizers have put into this event.

If this is the first article in the series you’re reading, I strongly encourage you to go back and check out Part 1 (how I got into the competition) and Part 2 (putting together my OSINT report) to understand the full journey.

In this final article in the trilogy, I’ll be taking you through the process of being at DEF CON 26 and taking the stage for the live call portion of the SECTF competition. Then I’ll be sharing what I learned and the advice I have, now that I’ve been through the whole experience.

About to start making my calls from the soundproof booth on stage at the SECTF competition.

Conference parties, AKA my extended SECTF pre-party

I landed Monday morning in Vegas. Getting settled into my room, I started to realize the marathon event that was ahead of me. Between B-Sides, Black Hat and DEF CON, there was a lot of socializing on the calendar before my Saturday morning call time of 10:45 for the SECTF.

The excitement for these events is huge — connecting with my friends and colleagues who are flying in from all over the country and attending all kinds of events looking to make new ones. I attended all sorts of events in those few days, from intimate gatherings of 20–30 people all the way up to sponsored parties with thousands of people.

A photo I snapped from one of the parties, with a mermaid casually chilling in the pool.

As a sales person, I really focus on the parties. I find I always make my best contacts in the security world at the parties. It’s a running joke in our office that I’ll always wind up talking to the most random person about their pugs or their kid’s upcoming football tournament, only to find out that they’re a C-suite exec at a huge organization when talk finally wanders back to business. My most famous story is when I offered to take Freddy Dezeure, the now former head of the EU-CERT, to a Snoop Dogg concert. There’s a lot of overlap with the social engineering stuff, because really what it comes down to is that people love when they can talk about being a human and not about work in a conference environment where they’re basically talking about work nonstop for days on end.

I had a great time meeting new people at the various conferences over the course of the week and discussing my new favorite topic of social engineering with them, but it definitely took a toll on my prep for the competition. When you attend these parties and you are having fun, it’s super easy to lose track of time and stay out way later than you were planning on. Now I do have one advantage in that I don’t drink anymore (which definitely helps when I’m rolling out of bed the next day), but I was still in pretty rough shape by the time I took the stage. This was my first year attending a conference with my Fitbit so it was cool to watch how my health was affected by various aspects of the conference in real time.

Leading up to my call time on Saturday morning, I had only managed 9 hours of sleep over the course of 2.5 days. This obviously did not help me prepare for Saturday. I was pretty excited to jump in the booth but I was also nervous. The day before, I kept thinking through all the different scenarios and all the different ways I could pull data from my target company. I couldn’t turn my mind off. So even the sleep I did manage to get in the early hours of Saturday morning was kind of a mess.

My less-than-stellar sleep breakdown for the night before the competition.

I was tossing and turning all night, thinking and dreaming about the outcome of this and whether or not I’d done enough to prepare. As you can see above, I somehow managed to wake up 17 times in 4.5 hours. I finally got out of bed at 5:45am and worked on organizing my data before scrambling last minute to find somewhere to print my documents (note to self: do this ahead of time next go around) before I got ready to take the stage.

Making the phone calls

There were in excess of 400 people in line before the doors opened at 10:00am on August 11, 2018.

With my lack of good sleep and the anxiety of being in the booth, I wasn’t in the best shape. But I was ready. The main pretext (the reason I gave for making the call) that I ended up using was that I was calling from corporate trying to validate the details of a bug bounty report (aka, my SE-CTF report). I went with this pretext based on the fact that when we did email phishing exercises at my last org, we found we had an 80% click-through rate when impersonating high-level or public-facing executives. So it seemed like as good a plan as any. At 10:45am, I headed into the booth.

My SECTF Saturday heart rate from my FitBit Versa. Pretty easy to see when I was in the booth.

My first phone call was with a low-level employee. I went straight in with an authoritative “Hey this is corporate. Can you please tell me what kind of phone you’re on?” Turns out he was right in the middle of completing a complex task (and if I’d been responsible for him making an error it could have cost the company millions of dollars, so I’ll leave this one vague). But I got him to answer the question, only for the phone line to disconnect. When I got back on the phone with him, I managed to grab the internal IP address over the phone as well.

My next call was to the SOC, a functioning operations center. Turns out it wasn’t a great target because they were way too busy to answer my questions about my bug bounty pretext. He wanted to get my contact info so he could email me, which of course wasn’t going to work. I assumed he wanted to get me in trouble for calling the number. I told him I was doing a meeting Monday morning with the CISO of the organization and the VP of IT. Then the guy started getting antsy. Thinking on my feet, I said “I’ve been to your office” and started describing info I saw in the photos of his office, which calmed him down a bit. Or at least I thought it did.

Then he asked me for my name. This is where I messed up. Rather than using a name that he’d be able to find within the org, I panicked and used a (not great) fake name. I tried to get him to give me some info about the wifi, listing off the SSIDs that I knew from my OSINT, but the guy wasn’t having it. He kept trying to look me up on their computer system, even putting me on hold to look. Realizing this was probably a dead end, I hung up.

