“If you manage to get in the booth, you’ve already won.”
Every year, we never cease to be amazed by the talent that walks in and out of the booth. The line between who is the novice and who is the pro is now so thin, we often can’t presume to differentiate.
One of our favorite competitors is Chris Kirsch, who won the SECTF competition in 2017 at DEF CON 25. Prior to competing, Chris was fairly interested in social engineering. But after attending the SECTF competition at DEF CON 23, he was totally hooked. One year later, he applied and was accepted to compete; however, his first attempt was difficult. He recalls, “My target was a firewall company, my call time was on a Saturday afternoon, and the only staffed number during that time was customer technical support. Knowing that these departments have very strict processes (and often long queues), I didn’t want to phone that line and opted to call personal cell phones of employees, spoofing the HQ’s number. Nobody picked up their phone, and I learned later that employees at this company are getting worked so hard they never pick up their cell phones on weekends.” Despite having a really good report score, Chris scored zero points on his live-call portion.
However, he didn’t let that complication stop him. The next year, he was chosen to compete again. This time, Chris managed to get every single flag during one phone call that was so impressive, it brought the entire SEVillage to their feet in applause. He even reenacted the call with Chris Hadnagy to highlight how just one phone call can completely compromise a company.
Chris finds many ways to use his experience competing in both his off-stage life and career in marketing. He says, “My primary life lesson out of these experiences for social engineering and marketing: Know your audience before you open your mouth.”
Rachel Tobac became known for her scarily entertaining videos and her ability to step into the booth and smoothly collect flag after flag. She quickly became one of our most famous contestants, known for her competitive spirit and her encouraging attitude, always in the front row rooting on her fellow competitors. She has gracefully placed 2nd for 3 years and counting.
Like Chris, her first visit to the SEVillage is what hooked her on social engineering. She says, “My husband convinced me to come to DEF CON even though I was convinced it would all be ‘over my head’. He plopped me down in the SECTF room and I got to see two calls (both went to voicemail). I was absolutely hooked and felt like I had found my calling—SECTF combined all my favorite hobbies and fields of study. From then on, I knew I needed to compete the next year even though I was a noob.”
Even though Rachel was a “noob,” her ambition paid off. “The first time I ever did a vishing (phone) call was in front of 500 people in a glass booth at DEF CON so that was definitely a highlight. Watching the crowd’s face through the glass booth as I got flags my first year is something I’ll never forget.”
From that very first call to the present day, Rachel says that the SECTF has changed her life drastically. “The SECTF has radically affected the trajectory of my life—since getting 2nd place for the past three years in a row I’ve started my own social engineering company and get to do this all the time now! Without the SECTF I would have never known that this niche of InfoSec existed, had the opportunity to learn and deeply practice, and I’m so thankful for Hadnagy and the SEVillage crew for supporting me as a social engineer!”
A Little Advice
One of the things we most often get asked for is advice on competing in the SECTF. We asked Chris and Rachel, as veterans of the booth, what advice they would give to anyone thinking about applying for the competition. They did not disappoint.
Here are their words of wisdom:
- While there are many people who apply for this competition, there are very few slots. Make certain you meet all deadlines and follow all rules religiously, otherwise you will be screened out. The video you submit will be used by the judges for evaluating candidates. Make a video that is entertaining for the audience to watch while you are getting set up in the booth. Ensure you come across as a person who both has the right personality to succeed in the competition and is entertaining in the booth.
- Don’t wait until you receive your target company’s name before you begin researching and learning about social engineering and gathering OSINT. Chris says, “I listened to all Social-Engineer.Org podcasts going back three years and read Michael Bazzell’s book ‘Open Source Intelligence’ as my main prep for the competition.” Rachel notes, “I highly recommend reading all of Chris Hadnagy’s books, and reading SEORG’s Social Engineering Framework from the start to finish.”
- What gets you into a company in a real-life SE engagement may differ from what helps you win the competition. Be aware of rules and time limits. For example, in a professional engagement, you may be able to build rapport over several calls and days, but in the booth you cannot.
- Practice vishing by calling your personal service providers without enough information to authenticate accounts.
- Pick phone numbers that are staffed during the time of your call but don’t choose a personal number. Strongly prefer numbers that don’t follow a strict process. Individual numbers are bad because people may not be at their desks, and process-driven numbers (tech support, customer service) are harder to get away from their script onto your script. Phone your target numbers with your phone on mute (per SECTF rules) on the same weekday and at the same time of your call to see if that number is staffed.