Then my next call was to the lead incident responder for the organization, who was in the middle of boarding a plane. He literally put me on hold while the flight attendant looked at his passport, but then he popped back on and was chatting with me in a friendly, jovial manner. I told him the pretext about my bug bounty. It didn’t go great, though: I was hoping to get info about his computer, but because he was obviously away from it (and under the impression I needed info to validate this report), he recommended I talk to another colleague. Since I could practically see the 20 minutes I had ticking by, I didn’t have time to follow up on this lead.

After that, I tried a few more numbers but kept hitting voicemails. It was over. I’d suspected that by the time I got to these numbers on my list I was probably toast if I hadn’t grabbed much early on, but I had to give it a try.

All in all, I burned 257 calories in 30 min just by sitting in a box talking to strangers. Easiest workout I’ve ever done.

So…what did I learn?

I guess this is the part where I share how this process changed me. I have a ton of takeaways. Here are a few that come to mind.

1. It got me to care about research and studying more than any school assignment ever did

As soon as I left, my mind was going non-stop, playing that 20 minutes over and over and over again wondering what I could have done better or differently. Something that started off as a dare definitely evolved into something more for me.

2. I’m no longer “just” a sales guy

Learning more about the security world through prepping for this competition gave me a newfound respect and appreciation for what it takes to be a security engineer. And the really cool thing I discovered is that my interest and newfound knowledge in the world of social engineering has opened new doors for me when striking up a conversation with someone new.

One such event happened at the Risky Business party. I was standing near a guy I’d never met before, and I had no idea who he was. At the end of the night, I was hungry and wanted a steak, so we invited him along because he is friends with a potential client of Cmd. We all went out for dinner and I started throwing down with this guy on everything around pentesting and security. He knew I was a rookie and a sales guy, but when I told him about SECTF, we got deep into conversation. I’d clearly passed the salesperson level, and I even managed to pick up some super valuable knowledge about how to pentest in the process. After speaking with him for a while, I’m sure @Mubix would have had a conversation with me anyway…but it never would have gone as in depth if we didn’t have a security topic to break the ice with.

3. Social engineering is the best vice a sales guy could have

I grew up hearing my dad tell me over and over again “You are only as good as your last sale.” And I took it to heart. After almost 20 years in sales and after working with thousands of sales people across multiple organizations, I’ve seen how much this job can take a toll on you, especially if you’re struggling to close a sale. Sales people so badly need positive outlets for the daily stresses that are put on our shoulders. Too many turn to super unhealthy vices like booze and drugs to get by. Others lie, manipulate and just generally treat the people around them like garbage just to offload some of their frustrations onto others to make a sale. I should know; I’m guilty of doing that myself, earlier in my career, and I am proud that I do not do this anymore.

One of the biggest personal takeaways for me in the process of preparing for this competition is experiencing the internal confidence I built while honing the skills required. To see how my sales skills could be applied to a new challenge, a new opportunity. It’s been pretty indescribable.

A screengrab from the video that got me into the competition and started it all.

My recommendations

If you’re thinking of participating in a future round of SECTF, this is what I’d say now about preparing for the live call portion:

1. Have the name of someone within the org who you’re impersonating.

One of the things that really screwed me was not being prepared with a believable fake name, someone that could be found on a computer system to validate that I actually worked for the org.

2. Your OSINT report is incredibly valuable.

I don’t think I really understood the full gravity of it until I was in the booth. Take the time necessary to do your research and really flesh it out.

3. Spend time preparing for the calls.

Try the numbers you plan to call ahead of time to make sure they pick up (within the parameters of the rules for the competition). Try roleplaying with a friend, or calling another company to test it out with people you don’t know just to understand how people will react to your questions.

4. Tailor your strategy to the specific target.

Your pretext, tone of voice, and what flags you attempt should be specific to the person you’re calling. It takes more time but I saw it help in numerous examples in my own calls and watching others make theirs.

What’s next?

So, the question I was asked numerous times: would I do this again? Yes, yes I would. I’d only want to do it, though, if I could really dedicate the time to it again, but I know I could do better. I’ve learned from my mistakes. I’ve learned from seeing others in the booth this year. Plus, having conversations with more people now who do this full time for a living has given me great insights as well.

But for now, I’ll keep my focus on bringing in sales for Cmd.

This picture goes to show, even a first time DEF CON attendee can receive a challenge coin.

Thanks for reading this far. I really appreciate all of the support through this process. If you know anyone who’d be interested in reading, feel free to share.

If you want to learn more about SE-CTF or putting together an OSINT report, I would love to chat and share my experience. Even if you just want some Cmd swag, I’m always happy to help out. I am still a sales guy at heart! ;)

Connect with me via:

Twitter: @thecaboguy

LinkedIn: www.linkedin.com/in/blakeamitchell/

Email: Blake@cmd.com

We would appreciate it if you followed me and Cmd, and clapped for this post.


Director of Sales at Cmd.com - Husband, father, sales professional, schmoozer | DefCon 26 SE-CTF contestant | social engineer | Dr. of Metaphysics.