- Have fun in the booth! The DEF CON and SEVillage audience is incredibly supportive and kind. If you manage to get into the booth, you’ve already won.
Empowering a New Generation of Social Engineers
For DEF CON 19, the SEVillage added another competition aimed at educating the next generation of social engineers. The SECTF4Kids was created to teach kids how to safely and effectively use social engineering and how to enhance their critical-thinking skills. Over the years, we’ve hosted kids aged 5-12 who enter with eager minds and take on every assigned task.
We have had the privilege of watching a few of these kids grow up before our eyes. Ashley is one of them. Ashley started competing in the very first SECTF4Kids when she was 13 years old. She previously told us that the SECTF4Kids is what helped jumpstart her love for robotics, “…the SECTF4Kids sparked my love for solving puzzles and for competition. And because of those reasons, I joined my school’s robotics team.” Her team eventually partook in competitions worldwide! Ashley says her desire to keep persevering even when things were going wrong is something she learned competing in the SECTF4Kids, “Without all of the critical thinking skills I learned from SECTF4Kids, I definitely wouldn’t have been able to—or would have had a more difficult time—solving the problems robotics presents.”
DEF CON 25 was the launch for our SECTF4Teens competition. As we watched the kid competitors grow each year, we realized there was still so much for them to learn. Built specifically for the 13-17-year-old crowd, we took our kids competition to the next level: more challenging tasks, harder puzzles, and more critical thinking required than we have ever asked of them before. The youth who have entered this competition have not only shown us their talents but have also touched our hearts.
One teen in particular who competed in the SECTF4Teens at DEF CON 26 impacted us greatly. He arrived among a school group who brought a few students to compete at DEF CON. Just a few weeks prior to the contest, he unexpectedly and suddenly lost one of his parents. Naturally, he was devastated and wasn’t sure that he wanted to compete anymore. With encouragement from his family and school instructor, he decided to attend anyway. His instructor later told us that, beginning the morning of the competition, the teen was afraid he made the wrong decision. The teen was quiet and somber, and acted like he didn’t want to be there. But by the end of the event, he was smiling, laughing, and to this day still speaks with excitement about his experience. His parent later told his instructor that the SECTF4Teens transformed him and that he started to turn around for the better after his time in the SEVillage.
We are proud to play a part in any of the lives of the kids and teens who we meet at the SEVillage. Their willingness to learn, their drive to compete, and the strength they must hold to conquer anything placed in front of them are tremendously motivating to us. We are proud of each and every one of them.
The Next Ten Years
As we enter our tenth year of running the SEVillage, we’ve been able to reflect on how one little competition has grown into something much bigger than we ever could’ve imagined. Throughout our tenure of fostering the structure, professionalism, and awareness of social engineering as a whole, we have strived to continuously evolve this exciting and compelling field. To maintain this momentum and advancement, we are proud to announce the next evolution in social engineering: SEVillage Orlando 2020.
SEVillage Orlando 2020 is a comprehensively elevated and next-level venture. For three days, attendees are immersed in an unprecedented training experience, including:
- Choosing up to 5 multi-hour workshops taught by world-renowned leaders in human behavior, physiology, OSINT, and psychology;
- A variety of speaking sessions from expert-level presenters, varying from fast-paced concentrated content to panels and keynotes;
- SEVillage’s signature competition, the SECTF;
- Exciting breakouts and challenges;
- 3 Evening Events plus many opportunities for networking; and
- All-inclusive lunches, beverages, and breaks
We hope you’ll join us on Thursday, February 20 through Saturday, February 22, 2020 in Orlando, FL for this never-before-seen training conference bringing together sought-after speakers to deliver exceptional content. With an absolute maximum capacity of 1,000 attendees, we urge you to visit SEVillage.org and register soon.
Thank you for your continued enthusiasm and support. We look forward to seeing you soon and to shaping the next ten years with you!
Written By: Amanda Marchuck and Allie Hansen
Sources:
- https://www.social-engineer.org/
- https://www.social-engineer.org/sevillage-def-con/the-sectf/
- https://www.social-engineer.org/sevillage-def-con/
- https://www.social-engineer.org/general-blog/sectf-8-years-review-2010-2017/
- https://www.twitter.com/chris_kirsch
- https://www.veracode.com/blog/security-news/how-single-phone-call-can-compromise-your-company
- https://www.social-engineer.org/?s=michael+Bazzell
- https://www.social-engineer.org/category/podcast/
- https://www.social-engineer.org/general-blog/sectf4kids/
- https://www.social-engineer.org/framework/general-discussion/
- https://twitter.com/racheltobac